Thursday, August 25, 2011

HIPAA Logging Requirements

Health care and insurance organizations must have secure logging protocols.


The Health Information Portability and Accountability Act (HIPAA) Security Rule came into final effect in 2006, requiring 18 safeguard standards governing how health care providers and insurers manage patient information. All covered entities must be in full compliance or they can face lawsuits, loss of business and, for Medicare participants, sanctions by the Centers for Medicare Services. In 2009, the American Recovery and Reinvestment Act strengthened the push for HIPAA compliance by giving the U.S. Department of Health and Human Services the mandate to promote the development of a nationwide interoperable Health IT infrastructure.


Provider Flexibility


The HIPAA Audit Controls rules establish that, "Entities have flexibility to implement the standard in a manner appropriate to their needs as deemed necessary by their own risk analyses." This leaves some gray area that each affected party or organization must decide for itself when developing computer login and logout procedures, among other information technology procedures. However, with so many facilities and companies working with the federal government to comply, common standards have emerged.


General Events


Information system servers need to be able to capture and record logging data for long-term records. In particular, the logged events should include successful and unsuccessful login attempts, logouts, changes to user accounts, changes to privilege levels, use of privileged accounts and utilities, timeouts, instances of excessive failed logins, and any event in which one user logs out and another logs in immediately thereafter.


Monitoring Activities


System administrators have special responsibilities to ensure logging compliance. Suspicious events, such as multiple failed logins or any login attacks against the system, require follow-up investigation. Users should be required to have very strong and generally complex passwords. Suspicious events should be reviewed with management officials. Systems should correlate changes to systems and files with the user who performed them.
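As an added example (not part of the original post), the following Python script applies two of the review rules above to a constructed audit log: it flags a user with excessive failed logins inside a short window, and a logout followed immediately by a different user's login. The log format, the event names and the thresholds are assumptions to be adapted to the system being audited.

```python
"""Flag suspicious authentication events in an audit log (added example).

Assumptions: one event per line, chronological order, format
"<ISO timestamp> <EVENT> user=<name>"; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2011-08-25T09:00:01 LOGIN_FAIL user=jsmith
2011-08-25T09:00:05 LOGIN_FAIL user=jsmith
2011-08-25T09:00:09 LOGIN_FAIL user=jsmith
2011-08-25T09:00:12 LOGIN_FAIL user=jsmith
2011-08-25T09:00:14 LOGIN_FAIL user=jsmith
2011-08-25T09:01:00 LOGIN_OK user=jsmith
2011-08-25T09:30:00 LOGOUT user=jsmith
2011-08-25T09:30:20 LOGIN_OK user=rjones
2011-08-25T10:00:00 LOGOUT user=rjones
2011-08-25T10:30:00 LOGIN_OK user=rjones
"""

def parse(log):
    """Return a list of (timestamp, event, user) tuples."""
    events = []
    for line in log.splitlines():
        ts, event, user = line.split()
        events.append((datetime.fromisoformat(ts), event, user.split("=", 1)[1]))
    return events

def excessive_failed_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` LOGIN_FAIL events in any rolling `window`."""
    flagged, fails = set(), defaultdict(list)
    for ts, event, user in events:
        if event != "LOGIN_FAIL":
            continue
        recent = fails[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.pop(0)
        if len(recent) >= threshold:
            flagged.add(user)
    return flagged

def logout_then_other_login(events, gap=timedelta(minutes=1)):
    """(logout_user, login_user, seconds) for a logout followed within `gap`
    by a successful login of a different user on the same system."""
    hits, last_logout = [], None
    for ts, event, user in events:
        if event == "LOGOUT":
            last_logout = (ts, user)
        elif event == "LOGIN_OK" and last_logout:
            lt, lu = last_logout
            if user != lu and ts - lt <= gap:
                hits.append((lu, user, int((ts - lt).total_seconds())))
            last_logout = None
    return hits
```

Both findings are meant to be reviewed by an administrator and escalated to management, as the section describes, not acted on automatically.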


General Controls


Organizations need to have detailed records of which system is capable of logging which pieces of information. They also need to keep careful track of which users perform what tasks in which systems. Login records should provide system administrators and organization managers with an audit trail that shows what each user has done in each and every system.
