HIPAA Compliance Log Reporting

Transcription

1 ALERT LOGIC LOG MANAGER HIPAA 2013 REPORT PACK Overview of Alert Logic s Log Manager HIPAA 2013 report pack; methodology, report types, and HIPAA mapping. Contents Methodology... 2 Report Types... 3 HIPAA Coverage... 4 Report Categories... 5 Frequently Asked Questions... 6

2 Methodology HIPAA compliance log reporting mandates focus on providing the capability to demonstrate integrity of access controls, encryption, auditing, backups, and continuity of retained records. In order to understand why the HIPAA reporting pack differs from those for other industries, we need to consider the ways in which HIPAA mandates a slightly different approach to IT security. That approach differs in the degree to which requirements are mandated and enforced on systems that contain electronic patient health information (e-phi). Because these are mandated and enforced, we more often see e-phi systems hardened and access controls more narrowly restricted in scope of data as well as access to software applications. That is, compared to a typical business system, the systems which host e-phi will normally be hardened according to an organization-specific risk analysis, and as a result, provide much more limited access to software other than the electronic medical records (EMR) systems which they host. The Office for Civil Rights (OCR) [2010, p1] states, The security rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-phi. Risk analysis is one of four required implementations, within which four capabilities are mandated: authentication, access controls, encryption at rest and in transit, and backups. Log data on e-phi systems may differ in fundamental ways as compared to logs on general purpose business desktop or laptop systems, or even a multi-purpose server. What may be considered normal activity on an e-phi system is often greatly narrowed by the system hardening and restricted range of applications. Because the data exhibit significant differences, there are differences in the way log reports may be tailored for HIPAA compliant systems. As a result of mandates, log reporting for HIPAA systems has a significantly more inclusive focus of normal system activity in validating the health of controls and operating systems that support risk control. Log reporting is motivated by the mandate to demonstrate integrity of auditing with respect to both gaps in continuity and completeness of retention. HIPAA d2, pg. 7-79, and , mandate auditing and integrity of the audit logs. The Office of the National Coordinator for Health Information Technology (ONC HIT) provides suggested ways of approaching the Centers for Medicare & Medicaid Services (CMS) guidelines for ongoing information security risk management [p9 ]. The Office for Civil Rights (OCR) states [2010 p7], In order for an entity to update and document its security measures as needed, which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. ONC HIT Core Measure 15 recommends organizations demonstrate ongoing assessment of security capabilities. Log reporting provides a crucial link between implementation of controls and either validation or remediation according to risk analysis. Contiguous log reporting provides the capability to demonstrate continuous risk analysis, with completeness in both time and retention of records. This completeness is essential in translating periodic analysis into continuous risk assessment, and more importantly, capability to demonstrate to a third party, the performance of continuous risk assessment through cyclic log review. The bottom line: When records have gaps, they cover periods, thus risk analysis is periodic. When records are contiguous, risk analysis is continuous. Alert Logic s reporting capabilities provide the means to validate ongoing risk analysis through continuity and completeness of archived daily reports covering mandated areas.

3 Report Types HIPAA log reporting focuses on providing the capability to demonstrate integrity of access controls, encryption, auditing, and backups, as well as continuity of retained records of each category. HIPAA guidelines favor contiguous monitoring and ongoing timely review. As a result, the volume of data may create significant burdens, especially in large organizations. An overwhelming volume of events can completely obstruct any ability to identify undesirable activity and identify distinguishing attributes. Without data reduction tools, one may not be able to see forest for the trees. When the raw data is highly repetitive, it may obscure any ability to observe distinguishing characteristics which relate a set of events sprinkled among unrelated data. In order to make data review more time efficient, each report in the HIPAA pack is provided in three forms: high level Summary, intermediate Survey of variations in parameters, and full Detail of individual log messages. Summary Report The high level summary focuses on a primary target affected by the action: a user, host or object affected. It provides a count of the number of events per event type and per affected user, host or object such as the number of failed logins per authentication method and per target account name. For example, above is a single line from the daily (24h) report "Access Control Change on Group". The line shows a frequency of 319 members per day added to groups for this event type. Survey Report The intermediate Survey report provides additional detail including the frequency of invoking user names and remote host names, or other secondary parameter values that qualify how or who performed the actions such as the count of how many invocations per host name and per caller user name. Continuing with the example of the Access Control Change on Group" report, within the 319 members added per day to groups, we now see the breakdown of Administrator accounts added, with three variations in group type: Local, Universal, and Global group type.

