EventSource, June 2010 – HIPAA Logging Howto; New attack bypasses all AV protection

Featured Article: HIPAA Logging HOWTO, Part 1

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security and privacy standards for health information – both electronic and physical. The main mission of the law is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery” (HIPAA Act of 1996, http://www.hhs.gov/ocr/privacy/). In particular, Title II of the law, “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform”, contains the Security Rule (section 2.3), which covers Electronic Protected Health Information (EPHI), and the Privacy Rule (section 2.1), which covers all Protected Health Information (PHI). A recent enhancement to HIPAA is the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The act seeks to “promote the adoption and meaningful use of health information technology” and “addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules” (HITECH Act of 2009, http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule). Unlike PCI DSS, which we covered in previous newsletters, HIPAA itself does not descend to the level of security controls and technologies to implement. This requires the organizations affected by HIPAA – also known as “covered entities” – to follow the spirit of the regulation as opposed to its letter. It is also interesting to note that insurance companies and many hospitals that accept payment cards are subject to both HIPAA and PCI DSS.
Understandably, the scope of their applicability across the organization might be different since payment processing systems should not store patient health information and vice versa. Still, considering the same technical and administrative controls for both regulations is prudent and will save money in both the short term and long term. The following HIPAA requirements are broadly applicable to logging, log review and security monitoring.
The above reveals that, compared to PCI DSS, the logging and monitoring requirements inside HIPAA itself do not really help companies answer the key questions needed to deploy and operationalize logging and log management – from both a technical and a policy/procedure point of view. In particular, the following questions are left unanswered:
In light of this, HIPAA log collection and review is often a perpetual stumbling point for organizations of all sizes. Log requirements can be difficult for some companies, such as organizations with complex systems in place, or small shops that lack the time, money and expertise. And vague guidance does not help the organization get motivated to do logging and log review. On top of this, logging and log review complexity rises dramatically when custom applications – not simply Windows servers or Cisco firewalls – are in scope. Despite the movement away from legacy and custom applications, a lot of medical data still sits inside home-grown applications where logging can be a nightmare to configure. In addition to the above questions, another issue is unclear: do these controls apply to the actual application that handles sensitive health data, or do they apply to the underlying platform as well? The next newsletter installment will cover application logging issues specific to medical applications. Fortunately, some additional details for HIPAA Security Rule implementation are covered in NIST Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (see http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf). The NIST SP 800-66 guide details log management requirements for securing electronic protected health information, based on the HIPAA Security Rule. Section 4.1 of NIST 800-66 describes the need for regular review of information system activity, such as audit logs, information and system access reports and security incident tracking reports. The section asks questions (“How often will reviews take place?” and “Where will audit information reside (e.g., separate server)?”) rather than providing answers.
Section 4.15 attempts to provide additional guidance on “audit controls.” While striving to provide the methodology and questions that implementers need to be asking (such as “What activities will be monitored (e.g., creation, reading, updating, and/or deleting of files or records containing EPHI)?” and “What should the audit record include (e.g., user ID, event type/date/time)?”), the document does not really address the key implementation concern; in other words, it does not tell covered entities what they must do to be compliant. Also, Section 4.22 specifies that documentation of actions and activities needs to be retained for at least six years – and leaves the discussion of whether security activity records such as logs are considered “documentation” to implementers. In light of the above ambiguous guidance, what are typical organization actions in response to HIPAA requirements? A recommended strategy is for the company to start from an information security activity review policy and processes. Using the guiding questions from NIST 800-66, one can formulate what such a policy should cover: requirement applicability, recorded activities, recorded details, review procedures, exception monitoring process, etc. Quoting from NIST 800-66:
Next, the organization has to actually implement the above process for both logging and log review. This makes sure that log records are created on covered systems and have sufficient details (logging). By the way, such details can be borrowed from the corresponding PCI DSS guidance. It also creates the procedures to “regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” (log review). While daily log reviews are not required, if they are performed for PCI DSS, they can be expanded to cover HIPAA systems as well. On this, NIST 800-66 advises:
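A worked example of the two steps above (sufficient detail in the log record, then a regular review of it), added here and not part of the newsletter or of NIST 800-66: the record carries the user ID, event type and date/time that section 4.15 names for create/read/update/delete of EPHI, and a review pass over constructed sample lines returns the exceptions a reviewer would act on. The field names, the added record_id/outcome/source fields and the review rules are assumptions.

```python
import json
from datetime import datetime, timezone

# Audit-record fields: user ID, event type and date/time are the examples NIST
# 800-66 section 4.15 gives; record_id, outcome and source are assumptions added
# so a reviewer can see which EPHI record was touched, whether access succeeded, and from where.
REQUIRED_FIELDS = ("ts", "user", "event", "record_id", "outcome", "source")
EPHI_EVENTS = ("create", "read", "update", "delete")  # the activities 4.15 lists

def ephi_audit_record(user, event, record_id, outcome, source, ts=None):
    """Emit one EPHI access event as a JSON line carrying every required field."""
    if event not in EPHI_EVENTS:
        raise ValueError(f"unknown EPHI event type: {event}")
    ts = ts or datetime.now(timezone.utc).isoformat()
    return json.dumps({"ts": ts, "user": user, "event": event, "record_id": record_id,
                       "outcome": outcome, "source": source})

def review_audit_log(lines, work_hours=(7, 19)):
    """Periodic review pass returning (line_no, reason, detail) exceptions.
    The rules are assumptions; the covered entity's review policy sets its own."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable", line))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:  # a record the reviewer cannot act on is itself a finding
            findings.append((n, "missing fields", ",".join(missing)))
            continue
        hour = datetime.fromisoformat(rec["ts"]).hour
        who = f'{rec["user"]} {rec["record_id"]}'
        if rec["event"] == "delete":  # destructive EPHI changes always get a look
            findings.append((n, "EPHI delete", who))
        if rec["outcome"] != "success":
            findings.append((n, "failed access", who))
        if not work_hours[0] <= hour < work_hours[1]:
            findings.append((n, "after-hours access", who))
    return findings

# Constructed sample log (not from any real system); the last line lacks fields.
SAMPLE_LOG = [
    ephi_audit_record("nurse01", "read", "pt-1001", "success", "10.0.0.5", "2010-06-14T09:12:00+00:00"),
    ephi_audit_record("admin7", "delete", "pt-1002", "success", "10.0.0.9", "2010-06-14T23:40:00+00:00"),
    ephi_audit_record("temp3", "read", "pt-1003", "denied", "10.0.0.44", "2010-06-15T10:05:00+00:00"),
    '{"ts": "2010-06-15T11:00:00+00:00", "user": "billing2", "event": "update"}',
]
```

Running review_audit_log(SAMPLE_LOG) yields four findings: the delete, the same delete as after-hours access, the denied read, and the malformed last line.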
Only then is the organization ready to proceed to the next step and initiate logging, and then start ongoing log reviews. To conclude, even though HIPAA does not provide detailed step-by-step guidance on logging and log management, it gives companies an opportunity to follow the spirit of the regulation and not simply the letter. Understandably, a few organizations might be waiting for fines and enforcement activity to start before taking any action. Such a shortsighted approach to logging simply plays for the “bad guys” side – allowing cyber-criminals to steal the most sensitive data all of us will ever have… The next newsletter will cover how to actually approach medical application logging for HIPAA, including custom and vertical applications.

About the author

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is the author of the books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly Director of PCI Compliance Solutions at Qualys.
Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
Industry News

New attack bypasses virtually all AV protection
NASA security chief orders bold change to secure networks
SQL injection attack used in breach of 168,000 travelers
Like falling off a log
Prism Microsystems supercharges IT troubleshooting and security monitoring with powerful, enhanced Log Search

Featured Webinar

Top 5 Daily Reports for Monitoring Windows Servers
When: Wednesday, June 23, 1:00 PM

There's no escaping that every compliance framework and regulation requires monitoring and audit trails. Moreover, it's an indispensable part of good information security. Randy Franklin Smith will discuss a list of 5 daily reports for Windows servers that will help you cover all the bases in terms of technology, compliance frameworks and good information security. Then Isaac Thompson will demonstrate how to implement these reports in Prism's EventTracker log management platform.

LogTalk

Log Management use #65: Secure Auditing