The Pros and Cons of an Onsite HIPAA Audit

Is a HIPAA audit right for your organization?

By: Tod Ferran, CISSP, QSA

Ever wondered how HIPAA compliant your organization actually is? Are you struggling with the implementation of certain HIPAA requirements? Are you concerned your organization might not pass an OCR HIPAA audit?

Contracting with an external professional to perform an onsite HIPAA audit might be a good option for you. If you are a business associate, a 3rd party onsite compliance assessment is vital in showing your partners you take HIPAA compliance and the security of their patient information seriously. This is a great differentiator because not all business associates do this.

A HIPAA audit is a thorough examination of an entity’s HIPAA compliance practices to discover any problems, loose ends, or security vulnerabilities.

HIPAA audits are a great way to help get your HIPAA compliance in order. However, they aren’t right for every organization.
Here are the pros and cons of contracting with a third party for a HIPAA audit.

Pros of an onsite HIPAA audit

You don’t have to spend as much time on HIPAA
Because your auditor is analyzing your HIPAA requirements for you, you don’t have to spend as much time organizing certain components of HIPAA compliance. Learn how to speed up your HIPAA audit.

You can trust your auditors to find holes
External HIPAA auditors are experts. They know healthcare’s list of common mistakes and are experts at finding what you still need to do to become HIPAA compliant. Guaranteed, they will catch something your internal HIPAA compliance team missed.

Your auditor is objective
A third party HIPAA auditor will be objective, focused, and agnostic. Conducting an internal audit with your own workforce staff is a great first step, but the results may not be accurate. There is always the chance that a staff member may accidentally or purposely overlook something. The great thing about a third party auditor is, they give you all the information you need, then leave you to decide what to do with the information presented.

You’ll get reports
An external auditor should provide a HIPAA compliance report that documents the security efforts and compliance status of your organization. This documentation should give you and executive management an overall picture of your HIPAA compliance. You will likely want to share your compliance report with your partners, business associates, and customers.

Your patient data security will increase
Onsite auditors provide the information you need to fix security and privacy vulnerabilities that could potentially lead to a data breach. Like I said above, these guys are security experts. They know the common holes hackers look for when compromising an organization. After you implement your auditor’s suggestions, your security will skyrocket.

You’ll feel more prepared for the future
Depending on which company you hire, your onsite auditor may help you create a risk analysis and risk management plan based on what they found during the compliance assessment. This entire audit process will help you prepare for an OCR audit and feel more secure about your organization’s HIPAA compliance posture.

Learn more about SecurityMetrics’ HIPAA auditing process

Cons of an onsite HIPAA audit

Things change
Your systems and processes change over time, so the results from a HIPAA audit will not remain accurate for long. If you do decide to hire a company to conduct an onsite HIPAA audit, it’s important to take their recommendations into consideration immediately during and after their visit. Because environment change is unavoidable, prepare to invest in annual audits.

You have to spend time researching your auditor
While the HHS does not certify a single auditing authority, not all auditing companies are created equal. Don’t settle for an accountant or internal financial auditor who has lots of experience with auditing but virtually no experience in data security implementation. Ultimately, you must find a company you trust.

You have to explain your environment
The auditor you hire is familiar with the generalities of the healthcare industry, but every organization is set up differently. Be prepared to spend time walking him through your office, data center, or server room, and give a detailed explanation of how patient data travels within your organization. A PHI map will help make the process go faster.

It costs money

A HIPAA audit can cost from $5,000 to well over $100,000, depending on your size, infrastructure, and proximity from the auditor’s location. As you consider your data security budget, you should also consider the cost of a data breach to your organization. After all, a lack of patient data security can affect your bottom line. If you undergo a data breach, 40% of your patients will find a new provider. If you are found not to be compliant, the HHS can fine you up to $50,000 per violation, per day. If your patient data is compromised, your patients can file a civil lawsuit against you for not following HIPAA compliance. On top of all this, state and local governments are fining HIPAA violators as well.

You actually have to follow up on recommendations
There’s no point in getting an audit if you don’t plan on making changes after the fact. If your auditor finds problems or vulnerabilities (which he/she will) and you don’t fix them, you just wasted a lot of resources. If the OCR ever audits you and discovers you chose not to fix vulnerabilities, they will probably fine you for willful negligence.


Analysis: Is a HIPAA audit worth it?

So, now that we know the pros and cons, is a HIPAA compliance audit valuable? It depends. Here are some things to consider:
  • Your size: If you are a small doctor’s office, a HIPAA audit will probably not be worth the time and money spent. If you are looking for HIPAA assistance, you are probably better off getting help through a Guided HIPAA Compliance service instead. However, if you are a BA, regardless of size, you should have an onsite HIPAA audit.
  • Your budget: HIPAA audits cost from $5,000 to $100,000+, depending on your size and infrastructure. Obviously, an audit will cost more for a multi-location hospital than a medium-sized practitioner.
  • Your experience: Are you a security expert? If so, a HIPAA audit may be overkill. However, don’t underestimate the value of a good conversation with a third party professional. You may wish to talk to a HIPAA consultant to ensure you’ve adequately met all HIPAA requirements.
Hopefully this analysis helped you decide if a HIPAA audit is right for you and your organization. If you’re interested in hiring me to conduct your onsite HIPAA audit, request a quote for a HIPAA audit here, and we’ll get in touch.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.


7 Internal Communication Best Practices for IT Security

Hurt feelings, techspeak, and process errors all lead to compromise.

By: Brand Barney, Security Analyst

Lack of interdepartmental communication is ruining your security. And not just yours. Everyone’s. This problem spans departments, companies, industries, and state lines. This is the giant elephant in the room that everyone lives with. It’s ruining products, destroying employee morale, and even causing data breaches.

The struggle is real folks.

How does a communication error result in a data breach, you ask? To put it simply, if departments don’t work together, security doesn’t happen. 
  • If there is no process for IT to communicate with the CISO, IT might forget to tell him/her that a security assessor is coming on Thursday to audit the security of their company (true story)
  • If the head of customer support refuses to speak with the director of development because of an age-old feud, he won’t have the chance to tell him that a customer found a security bug in their website (true story)
  • If a salesman gets annoyed at IT because the Wi-Fi goes down again and his paycheck is on the line, he might choose to secretly connect to a free, unverified, vulnerable Wi-Fi signal (also a true story)
See what I’m getting at?

Ultimately, department heads aren’t the only ones affected by interdepartmental communication problems. If these problems lead to a breach, the entire company gets egg on its face. Not to mention the poor customers whose data was stolen by a hacker in the midst of this rampant communication debacle.
So, how do you avoid communication problems at your organization? Keep reading to find out how to fix this problem.
First, let’s dig into company culture.

How did this backwards communication culture begin?

Each department hires like-minded people, which can lead to problems if each department cannot communicate effectively. Departments or teams often work against each other because of pride or elitism. Maybe they feel the other group is not competent. For example, a team may decide to branch off and handle an issue on their own because they feel the other group is too busy or isn’t up to snuff. “I’ll just do it myself. Those guys don’t know what they are doing.” Yikes. 

To make it worse, the poor communication culture from other companies gets thrown in the mix when employees are hired on from the outside. If an IT department hires three new employees from three very different technology companies, each will have a different expectation of how their team should operate. Does this phrase sound familiar? “But at my old company…” 

Another contributing factor to communication problems is what I like to call techspeak, endearingly called technobabble in some circles. All industries and even companies within the same industry use different lingo to mean different things. In some circles only certain verbiage is considered appropriate or accurate. You could be speaking about the exact same process, but using entirely different terms to describe it.

Here’s an example. I use the term ‘grep’ all the time, like a total geek. As in, “I’ll go ahead and grep for it.” Only a tech geek would understand that ‘grep’ is a Unix term for ‘search’. If I said ‘grep’ to upper management, they would probably think I was going to fix the problem, when I only meant I would search for a solution.

Once all these factors start muddling up departments, the tension starts to build. Pent up frustration is taken out in meetings. Departments forget to talk to each other. Lack of communication becomes part of company culture. Department goals polarize. Pretty soon, the left hand has no idea what the right is doing. Congratulations, now your company has tiny clusters of semi-functional groups instead of working as a whole.

What is at risk?

Before you put your blinders on and think, “This isn’t a problem in my company,” think again. Your policies don’t protect against this. Your policies don’t protect against raw human anger or pride. Your employees aren’t saints. Internal communication problems are an epidemic, no matter what industry you’re in. And they’re costing you.

In my opinion, communication problems are the #1 reason you lose star employees. Communication problems are extremely demotivating to an employee. Mountains of hurt feelings, department feuds, and poor security get tiring after a few years. “Nobody even cares about security around here.” “Nobody even likes me in this company.” “Nobody even asked me for that security report last month.” IT guys are especially susceptible to this demotivating environment.

I’ve actually spoken with several recruiters in the security, IT, and medical spaces. Do you know what they capitalize on in their LinkedIn, email, and phone pitches? Surprisingly, it’s not always salary. They will often upsell a better company culture over salary. Sure, salary will always play a role in their pitch, but they realize from talking to a never-ending stream of unhappy employees that company culture and team communication are the key to success and happiness. I have talked with numerous developers and salesmen who weren’t even looking for a job, but jumped at the opportunity when offered a better work environment. Obviously, you can’t keep everyone happy. But if you don’t want to lose your superstar employees, this is a good point to remember.

Even more important than your decreasing employee morale is your company’s diminishing security. The reasons for that insecurity are extremely simple to fix. On an audit I conducted a few months ago, a company supervisor and I were confused why logs from the IDS/IPS weren’t being checked. When we asked, the IT employee simply stated, “The alerts from the IDS were noisy, so I turned them off.” A simple communication from IT to the supervisor would have allowed the supervisor to assist the IT employee with proper IDS/IPS configuration, allowing for a much better security posture.

That’s just a simple example that could extend to any point in your security process. Are product managers communicating the implementation dates for new products to developers? If not, security might go on the backburner while developers scramble to launch the product. Etcetera.  

SEE ALSO: Coding Culture Will Ruin Your Audit…And Your Security

How do you fix the internal communication problem?

Obviously communication is a giant problem, which means you won’t be able to fix it overnight. But you can be the one to start the change at your company. Here are seven things to consider when instigating your communication transformation. 

1. Be honest with yourself. You have a problem. 
HR departments, department directors, CIOs, guess what? You’ve got a problem. It’s costing you money. It’s costing you employees. It’s costing you customers. That problem is poor internal communication. 

Just for a second, think of the one problem that keeps you up at night. I bet in 90% of cases, whatever problem you are thinking of boils down to communication issues across departments. I’m definitely guilty of hastily glazing over an issue just to later realize it was a communication problem. It could have been solved right away, but since I prolonged it, it only got worse.

Now that you’ve passed the ‘admit-you-have-a-problem’ stage…

2. Have defined training. (Yes, I’m serious)
It sounds fluffy, but training is how you can prevent hurt feelings and process screw-ups. I know you don’t want to be micromanaged (I know I don’t), but this culture we’ve all created needs to be scooped out and replaced with communication processes. This somewhat painful transformation happens through regular training.

Your trainings should probably address:
  • The problem itself
  • How the problem is damaging your company, employees, and customers
  • Your clearly defined process for how communication should happen 
  • What to do if your feelings have been hurt
  • How you can bring up complaints

3. Hold interdepartmental ‘needs’ meetings.
I know, the last thing you need is another meeting, but these don’t need to be long diatribes. They should focus on discussing what each department needs from the other, including timelines, milestones, and goals. Proactively and honestly talk about what’s going well, and what’s not.

4. Address hurt feelings. 
Everyone has their own view on how certain issues, including security issues, should be handled. All it takes is one misguided or misspoken piece of feedback to hurt someone’s feelings and completely derail the course of your team’s security efforts. 

I’ve worked with companies where both new and seasoned security experts’ knowledge is questioned. So when departments come together for a combined security effort, everyone is walking on eggshells. Be mindful of this.

5. Tell your employees why. 
Sometimes employees just want to know the ‘why’ of things. Why are we buying this product? Why didn’t we buy the product I researched and suggested? Why didn’t we implement this solution? Why? WHY? WHY????

When employees don’t get answers to their ‘why’s’, they decide to take matters into their own hands. And that’s when security and process problems start. Remember, your employees have the keys to the kingdom. You rarely hold anything other than the checkbook. Answer those employee questions as quickly and succinctly as possible.

You don’t always have to spell it out to your IT team, but having a reason will give your team a direction and will keep their motivation up. Otherwise they may just throw in the towel (and your security with it.)

6. Hold your own department accountable. 
You can’t get mad at other departments for a faulty communication process if your own department’s communication process is also fundamentally flawed. So how do you prove to other departments that you are, in fact, dependable? I recommend setting up a ticketing system to give transparent insight into what your department does, and how quickly it does it.

7. Start fun communication exercises. 
I’m not talking about conference room trust falls here. Make your exercises fun! Learn what your employees’ culture is, and adapt. For example, have your departments get together to play laser tag every month. Or get your teams to intermingle in a weekly LAN game. People that play together, stay together! Do what is feasible for your company, but make sure each group and team knows its roles and responsibilities and is able to work cooperatively with the others. It really can be fun.


Start communicating, stay secure!

I’ve rarely seen a breach happen due to highly advanced cyberwarfare (although they do happen). Most breaches boil down to employee communication problems, which lead to real world problems and security vulnerabilities (firewalls not properly configured, employees not trained, systems not patched, logging not enabled, etc.). The bad guys take advantage of those problems while we are arguing amongst ourselves. If you start in your own department to be more open and willing to communicate with others, I promise your security environment will begin to improve.

Brand Barney (CISSP, HCISPP) is an Associate Security Analyst at SecurityMetrics and has over 10 years of compliance, data security, and database management experience. Follow him on Twitter and check out his other blog posts.


7 HIPAA Myths and Misunderstandings, Debunked

Don’t fall prey to these common HIPAA misunderstandings.

By: Tod Ferran, CISSP, QSA

When was the last time you researched HIPAA compliance? You may have seen the latest HIPAA news on the HHS website, heard something in a conversation with your neighboring practitioner, scanned a conversation in a LinkedIn group, read an email, or heard a HIPAA speaker at last summer’s healthcare conference. There is so much information to absorb about HIPAA compliance!

There is a lot of really good information out there. But there are also a lot of misconceptions.
Here are the 7 worst myths I’ve heard about HIPAA compliance.

Myth #1: “HIPAA doesn’t apply to me.”

Here are some excuses I regularly hear that do not actually disqualify an entity from HIPAA compliance.
  • We’re too small. Actually, HIPAA applies to all shapes and sizes. As long as you store, process, transmit, maintain, or touch protected health information (PHI) in any way, you must be compliant.  
  • My EHR system meets all my entity’s HIPAA requirements. While your EHR may decrease your HIPAA compliance requirements, it definitely doesn’t exempt you from HIPAA altogether. 
  • All our data is in the cloud. Even if you have a fully HIPAA compliant cloud vendor, your patient data still has to go through all of your systems to get to the cloud. 
  • My entity type is exempt. HIPAA applies to clearinghouses, health plans, HIEs, healthcare providers (most of you), and business associates. Chances are, you’re not exempt.
  • We’re all paper. HIPAA privacy requirements cover all patient records, not just electronic health records. So even if you only have paper patient records, you still must be compliant with the HIPAA Privacy Rule.
  • We don’t accept/bill insurances. Accepting insurance isn’t a prerequisite of HIPAA compliance.
  • We don’t belong to a HIE/clearinghouse. Belonging to an HIE or clearinghouse isn’t a prerequisite for HIPAA. HIPAA applies to any healthcare entity that transmits, stores, or handles PHI.
  • We don’t have PHI. Protected health information (PHI) includes a patient’s name, their Social Security Number, address, birthday, or a dozen other data points. So as long as you store, process, transmit, maintain, or touch PHI in any way, you must be compliant.
  • We accept only cash. Payment processing methods have nothing to do with HIPAA. You’re probably thinking of PCI DSS compliance. If you accept only cash, congrats! You are exempt from PCI DSS! However…you still have to comply with HIPAA.
SEE ALSO: HIPAA FAQ

Myth #2: “I can skip HIPAA.”

Lots of organizations think, “Even if I get breached, it won’t matter. So why should I bother wasting resources on HIPAA compliance?”

Wrong! Did you know, according to Cintas, 40% of patients would change doctors/dentists if theirs were breached? Not to mention, if you are breached, the cost per patient record is $359, not including litigation. 

If you lost a third of your patient database, and had to pay $359 per lost/stolen patient record, would your business survive? 

Myth #3: “My IT guy/attorney has me covered.”

IT specialists may be good at implementation, but they require additional security direction. For example, most IT guys know how to configure a firewall, but don’t know how to configure it securely to make sure hackers can’t get in.

Now, an attorney is great for understanding policies, procedures, and legalese, but HIPAA’s Security Rule is completely different than the Privacy Rule. Attorneys typically don’t know a thing about technical controls and have no experience with security. 

If you’re looking for someone to help you get HIPAA compliant, look for a seasoned HIPAA expert.

Myth #4: “No one wants my data because it has no value.”

Actually, health data is even more lucrative than credit card numbers on the black market. Credit card numbers only go for about $1 to $2. PHI sells for $20 to $200, depending on the type of patient data. 

Why is healthcare data so much more profitable? 

If you steal credit card data, you can make a purchase. If you steal health care data, you can create an identity. Recovering from identity theft is a lot harder and costlier than recovering from credit card fraud.

Myth #5: “Providers can’t exchange email with patients and still be HIPAA compliant.” 

Actually, they can! As long as they do it securely. I’ve actually already explained how providers can securely send emails to patients in this blog post.

Myth #6: “A Business Associate Agreement (BAA) puts all my liability on the business associate.”

This question has already been answered in this post about business associate agreements, but in short, even with a BAA, there is still shared liability between the covered entity and business associates. Even if you’re breached and it’s the business associate’s fault, healthcare providers may still share monetary penalties or fines with their business associates.

The biggest thing to remember here is that you should share only minimal need-to-know data with your business associates, and regularly validate that they are handling your patients’ PHI in a HIPAA compliant manner. That should keep your liability to a minimum.

Myth #7: “Demonstrable progress is difficult and expensive.”

Many have heard that in order to avoid OCR fines, you must show ‘demonstrable progress’. Don’t worry, demonstrable progress isn’t hard, and it’s definitely not expensive. In fact, it has everything to do with documentation, basically proving to the OCR that you are working your hardest to get compliant with the limited resources you have. Check out how this organization survived their OCR audit.

PHI flow charts are a great first start and act as a fantastic piece of documentation if the OCR ever comes knocking. If you’re still feeling overwhelmed, here is a blog post to help you with the first 21 days of HIPAA compliance.


What do you think? Are there any HIPAA compliance myths I missed?

Free SecurityMetrics PCI Compliance Demo

SecurityMetrics PCI 3.0 solution simplifies, syndicates, and standardizes.

We made a bunch of great changes to our customer PCI validation portal to accommodate for PCI version 3.0.

Even though PCI 3.0 brings about new standards, longer SAQs, additional scanning requirements, and complex answering options, we kept it simple with our new portal.


SEE ALSO: The Ultimate Guide to PCI DSS 3.0

Watch the demo




Here’s a sneak peek into the coolest new features.


Pre-populating SAQ answers
Even though PCI DSS 3.0 requires all merchants to re-scope, SecurityMetrics will save and populate existing customers' applicable PCI DSS 2.0 Self-Assessment Questionnaire (SAQ) answers to their PCI DSS 3.0 SAQ to ensure a smooth transition.

Combination SAQs for merchants with multiple processing methods
In PCI DSS 3.0, SAQs are applied per processing environment, which could mean many merchants' validation types will change, even if their processing method hasn't. It also means merchants may be required to fill out multiple SAQs. SecurityMetrics' PCI DSS 3.0 validation portal intelligently combines multiple SAQs, deletes duplicate questions, and syndicates questions to avoid confusion.

A prioritized compliance to-do list
Oftentimes, merchants are left not knowing the next step to finish compliance validation. The actionable to-do list keeps them on track to ensure a straightforward PCI DSS experience.

Simplified language for select standards
The PCI DSS is written in a very technical manner that some merchants may not fully understand. To ensure merchants have the ability to accurately and honestly answer their self-assessment questions, SecurityMetrics offers both simplified and original SAQ questions for select standards.

Want more information?

Learn more about how we simplify PCI compliance for small businesses, or request a full demonstration of the new portal.



What Are HIPAA Compliant System Logs?

System event logging

Audit logs make it easier to detect problems in organizational security.

By: Tod Ferran, CISSP, QSA

System logs are part of HIPAA compliance and specifically mentioned in two different requirements. System event logs are recorded tidbits of information regarding the actions taken on computer systems like operating systems, office computers, electronic health record (EHR) systems, printers, routers, etc. 

If I logged into my computer with my username and password at 9:05 today, that event, date, and time should be recorded by my operating system’s logging software and saved in a giant database of all the events and actions taken on my computer. If I also reviewed John Smith’s health information, that action should be logged by my EHR.

What this means for HIPAA compliance is, system and access logs make it easier to look after organizational security of both simple (single practice) and complex (hospital) networks.

How?

Well, here’s a short list of what system event logs can be set up to record:
  • When employees log in
  • The number of failed login attempts on a computer
  • The last time you conducted a software update
  • Who downloaded a new program, and when
  • When you changed your password
  • Who logged into the EHR at a certain time
  • What information was accessed by the person logged in
  • What protected health information (PHI) was changed and by whom

Pretty useful information, right? Keep reading to learn when you would need to access this information.

When would I ever use an access or system event log?

Logs are only useful if they are regularly reviewed.
Monitoring and analyzing user and system activity can help detect either ordinary or irregular action patterns. For example, you can see if Sally keeps accessing a certain patient’s data, or if someone (perhaps a hacker?) logged onto your EHR system at 3:00 a.m. when no one was in the office. 

Here are a few more scenarios. 

Sometimes hackers attempt to attack a system by trying thousands of username and password combinations. A system log will record the fact that someone tried (and failed) to access your system 1,000 times on Thursday. You can probably conclude that a hacker was trying to access your PHI, and perhaps you should change your usernames and passwords, just in case.

Say your company gets accused of looking at patient records unlawfully. As we all know, that’s a violation of the HIPAA Privacy Rule, and your organization could go to court and pay serious fines or civil penalties. Just look at an incident that happened at a single Walgreens. Logs could tell you which employee (if any) accessed the patient’s records, on what day, and what other records they accessed.

During your HIPAA audit, your auditors will ask for your access and system audit logs. They will be looking to validate that you are storing them for six years or more, that all pertinent information is included, and that there is some form of daily review. An analysis tool such as Splunk or Logwatch will do a daily review of logs for you.

Lastly, if your organization happens to get hacked, logs help forensic investigators find out how hackers got into your system and what data was exfiltrated so you can close the holes and avoid future attacks. Without solid logs to prove what was impermissibly accessed, investigators must assume all patient records were accessed and stolen.
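
The review scenarios above (a burst of failed log-ins, an EHR log-in at 3:00 a.m., one employee repeatedly opening the same patient's record) can be expressed as a small daily review script. This is an added example, not code from the original post or from any SecurityMetrics product; the log line layout, the office hours, the thresholds, and all function names are assumptions made for illustration, and the sample log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, time

# Assumed line layout (constructed for this example, not a real EHR format):
#   <ISO timestamp> <system> <EVENT> key=value ...
LINE_RE = re.compile(
    r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|RECORD_VIEW)((?: \w+=\S+)*)$"
)

OFFICE_OPEN, OFFICE_CLOSE = time(7, 0), time(19, 0)  # assumed office hours
FAIL_THRESHOLD = 5  # failed log-ins per source per day before flagging
VIEW_THRESHOLD = 3  # views of one patient by one user per day before flagging


def parse_line(line):
    """Return (timestamp, system, event, fields), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(4).split())
    return ts, m.group(2), m.group(3), fields


def review(lines):
    """Run the daily review and return a list of finding tuples."""
    fails = Counter()   # (day, source address) -> failed log-in count
    views = Counter()   # (day, user, patient)  -> record view count
    findings = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Never drop bad lines silently: a gap in the logs is a finding.
            unparsed += 1
            continue
        ts, _system, event, f = rec
        day = ts.date().isoformat()
        if event == "LOGIN_FAIL":
            fails[(day, f.get("src", "?"))] += 1
        elif event == "LOGIN_OK":
            if not (OFFICE_OPEN <= ts.time() < OFFICE_CLOSE):
                findings.append(
                    ("off_hours_login", day, f.get("user", "?"),
                     ts.strftime("%H:%M"))
                )
        elif event == "RECORD_VIEW":
            views[(day, f.get("user", "?"), f.get("patient", "?"))] += 1
    for (day, src), n in sorted(fails.items()):
        if n >= FAIL_THRESHOLD:
            findings.append(("failed_login_burst", day, src, n))
    for (day, user, patient), n in sorted(views.items()):
        if n >= VIEW_THRESHOLD:
            findings.append(
                ("repeated_record_access", day, f"{user}->{patient}", n)
            )
    if unparsed:
        findings.append(("unparsed_lines", "", "", unparsed))
    return findings


# Constructed sample data: six failed log-ins from one outside address,
# a 3:00 a.m. log-in, normal daytime activity, and one corrupted line.
SAMPLE_LOG = (
    [f"2015-02-12T02:10:{s:02d} ehr LOGIN_FAIL user=admin src=203.0.113.7"
     for s in range(6)]
    + [
        "2015-02-12T03:00:14 ehr LOGIN_OK user=admin src=203.0.113.7",
        "2015-02-12T09:05:00 ws-frontdesk LOGIN_OK user=tod src=10.0.0.23",
        "2015-02-12T09:30:00 ehr LOGIN_FAIL user=sally src=10.0.0.31",
        "2015-02-12T09:31:00 ehr LOGIN_OK user=sally src=10.0.0.31",
        "2015-02-12T10:00:00 ehr RECORD_VIEW user=sally patient=P-1001",
        "2015-02-12T11:15:00 ehr RECORD_VIEW user=sally patient=P-1001",
        "2015-02-12T14:40:00 ehr RECORD_VIEW user=sally patient=P-1001",
        "2015-02-12T15:00:00 ehr RECORD_VIEW user=tod patient=P-2002",
        "corrupted line without fields",
    ]
)

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A single mistyped password (sally at 09:30) stays below the threshold and is not flagged, which keeps the daily report short enough that someone will actually read it.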

What do HIPAA regulations say about system logging?

Event, audit, and access logging is a requirement for HIPAA compliance. HIPAA requires you to keep logs on each of your systems for a total of six years. These three HIPAA requirements apply to logging, and log monitoring:
  • Section 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
  • Section 164.312(b): Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  • Section 164.308(a)(1)(ii)(D): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
SEE ALSO: Understanding HIPAA Firewall Logging

In conclusion, if you aren’t already collecting logs, get started now!

When setting up your systems to record logs, remember these three things:
  • Collect logs from every system, application and program. 
  • Make the logs difficult to alter by consolidating them in real time on a centralized logging server, or writing them daily to an optical drive or other type of media that cannot be changed.
  • Implement a log analysis tool or subscribe to a Security Operations Center for a real-time review of logs with alerting of staff for suspicious behavior. 

Have a HIPAA security question? Leave a comment and you may see your question answered on the next HIPAA Snippets video.