4 Detail Report The Detail report includes each individual log message (full text) specified within a report category used to generate results in the Summary and Survey reports. To complete our example, within the 319 members added to Windows Group Member Added, 22 included the Global Group type. And now, within the Detail report, is the full log message for each member added to the Global group. HIPAA Coverage The Log Manager HIPAA 2013 reports were designed to address the following HIPAA 2013 compliance sections: HIPAA Mapping HIPAA a.4- Object Access - Failed and Successful attempts to access files and registry HIPAA a.5.ii.B Protection from malicious software HIPAA a.5.ii.B Protection from malicious software HIPAA a.4 - System Startup/Shutdown

5 Report Categories The Log Manager HIPAA 2013 report pack contains 19 report categories; each with a Summary, Survey, and Detail report (total 57) Report Name Description HIPAA Mapping Shows changes in users' account or other objects which control Access Control Change on User access to resources. Access Control Change on Named Admin User Shows changes in accounts having the user name 'Admin' or 'Administrator'. Access Control Change on Administrative User Shows changes in user accounts that have administrative privileges. Access Control Change on Group Shows changes in objects that control a group of users' access to systems or services. Authentication of User Failed Shows failed authenticated access to systems or services by a user. Authentication of User Succeeded Authentication of Named Admin User Failed Shows authenticated access to systems or services by a user. Shows failed authenticated access to systems or services by a user named Admin or Administrator. Authentication of Named Admin User Succeeded Shows authenticated access to systems or services by a user named Admin or Administrator. Cryptographic Availability Cryptographic Exceptions Shows transitions in the availability of cryptographic services that provide authentication or privacy. Shows errors, failures and other exceptions in cryptographic services that provide authentication or privacy. Database Authentication Database Backup Auditing Availability Auditing Exception Shows authenticated access by a user to a database. Shows transitions in database backup service availability, as well as occurrences of database backups. Shows transitions in the availability of services that archive audit records. Showss errors, failures and other exceptions in services that archive audit records. Shows occurrences of access to objects that auditing enabled. HIPAA a.4- Object Access - Failed and Successful Access to Audited Object attempts to access files and registry Host Antivirus Availability Shows transitions in availability of anti-virus services. HIPAA a.5.ii.B Protection from malicious software Shows occurrences of files, web pages, and connections infected HIPAA a.5.ii.B Protection from malicious software Host Malware Detected with malware. System Availability Shows transitions in the availability of systems. HIPAA a.4 - System Startup/Shutdown

6 Frequently Asked Questions Where are the Log Manager HIPAA 2013 reports located? All reports are available through the Log Manager user interface. From the Log Manager Messages page, click on the Gear icon (upper right), and select Available Saved Views. From the left folder hierarchy, select the HIPAA 2013 folder. Is there an additional cost to use these reports? No, access and use of these reports (and other Saved View reports) is part of the standard Log Manager license. How often can I run/review these reports? Reports can be loaded to run immediately, daily, or at any scheduled time you require. Loading and scheduling reports is done on the Available Saved View page. Does Log Manager Log Review Service use these reports? No, the Log Review Service utilizes a set of reports designed for the PCI DSS daily log review compliance mandate. Can I customize these reports for my needs? Yes. From the Available Saved View page, select the report of interest, click Load View. The data filters used to create the report will be exposed within the Search window. There, you can add, delete, or modify existing filters. Once complete, click the Gear icon and select Save View to create a new folder and save this version as your own. Are there any special set up considerations for using these reports? All reports will include the log data which meet the criteria of the report and are available within your data set. While standard logging best practices will likely generate the required log data, one report, Access to Audited Object utilizes Object Access logs. If this type of logging is not enabled in your environment today, and the report is desired, you must enable Object Access logging on the target machines/directories.