Logging and Review: HIPAA Style

Transcript and presenter's notes of a PowerPoint presentation (45 slides) provided by NCHICA, http://www.nchica.org. Presentation file created 5/5/2004.

1
Logging and Review: HIPAA Style
  • AMC Security & Privacy
  • Progress & Prospects
  • Research Triangle Park, NC

2
Panelists
  • Chip Nimick
  • Information Security Officer
  • University of Rochester/Strong Health
  • Lee Olson
  • Chief Security Officer
  • Mayo Foundation
  • Don Sweezy
  • Senior Security Analyst
  • Duke University Health System

3
Activity Review and Monitoring Requirements in the
Security Rule
  • Information System Activity Review 164.308(a)(1)(ii)(D)
  • Log-in Monitoring 164.308(a)(5)(ii)(C)
  • Audit Controls 164.312(b)

4
Issues
  • What risks can be effectively addressed by
    review of operating system logs and application
    logs?
  • What are some practical heuristics for
    highlighting log event patterns that are worth
    further investigation?
  • Which tools are most useful for applying these
    heuristics: commercial, open source, or
    home-grown?

5
URMC / Strong Health
6
URMC / Strong Health
  • Rochester, Monroe County, New York
  • Employees: 10,500 FT, 2,400 PT
  • Inpatient: 1,050 beds
  • Ambulatory: 1.16M visits per year
  • Emergency: 113K visits per year
  • Laboratory: 1.5M orders, 10M tests per year
  • Radiology: 400K exams per year (85% digital)
  • NIH Research Funding: $155M in FY04 (ranks 30th)

7
URMC / Strong Health
  • University of Rochester Medical Center
  • Strong Memorial Hospital
  • School of Medicine Dentistry
  • School of Nursing
  • Medical Faculty Group
  • Eastman Dental Center
  • University Health Service (student care)
  • Highland Hospital (community hospital)
  • The Highlands (long term care)
  • Visiting Nurse Service (home care)

8
Top Current Risks Addressable by Log Review
  • Inappropriate access using authorized ePHI access
    privileges
  • UserID/password sharing
  • Malicious / erroneous use of privileged userIDs

9
Current Practice is Still Reactive
10
Next Steps
  • RFP for log aggregation, pattern analysis, and
    alerting system
  • Handles application access logs, not just OS and
    network logs
  • Flexible raw log parsing language/specification
  • Flexible pattern description language/specification
  • Manufacturer-developed inputs and reports are
    nice as templates, but
  • Alerting via syslog, SMS text, SNMP to MOM

11
Next Steps
  • RFP for controlling privileged userID activities
  • Temporary privilege escalation - authorization
    and logging
  • Safe directories - command logging
  • Keystroke logging

12
At Other AMCs
  • Reactive Methods
  • Proactive Methods

13
Logging and Review HIPAA Style
  • Questions?

14
Logging & Review: HIPAA Style
  • August 2005
  • Lee Olson
  • Mayo Clinic

15
Compliance matrix: Administrative Safeguards
(Columns on the original slide: Std Number | Standard | Implementation Specifications | (R) Required / (A) Addressable | Compliance Documentation | Site)

Std 1, Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implementation specification, Information System Activity Review (R): Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports.

Compliance documentation by site:
  • MCR: The compliance baseline is established at the EMR, which has 20,000 users. Log data from six high-risk applications of the 12 Mayo Integrated Systems applications (Documents Browser, Clinical Notes, PPI, CDM, Medical Indexing and Master Sheet) are evaluated against relationship and sensitivity criteria as approved by the Rochester Information Security Subcommittee. The MICS Security Administrator investigates security-relevant accesses through further reviews of LastWord, Orders 97 and other applications as necessary. Culpable individuals identified are referred to appropriate departmental oversight authorities. The MICS Security Administrator maintains operational documentation.
  • MCA: A proactive audit of medical records access is being conducted to determine trends of inappropriate use. Information, based on pre-defined criteria, is provided by the Data Warehouse IT function to the Security Officer. The Security Officer creates a report of likely abuse cases and passes them on to the Privacy Officer for evaluation. Based on the Privacy Officer's input (including a possible request for more information to the Security Officer) the report goes to HR for investigation. Reactive and Proactive Audit process.
  • MCJ: Additional Policies/Procedures: HR Policy "Confidential and Privileged Information". A procedure is in place for the Jacksonville Information Security Office to review and report suspected violations of access to the EMR. Security incident tracking reports are maintained locally.
16
Security standard: Audit
  • STANDARD System Administrators must be able to
    audit access and access attempts to Mayo
    confidential information. Audits will be
    conducted when unauthorized accesses and attempts
    are identified. Audit records shall be kept at
    least six months, and administrators shall
    periodically review the audit records for
    evidence of violations or system misuse.
  • GUIDELINE Implementation procedures are
    developed at the local and business unit levels.
    Stewards should specify audit controls based on
    business needs and risk levels.

17
Security standard: Violations
  • STANDARD Any deviation from the Mayo Information
    Security Policies and Standards is a violation.
    Everyone must report instances of noncompliance.
    Violations will be reviewed for appropriate
    disciplinary action in accordance with
    appropriate personnel policy and procedures.
    Corrective action may include termination of
    employment and/or criminal prosecution.
  • GUIDELINE The Information Security Office, the
    personnel function and an appropriate level of
    department management will review standards
    violations and recommend corrective or
    disciplinary action.
  • GUIDELINE Users should report security
    violations to a supervisor, the personnel
    function, system administrator, information
    steward, information security, physical security
    or Internal Audit Services, as appropriate.

18
Administrative Policy
  • Strongly discourage employees from accessing
    their own records
  • Prohibit employees from accessing the records of
    their:
      • Children (if not the documented medical provider)
      • Adult family members (without signed
        authorization and proper notation)
      • Co-workers, friends and neighbors
  • Outline process for requesting a copy of medical
    record (same as patient process)

19
New Way to Protect Confidentiality
  • Investigation of employees who are reported to
    have breached confidentiality
  • Systematic audits will flag employees who may be
    breaching confidentiality
20
Considering intent, we classify inappropriate
medical information access into three buckets.
Instances in the first bucket are fairly
unambiguous, pose the highest institutional risk
and threaten patient confidence. Audits focus on
the first bucket.
  • Malice or habitual: family members, neighbors,
    co-workers, habitual surfing, legal ammo
  • Convenience: own record, minor children, family
    members
  • Error or mistaken judgment: wrong patient
Pattern will disclose intent.
21
(No Transcript)
22
Criteria / Method of Auditing
  • Matches from same last names (user/patient)
  • Matches name on emergency contact
  • Matches name on insurance guarantor
  • Department name searches
23
(No Transcript)
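The relationship criteria of slide 22, run in code over an access export. This is an added example, not Mayo's tooling or data: the employee directory, patient index, access records and field names are constructed for illustration, the link from an employee to their own medical record number is hypothetical, and the mapping of each criterion to the intent buckets of slide 20 is an assumption the slides do not make. "Department name searches" is read here as an access to a patient who is also an employee of the user's own department (a co-worker); that is one interpretation of the criterion. The per-user summary at the end is the "pattern will disclose intent" step: one same-last-name hit may be a coincidence, repeated hits across patients are not.

```python
"""Relationship-criteria audit of EMR access records (added example; all
data constructed, field names assumed)."""
from collections import Counter

# Constructed employee directory; "mrn" links an employee to their own
# patient record where one exists (hypothetical link).
EMPLOYEES = {
    "jdoe":   {"name": "Jane Doe",    "last": "Doe",   "dept": "Cardiology", "mrn": None},
    "rsmith": {"name": "Rob Smith",   "last": "Smith", "dept": "Radiology",  "mrn": "MRN005"},
    "kpatel": {"name": "Kiran Patel", "last": "Patel", "dept": "Emergency",  "mrn": None},
    "sbrown": {"name": "Sue Brown",   "last": "Brown", "dept": "Cardiology", "mrn": "MRN004"},
}
OWN_RECORD_OF = {e["mrn"]: uid for uid, e in EMPLOYEES.items() if e["mrn"]}

# Constructed patient index keyed by medical record number.
PATIENTS = {
    "MRN001": {"last": "Doe",    "emergency_contact": "Tom Doe",      "guarantor": "Tom Doe"},
    "MRN002": {"last": "Lee",    "emergency_contact": "Rob Smith",    "guarantor": "Ann Lee"},
    "MRN003": {"last": "Garcia", "emergency_contact": "Maria Garcia", "guarantor": "Kiran Patel"},
    "MRN004": {"last": "Brown",  "emergency_contact": "Al Brown",     "guarantor": "Al Brown"},
    "MRN005": {"last": "Smith",  "emergency_contact": "Eve Smith",    "guarantor": "Eve Smith"},
}

# Constructed application access log: timestamp|user|mrn|action.
ACCESS_LOG = """\
2005-08-02T09:14:03|jdoe|MRN001|view_notes
2005-08-02T09:20:11|jdoe|MRN004|view_notes
2005-08-02T09:22:40|jdoe|MRN002|view_notes
2005-08-02T10:02:45|rsmith|MRN002|view_results
2005-08-02T10:05:00|rsmith|MRN005|view_results
2005-08-02T11:30:27|kpatel|MRN003|view_notes
2005-08-02T11:31:02|kpatel|MRN001|view_notes
2005-08-03T08:00:00|jdoe|MRN001|view_notes
"""

# Which intent bucket (slide 20) each criterion feeds: an assumption, the
# slide does not state it. Relationship matches still need pattern review.
BUCKET = {"own_record": "convenience", "same_last_name": "malice_or_habitual",
          "emergency_contact": "malice_or_habitual", "guarantor": "malice_or_habitual",
          "coworker_same_dept": "malice_or_habitual"}


def parse_access_log(text):
    """Split the pipe-delimited export into records, skipping blank lines."""
    records = []
    for line in filter(None, text.splitlines()):
        ts, user, mrn, action = line.split("|")
        records.append({"ts": ts, "user": user, "mrn": mrn, "action": action})
    return records


def evaluate(record):
    """Return the list of criteria an access record matches (empty = clean)."""
    emp, pat = EMPLOYEES.get(record["user"]), PATIENTS.get(record["mrn"])
    if emp is None or pat is None:
        return ["unknown_user_or_patient"]  # worth a look on its own
    hits = []
    if emp["mrn"] == record["mrn"]:
        hits.append("own_record")          # convenience case, not a relationship
    elif emp["last"].lower() == pat["last"].lower():
        hits.append("same_last_name")
    if emp["name"].lower() == pat["emergency_contact"].lower():
        hits.append("emergency_contact")
    if emp["name"].lower() == pat["guarantor"].lower():
        hits.append("guarantor")
    # "Department name searches" read here as: the patient is a co-worker in
    # the user's own department.
    other = OWN_RECORD_OF.get(record["mrn"])
    if other and other != record["user"] and EMPLOYEES[other]["dept"] == emp["dept"]:
        hits.append("coworker_same_dept")
    return hits


def audit(log_text):
    """Run every record through the criteria and keep only the flagged ones."""
    findings = []
    for rec in parse_access_log(log_text):
        hits = evaluate(rec)
        if hits:
            findings.append({**rec, "criteria": hits,
                             "buckets": sorted({BUCKET.get(h, "review") for h in hits})})
    return findings


def pattern_summary(findings):
    """Flagged accesses and distinct patients per user: repeat hits are the
    'pattern will disclose intent' case."""
    patients = {}
    for f in findings:
        patients.setdefault(f["user"], set()).add(f["mrn"])
    counts = Counter(f["user"] for f in findings)
    return {u: {"flagged": n, "patients": len(patients[u])} for u, n in counts.items()}


if __name__ == "__main__":
    results = audit(ACCESS_LOG)
    for f in results:
        print(f["ts"], f["user"], f["mrn"], ",".join(f["criteria"]), "->", "/".join(f["buckets"]))
    print(pattern_summary(results))
```

On the sample, six of eight accesses are flagged; the own-record access lands in the convenience bucket, and the user with three hits across two patients is the one the slide's process would hand to the Privacy Officer first. The name comparisons are exact and case-insensitive only; a production run would normalise on address or date of birth as well, since emergency-contact and guarantor names are free text.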
24
Duke Medicine
  • Logging & Review - HIPAA Style
  • Don Sweezy, CISSP

Duke Medicine / NCHICA Use Only
25
Basic Model
(Diagram) OS and Apps -> Log Files or Syslog -> Extract Security Events -> Filter Incidents
26
Log Review Standard - Highlights
  • Part of the risk management practice for each
    system.
  • Server logs will be reviewed at least daily
      • By software with no human intervention.
  • Logs from workstations will be reviewed for cause
    (i.e. not on a scheduled basis).

27
Frequency and Retention
  Server logs           Review daily by software
  Workstation logs      Available for 30 days; review for cause
  Changes to filters    Retain 6 years
  False positives       Retain 6 years
  Non-logging app       Not required
  Security logs         1 month online
  Incremental backup    Daily; 1 month online
  Monthly backup        2 years
  Security tests        6 years
28
Basic Model
(Diagram) Log Files or Syslog -> Extract Security Events -> Filter for Incidents -> Security Controls
29
Central Logging
(Diagram) Extract & Normalize Events -> Filter for Incidents -> Security Controls, Security Reports
30
Systems and Strengths
  IBM            Integration with Tivoli
  Consul / BMC   GUI and Profiling
  SenSage        Scale and Storage
31
Critical Issues
  • Scalability
  • Distributed Administration
  • HIPAA Compliance Reports
  • Customer Defined Agents
  • OS Deployment
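The Basic Model above, carried through in code: log lines in, security events extracted and normalized, incidents filtered out for a person to read. This is an added example and not Duke's implementation or any of the products named on slide 30. It runs over constructed OpenSSH syslog lines in the standard BSD format; the year assigned to the year-less timestamps, the three-failure threshold, the five-minute window and the host names and addresses are assumptions. The failure-burst filter is the kind of automated check that satisfies the log-in monitoring specification, 164.308(a)(5)(ii)(C), from slide 3.

```python
"""Extract -> normalize -> filter over syslog (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog sample as a central syslog server would store it.
SYSLOG = """\
Aug  2 10:15:01 emrapp1 sshd[4101]: Failed password for invalid user admin from 10.1.2.3 port 41200 ssh2
Aug  2 10:15:04 emrapp1 sshd[4101]: Failed password for invalid user admin from 10.1.2.3 port 41201 ssh2
Aug  2 10:15:09 emrapp1 sshd[4103]: Failed password for oracle from 10.1.2.3 port 41202 ssh2
Aug  2 10:15:15 emrapp1 sshd[4105]: Failed password for oracle from 10.1.2.3 port 41203 ssh2
Aug  2 10:15:40 emrapp1 sshd[4107]: Accepted password for oracle from 10.1.2.3 port 41204 ssh2
Aug  2 10:16:02 emrapp1 cron[4110]: (root) CMD (run-parts /etc/cron.hourly)
Aug  2 10:40:12 emrapp1 sshd[4190]: Failed password for jdoe from 10.9.8.7 port 50110 ssh2
Aug  2 10:40:30 emrapp1 sshd[4192]: Accepted publickey for jdoe from 10.9.8.7 port 50111 ssh2
Aug  2 11:02:00 emrdb1 sshd[2201]: Accepted password for root from 10.1.2.3 port 41500 ssh2
"""

# BSD syslog header, then the standard sshd authentication message.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w\-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

YEAR = 2005  # assumption: BSD syslog timestamps carry no year


def normalize(m, a):
    """Step 2: one fixed schema so the filters never touch raw text."""
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": a["user"], "src": a["src"],
            "method": a["method"], "success": a["outcome"] == "Accepted",
            "invalid_user": a["invalid"] is not None}


def extract(text):
    """Step 1: keep only security events (sshd authentication lines); the
    cron line and anything else that does not match is dropped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "sshd":
            continue
        a = AUTH_RE.match(m["msg"])
        if a:
            events.append(normalize(m, a))
    return events


def filter_incidents(events, fail_threshold=3, window_s=300):
    """Step 3: reduce events to incidents. A burst of failures from one
    source inside the window is reported once, when the threshold is hit;
    a success from a source that was just failing is reported as a
    possible guessed or shared password; a network root login is always
    reported. Thresholds are assumptions for the example."""
    incidents = []
    fails_by_src = defaultdict(list)  # src -> failure timestamps in window
    for e in sorted(events, key=lambda e: e["ts"]):
        fails = fails_by_src[e["src"]]
        fails[:] = [t for t in fails if (e["ts"] - t).total_seconds() <= window_s]
        if not e["success"]:
            fails.append(e["ts"])
            if len(fails) == fail_threshold:  # fire once, not on every extra failure
                incidents.append({"kind": "auth_failure_burst", "src": e["src"],
                                  "host": e["host"], "ts": e["ts"], "count": len(fails)})
            continue
        if len(fails) >= fail_threshold:
            incidents.append({"kind": "success_after_failures", "src": e["src"],
                              "host": e["host"], "user": e["user"], "ts": e["ts"],
                              "prior_failures": len(fails)})
        if e["user"] == "root":
            incidents.append({"kind": "remote_root_login", "src": e["src"],
                              "host": e["host"], "user": e["user"], "ts": e["ts"]})
    return incidents


if __name__ == "__main__":
    for inc in filter_incidents(extract(SYSLOG)):
        print(inc)
```

Nine raw lines become eight events and three incidents: the failure burst from 10.1.2.3, the oracle login that followed it from the same address, and the later root login from that address. The single jdoe failure followed by a key-based login stays below the threshold and is not reported, which is the point of the filter stage: the daily review "by software with no human intervention" in slide 26 only works if the filters leave a handful of items rather than the whole log.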

32
This is the Peer Engagement Part of this
Session
  • This part is designed to engage you (the
    audience) in exploring this topic. It is your
    opportunity to:
      • hear how your AMC peers see the topic and how
        their AMCs are handling it, and
      • provide information about how your AMC is
        handling the topic.

33
Engagement Process
  • Facilitators
      • Stimulate audience discussion with requests
        for questions and comments, and with
        pre-designed questions and instant polls that
        are designed to assess how the audience of AMC
        peers sees the topic and to start further
        questions and comments from the audience.
      • Collect the results for reporting in the track
        reporting part of each plenary session and a
        planned GASP (Guidelines for AMCs on Security and
        Privacy) update.
  • Audience (and panelists)
      • Respond to the questions and comments, and
        provide your own.

34
Instant Poll Rules
  • Facilitators role
  • Require audience members and panelists to shut
    their eyes (to promote more honest voting)
  • Ask for a show of hands for each item to be voted
    on.
  • Audience role
  • Vote as you see fit.
  • Voting is anonymous.
  • Follow-up questions may ask voters to describe
    why they voted as they did, if they are
    comfortable doing so.
  • Anonymity
  • For some issues, you may wish to keep your vote
    private; the eyes-shut voting rule is the main
    rule that assures this.
  • Also, the facilitators will take only the notes
    that you see on the screen and will not identify
    you by name or institution unless you explicitly
    say that you are willing to be so identified.

35
Logging and Review HIPAA Style
  • Current practice is still reactive!
  • Strongly disagree ____
  • Disagree ___
  • Neither agree nor disagree ___
  • Agree ___
  • Strongly agree __
  • What practices ___

36
Logging and Review HIPAA Style
  • Business associates and non-employee treatment
    providers are of equal concern as employees.
  • Strongly disagree ____
  • Disagree ___
  • Neither agree nor disagree ___
  • Agree ___
  • Strongly agree __

37
Logging and Review HIPAA Style
  • Network logs (from routers, firewalls, IDS, etc.)
    are reviewed
  • daily ___
  • weekly ___
  • monthly ___
  • only when an incident occurs __
  • Network logs are reviewed by software, humans or
    both
  • software ___
  • humans ___
  • both ___

38
Logging and Review HIPAA Style
  • Server logs (from host operating systems, domain
    controllers, etc.) are reviewed
  • daily ___
  • weekly ___
  • monthly ___
  • only when an incident occurs __
  • Server logs are reviewed by software, humans or
    both
  • software ___
  • humans ___
  • both ___

39
Logging and Review HIPAA Style
  • PHI access logs (from healthcare software,
    database daemons, etc.) are reviewed
  • daily ___
  • weekly ___
  • monthly ___
  • only when an incident occurs __
  • PHI access logs are reviewed by software, humans
    or both
  • software ___
  • humans ___
  • both ___

40
Logging and Review - Innovative Technologies
  • My AMC manually audits log files ___
  • My AMC uses third party audit compliance tools
    ___
  • My AMC uses internally developed audit and
    compliance tools ___
  • My AMC uses some combination of the above ___

41
Logging and Review HIPAA Style
  • The top priority over the coming year for
    implementing pro-active review of logs is for
  • Network logs ___
  • Server logs ___
  • PHI access logs __

42
Logging and Review - Experience
  • What was involved in the implementation at your
    AMC?
  • What have been the successes/failures/issues?
  • What are the lessons learned?

43
What follow-up activities would be helpful to
AMCs in dealing with this topic?
  • Audience/panelists responses

44
Engagement Quality Instant Poll
  • This session did a good job of engaging the
    panelists and the audience on the topic.
  • 1 - Strongly Disagree ___
  • 2 - Disagree ___
  • 3 - Neither agree nor disagree ___
  • 4 - Agree ____
  • 5 - Strongly agree ____