HIPAA Vulnerability Management & Logging for Giva's Cloud Help Desk Software
A security-first approach means that a regular assessment of application vulnerabilities is a key part of providing the highest levels of data security for PHI from electronic health and medical records. It's also key to preventing accidental HIPAA violations. Proper HIPAA log risk management is used for anomaly detection and forensic analysis.
Monthly third-party vulnerability and penetration scan
Security team reviews scan results
Remediation of all threats found
Partner with Trustwave for extended validation
Whitelists on IDS/IPS and Web Application Firewalls to ensure vulnerability scanners have an unobstructed view into the infrastructure
Timely infrastructure patching to ensure all security updates are applied
Security research for proactive notification of potential threats
HIPAA compliance assessment
Tripwire Enterprise security solutions
File Integrity Monitoring to detect changes to system files, helping to prevent back doors and rootkits
Log offloading into external log servers to prevent attackers from "covering their tracks"
Enhanced retention of firewall, web app firewall, and event logs
Dual factor authentication with extended logging for remote users
HIPAA Log Requirements
In order to ensure that the confidentiality, integrity and availability of Protected Health Information (PHI) meet HIPAA requirements, an organisation should keep audit logs for all activities. A well-documented audit trail and a log of all activity will help document breaches, and reviewing the logs on an ongoing basis can also help prevent them. The U.S. Department of Health and Human Services (HHS) has set guidance on audit controls and logs. Application audit trails monitor and log user activities, including any files that are created, read, edited, or deleted with respect to Electronic Health Records (EHR). Any system should also log successful and unsuccessful log-on attempts, ID/username, log-on/off date and time events, type of device, application accessed, and authentication method. The logs should also include any other activities, such as commands executed by the user and any resources accessed.
These logs establish access patterns for the employees and contractors in any organisation, making it possible to detect unauthorised access using stolen login credentials.
To meet HIPAA audit log requirements, it is best to track:
Moves, adds and changes of users
User access levels and files accessed
Logins to operating systems, firewalls and anti-malware
These requirements cover electronic PHI, but organisations must also track access to paper PHI to ensure compliance, for example using a sign-in/sign-out process for paper files.
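As an added illustration (not Giva's code and not a description of its logging), the following Python sketch checks audit records for the fields listed above and runs a simple access-pattern check over constructed sample logons to surface the stolen-credential scenario the text mentions; the field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Audit fields the page lists for EHR activity logging.
REQUIRED_FIELDS = ("time", "user", "event", "device", "application", "auth_method")

def validate_record(rec):
    """Return the required audit fields missing or empty in one record."""
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]

def build_baseline(events):
    """Per-user (device, auth_method) pairs seen on past successful logons."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "logon_success":
            seen[e["user"]].add((e["device"], e["auth_method"]))
    return seen

def find_suspicious_logons(events, baseline, max_failures=3, window=timedelta(minutes=10)):
    """Flag successful logons that break a user's access pattern: an unseen
    device/auth pair, or a success after max_failures failures within window."""
    flagged, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda r: r["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event"] == "logon_failure":
            failures[e["user"]].append(t)
            continue
        if e["event"] != "logon_success":
            continue
        recent = [f for f in failures[e["user"]] if t - f <= window]
        reasons = []
        if (e["device"], e["auth_method"]) not in baseline.get(e["user"], set()):
            reasons.append("new device/auth method")
        if len(recent) >= max_failures:
            reasons.append(f"{len(recent)} failures in {window}")
        if reasons:
            flagged.append((e["time"], e["user"], reasons))
        failures[e["user"]] = []  # a success closes the failure run
    return flagged

def ev(time, user, event, device="workstation", auth="password+otp"):
    # Constructed record; application and resource values are illustrative.
    return {"time": time, "user": user, "event": event, "device": device,
            "application": "EHR", "auth_method": auth, "resource": "patient/record"}

# Constructed sample logs: a normal baseline, then an off-hours failure burst
# followed by a success from an unfamiliar device using a weaker method.
BASELINE = [ev("2024-05-01T08:02:00", "jdoe", "logon_success")]
TODAY = [ev(f"2024-05-15T02:1{i}:00", "jdoe", "logon_failure", "mobile", "password") for i in range(3)]
TODAY += [ev("2024-05-15T02:13:30", "jdoe", "logon_success", "mobile", "password"),
          ev("2024-05-15T08:01:00", "jdoe", "logon_success")]
```

The 08:01 logon matches the user's baseline and is not flagged; only the success that follows the failure burst from a new device is reported, which is the kind of event a reviewer would then trace through the file-access entries in the same log.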
HIPAA Log Retention Requirements
There is a lot of confusion around log retention requirements and conflicting information in HHS bulletins. In general, the HIPAA log retention policy is six years; however, some states require even longer. Check the laws of the state where the PHI data is maintained. If the state law requires longer than six years, then adhere to the state law. The capabilities of a Business Associate's systems, as well as the requirements of the Covered Entity, should also be considered, as internal audit policies may require even more than six years of log retention.
HIPAA Risk Assessment Requirements
The requirement for conducting HIPAA security risk assessments was first introduced in 2003 and extended by the HITECH Act of 2009. A record $5.5 million fine was assessed against Advocate Health Care Network for failing to identify risks, so the penalties can be expensive.
No specific risk analysis methodology is mandated by the HHS; Covered Entities and Business Associates are all different. HHS recommends identifying the potential risks and vulnerabilities to all PHI. Risk assessments should be completed on at least an annual basis, as new technology and organisational practices often change.
The HHS suggests that the following should be included in a HIPAA security risk assessment:
Document where PHI is stored, received, maintained or transmitted
Document potential threats and vulnerabilities
Assess whether security policies and procedures for protecting PHI are in place and used properly
Assess the likelihood of a threat
Assess the potential impact of a PHI breach
Assign risk levels for vulnerability
Take action where necessary and document it all for possible audit
HIPAA Vulnerability Scan Requirements
HIPAA rules do not require vulnerability scans or penetration testing, although they are more important than ever. However, as discussed above, a risk assessment is required, and vulnerability scans and penetration testing are two important tools for risk assessments. Since hacking in healthcare is so prevalent, it makes good sense to perform these tests. NIST (the U.S. National Institute of Standards and Technology) also recommends vulnerability scans and penetration testing where reasonable and appropriate for your organisation. These tools will help document any issues and speed remediation.