Best Practices: Log Management & Compliance for the Healthcare Industry

To protect and secure electronic protected health information or patient records, you need to know who is accessing which systems and data, and what users are doing at all times. Records of all events taking place in your environment are being logged right now into event logs, W3C logs or Syslog files across your servers, workstations and networking devices. Think about it†log files contain complete audit trails of access, additions, deletions or manipulation of key information (i.e. employee records, patient health data, etc.).

Therefore, log files need to be collected, stored, analyzed and reported on to have near real-time security event detection and response as well as maintain historical compliance assurance and forensics with key regulations such as HIPAA. Non-compliance with HIPAA can be costly ‟ recently, the Department of Veterans Affairs committed $20 million to correct a data breach which could affect almost one million VA physicians and patients. How can you effectively collect, store, analyze and report on log files for measures such as this? WhatsUp Log Management is an effective start.

Key compliance initiatives

Before we dive into best practices for a healthcare log management solution, a quick background of the relevant laws and standards below will provide you with a high-level overview to understand compliance regulations in the healthcare industry and how they can affect your log management strategy.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) established national standards for maintaining the privacy of protected health information. These standards are aimed at improving the efficiency and effectiveness of the US healthcare system by encouraging widespread use of electronic data interchange of health-related data. The Administrative Simplifications (AS) provisions of HIPAA address the health data security and privacy requirements. It mandates that entities handling protected health information must put in place technical safeguards including access controls, encrypted communication, event logging and written records of detailed device configuration files. Covered entities must also document their HIPAA practices and make the records available to the Government for assessing compliance.

According to the Centers for Medicaid and Medicare, organizations must build an IT infrastructure and strategies to protect against “threats or hazard to the security of the information” and, most importantly, prepare for investigation of potential security breaches. HIPAA requires the existence of a reliable audit trail to protect the electronic personal data of medical patients, which must be able to provide “sufficient information to establish what events occurred, when they occurred, and who (or what) caused them.” Failure to comply with HIPAA regulations can mean costly civil or criminal penalties up to $25,000 or $250,000, respectively, with criminal penalties ranging up to 10 years of imprisonment.

HITECH Act

The HITECH Act of 2010 amended HIPAA to require Covered Entities to provide notification to individuals, the Office of Civil Rights (OCR) and others when certain breaches of unsecured protected health information (UPHI) occur (Section 13402(e)(3)). The implementing interim “Breach Notification For Unsecured Protected Health Information” regulations (Breach Regulation) published by OCR require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a “breach” of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations.

The standards highlighted above reflect a need to ensure the protection and integrity of electronic health and patient records, and that an audit trail is available for each transaction. Now that you know the importance of these compliance regulations for healthcare institutions, we can detail best practices for establishing an LM strategy that effectively encompasses these regulations.

Best Practice #1: Automatically collect log files and store them as long as you need

HIPAA regulations mandate a period of six years for log data retention. Healthcare organizations need a solution that will collect and store log files and provide the multi-year storage necessary for this key regulation. In a typical setup, an administrator will configure an LM tool to gather event log, Syslog or W3C records nightly (or periodically) from servers, devices and workstations throughout their network. This process involves saving and clearing the active log files from each system, reading log entries out of the log files into a central database (e.g. Microsoft SQL), and finally compressing the saved log files and storing them centrally on a secure server. With WhatsUp Log Management, you can automatically collect Syslog, Microsoft Event or W3C/IIS logs across your entire infrastructure -- devices, systems, web servers, load balancers, firewalls, proxy servers, or content security appliances.

Keeping your log data in two formats—as database records and as compressed flat files—offers a distinct storage/auditing advantage. Event log data in flat files compresses extremely well, often down to 5% of the original size. Therefore, in terms of storage cost, it costs very little to keep archived log data for many years should an auditor ever need it. However, flat files are a very poor medium for analysis and reporting, so keeping an active working set of data (often 60 to 90 days) in a database allows ad hoc reporting as well as scheduled reporting to be available for recent events. WhatsUp Log Management provides an easy mechanism for rapid re-import of older saved log files back into your database should they ever be needed. Having data at the ready in a central database greatly reduces the potential for lost hours of chasing files when an auditor comes knocking, especially when HIPAA requires lengthy log data retention periods.

With WhatsUp Log Management, you can not only collect Syslog, W3C/IIS or Windows Event log files and utilize its multi-year storage capabilities to comply with HIPAA, but also leverage the solution’s cryptographic hashing capabilities to prevent tampering with your archived log files ‟ this gives you the peace of mind knowing that data cannot be tampered with -- key for evidentiary use.

Best Practice #2: Establish real-time alerts for key events and Syslog files

You can rapidly detect internal or external threats and initiate rapid response procedures in your healthcare environment. This is especially critical for sensitive patient data and other electronic health records ‟ you need to be able to immediately identify key events (i.e. access and permission changes to files, folders and objects containing protected health data) the moment they happen. WhatsUp Log Management provides this critical functionality, as the WhatsUp Event Alert module within constantly watches over Syslog and Windows Event log files, immediately sending out alert notifications at the first sign of trouble. In addition, with advance warning from Event Alarm, network personnel can initiate investigate and triage processes as per their established security policies and compliance requirements.

Most organizations have a heterogeneous IT environment, with a broad mix of operating systems, devices and systems. Therefore, you need to look for Windows Event log support to track user activity in Microsoft environments or Syslog support (across routers, switches, IDS, firewalls, and UNIX or LINUX systems).

Most software products require the use of agents to perform real time monitoring of log files. If any factor influences your choice of a solution, this should be the one. A no-agents-required implementation of a monitoring solution will save a lot of headaches in the initial implementation, as your network grows, and in the ongoing maintenance of your monitoring solution. WhatsUp Log Management provides both agent- or agentless-based monitoring.

When developing a log monitoring plan, every organization has different rules on what sorts of events they must monitor. IT departments will frequently focus on security events as the sole indicator of any issues. While monitoring the security event log is essential, other event logs can also indicate issues with applications, hardware issues or malicious software. At a minimum, all monitored events should be traceable back their origination point. In addition to the fact that WhatsUp Log Management can immediately identify unauthorized events and zero in into the original breach culprit, the Rapid configuration tool eases deployment and setup by recommending commonly audited event types (i.e. new user additions, login failures, group membership changes, etc.) And, if you have frequent known events that don’t pose a threat to security, WhatsUp Log Management’s intelligent flood control feature limits repeat notification from the same set of alarms and allows administrators to routinely ignore some event types from alarming.

Best Practice #3: Generate and distribute the reports you need to prove compliance

Reporting is a key area because it provides you with significant data on security trends and proves compliance. Reporting can also help you substantiate the need to change security policies based on events that could result or have resulted in compromised security. Any LM solution that you implement needs to answer the following questions:

• What report formats are available?
• How much of your work is already done for you in prepackaged event log reports?
• Are you tied to a particular format? Will HTML and the availability of that HTML report to multiple users play a role?
• Can customized filters be easily recalled for repeat use?
• From what data sources can reports be generated? Does it include EVT, text, Microsoft Access, and ODBC?
• Can you create custom reports?
• Will the solution be compatible with your event archiving solution?