Logging and Review: HIPAA Style

1
Logging and Review HIPAA Style

• Chip Nimick, University of Rochester/Strong
  Health
• Lee Olson, Mayo Clinic
• Don Sweezy, Duke University Health System

2
Activity Review and MonitoringRequirements in
Security Reg

• Information Systems Activity Review 164.308(a)(1)
  (ii)(D)
• Log-in Monitoring 164.308(a)(5)(ii)(C)
• Audit Controls 164.312(b)

3
Issues

• What risks that can be effectively addressed by
  review of operating system logs and application
  logs?
• What are some practical heuristics for
  highlighting log event patterns that are worth
  further investigation?
• Which tools are most useful for applying these
  heuristics commercial, open source, or
  home-grown?

4
Auditing HIPAA Style

• August 2005
• Lee Olson
• Mayo Clinic

5
Std Number Standard Implementation Specifications (R)Required (A)Addressable Compliance Documentation Site
Administrative Safeguards Administrative Safeguards Administrative Safeguards Administrative Safeguards Administrative Safeguards
1 Security Management Process Implement policies and procedures to prevent, detect, contain, and correct security violations. Information System Activity Review Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports. R The compliance baseline is established at the EMR which has 20,000 users. Log data from six high-risk of 12 Mayo Integrated Systems applications (Documents Browser, Clinical Notes, PPI, CDM, Medical Indexing and Master Sheet) are evaluated against relationship and sensitivity criteria as approved by the Rochester Information Security Subcommittee. The MICS Security Administrator investigates security-relevant accesses through further reviews of LastWord, Orders 97 and other applications as necessary. Culpable individuals identified are referred to appropriate departmental oversight authorities. The MICS Security Administrator maintains operational documentation. MCR
1 Security Management Process Implement policies and procedures to prevent, detect, contain, and correct security violations. Information System Activity Review Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports. R A proactive audit of medical records access is being conducted to determine trends of inappropriate use. Information, based on pre-defined criteria is provided by the Data Warehouse IT function to the Security Officer. The Security Officer creates a report of likely abuse cases and passes them on to the Privacy Officer for evaluation. Based on the Privacy Officers input (including a possible request for more information to the Security Officer) the report goes to HR for investigation. Reactive and Proactive Audit process MCA
1 Security Management Process Implement policies and procedures to prevent, detect, contain, and correct security violations. Information System Activity Review Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports. R Additional Policies/Procedures HR Policy Confidential and Privileged Information Procedure is in place for the Jacksonville Information Security Office to review and report suspected violations of access to the EMR. Security incident tracking reports are maintained locally. MCJ
6
Security standard Audit

• STANDARD System Administrators must be able to
  audit access and access attempts to Mayo
  confidential information. Audits will be
  conducted when unauthorized accesses and attempts
  are identified. Audit records shall be kept at
  least six months, and administrators shall
  periodically review the audit records for
  evidence of violations or system misuse.
• GUIDELINE Implementation procedures are
  developed at the local and business unit levels.
  Stewards should specify audit controls based on
  business needs and risk levels.

7
Security standard Violations

• STANDARD Any deviation from the Mayo Information
  Security Policies and Standards is a violation.
  Everyone must report instances of noncompliance.
  Violations will be reviewed for appropriate
  disciplinary action in accordance with
  appropriate personnel policy and procedures.
  Corrective action may include termination of
  employment and/or criminal prosecution.
• GUIDELINE The Information Security Office, the
  personnel function and an appropriate level of
  department management will review standards
  violations and recommend corrective or
  disciplinary action.
• GUIDELINE Users should report security
  violations to a supervisor, the personnel
  function, system administrator, information
  steward, information security, physical security
  or Internal Audit Services, as appropriate.

8
Administrative Policy

• Strongly discourage employees from accessing
  their own records
• Prohibit employees from accessing the records of
  their
• Children (if not the documented medical provider)
• Adult family members (without signed
  authorization and proper notation)
• Co-workers, friends and neighbors
• Outline process for requesting a copy of medical
  record (same as patient process)

9
New Way to Protect Confidentiality
Investigation of employees who are reported to
have breached confidentiality
Systematic audits will flag employees who may be
breaching confidentiality
10
Considering intent, we classify inappropriate
medical information access into three buckets.
Instances in the first bucket are fairly
unambiguous, pose the highest institutional risk
and threaten patient confidence. Audits focus on
the first bucket.
Malice or habitual Family members Neighbors Co-wo
rkers Habitual surfing Legal ammo
Convenience Own record Minor children Family
members
Error or mistaken judgment Wrong patient
Pattern will disclose intent
11
(No Transcript)
12
CRITERIA METHOD OF AUDITING-Matches from same
last names (user/patient)-Matches name on
emergency contact -Matches name on insurance
guarantor-Department name searches
13
(No Transcript)
14
Duke Medicine

• Logging Review - HIPAA Style
• Don Sweezy, CISSP

Duke Medicine / NCHICA Use Only
15
Basic Model
OS and Apps
Extract Security Events
Filter Incidents
Log Files or Syslog
16
Log Review Standard - Highlights

• Part of the risk management practice for each
  system.
• Server logs will be reviewed at least daily
• By software with no human intervention.
• Logs from workstations will be reviewed for cause
  (i.e. not on a scheduled basis).

