
Logging and Review: HIPAA Style


Presentation Transcript


  1. Logging and Review: HIPAA Style Chip Nimick, University of Rochester/Strong Health Lee Olson, Mayo Clinic Don Sweezy, Duke University Health System

  2. Activity Review and Monitoring Requirements in Security Reg • Information Systems Activity Review 164.308(a)(1)(ii)(D) • Log-in Monitoring 164.308(a)(5)(ii)(C) • Audit Controls 164.312(b)

  3. Issues • What risks can be effectively addressed by review of operating system logs and application logs? • What are some practical heuristics for highlighting log event patterns that are worth further investigation? • Which tools are most useful for applying these heuristics: commercial, open source, or home-grown?

  4. Auditing HIPAA Style August 2005 Lee Olson Mayo Clinic

  5. Security standard: Audit • STANDARD: System Administrators must be able to audit access and access attempts to Mayo confidential information. Audits will be conducted when unauthorized accesses and attempts are identified. Audit records shall be kept at least six months, and administrators shall periodically review the audit records for evidence of violations or system misuse. • GUIDELINE: Implementation procedures are developed at the local and business unit levels. Stewards should specify audit controls based on business needs and risk levels.

  6. Security standard: Violations • STANDARD: Any deviation from the Mayo Information Security Policies and Standards is a violation. Everyone must report instances of noncompliance. Violations will be reviewed for appropriate disciplinary action in accordance with appropriate personnel policy and procedures. Corrective action may include termination of employment and/or criminal prosecution. • GUIDELINE: The Information Security Office, the personnel function and an appropriate level of department management will review standards violations and recommend corrective or disciplinary action. • GUIDELINE: Users should report security violations to a supervisor, the personnel function, system administrator, information steward, information security, physical security or Internal Audit Services, as appropriate.

  7. Administrative Policy • Strongly discourage employees from accessing their own records • Prohibit employees from accessing the records of their: children (if not the documented medical provider); adult family members (without signed authorization and proper notation); co-workers, friends and neighbors • Outline process for requesting a copy of medical record (same as patient process)

  8. New Way to Protect Confidentiality • Continuing in 2004 (reactive approach): investigation of employees who are reported to have breached confidentiality • Starting in 2004 (proactive approach): systematic audits will flag employees who may be breaching confidentiality

  9. Considering intent, we classify inappropriate medical information access into three buckets. Instances in the first bucket are fairly unambiguous, pose the highest institutional risk and threaten patient confidence. Audits focus on the first bucket. • Malice or habitual: family members*, neighbors, co-workers, habitual surfing, legal ammo • Convenience: own record, minor children, family members* • Error or mistaken judgment: wrong patient (*Pattern will disclose intent)

  10. Criteria / Method of Auditing • Matches from same last names (user/patient) • Matches name on emergency contact • Matches name on insurance guarantor • Department name searches

  11. Duke Medicine Logging & Review - HIPAA Style Don Sweezy, CISSP Duke Medicine / NCHICA Use Only

  12. Basic Model • OS and Apps → Log Files or Syslog → Extract Security Events (Security Events) → Filter Incidents (Security Incidents)

  13. Log Review Standard - Highlights • Part of the risk management practice for each system. • Server logs will be reviewed at least daily, by software with no human intervention. • Logs from workstations will be reviewed for cause (i.e. not on a scheduled basis).

  14. Frequency and Retention

  15. Basic Model (continued) • Log Files or Syslog → Extract Security Events (Security Events) → Filter for Incidents (Security Incidents) → Security Controls

  16. Central Logging • Log Repository → Extract → Normalize Events → Filter for Incidents → Security Controls and Security Reports

  17. Systems and Strengths

  18. Critical Issues • Scalability • Distributed Administration • HIPAA Compliance Reports • Customer Defined Agents • OS Deployment

  19. URMC / Strong Health

  20. URMC / Strong Health • Rochester, Monroe County, New York • Employees – 10500 FT + 2400 PT • Inpatient – 1050 beds • Ambulatory – 1.16M visits per year • Emergency – 113K visits per year • Laboratory – 1.5M orders, 10M tests per year • Radiology – 400K exams per year (85% digital) • NIH Research Funding – $155M in FY04 (ranks 30th)

  21. URMC / Strong Health • University of Rochester Medical Center • Strong Memorial Hospital • School of Medicine & Dentistry • School of Nursing • Medical Faculty Group • Eastman Dental Center • University Health Service (student care) • Highland Hospital (community hospital) • The Highlands (long term care) • Visiting Nurse Service (home care)

  22. Current Privacy Practice is Still Reactive • Compliance Hotline receives complaints • Word of mouth: use the training team and the IT support staff in clinical areas • Publish the privacy officer's contact info widely

  23. Network & OS Security Practice is More Pro-Active • Network activity logs trigger • dynamic firewall rules • e-mail and paging alerts • Operating system log-in multiple failures trigger • short-term account locks • paging alerts for administrator/operator accounts

  24. Top Risks Addressable by Proactive Log Review • Inappropriate access using authorized ePHI access privileges • UserID/password sharing • Malicious / erroneous use of privileged userIDs

  25. Next Steps • RFP for log aggregation, pattern analysis, and alerting system • Handles application access logs, not just OS and network logs • Flexible raw log parsing language/specification • Flexible pattern description language/specification • Manufacturer-developed inputs and reports are nice as templates, but… • Alerting via syslog, SMS text, SNMP to MOM

  26. Next Steps • RFP for controlling privileged userID activities • Temporary privilege escalation - authorization and logging • Safe directories - command logging • Keystroke logging

  27. An Unscientific Survey of Other AMCs • University of Pittsburgh • Vanderbilt University • Ohio State University • Johns Hopkins • University of North Carolina • Indiana University

  28. Pro-Active Methods • Manual review of access to current VIP records • Manual review of all access by randomly selected users, both internal users and vendors • Pre-designated access reviewers in each inpatient and outpatient unit • Spot audit both internal users and business partners • Centrally developed log audit guidelines; pro-active execution distributed to sysadmins

  29. Pro-Active Methods • Automated highlighting of “after hours” access from unlikely locations • Automated highlighting of patient or guarantor lastname = user lastname • If the user accessing a patient’s record has ever entered documentation into the record, then the access is OK • If access is questionable, follow up with accessor first, rather than supervisor
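The Mayo audit criteria on slide 10 (user last name matching the patient, the emergency contact or the insurance guarantor) and the automated highlighting on slide 29 (after-hours access from an unlikely location, with access treated as OK when the user has ever documented in that record) are simple enough to run as a nightly job over an application's access log. The Python below is an added example for this page, not code from Mayo, URMC or the panelists; the user directory, shift hours, documentation table and access records are all constructed, and treating an access as "unlikely" when it is both outside the user's shift and from a workstation outside the user's home unit is an assumption of this example. Slide 10's department name searches are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class User:
    uid: str
    last_name: str
    home_unit: str               # unit whose workstations this user normally uses
    shift: tuple                 # (start, end) local times; end < start means overnight


@dataclass(frozen=True)
class Access:
    ts: datetime
    uid: str
    patient_id: str
    patient_last: str
    emergency_contact_last: str  # "" when none on file
    guarantor_last: str          # insurance guarantor's last name, "" when none
    location: str                # unit of the workstation the access came from


# Constructed user directory; shift hours would normally come from scheduling data.
USERS = {
    "u100": User("u100", "Rivera", "4W", (time(7, 0), time(19, 0))),
    "u200": User("u200", "Okafor", "6E", (time(7, 0), time(19, 0))),
    "u300": User("u300", "Chen", "ICU", (time(7, 0), time(19, 0))),
    "u400": User("u400", "Dubois", "ED", (time(19, 0), time(7, 0))),
}

# (uid, patient_id) pairs where the user has ever charted on the patient (constructed).
DOCUMENTED = {("u300", "P4")}

# Constructed application access log for one night and the following morning.
ACCESSES = [
    Access(datetime(2005, 8, 10, 10, 15), "u100", "P1", "Rivera", "", "Rivera", "4W"),
    Access(datetime(2005, 8, 10, 14, 0), "u200", "P2", "Garcia", "Garcia", "Okafor", "6E"),
    Access(datetime(2005, 8, 10, 2, 30), "u300", "P3", "Lee", "", "", "ED"),
    Access(datetime(2005, 8, 10, 2, 35), "u300", "P4", "Lee", "", "", "ED"),
    Access(datetime(2005, 8, 10, 11, 0), "u300", "P5", "Patel", "", "", "ICU"),
    Access(datetime(2005, 8, 10, 2, 40), "u400", "P3", "Lee", "", "", "ED"),
]


def on_shift(t, shift):
    """True when local time t falls inside the (start, end) shift, including
    shifts that cross midnight."""
    start, end = shift
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def flag_access(acc, users, documented):
    """Return the list of reasons this access needs follow-up ([] when none)."""
    user = users[acc.uid]
    if (acc.uid, acc.patient_id) in documented:
        return []                     # documented care relationship: access is OK
    flags = []
    uname = user.last_name.casefold()
    for label, name in (("patient", acc.patient_last),
                        ("emergency contact", acc.emergency_contact_last),
                        ("guarantor", acc.guarantor_last)):
        if name and name.casefold() == uname:
            flags.append(f"user last name matches {label}")
    if not on_shift(acc.ts.time(), user.shift) and acc.location != user.home_unit:
        flags.append(f"after-hours access from {acc.location}, "
                     f"outside home unit {user.home_unit}")
    return flags


def audit(accesses, users, documented):
    """Return [(access, flags)] for every access that needs follow-up, in log order."""
    hits = []
    for acc in accesses:
        flags = flag_access(acc, users, documented)
        if flags:
            hits.append((acc, flags))
    return hits


if __name__ == "__main__":
    for acc, flags in audit(ACCESSES, USERS, DOCUMENTED):
        print(f"{acc.ts:%Y-%m-%d %H:%M} {acc.uid} -> {acc.patient_id}: " + "; ".join(flags))
```

Three of the six constructed accesses are flagged: a user reading a record whose patient and guarantor share her last name, a user whose last name matches the guarantor on an unrelated patient, and a day-shift ICU user reading a record from an ED workstation at 02:30. The same user's 02:35 access is not flagged because the documentation table shows a care relationship, and the overnight ED user at 02:40 is on shift at a home-unit workstation. A name match is only a hit worth a human look, as slide 9's footnote says the pattern over time discloses intent; the own-record rule on slide 7 would need an employee-to-patient-identifier mapping that this constructed data does not carry.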

  30. Pro-Active Methods • Let all application users see which users have accessed a given patient’s record • Let patients see who has accessed their record

  31. Top Risks • More concern about an improper disclosure of 1000 patient records than improper accesses to individual patient records. • More concern about disclosures from the hundreds of Access databases and Web front-ends than from the central systems. • …

  32. Logging and Review – HIPAA Style • Current practice is still reactive! • Strongly disagree ____ • Disagree ___ • Neither agree nor disagree ___ • Agree ___ • Strongly agree __ • What practices ___

  33. Logging and Review – HIPAA Style • Business associates and non-employee treatment providers are of equal concern as employees. • Strongly disagree ____ • Disagree ___ • Neither agree nor disagree ___ • Agree ___ • Strongly agree __

  34. Logging and Review – HIPAA Style • Network logs (from routers, firewalls, IDS, etc.) are reviewed • daily ___ • weekly ___ • monthly ___ • only when an incident occurs __ • Network logs are reviewed by software, humans or both • software ___ • humans ___ • both ___

  35. Logging and Review – HIPAA Style • Server logs (from host operating systems, domain controllers, etc.) are reviewed • daily ___ • weekly ___ • monthly ___ • only when an incident occurs __ • Server logs are reviewed by software, humans or both • software ___ • humans ___ • both ___

  36. Logging and Review – HIPAA Style • PHI access logs (from healthcare software, database daemons, etc.) are reviewed • daily ___ • weekly ___ • monthly ___ • only when an incident occurs __ • PHI access logs are reviewed by software, humans or both • software ___ • humans ___ • both ___

  37. Logging and Review - Innovative Technologies • My AMC manually audits log files ___ • My AMC uses third party audit & compliance tools ___ • My AMC uses internally developed audit and compliance tools ___ • My AMC uses some combination of the above ___

  38. Logging and Review – HIPAA Style • The top priority over the coming year for implementing pro-active review of logs is for • Network logs ___ • Server logs ___ • PHI access logs __

  39. Logging and Review - Experience • What was involved in the implementation at your AMC? • What have been the successes/failures/issues? • What are the lessons learned?

  40. What follow-up activities would be helpful to AMCs in dealing with this topic? • {Audience/panelists responses}

  41. Engagement Quality Instant Poll • This session did a good job of engaging the panelists and the audience on the topic. 1 - Strongly Disagree ___ 2 - Disagree ___ 3 - Neither agree nor disagree ___ 4 - Agree ____ 5 - Strongly agree ____

  42. Logging and Review: HIPAA Style • Questions?
