Logging and Review: HIPAA Style - PowerPoint PPT Presentation

Slides: 46
Provided by: nchicaOrg
Learn more at: http://www.nchica.org
Transcript and Presenter's Notes

Title: Logging and Review: HIPAA Style


1
Logging and Review HIPAA Style
  • Chip Nimick, University of Rochester/Strong
    Health
  • Lee Olson, Mayo Clinic
  • Don Sweezy, Duke University Health System

2
Activity Review and Monitoring Requirements in
Security Reg
  • Information Systems Activity Review
    164.308(a)(1)(ii)(D)
  • Log-in Monitoring 164.308(a)(5)(ii)(C)
  • Audit Controls 164.312(b)

3
Issues
  • What risks can be effectively addressed by
    review of operating system logs and application
    logs?
  • What are some practical heuristics for
    highlighting log event patterns that are worth
    further investigation?
  • Which tools are most useful for applying these
    heuristics: commercial, open source, or
    home-grown?

4
Auditing HIPAA Style
  • August 2005
  • Lee Olson
  • Mayo Clinic

5
Std Number: 1 (Administrative Safeguards)
Standard: Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implementation Specification: Information System Activity Review. Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports.
(R)Required / (A)Addressable: R
Compliance Documentation, by Site:
  • MCR: The compliance baseline is established at the EMR, which has 20,000 users. Log data from six high-risk applications out of the 12 Mayo Integrated Systems applications (Documents Browser, Clinical Notes, PPI, CDM, Medical Indexing and Master Sheet) are evaluated against relationship and sensitivity criteria as approved by the Rochester Information Security Subcommittee. The MICS Security Administrator investigates security-relevant accesses through further reviews of LastWord, Orders 97 and other applications as necessary. Culpable individuals identified are referred to appropriate departmental oversight authorities. The MICS Security Administrator maintains operational documentation.
  • MCA: A proactive audit of medical records access is being conducted to determine trends of inappropriate use. Information, based on pre-defined criteria, is provided by the Data Warehouse IT function to the Security Officer. The Security Officer creates a report of likely abuse cases and passes them on to the Privacy Officer for evaluation. Based on the Privacy Officer's input (including a possible request for more information to the Security Officer), the report goes to HR for investigation. Reactive and Proactive Audit process.
  • MCJ: Additional Policies/Procedures: HR Policy "Confidential and Privileged Information". A procedure is in place for the Jacksonville Information Security Office to review and report suspected violations of access to the EMR. Security incident tracking reports are maintained locally.
6
Security standard Audit
  • STANDARD: System Administrators must be able to
    audit access and access attempts to Mayo
    confidential information. Audits will be
    conducted when unauthorized accesses and attempts
    are identified. Audit records shall be kept at
    least six months, and administrators shall
    periodically review the audit records for
    evidence of violations or system misuse.
  • GUIDELINE: Implementation procedures are
    developed at the local and business unit levels.
    Stewards should specify audit controls based on
    business needs and risk levels.

7
Security standard Violations
  • STANDARD: Any deviation from the Mayo Information
    Security Policies and Standards is a violation.
    Everyone must report instances of noncompliance.
    Violations will be reviewed for appropriate
    disciplinary action in accordance with
    appropriate personnel policy and procedures.
    Corrective action may include termination of
    employment and/or criminal prosecution.
  • GUIDELINE: The Information Security Office, the
    personnel function and an appropriate level of
    department management will review standards
    violations and recommend corrective or
    disciplinary action.
  • GUIDELINE: Users should report security
    violations to a supervisor, the personnel
    function, system administrator, information
    steward, information security, physical security
    or Internal Audit Services, as appropriate.