17
Frequency and Retention
Server logs Review daily by software
Workstation logs Available for 30 days. Review for cause
Changes to filters Retain 6 years
False positives Retain 6 years
Non-logging app Not required
Security logs 1 month online
Incremental backup daily 1 month online
Monthly backup 2 years
Security tests 6 years
18
Basic Model
Filter for Incidents
Extract Security Events
Security Controls
Log Files or Syslog
19
Central Logging
Extract Normalize Events
Filter for Incidents
Security Controls
Security Reports
20
Systems and Strengths
IBM Integration with Tivoli
Consul / BMC GUI and Profiling
SenSage Scale and Storage
21
Critical Issues

• Scalability
• Distributed Administration
• HIPAA Compliance Reports
• Customer Defined Agents
• OS Deployment

22
URMC / Strong Health
23
URMC / Strong Health

• Rochester, Monroe County, New York
• Employees 10500 FT 2400 PT
• Inpatient 1050 beds
• Ambulatory 1.16M visits per year
• Emergency 113K visits per year
• Laboratory 1.5M orders, 10M tests per year
• Radiology 400K exams per year (85 digital)
• NIH Research Funding 155M in FY04 (ranks 30th)

24
URMC / Strong Health

• University of Rochester Medical Center
• Strong Memorial Hospital
• School of Medicine Dentistry
• School of Nursing
• Medical Faculty Group
• Eastman Dental Center
• University Health Service (student care)
• Highland Hospital (community hospital)
• The Highlands (long term care)
• Visiting Nurse Service (home care)

25
Current Privacy Practice is Still Reactive

• Compliance Hotline receives complaints
• Word of mouth use the training team and the IT
  support staff in clinical areas
• Publish the privacy officers contact info widely

26
Network OS Security Practice is More Pro-Active

• Network activity logs trigger
• dynamic firewall rules
• e-mail and paging alerts
• Operating system log-in multiple failures trigger
• short-term account locks
• paging alerts for administrator/operator accounts

27
Top Risks Addressable by Proactive Log Review

• Inappropriate access using authorized ePHI access
  privileges
• UserID/password sharing
• Malicious / erroneous use of privileged userIDs

28
Next Steps

• RFP for log aggregation, pattern analysis, and
  alerting system
• Handles application access logs, not just OS and
  network logs
• Flexible raw log parsing language/specification
• Flexible pattern description language/specificatio
  n
• Manufacturer-developed inputs and reports are
  nice as templates, but
• Alerting via syslog, SMS text, SNMP to MOM

29
Next Steps

• RFP for controlling privileged userID activities
• Temporary privilege escalation - authorization
  and logging
• Safe directories - command logging
• Keystroke logging

30
An Unscientific Surveyof Other AMCs

• University of Pittsburgh
• Vanderbilt University
• Ohio State University
• Johns Hopkins
• University of North Carolina
• Indiana University

31
Pro-Active Methods

• Manual review of access to current VIP records
• Manual review of all access by randomly selected
  users, both internal users and vendors
• Pre-designated access reviewers in each inpatient
  and outpatient unit
• Spot audit both internal users and business
  partners
• Centrally developed log audit guidelines
  pro-active execution distributed to sysadmins

32
Pro-Active Methods

• Automated highlighting of after hours access
  from unlikely locations
• Automated highlighting of patient or guarantor
  lastname user lastname
• If the user accessing a patients record has ever
  entered documentation into the record, then the
  access is OK
• If access is questionable, follow up with
  accessor first, rather than supervisor

33
Pro-Active Methods

• Let all application users see which users have
  accessed a given patients record
• Let patients see who has accessed their record

34
Top Risks

• More concern about an improper disclosure of 1000
  patient records than improper accesses to
  individual patient records.
• More concern about disclosures from the hundreds
  of Access databases and Web front-ends than from
  the central systems.

35
Logging and Review HIPAA Style

• Current practice is still reactive!
• Strongly disagree ____
• Disagree ___
• Neither agree nor disagree ___
• Agree ___
• Strongly agree __
• What practices ___

36
Logging and Review HIPAA Style

• Business associates and non-employee treatment
  providers are of equal concern as employees.
• Strongly disagree ____
• Disagree ___
• Neither agree nor disagree ___
• Agree ___
• Strongly agree __

37
Logging and Review HIPAA Style

• Network logs (from routers, firewalls, IDS, etc.)
  are reviewed
• daily ___
• weekly ___
• monthly ___
• only when an incident occurs __
• Network logs are reviewed by software, humans or
  both
• software ___
• humans ___
• both ___

38
Logging and Review HIPAA Style

• Server logs (from host operating systems, domain
  controllers, etc.) are reviewed
• daily ___
• weekly ___
• monthly ___
• only when an incident occurs __
• Server logs are reviewed by software, humans or
  both
• software ___
• humans ___
• both ___

39
Logging and Review HIPAA Style

• PHI access logs (from healthcare software,
  database daemons, etc.) are reviewed
• daily ___
• weekly ___
• monthly ___
• only when an incident occurs __
• PHI access logs are reviewed by software, humans
  or both
• software ___
• humans ___
• both ___

40
Logging and Review - Innovative Technologies

• My AMC manually audits log files ___
• My AMC uses third party audit compliance tools
  ___
• My AMC uses internally developed audit and
  compliance tools ___
• My AMC uses some combination of the above ___

41
Logging and Review HIPAA Style

• The top priority over the coming year for
  implementing pro-active review of logs is for
• Network logs ___
• Server logs ___
• PHI access logs __

42
Logging and Review - Experience

• What was involved in the implementation at your
  AMC?
• What have been the successes/failures/issues?
• What are the lessons learned?

43
What follow-up activities would be helpful to
AMCs in dealing with this topic?

• Audience/panelists responses

44
Engagement Quality Instant Poll

• This session did a good job of engaging the
  panelists and the audience on the topic.
• 1 - Strongly Disagree ___
• 2 - Disagree ___
• 3 - Neither agree not disagree ___
• 4 - Agree ____
• 5 - Strongly agree ____

45
Logging and Review HIPAA Style

• Questions?