WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

Transcription

1 WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

2 Complying With HIPAA The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure that personal information stored, accessed, or processed adheres to a set of guidelines or security rules. These rules outline security measures that should be implemented to adequately secure all electronic protected health information (EPHI). The Secretary of Health and Human Services enforces this law. Non-compliance can lead to civil monetary penalties and public distrust. The collection, management, and analysis of log data is integral to meeting many HIPAA requirements. The use of LogRhythm directly meets some requirements and decreases the cost of complying with others. IT environments consist of heterogeneous devices, systems, and applications all reporting log data. Millions of individual log entries can be generated daily if not hourly. The task of organizing this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly. and notifies relevant personnel. With the click of a mouse, LogRhythm s out-of-the box HIPAA reporting packages ensure you meet your reporting requirements. The National Institute of Standards and Technology (NIST) Special Publication provides guidance for meeting HIPAA Standards. The remainder of this paper lists the applicable standards LogRhythm can help address. For each standard, an explanation of how LogRhythm supports compliance is provided. Learn how LogRhythm s comprehensive log management and analysis solution can help your organization meet or exceed HIPAA regulatory requirements. LogRhythm can help. Log collection, archive, and recovery is fully automated across the entire IT infrastructure. LogRhythm automatically performs the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm s powerful alerting capability automatically identifies the most critical issues LogRhythm Report Center Screenshot PAGE 1

3 LogRhythm Compliance Support for HIPAA The table below outlines each HIPAA Standard and associated Security Rule that LogRhythm helps to address. The Compliance Requirements were taken directly from NIST Special Publication titled An Introductory Resource Guide for Implementing the HIPAA Security Rule. These columns briefly describe the key activities and descriptions that are necessary to reach compliance. The column describes the capabilities LogRhythm provides that help a company achieve compliance. In some cases LogRhythm can be used to directly meet the compliance requirement, in others, LogRhythm helps verify the compliance requirement is met and/or reduces the cost of meeting the requirement. Administrative Safeguards 4.1 Security Management Process (a)(1) HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations. 7. Develop and Deploy the Information System Activity Review Process 8. Develop Appropriate Standard operating procedures 9. Implement the Information System Activity Review and Audit Process Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. Activate the necessary review process and begin auditing and logging activity. LogRhythm provides centralized monitoring, analysis, and reporting of audit activity across the entire IT infrastructure. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real-time or alerted on. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity. Audit Failures by User Audit Failures by Host Suspicious Activity by User Suspicious Activity by Host Top Suspicious Users Top Targeted Hosts Top Targeted Applications LogRhythm collects and analyzes log data from operating systems, applications, and databases. This includes logs from intrusion detection/prevention systems, anti-virus systems, firewalls, and other security devices. All log data is normalized and centrally stored and secured for easy exception-based reporting. LogRhythm can correlate activity across user, origin host, impacted host, application and more. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity. Audit Failures by User Audit Failures by Host Suspicious Activity by User Suspicious Activity by Host Top Suspicious Users Top Targeted Hosts Top Targeted Applications LogRhythm s Personal Dashboard provides customized real-time monitoring of event activity and alerts. LogRhythm s Investigator provides deep forensic analysis of intrusion related activity. LogRhythm s integrated knowledge base provides information and references useful in responding to and resolving intrusions. PAGE 2

4 Administrative Safeguards 4.6 Security Incident Procedures ( (a)(6)) HIPAA Standard: Implement policies and procedures to address security incidents. 1. Determine Goals of Incident Response 3. Develop and Implement Procedures to Respond to and Report Security Incidents Gain an understanding as to what constitutes a true security incident. Under the HIPAA Security Rule a security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (45 CFR ) Determine how the organization will respond to a security incident. Establish a reporting mechanism and a process to coordinate responses to the security incident. Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups as needed. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. Document incident response procedures that can provide a single point of reference to guide the day-to-day operations of the incident response team. Review incident response procedures with staff with roles and responsibilities related to incident response, solicit suggestions for improvements, and make changes to reflect input if reasonable and appropriate. LogRhythm s alerting capability can detect and notify individuals of activity that may constitute an incident. LogRhythm s analysis capabilities provide quick & easy analysis of activity to determine root cause and impact. LogRhythm s notification capabilities can route alerts to the appropriate individual based on group membership or relationship to the impacted system. LogRhythm reports provide summary and detail level reporting of incident based alerts. LogRhythm s Investigator and reporting capabilities facilitate the documentation efforts for incident response procedures. LogRhythm s integrated knowledge base provides information useful in responding to and resolving the incident Access Control ( (a)(1)) HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. 6. Review and Update User Access 9. Terminate Access if it is No Longer Required Enforce policy and procedures as a matter of ongoing operations. Determine if any changes are needed for access control mechanisms. Establish procedures for updating access when users require the following: - Initial access. - Increased access. - Access to different systems or applications than those they currently have. Ensure access to EPHI is terminated if the access is no longer authorized. LogRhythm reports provide easy review of permissions granted to ensure access rights have been terminated and/or appropriately modified. Access Granted/Revoked by Host Access Granted/Revoked by Application LogRhythm reports provide easy review of terminated personnel to ensure access rights have been removed. LogRhythm alerts can detect the use of accounts that should have been terminated. Disabled/Removed Account Summary Disabled/Removed Accounts by Host Disabled/Removed Accounts by Application PAGE 3

5 4.15 Audit Controls ( (b)) HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. 4. Develop Appropriate Standard Operating Procedures 5. Implement the Audit/System Activity Review Process Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. Activate the necessary audit system. Begin logging and auditing procedures. LogRhythm can collect logs from intrusion detection/prevention systems, anti-virus systems, firewalls, and other security devices. LogRhythm provides central analysis and monitoring of intrusion related activity across the IT infrastructure. LogRhythm can correlate activity across user, origin host, impacted host, application and more. LogRhythm can be configured to identify known bad hosts and networks. LogRhythm s Personal Dashboard provides customized real-time monitoring of event activity and alerts. LogRhythm s Investigator provides deep forensic analysis of intrusion related activity. LogRhythm s integrated knowledge base provides information and references useful in responding to and resolving intrusions. LogRhythm reports enable easy and standard review of exceptions. Access Granted/Revoked by Object Successful/Failed File Access by User Successful/Failed Host Access by User Successful/Failed Application Access by User 4.16 Integrity ( (c)(1)) HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. 1. Identify All Users Who Have Been Authorized to Access EPHI 4. Implement Procedures to Address These Requirements Identify all approved users with the ability to alter or destroy data, if reasonable and appropriate. Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2, below. Identify and implement methods that will be used to protect the information from modification. Identify and implement tools and techniques to be developed or procured that support the assurance of integrity. LogRhythm collects all access activity and changes to access controls. LogRhythm reports provide easy and independent review of access control settings and enforcement. Access Granted/Revoked by Object Successful/Failed File Access by User Successful/Failed Host Access by User Successful/Failed Application Access by User LogRhythm s file integrity monitoring capability can be used to detect, report and/or alert on the following changes to the file system: Additions Modifications Deletions Permissions This capability can be used to detect unauthorized alteration and destruction of information. INFO@LOGRHYTHM.COM PAGE LogRhythm Inc. Whitepaper - HIPAA Compliance