To protect companies and customers from data loss or theft, many industries and government organizations are subject to regulatory compliance requirements. The 2013 Gartner CEO Survey ranked regulatory change as the second-largest overall business risk.
A common theme in all compliance standards is auditing user activity, particularly access to confidential customer data. This can be a time-consuming and laborious process, but non-compliance can mean heavy penalties and fines, in addition to loss of reputation and customer goodwill.
EventTracker’s solutions help automate the steps each standard requires to achieve compliance and to maintain it going forward. With EventTracker, organizations can secure the environment, establish a baseline, track user activity, alert on potential violations, and generate audit-ready reports.
The Health Insurance Portability and Accountability Act (HIPAA) affects health care organizations that exchange and store patient information. The HIPAA regulations were established to protect the integrity of patient information, and compliance is intended to secure health information against unauthorized use, theft or disclosure.
As part of the requirements, HIPAA states that a security management process must exist to protect against “attempted or successful unauthorized access, use, disclosure, modification, or interference with system operations”. Further, an organization must be able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive patient information.
Gartner analysis of data from the U.S. Centers for Medicare and Medicaid Services’ (CMS’s) Office for Civil Rights (OCR) shows that almost two-thirds of organizations regulated by HIPAA do not have complete or accurate risk assessment capabilities.
Sample Pre-defined HIPAA Audit-ready Reports
- User Logon report – HIPAA requirements (164.308(a)(5)(ii)(C), log-in monitoring) state that user access to the system must be recorded and monitored for possible abuse.
- User Logoff report – HIPAA requirements clearly state that user access to the system must be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document access to medical details by legitimate users. In most cases, the very fact that access is recorded is deterrent enough against malicious activity, much like the presence of a surveillance camera in a parking lot.
- Logon Failure report – Logon auditing records every unsuccessful logon attempt; this report lists the user name, date and time of each failure, so that bursts of failures (a password-guessing attempt, especially one followed by a success) can be spotted.
- Audit Logs access report – HIPAA requirements (164.308(a)(1)(ii)(D), information system activity review) call for procedures to regularly review records of information system activity such as audit logs.