8
Administrative Policy
  • Strongly discourage employees from accessing
    their own records
  • Prohibit employees from accessing the records of
    their:
      • Children (if not the documented medical provider)
      • Adult family members (without signed
        authorization and proper notation)
      • Co-workers, friends and neighbors
  • Outline process for requesting a copy of medical
    record (same as patient process)

9
New Way to Protect Confidentiality
  • Investigation of employees who are reported to
    have breached confidentiality
  • Systematic audits will flag employees who may be
    breaching confidentiality

10
Considering intent, we classify inappropriate
medical information access into three buckets.
Instances in the first bucket are fairly
unambiguous, pose the highest institutional risk
and threaten patient confidence. Audits focus on
the first bucket.
  • Malice or habitual: family members, neighbors,
    co-workers, habitual surfing, legal ammo
  • Convenience: own record, minor children, family
    members
  • Error or mistaken judgment: wrong patient
Pattern will disclose intent

11
(No Transcript)
12
Criteria / Method of Auditing
  • Matches from same last names (user/patient)
  • Matches name on emergency contact
  • Matches name on insurance guarantor
  • Department name searches

13
(No Transcript)
14
Duke Medicine
  • Logging Review - HIPAA Style
  • Don Sweezy, CISSP

Duke Medicine / NCHICA Use Only
15
Basic Model
Diagram (flow): OS and Apps -> Log Files or Syslog
-> Extract Security Events -> Filter Incidents

16
Log Review Standard - Highlights
  • Part of the risk management practice for each
    system.
  • Server logs will be reviewed at least daily
      • By software with no human intervention.
  • Logs from workstations will be reviewed for cause
    (i.e. not on a scheduled basis).

17
Frequency and Retention
Item                       Frequency / Retention
Server logs                Review daily by software
Workstation logs           Available for 30 days; review for cause
Changes to filters         Retain 6 years
False positives            Retain 6 years
Non-logging app            Not required
Security logs              1 month online
Incremental backup daily   1 month online
Monthly backup             2 years
Security tests             6 years

18
Basic Model
Diagram (flow): Log Files or Syslog -> Extract
Security Events -> Filter for Incidents -> Security
Controls

19
Central Logging
Diagram (flow): Extract and Normalize Events ->
Filter for Incidents -> Security Controls and
Security Reports

20
Systems and Strengths
System         Strength
IBM            Integration with Tivoli
Consul / BMC   GUI and Profiling
SenSage        Scale and Storage

21
Critical Issues
  • Scalability
  • Distributed Administration
  • HIPAA Compliance Reports
  • Customer Defined Agents
  • OS Deployment

22
URMC / Strong Health
23
URMC / Strong Health
  • Rochester, Monroe County, New York
  • Employees: 10,500 FT, 2,400 PT
  • Inpatient: 1,050 beds
  • Ambulatory: 1.16M visits per year
  • Emergency: 113K visits per year
  • Laboratory: 1.5M orders, 10M tests per year
  • Radiology: 400K exams per year (85 digital)
  • NIH Research Funding: 155M in FY04 (ranks 30th)

24
URMC / Strong Health
  • University of Rochester Medical Center
  • Strong Memorial Hospital
  • School of Medicine and Dentistry
  • School of Nursing
  • Medical Faculty Group
  • Eastman Dental Center
  • University Health Service (student care)
  • Highland Hospital (community hospital)
  • The Highlands (long term care)
  • Visiting Nurse Service (home care)

25
Current Privacy Practice is Still Reactive
  • Compliance Hotline receives complaints
  • Word of mouth: use the training team and the IT
    support staff in clinical areas
  • Publish the privacy officer's contact info widely

26
Network OS Security Practice is More Pro-Active
  • Network activity logs trigger
      • dynamic firewall rules
      • e-mail and paging alerts
  • Operating system log-in multiple failures trigger
      • short-term account locks
      • paging alerts for administrator/operator accounts

27
Top Risks Addressable by Proactive Log Review
  • Inappropriate access using authorized ePHI access
    privileges
  • UserID/password sharing
  • Malicious / erroneous use of privileged userIDs

28
Next Steps
  • RFP for log aggregation, pattern analysis, and
    alerting system
      • Handles application access logs, not just OS
        and network logs
      • Flexible raw log parsing language/specification
      • Flexible pattern description
        language/specification
      • Manufacturer-developed inputs and reports are
        nice as templates, but
      • Alerting via syslog, SMS text, SNMP to MOM

