HIPAA Logging Howto; New attack bypasses AV protection

June EventSource Newsletter
By Dr. Anton Chuvakin, Security Warrior Consulting

HIPAA Logging HOWTO, Part 1

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security and privacy standards for health information – both electronic and physical. The main mission of the law is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery” (HIPAA Act of 1996 http://www.hhs.gov/ocr/privacy/).

In particular , Title II of the law,  “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform”, contains Security Rule (section 2.3) that covers Electronic Protected Health Information (EPHI) and Privacy Rule (section 2.1) that covers all Protected Health Information (PHI).

A recent enhancement to HIPAA is called Health Information Technology for Economic and Clinical Health Act or HITECH Act. The act  seeks to “promote the adoption and meaningful use of health information technology” and “ addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. “(HITECH Act of 2009 http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html)

Unlike PCI DSS that we covered in previous newsletters, HIPAA itself does not descend to the level of security controls and technologies to implement.  This requires the organizations affected by HIPAA – also known as “covered entities” –to try to follow the spirit of the regulation as opposed to its letter.  What is also interesting to note is that insurance companies and many hospitals that accept payment cards are subject to both HIPAA and PCI DSS. Understandably, the scope of their applicability across the organization might be different since payment processing systems should not store patient health information and vice versa.  Still, considering the same technical and administrative controls for both regulations is prudent and will save money in both the short term and long term.

The following HIPAA requirements are broadly applicable to logging, log review and security monitoring.

  • Section 164.308(a)(5)(ii)(C) “Log-in Monitoring”  calls for monitoring the systems touching patient information for login and access.  The requirement applies to “login attempts” which implies both failed and successful logins.
  • Section 164.312(b)      “Audit Controls”  broadly covers audit logging and other audit trails on systems that deal with sensitive health information.  Review of such audit logs seem to be implied by this requirement.
  • Section 164.308(a)(1)(ii)(D)  “Information System Activity Review” prescribes review of various records of IT activities such as logs, systems utilization reports,  incident reports and other indications of security relevant activities
  • Other requirements in HIPAA might potentially affect logging as well.

The above reveals that, compared to PCI DSS, logging and monitoring requirements inside HIPAA itself do not really help companies answer key questions needed to deploy and operationalize logging and log management – from both technical and policy/procedure point of view.

In particular, the following questions are left unanswered:

  • What information should be logged by “audit controls”? What activities and events? What details for each activity or event?
  • Should the log records be centrally collected?
  • For how long should the records be retained?
  • What particular “activities” should be reviewed? How often?
  • How should security monitoring and “log-in monitoring” be performed?
  • How should audit records be protected?

In light of this, it is often noticed that HIPAA log collection and review seems to be a perpetual stumbling point for organizations of all sizes. Log requirements can be difficult for some companies, such as organizations with complex systems in place, or small shops that lack the time, money and expertise. And vague guidance does not help the organization to get motivated to do logging and log review. On top of this, logging and log review complexity rises dramatically when custom applications – not simply Windows servers or Cisco firewalls – are in scope. Despite the movement away from legacy and custom applications, a lot of medical data still sits inside home-grown applications where logging can be a nightmare to configure.

In addition to the above questions, another issue is unclear: do these controls apply to the actual application that handles sensitive health data or do they apply to the underlying platform as well.  The next newsletter installment will cover application logging issues specific to medical applications.

Fortunately, some additional details for HIPAA Security Rule implementation are covered in NIST Publication 800-66 “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (see http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf)

NIST SP 800-66 guide details log management requirements for the securing of electronic protected health information – based on HIPAA security rule.

Section 4.1 of NIST 800-66 describes the need for regular review of information system activity, such as audit logs, information and system access reports and security incident tracking reports. The section asks questions (“How often will reviews take place?” and “Where will audit information reside (e.g., separate server)?”) rather than provides answers.

Section 4.15 attempts to provide additional guidance on “audit controls.”  While striving to provide the methodology and questions that implementers need to be asking (such as “What activities will be monitored (e.g., creation, reading, updating, and/or deleting of files or records containing EPHI)?” and “What should the audit record include (e.g., user ID, event type/date/time)?”, the document does not really address key implementation concern – in other words, it does not tell covered entities what they must do to be compliant.

Also, Section 4.22 specifies that documentation of actions and activities need to be retained for at least six years – and leaves the discussion of whether security activity records such as logs are considered “documentation” to implementers.

In light of the above ambiguous guidance, what are typical organization actions in response to HIPAA requirements?

A recommended strategy suggests that the company start from information security activity review policy and processes.  Using the guiding questions from NIST 800-66, one can formulate what such policy should cover: requirement applicability, recorded activities and, recorded details, review procedures, exception monitoring process, etc

Quoting from NIST 800-66:

  • “Who is responsible for the overall process and results?
  • How often will reviews take place?
  • How often will review results be analyzed?
  • What is the organization’s sanction policy for employee violations?
  • Where will audit information reside (e.g., separate server)?”

Next, the organization has to actually implement the above process for both logging and log review.  This would make sure that log records are created on covered systems and have sufficient details (logging). By the way, such details can be borrowed from the corresponding PCI DSS guidance.  Also, it will create the procedures to “regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” (log review). While daily log reviews are not required, if they are performed for PCI DSS, they can be expanded to cover HIPAA systems as well.

On this, NIST 800-66 advices:

  • “Develop Appropriate Standard Operating Procedures
  • Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.
  • How will exception reports or logs be reviewed?
  • Where will monitoring reports be filed and maintained?”

Only then is the organization ready to proceed to the next step and initiate logging and then start ongoing log reviews.

To conclude, even though HIPAA does not provide detailed step by step guidance on logging and log management, it gives companies an opportunity to follow the spirit of the regulation and not simply the letter.  Understandably, a few organizations might be waiting for  fines and enforcement activity to be started before taking any action.  Such shortsighted approach to logging simply plays for the “bad guys” side – allowing cyber-criminals to steal the most sensitive data all of us will ever have…

Next newsletter will cover how to approach actually medical application logging for HIPAA, including custom and vertical applications.

Related resource: Learn how EventTracker helps you achieve compliance with multiple HIPAA requirements.

Next Month: Stay tuned for the second part of the 2-article series on Logging for HIPAA by Dr. Chuvakin. Previous articles in the compliance series include Logging for PCI, Part 1 and Part 2.