[BreachExchange] Focusing on Audit Controls to Maintain PHI Security

Wed Jan 18 20:19:13 EST 2017

http://healthitsecurity.com/news/focusing-on-audit-controls-to-maintain-phi-
security

Reviewing and securing audit trails, while also ensuring the proper tools
to collect, monitor, and review those audit trails are in place are key
audit control considerations for covered entities and business associates,
according to the Office for Civil Rights (OCR).

In the latest OCR cyber newsletter, the agency urges healthcare
organizations to properly safeguard audit logs and audit trails to prevent
hackers and malicious insiders from creating a potential data breach.

“Protecting audit logs and audit trails prevent intruders from tampering
with the audit records and protecting their integrity,” the newsletter
states.

Citing the National Institute of Standards and Technology (NIST), OCR
explains that “audit logs are records of events based on applications,
users, and systems.” Audit trails on the other hand consist of audit logs
of applications, users, and systems, and are designed to “maintain a record
of system activity by application processes and by user activity within
systems and applications.”

The HIPAA Security Rule also requires covered entities and business
associates to implement necessary hardware, software, and/or procedural
mechanisms to record and examine information system activity that holds or
uses ePHI, OCR maintained.

“The majority of information systems provide some level of audit controls
with a reporting method, such as audit reports,” the newsletter explains.
“These controls are useful for recording and examining information system
activity which also includes users and applications activity.”

Application audit trails, system-level audit trails, and user audit trails
are all examples of ways that healthcare organizations can implement audit
controls.

However, it is important to understand that the Security Rule does not
specify what information should be collected from an audit log or trail or
how often the audit reports should be reviewed.

“When determining reasonable and appropriate audit controls for information
systems containing or using ePHI, Covered Entities and Business Associates
must consider their risk analysis results and organizational factors, such
as their current technical infrastructure, hardware, and software security
capabilities,” OCR writes.

If a small primary care clinic has less than 10 doctors on staff, and it
does not permit employees to use their own mobile devices, it might not be
necessary for encryption to be put on the work devices. However, the
organization may want to utilize firewalls and multi-factor authentication
for its office computers.

The Security Rule lists audit controls as one of four main areas for
covered entities and business associates to consider when implementing
technical safeguards. Audit controls should be reviewed along with access
controls, integrity controls, and transmission security.

Integrity controls are policies and procedures that ensure ePHI is not
altered or destroyed, while transmission security is where covered entities
implement technical security measures to protect against unauthorized ePHI
access transmitted over electronic networks.

Different tools may also benefit organizations, and it is essential for
covered entities and business associates to properly assess their own needs.

Reducing risk is a major benefit of audit controls, and healthcare
organizations may consider audit controls for the following situations:

Inappropriate access
Tracking unauthorized disclosures of ePHI
Detecting performance problems and flaws in applications
Detecting potential intrusions and other malicious activity
Providing forensic evidence during investigation of security incidents and
breaches

Audit trails should be regularly reviewed, both during real-time operations
and after any type of security incident or data breach has taken place.

“Regular review of information system activity should promote awareness of
any information system activity that could suggest a security incident or
breach,” OCR stresses in the newsletter. “Access to audit trails should be
strictly restricted, and should be provided only to authorized personnel.”

Covered entities and business associates should also consider if there are
necessary upgrades or changes to an information system’s audit
capabilities. Furthermore, it is also important to see if implemented audit
controls still allow an entity to adhere to their audit control policies
and procedures.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170118/7662712b/attachment.html>