29
Next Steps
  • RFP for controlling privileged userID activities
      • Temporary privilege escalation - authorization
        and logging
      • Safe directories - command logging
      • Keystroke logging

30
An Unscientific Survey of Other AMCs
  • University of Pittsburgh
  • Vanderbilt University
  • Ohio State University
  • Johns Hopkins
  • University of North Carolina
  • Indiana University

31
Pro-Active Methods
  • Manual review of access to current VIP records
  • Manual review of all access by randomly selected
    users, both internal users and vendors
  • Pre-designated access reviewers in each inpatient
    and outpatient unit
  • Spot audit both internal users and business
    partners
  • Centrally developed log audit guidelines;
    pro-active execution distributed to sysadmins

32
Pro-Active Methods
  • Automated highlighting of after-hours access
    from unlikely locations
  • Automated highlighting of accesses where the
    patient or guarantor last name matches the user
    last name
  • If the user accessing a patient's record has ever
    entered documentation into the record, then the
    access is OK
  • If access is questionable, follow up with the
    accessor first, rather than the supervisor

33
Pro-Active Methods
  • Let all application users see which users have
    accessed a given patient's record
  • Let patients see who has accessed their record

34
Top Risks
  • More concern about an improper disclosure of 1000
    patient records than improper accesses to
    individual patient records.
  • More concern about disclosures from the hundreds
    of Access databases and Web front-ends than from
    the central systems.

35
Logging and Review HIPAA Style
  • Current practice is still reactive!
  • Strongly disagree ____
  • Disagree ___
  • Neither agree nor disagree ___
  • Agree ___
  • Strongly agree __
  • What practices ___

36
Logging and Review HIPAA Style
  • Business associates and non-employee treatment
    providers are of equal concern as employees.
  • Strongly disagree ____
  • Disagree ___
  • Neither agree nor disagree ___
  • Agree ___
  • Strongly agree __

37
Logging and Review HIPAA Style
  • Network logs (from routers, firewalls, IDS, etc.)
    are reviewed
  • daily ___
  • weekly ___
  • monthly ___
  • only when an incident occurs __
  • Network logs are reviewed by software, humans or
    both
  • software ___
  • humans ___
  • both ___

38
Logging and Review HIPAA Style
  • Server logs (from host operating systems, domain
    controllers, etc.) are reviewed
  • daily ___
  • weekly ___
  • monthly ___
  • only when an incident occurs __
  • Server logs are reviewed by software, humans or
    both
  • software ___
  • humans ___
  • both ___

39
Logging and Review HIPAA Style
  • PHI access logs (from healthcare software,
    database daemons, etc.) are reviewed
  • daily ___
  • weekly ___
  • monthly ___
  • only when an incident occurs __
  • PHI access logs are reviewed by software, humans
    or both
  • software ___
  • humans ___
  • both ___

40
Logging and Review - Innovative Technologies
  • My AMC manually audits log files ___
  • My AMC uses third party audit compliance tools
    ___
  • My AMC uses internally developed audit and
    compliance tools ___
  • My AMC uses some combination of the above ___

41
Logging and Review HIPAA Style
  • The top priority over the coming year for
    implementing pro-active review of logs is for
  • Network logs ___
  • Server logs ___
  • PHI access logs __

42
Logging and Review - Experience
  • What was involved in the implementation at your
    AMC?
  • What have been the successes/failures/issues?
  • What are the lessons learned?

43
What follow-up activities would be helpful to
AMCs in dealing with this topic?
  • Audience/panelists responses

44
Engagement Quality Instant Poll
  • This session did a good job of engaging the
    panelists and the audience on the topic.
  • 1 - Strongly Disagree ___
  • 2 - Disagree ___
  • 3 - Neither agree nor disagree ___
  • 4 - Agree ____
  • 5 - Strongly agree ____

45
Logging and Review HIPAA Style
  • Questions?