System event logging

Audit logs make it easier to detect problems in organizational security.

By: Tod Ferran, CISSP, QSA

System logs are part of HIPAA compliance and specifically mentioned in two different requirements. System event logs are recorded tidbits of information regarding the actions taken on computer systems like operating systems, office computers, electronic health record (EHR) systems, printers, routers, etc.

If I logged into my computer with my username and password at 9:05 today, that event, date, and time should be recorded by my operating system’s logging software and saved in a giant database of all the events and actions taken on my computer. If I also reviewed John Smith’s health information, that action should be logged by my EHR.

For HIPAA compliance, this means system and access logs make it easier to oversee organizational security on both simple (single practice) and complex (hospital) networks.

How?

Well, here’s a short list of what system event logs can be set up to record:
  • When employees log in
  • The number of failed login attempts on a computer
  • The last time you conducted a software update
  • Who downloaded a new program, and when
  • When you changed your password
  • Who logged into the EHR at a certain time
  • What information was accessed by the person logged in
  • What protected health information (PHI) was changed and by whom

Pretty useful information, right? Keep reading to learn when you would need to access this information.

When would I ever use an access or system event log?

Logs are only useful if they are regularly reviewed.
Monitoring and analyzing user and system activity can help detect either ordinary or irregular action patterns. For example, you can see if Sally keeps accessing a certain patient’s data, or if someone (perhaps a hacker?) logged onto your EHR system at 3:00 a.m. when no one was in the office.

Here are a few more scenarios.

Sometimes hackers attempt to attack a system by trying thousands of username and password combinations. A system log will record the fact that someone tried (and failed) to access your system 1,000 times on Thursday. You can probably conclude that a hacker was trying to access your PHI, and perhaps you should change your usernames and passwords, just in case.
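
The two review checks described above (a burst of failed logins, and a login at 3:00 a.m. when the office is empty) can be automated. The following is an added example, not code from the original article; the log line format, the threshold of five failures in ten minutes, and the 07:00-19:00 office hours are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "time event user= src=" format (local time).
SAMPLE_LOG = """\
2024-03-07T09:05:00 LOGIN_SUCCESS user=jdoe src=10.0.0.21
2024-03-07T14:00:01 LOGIN_FAILURE user=admin src=203.0.113.9
2024-03-07T14:00:03 LOGIN_FAILURE user=root src=203.0.113.9
2024-03-07T14:00:05 LOGIN_FAILURE user=sally src=203.0.113.9
2024-03-07T14:00:07 LOGIN_FAILURE user=admin src=203.0.113.9
2024-03-07T14:00:09 LOGIN_FAILURE user=frontdesk src=203.0.113.9
2024-03-07T16:30:00 LOGIN_FAILURE user=sally src=10.0.0.34
2024-03-08T03:00:12 LOGIN_SUCCESS user=sally src=198.51.100.4
garbled line that must be counted, not silently dropped
"""
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (LOGIN_\w+) user=(\S+) src=(\S+)$")

def parse(text):
    """Return (events, unparsed); each event is (time, kind, user, src)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
        except (TypeError, ValueError):  # no match (m is None) or impossible date
            unparsed += 1
    return events, unparsed

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map each source to its largest failure count within any sliding window."""
    by_src, alerts = defaultdict(list), {}
    for ts, kind, _user, src in sorted(events):
        if kind == "LOGIN_FAILURE":
            by_src[src].append(ts)
    for src, times in by_src.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = max(alerts.get(src, 0), end - start + 1)
    return alerts

def off_hours_logins(events, open_hour=7, close_hour=19):
    """Successful logins outside assumed office hours (07:00-19:00)."""
    return [(ts, user, src) for ts, kind, user, src in events
            if kind == "LOGIN_SUCCESS" and not open_hour <= ts.hour < close_hour]
```

Calling `parse(SAMPLE_LOG)` and passing the events to the two detectors flags the source with five failures and the 03:00 login. The unparsed count is worth reporting alongside the alerts, since lines the reviewer cannot read are activity that went unreviewed.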

Say your company gets accused of looking at patient records unlawfully. As we all know, that’s a violation of the HIPAA Privacy Rule, and your organization could go to court and pay serious fines or civil penalties. Just look at an incident that happened at a single Walgreens. Logs could tell you which employee (if any) accessed the patient’s records, on what day, and what other records they accessed.

During your HIPAA audit, your auditors will ask for your access and system audit logs. They will be looking to validate that you are storing them for six years or more, that all pertinent information is included, and that there is some form of daily review. An analysis tool such as Splunk or Logwatch will do a daily review of logs for you.

Lastly, if your organization happens to get hacked, logs help forensic investigators find out how hackers got into your system and what data was exfiltrated so you can close the holes and avoid future attacks. Without solid logs to prove what was impermissibly accessed, investigators must assume all patient records were accessed and stolen.

What do HIPAA regulations say about system logging?

Event, audit, and access logging is a requirement for HIPAA compliance. HIPAA requires you to keep logs on each of your systems for a total of six years. These three HIPAA requirements apply to logging and log monitoring:
  • Section 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
  • Section 164.312(b): Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  • Section 164.308(a)(1)(ii)(D): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

In conclusion, if you aren’t already collecting logs, get started now!

When setting up your systems to record logs, remember these three things:
  • Collect logs from every system, application, and program.
  • Make the logs difficult to alter by consolidating them in real time on a centralized logging server, or by writing them daily to an optical drive or other type of media that cannot be changed.
  • Implement a log analysis tool or subscribe to a Security Operations Center for real-time review of logs that alerts staff to suspicious behavior.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.