HIPAA Vulnerability Management & Logging for Giva's Cloud Help Desk Software

A security-first approach means that regular assessment of application vulnerabilities is a key part of providing the highest levels of data security for PHI from electronic health and medical records, and of preventing accidental HIPAA violations. Proper HIPAA log management supports both anomaly detection and forensic analysis.

HIPAA Vulnerability Management

  • Monthly third-party vulnerability and penetration scan
  • Security team reviews scan results
  • Remediation of all threats found
  • Partner with Trustwave for extended validation
  • Whitelists on IDS/IPS and Web Application Firewalls so that vulnerability scanners have an unobstructed view into the infrastructure (otherwise the defences block the scanner and real weaknesses go unreported)
  • Timely infrastructure patching to ensure all security updates are applied
  • Security research for proactive notification of potential threats
  • HIPAA compliance assessment

Comprehensive Logging

  • HIPAA-compliant logging
  • Tripwire Enterprise security solutions
  • File Integrity Monitoring to detect changes to system files, which is how back doors and root kits that replace binaries or configuration get caught
  • Log offloading into external log servers to prevent attackers from "covering their tracks"
  • Enhanced retention of firewall, web app firewall, and event logs
  • Dual factor authentication with extended logging for remote users
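The File Integrity Monitoring item above rests on a simple mechanism: a trusted baseline of file digests and permission bits, compared against the live filesystem. The following is an added example written for this page; it is not Giva's code and not Tripwire Enterprise, and the demo tree, the file contents and the tampering are constructed in a temporary directory.

```python
"""Minimal file-integrity check: hash a file tree, keep the baseline,
diff the live tree against it later.

Added example for this page; it is not Giva's code and not Tripwire
Enterprise, only the mechanism such a tool relies on. The demo tree and
the tampering are constructed in a temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> {sha256, mode} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices: not hashed here
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid
            }
    return baseline


def compare(baseline, current):
    """Classify every difference between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        if baseline[rel]["mode"] != current[rel]["mode"]:
            mode_changed.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def demo():
    """Constructed scenario: baseline a fake /etc and /bin, then simulate an
    intruder weakening sshd_config, dropping a cron persistence entry,
    deleting a legitimate job and making a binary setuid."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "sshd_config": "PermitRootLogin no\n",
            "cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
            "bin/ls": "#!/bin/sh\nexec /bin/ls \"$@\"\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        os.chmod(os.path.join(root, "bin/ls"), 0o755)

        # The baseline must live somewhere the attacker cannot rewrite
        # (off-host, like the offloaded logs); here we just round-trip JSON.
        baseline = json.loads(json.dumps(build_baseline(root)))

        with open(os.path.join(root, "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "cron.d/update"), "w") as f:
            f.write("*/5 * * * * root /tmp/.cache/agent\n")
        os.remove(os.path.join(root, "cron.d/backup"))
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12s} {paths}")
```

The baseline and every scan result should be shipped off the monitored host, for the same reason the list gives for log offloading: an attacker with root can rewrite a baseline stored locally just as easily as the files it describes.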

HIPAA Log Requirements

To demonstrate that the confidentiality, integrity and availability of Protected Health Information (PHI) are being protected as HIPAA requires, an organisation should keep audit logs of all activity involving PHI. A well-documented audit trail helps establish what happened in a breach, and reviewing the logs on an ongoing basis can help prevent one. The U.S. Department of Health and Human Services (HHS) has issued guidance on audit controls and logs. Application audit trails monitor and log user activity, including any Electronic Health Record (EHR) files that are created, read, edited or deleted. Systems should also log successful and unsuccessful log-on attempts, the ID/username, log-on and log-off date and time, the type of device, the application accessed and the authentication method, as well as any commands executed by the user and any resources accessed.
These logs establish the normal access patterns of employees and contractors, which makes it possible to detect unauthorised access with stolen login credentials: a valid account logging on from an unfamiliar device, after a run of failed attempts, or touching far more records than its role requires.
To meet HIPAA audit log requirements, it is best to track:
  1. User logins
  2. Database changes
  3. Moves, adds and changes of users
  4. User access levels and files accessed
  5. Logins to operating systems, firewalls and anti-malware
These requirements cover electronic PHI; organisations must also track access to paper PHI, for example with a sign-in/sign-out process for paper files.
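The fields listed above are only useful if something reviews them. The following is an added example written for this page, not Giva's code: three detections run over a constructed audit trail that carries the fields the text names (user, date/time, outcome, device, application, authentication method, resource). The sample events, the baseline window and the thresholds are assumptions chosen for illustration and would be tuned to real access patterns.

```python
"""Detection logic over HIPAA-style audit events.

Added example for this page, not Giva's code. The event fields follow the
ones the text says to log; the sample events, the baseline window and the
thresholds are constructed assumptions and would be tuned to real access
patterns in production.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _ev(ts, user, event, outcome, device, app, auth, resource=""):
    return {"ts": ts, "user": user, "event": event, "outcome": outcome,
            "device": device, "app": app, "auth": auth, "resource": resource}


# Constructed audit trail. 1-3 March establish each user's normal devices;
# 4 March is the day under review.
SAMPLE_EVENTS = [
    _ev("2024-03-01T08:00:00Z", "nurse.patel", "logon", "success", "ws-icu-03", "ehr", "password+otp"),
    _ev("2024-03-01T09:00:00Z", "dr.lee", "logon", "success", "ws-clinic-12", "ehr", "password+otp"),
    _ev("2024-03-02T08:05:00Z", "nurse.patel", "logon", "success", "ws-icu-03", "ehr", "password+otp"),
    _ev("2024-03-02T18:30:00Z", "dr.lee", "logon", "success", "ipad-lee", "ehr", "password+otp"),
    # A normal shift for nurse.patel: known device, a couple of records.
    _ev("2024-03-04T08:01:10Z", "nurse.patel", "logon", "success", "ws-icu-03", "ehr", "password+otp"),
    _ev("2024-03-04T08:05:00Z", "nurse.patel", "read", "success", "ws-icu-03", "ehr", "password+otp", "MRN-1001"),
    _ev("2024-03-04T08:40:00Z", "nurse.patel", "read", "success", "ws-icu-03", "ehr", "password+otp", "MRN-1002"),
    _ev("2024-03-04T09:10:00Z", "nurse.patel", "edit", "success", "ws-icu-03", "ehr", "password+otp", "MRN-1001"),
    # dr.lee's credentials used at 02:10 from a device never seen before:
    # five failures, a success without OTP, then six records in six minutes.
    *[_ev(f"2024-03-04T02:1{i}:00Z", "dr.lee", "logon", "failure", "vpn-unknown-77", "ehr", "password")
      for i in range(5)],
    _ev("2024-03-04T02:15:30Z", "dr.lee", "logon", "success", "vpn-unknown-77", "ehr", "password"),
    *[_ev(f"2024-03-04T02:{16 + i}:00Z", "dr.lee", "read", "success", "vpn-unknown-77", "ehr", "password", f"MRN-{2001 + i}")
      for i in range(6)],
]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """user -> failure count, for users with >= threshold failed logons
    inside any sliding window (password guessing / credential stuffing)."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "logon" and e["outcome"] == "failure":
            failures[e["user"]].append(_ts(e["ts"]))
    flagged = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
    return flagged


def new_device_logons(events, baseline_end):
    """Successful logons on or after baseline_end from a device the user had
    never logged on from before it. Each new device is reported once."""
    known = defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "logon" or e["outcome"] != "success":
            continue
        if e["ts"] < baseline_end:
            known[e["user"]].add(e["device"])
        elif e["device"] not in known[e["user"]]:
            findings.append((e["user"], e["device"], e["ts"], e["auth"]))
            known[e["user"]].add(e["device"])
    return findings


def bulk_record_access(events, max_records_per_day=5):
    """(user, day) -> distinct record count where a user touched more patient
    records in a day than the role-based ceiling (snooping or exfiltration)."""
    per_day = defaultdict(set)
    for e in events:
        if e["event"] in ("create", "read", "edit", "delete") and e["resource"]:
            per_day[(e["user"], e["ts"][:10])].add(e["resource"])
    return {k: len(v) for k, v in per_day.items() if len(v) > max_records_per_day}


def run_detections(events=SAMPLE_EVENTS, baseline_end="2024-03-04T00:00:00Z"):
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "new_device_logons": new_device_logons(events, baseline_end),
        "bulk_record_access": bulk_record_access(events),
    }


if __name__ == "__main__":
    for rule, result in run_detections().items():
        print(rule, result)
```

Each rule only works because the corresponding field was logged: the burst rule needs outcome and time, the device rule needs the device identifier and a history long enough to form a baseline, and the bulk-access rule needs the resource identifier on every read. The new-device finding also carries the authentication method, so an analyst sees at once that the account normally uses OTP and this session did not.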

HIPAA Log Retention Requirements

There is a lot of confusion around log retention requirements, and HHS bulletins have not always been consistent. In general, HIPAA's six-year documentation retention rule (45 CFR 164.316(b)(2)) is applied to audit logs, and some states require even longer. Check the laws of the state where the PHI is maintained; if the state requirement exceeds six years, follow the state law. The capabilities of a Business Associate's systems and the requirements of the Covered Entity should also be considered, and internal audit policies may require more than six years of log retention.

HIPAA Risk Assessment Requirements

The requirement to conduct HIPAA security risk assessments was introduced with the Security Rule in 2003 and extended by the HITECH Act of 2009. The penalties for ignoring it are expensive: a then-record $5.5 million settlement was assessed against Advocate Health Care Network for failing to identify risks.
HHS mandates no specific risk analysis methodology, since Covered Entities and Business Associates all differ, but it does expect the identification of potential risks and vulnerabilities to all PHI. Risk assessments should be completed at least annually, because new technology and organisational practices change often.
HHS suggests that a HIPAA security risk assessment should include the following:
  • Document where PHI is stored, received, maintained or transmitted
  • Document potential threats and vulnerabilities
  • Assess the security policies and procedures for protecting PHI, and whether they are actually followed
  • Assess the likelihood of a threat
  • Assess the potential impact of a PHI breach
  • Assign a risk level to each vulnerability
  • Take action where necessary and document it all for possible audit

HIPAA Vulnerability Scan Requirements

HIPAA rules do not explicitly require vulnerability scans or penetration testing, although they are more important than ever. However, as discussed above, a risk assessment is required, and vulnerability scans and penetration testing are two important tools for a risk assessment. Since hacking in healthcare is so prevalent, it makes good sense to perform these tests. The U.S. National Institute of Standards and Technology (NIST) also recommends vulnerability scans and penetration testing where reasonable and appropriate for the organisation. These tools help document any issues and speed remediation.

Learn More About Giva HIPAA Compliance

  • HIPAA Basics
  • Data Encryption
  • Onsite & Offsite Encrypted Backups
  • Physical, Logical & Network Access Controls
  • Vulnerability Management & Logging
  • Defined & Tested Security Policies & Procedures
  • SSAE 18 SOC II Type 2 Certification
  • Security Risk Assessments & Breaches
  • Web Apps, Websites & Hosting
  • Phone, Mobile & Computer Devices
  • Common Violations, Breaches & Mistakes
  • Remote Work Conferencing & Telehealth
  • HIPAA Audits

Client Success

  • 50% reduction in time to deploy Giva's change, incident, problem, asset management and knowledgebase modules
  • 60% reduction in the 5 year Total Cost of Ownership (TCO)
  • Saved at least 1 FTE due to lower ongoing administration
  • Saved 1 week per month due to easy to use reports
  • Increased to 90% achievement in meeting service level agreements
  • 70% reduction in generating reports and admin; eliminated 35 hours/month
  • 50% faster to create/assign a service request
  • 60% increase in information captured during the initial phone call
  • 50% increase in the number of service requests created due to intuitive design
  • 80% increase in productivity by using Giva's dashboards and reports
  • 60% increase in meeting service level agreements
  • 45% increase in the number of calls logged due to Giva's intuitiveness and ease of use
  • 50% increase in productivity by using Giva's integrated custom forms