Logging and Review: HIPAA Style Chip Nimick, University of Rochester/Strong Health Lee Olson, Mayo Clinic Don Sweezy, Duke University Health System
Activity Review and Monitoring Requirements in Security Reg • Information Systems Activity Review 164.308(a)(1)(ii)(D) • Log-in Monitoring 164.308(a)(5)(ii)(C) • Audit Controls 164.312(b)
Issues • What risks can be effectively addressed by review of operating system logs and application logs? • What are some practical heuristics for highlighting log event patterns that are worth further investigation? • Which tools are most useful for applying these heuristics: commercial, open source, or home-grown?
Auditing HIPAA Style August 2005 Lee Olson Mayo Clinic
Security standard: Audit • STANDARD: System Administrators must be able to audit access and access attempts to Mayo confidential information. Audits will be conducted when unauthorized accesses and attempts are identified. Audit records shall be kept at least six months, and administrators shall periodically review the audit records for evidence of violations or system misuse. • GUIDELINE: Implementation procedures are developed at the local and business unit levels. Stewards should specify audit controls based on business needs and risk levels.
Security standard: Violations • STANDARD: Any deviation from the Mayo Information Security Policies and Standards is a violation. Everyone must report instances of noncompliance. Violations will be reviewed for appropriate disciplinary action in accordance with appropriate personnel policy and procedures. Corrective action may include termination of employment and/or criminal prosecution. • GUIDELINE: The Information Security Office, the personnel function and an appropriate level of department management will review standards violations and recommend corrective or disciplinary action. • GUIDELINE: Users should report security violations to a supervisor, the personnel function, system administrator, information steward, information security, physical security or Internal Audit Services, as appropriate.
Administrative Policy • Strongly discourage employees from accessing their own records • Prohibit employees from accessing the records of their: Children (if not the documented medical provider) Adult family members (without signed authorization and proper notation) Co-workers, friends and neighbors • Outline process for requesting a copy of medical record (same as patient process)
New Way to Protect Confidentiality • Continuing in 2004 (reactive approach): Investigation of employees who are reported to have breached confidentiality • Starting in 2004 (proactive approach): Systematic audits will flag employees who may be breaching confidentiality
Considering intent, we classify inappropriate medical information access into three buckets. Instances in the first bucket are fairly unambiguous, pose the highest institutional risk and threaten patient confidence. Audits focus on the first bucket. • Malice or habitual: Family members*, Neighbors, Co-workers, Habitual surfing, Legal ammo • Convenience: Own record, Minor children, Family members* • Error or mistaken judgment: Wrong patient (*Pattern will disclose intent)
Criteria / Method of Auditing • Matches from same last names (user/patient) • Matches name on emergency contact • Matches name on insurance guarantor • Department name searches
Duke Medicine Logging & Review - HIPAA Style Don Sweezy, CISSP Duke Medicine / NCHICA Use Only
Basic Model (diagram): OS and Apps → Log Files or Syslog → Extract Security Events → Filter Incidents → Security Events / Security Incidents
Log Review Standard - Highlights • Part of the risk management practice for each system. • Server logs will be reviewed at least daily • By software with no human intervention. • Logs from workstations will be reviewed for cause (i.e. not on a scheduled basis).
Frequency and Retention (slide content not recoverable from the extracted text)
Basic Model (diagram): Log Files or Syslog → Extract Security Events → Filter for Incidents → Security Events / Security Incidents → Security Controls
Central Logging (diagram): Log Repository → Extract → Normalize Events → Filter for Incidents → Security Controls / Security Reports
Systems and Strengths (slide content not recoverable from the extracted text)
Critical Issues • Scalability • Distributed Administration • HIPAA Compliance Reports • Customer Defined Agents • OS Deployment
URMC / Strong Health • Rochester, Monroe County, New York • Employees – 10500 FT + 2400 PT • Inpatient – 1050 beds • Ambulatory – 1.16M visits per year • Emergency – 113K visits per year • Laboratory – 1.5M orders, 10M tests per year • Radiology – 400K exams per year (85% digital) • NIH Research Funding – $155M in FY04 (ranks 30th)
URMC / Strong Health • University of Rochester Medical Center • Strong Memorial Hospital • School of Medicine & Dentistry • School of Nursing • Medical Faculty Group • Eastman Dental Center • University Health Service (student care) • Highland Hospital (community hospital) • The Highlands (long term care) • Visiting Nurse Service (home care)
Current Privacy Practice is Still Reactive • Compliance Hotline receives complaints • Word of mouth: use the training team and the IT support staff in clinical areas • Publish the privacy officer's contact info widely
Network & OS Security Practice is More Pro-Active • Network activity logs trigger • dynamic firewall rules • e-mail and paging alerts • Operating system log-in multiple failures trigger • short-term account locks • paging alerts for administrator/operator accounts
Top Risks Addressable by Proactive Log Review • Inappropriate access using authorized ePHI access privileges • UserID/password sharing • Malicious / erroneous use of privileged userIDs
Next Steps • RFP for log aggregation, pattern analysis, and alerting system • Handles application access logs, not just OS and network logs • Flexible raw log parsing language/specification • Flexible pattern description language/specification • Manufacturer-developed inputs and reports are nice as templates, but… • Alerting via syslog, SMS text, SNMP to MOM
Next Steps • RFP for controlling privileged userID activities • Temporary privilege escalation - authorization and logging • Safe directories - command logging • Keystroke logging
An Unscientific Survey of Other AMCs • University of Pittsburgh • Vanderbilt University • Ohio State University • Johns Hopkins • University of North Carolina • Indiana University
Pro-Active Methods • Manual review of access to current VIP records • Manual review of all access by randomly selected users, both internal users and vendors • Pre-designated access reviewers in each inpatient and outpatient unit • Spot audit both internal users and business partners • Centrally developed log audit guidelines; pro-active execution distributed to sysadmins
Pro-Active Methods • Automated highlighting of “after hours” access from unlikely locations • Automated highlighting of patient or guarantor lastname = user lastname • If the user accessing a patient’s record has ever entered documentation into the record, then the access is OK • If access is questionable, follow up with accessor first, rather than supervisor
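The Mayo audit criteria (last-name matches against patient, emergency contact and guarantor) and the automated highlighting above (after-hours access from unlikely locations, suppressed when the accessor has documented in the record) combine into one review pass. The following is an added example, not code from any of the presenting institutions; the user directory, patient attributes, access-log fields and the 07:00-19:00 weekday business-hours window are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the presentation): user directory, patient
# registration attributes, and EHR access-log events. Field names are assumed.
USERS = {
    "jdoe":   {"last": "Doe",   "home_depts": {"Cardiology"}},
    "msmith": {"last": "Smith", "home_depts": {"Billing"}},
    "rlee":   {"last": "Lee",   "home_depts": {"Pharmacy"}},
}
PATIENTS = {
    "P100": {"last": "Doe", "emergency_contact_last": "Roe",   "guarantor_last": "Doe"},
    "P200": {"last": "Kim", "emergency_contact_last": "Smith", "guarantor_last": "Kim"},
    "P300": {"last": "Ng",  "emergency_contact_last": "Ng",    "guarantor_last": "Ng"},
}
# (user, patient) pairs where the user has ever entered documentation into the
# record: a treating relationship, so the access is considered OK.
DOCUMENTED = {("jdoe", "P100")}
ACCESS_LOG = [
    {"user": "jdoe",   "patient": "P100", "ts": "2005-08-02T10:15:00", "location": "Cardiology"},
    {"user": "msmith", "patient": "P200", "ts": "2005-08-02T11:40:00", "location": "Billing"},
    {"user": "rlee",   "patient": "P300", "ts": "2005-08-06T02:05:00", "location": "ED-Kiosk"},
    {"user": "rlee",   "patient": "P200", "ts": "2005-08-03T09:00:00", "location": "Pharmacy"},
]

def flags_for(event):
    """Return the heuristic reasons an access event deserves a closer look."""
    user, patient = USERS[event["user"]], PATIENTS[event["patient"]]
    reasons = []
    if user["last"] == patient["last"]:
        reasons.append("user/patient last name match")
    if user["last"] == patient["emergency_contact_last"]:
        reasons.append("user last name matches emergency contact")
    if user["last"] == patient["guarantor_last"]:
        reasons.append("user last name matches insurance guarantor")
    ts = datetime.fromisoformat(event["ts"])
    after_hours = ts.hour < 7 or ts.hour >= 19 or ts.weekday() >= 5  # assumed window
    unlikely_location = event["location"] not in user["home_depts"]
    if after_hours and unlikely_location:
        reasons.append("after-hours access from unlikely location")
    return reasons

def review(log):
    """Events to follow up with the accessor; documented treating relationships are dropped."""
    findings = []
    for ev in log:
        reasons = flags_for(ev)
        if reasons and (ev["user"], ev["patient"]) not in DOCUMENTED:
            findings.append((ev["user"], ev["patient"], reasons))
    return findings
```

Running `review(ACCESS_LOG)` keeps the Billing user whose surname matches a patient's emergency contact and the 02:05 Saturday access from an unfamiliar location, while the cardiologist who shares a surname with a patient they have documented on is not reported.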
Pro-Active Methods • Let all application users see which users have accessed a given patient’s record • Let patients see who has accessed their record
Top Risks • More concern about an improper disclosure of 1000 patient records than improper accesses to individual patient records. • More concern about disclosures from the hundreds of Access databases and Web front-ends than from the central systems. • …
Logging and Review – HIPAA Style • Current practice is still reactive! • Strongly disagree ____ • Disagree ___ • Neither agree nor disagree ___ • Agree ___ • Strongly agree __ • What practices ___
Logging and Review – HIPAA Style • Business associates and non-employee treatment providers are of equal concern as employees. • Strongly disagree ____ • Disagree ___ • Neither agree nor disagree ___ • Agree ___ • Strongly agree __
Logging and Review – HIPAA Style • Network logs (from routers, firewalls, IDS, etc.) are reviewed • daily ___ • weekly ___ • monthly ___ • only when an incident occurs __ • Network logs are reviewed by software, humans or both • software ___ • humans ___ • both ___
Logging and Review – HIPAA Style • Server logs (from host operating systems, domain controllers, etc.) are reviewed • daily ___ • weekly ___ • monthly ___ • only when an incident occurs __ • Server logs are reviewed by software, humans or both • software ___ • humans ___ • both ___
Logging and Review – HIPAA Style • PHI access logs (from healthcare software, database daemons, etc.) are reviewed • daily ___ • weekly ___ • monthly ___ • only when an incident occurs __ • PHI access logs are reviewed by software, humans or both • software ___ • humans ___ • both ___
Logging and Review - Innovative Technologies • My AMC manually audits log files ___ • My AMC uses third party audit & compliance tools ___ • My AMC uses internally developed audit and compliance tools ___ • My AMC uses some combination of the above ___
Logging and Review – HIPAA Style • The top priority over the coming year for implementing pro-active review of logs is for • Network logs ___ • Server logs ___ • PHI access logs __
Logging and Review - Experience • What was involved in the implementation at your AMC? • What have been the successes/failures/issues? • What are the lessons learned?
What follow-up activities would be helpful to AMCs in dealing with this topic? • {Audience/panelists responses}
Engagement Quality Instant Poll • This session did a good job of engaging the panelists and the audience on the topic. 1 - Strongly Disagree ___ 2 - Disagree ___ 3 - Neither agree nor disagree ___ 4 - Agree ____ 5 - Strongly agree ____
Logging and Review: HIPAA Style • Questions?