In the iconic western, Butch Cassidy and the Sundance Kid, Butch and Sundance are hard pressed to evade a posse led by the semi-mythical lawman, Joe Lefors, who is so adept that he manages to track them across solid rock. The latest newsletter from the DHHS Office for Civil Rights highlights critical tools that can track, much like Joe Lefors, malicious or unauthorized access to protected health information.
The January OCR newsletter spotlights the Technical Safeguards provision of the Security Rule, found at 45 C.F.R. § 164.312, which sets out a number of required and addressable safeguards to maintain the confidentiality, integrity and availability of electronic Protected Health Information (ePHI). One of the Technical Safeguards is the use of Audit Controls, which the rule defines as: “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Without these measures in place, it is difficult to identify a threat early, to limit the damage, or to prove that an incident had no impact on PHI.
Audit Control Features
The terms audit controls, audit logs, or audit trails are often used interchangeably to refer to a record of events or activity on an information system, and in keeping with our western theme, we’ll stick with audit trails as a term to denote any compilation of the records of usage of an information system. OCR’s January 2017 edition of its Cyber Awareness Newsletter illustrates the importance of audit trails in identifying incipient or ongoing threats to PHI, and it provides several examples of how electronic footprints detected in audit trails can be used to protect electronic PHI:
- Application audit trails – Monitor and log user activities in a particular application. This includes the opening and closing of application data files and the creating, reading, editing, and deleting of application records associated with ePHI.
- System-level audit trails – Capture successful and unsuccessful log-on attempts, the log-on ID/username, the date and time of each log-on/log-off attempt, the device used to log on to the system, and the application that the user successfully (or unsuccessfully) accessed.
- User audit trails – Monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as the commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files.
So the idea is to record individual events on a computer system and compile those records for review and future reference.
Covered Entities and Business Associates should review audit trail data to detect suspicious patterns or levels of activity, such as repeated failed log-ons, one user opening an unusual number of patient records, or exports outside normal working hours. The Administrative Safeguards provision of the HIPAA Security Rule, found at 45 C.F.R. § 164.308, requires regular reviews of information system activity.
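The following script is an added illustration of what such a review can look like in practice; it is not code from the OCR newsletter. It parses a handful of constructed audit records that mirror the three trail types above (system-level log-on events, application record access, and the user/device fields that tie them to a person) and applies three review rules. The thresholds, field names and business-hours window are assumed policy values chosen for the example, not values HIPAA or OCR prescribe.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (invented for this example; not real ePHI
# activity). Each line: ISO timestamp, event type, then key=value fields.
# LOGON_*/LOGOFF lines are the system-level trail, READ/EDIT/EXPORT lines the
# application trail, and the user/device fields tie both to the user trail.
SAMPLE_AUDIT_LOG = """\
2017-01-10T08:01:05 LOGON_OK user=rn_smith device=WS-201
2017-01-10T08:02:11 LOGON_FAIL user=jdoe device=WS-114
2017-01-10T08:02:19 LOGON_FAIL user=jdoe device=WS-114
2017-01-10T08:02:31 LOGON_FAIL user=jdoe device=WS-114
2017-01-10T08:02:44 LOGON_FAIL user=jdoe device=WS-114
2017-01-10T08:02:58 LOGON_FAIL user=jdoe device=WS-114
2017-01-10T08:03:10 LOGON_OK user=jdoe device=WS-114
2017-01-10T08:05:00 READ user=rn_smith device=WS-201 patient=P1001
2017-01-10T08:06:00 READ user=jdoe device=WS-114 patient=P2001
2017-01-10T08:07:00 READ user=jdoe device=WS-114 patient=P2002
2017-01-10T08:08:00 READ user=jdoe device=WS-114 patient=P2003
2017-01-10T08:09:00 READ user=jdoe device=WS-114 patient=P2004
2017-01-10T08:10:00 READ user=jdoe device=WS-114 patient=P2005
2017-01-10T08:11:00 READ user=jdoe device=WS-114 patient=P2006
2017-01-10T08:20:00 EDIT user=rn_smith device=WS-201 patient=P1001
2017-01-10T23:15:00 EXPORT user=clerk_lee device=WS-305 patient=P3001
2017-01-10T23:16:00 LOGOFF user=clerk_lee device=WS-305
"""


def parse_audit_log(text):
    """Turn the text log into a list of dicts sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, event, *fields = line.split()
        rec = {"time": datetime.fromisoformat(timestamp), "event": event}
        rec.update(field.split("=", 1) for field in fields)
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def sliding_windows(events, window):
    """Yield each slice of time-sorted (time, payload) pairs that spans at most `window`."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        yield events[start:end + 1]


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` LOGON_FAIL events inside any `window` (assumed policy)."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON_FAIL":
            by_user[r["user"]].append((r["time"], r["device"]))
    return sorted(user for user, events in by_user.items()
                  if any(len(w) >= threshold for w in sliding_windows(events, window)))


def record_snooping(records, max_patients=5, window=timedelta(minutes=10)):
    """Users who touch more than `max_patients` distinct patient records inside any `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] in ("READ", "EDIT", "EXPORT") and "patient" in r:
            by_user[r["user"]].append((r["time"], r["patient"]))
    return sorted(user for user, events in by_user.items()
                  if any(len({p for _, p in w}) > max_patients
                         for w in sliding_windows(events, window)))


def after_hours_exports(records, day_start=6, day_end=22):
    """EXPORT events outside the assumed business-hours window [day_start, day_end)."""
    return [r for r in records
            if r["event"] == "EXPORT" and not day_start <= r["time"].hour < day_end]


def review_audit_trail(text):
    """Run all rules and return the findings a reviewer would follow up on."""
    records = parse_audit_log(text)
    return {
        "failed_logon_bursts": failed_logon_bursts(records),
        "record_snooping": record_snooping(records),
        "after_hours_exports": [(r["user"], r["patient"]) for r in after_hours_exports(records)],
    }


if __name__ == "__main__":
    for rule, hits in review_audit_trail(SAMPLE_AUDIT_LOG).items():
        print(f"{rule}: {hits}")
```

Each rule works on a per-user sliding time window rather than a daily total, because a burst of five failed log-ons in under a minute, or six different patients' charts opened in five minutes, is the pattern that distinguishes guessing or snooping from ordinary clinical work. In a real deployment the thresholds would come from the organization's risk analysis, and the records would be pulled from the EHR's own audit tables or a central log collector rather than an inline string.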
Audit trails are also important in assessing whether a hacking attempt was successful. Under HIPAA, there is no breach to report if an organization can demonstrate that, even though there was a security incident, the data was not accessed, viewed, downloaded or altered. The burden of proof is high, and the only practical way to meet it is to have strong audit trails in place that document exactly what happened during the event and show that PHI was not accessed. An audit trail capability can therefore save thousands or even millions of dollars in investigation, remediation, compliance, and public relations expenses after an event.
Audit trails also reinforce individual user accountability throughout the workforce. A user’s awareness that a record of the access and use of data is being maintained will enhance compliance with system protocols, and many cases of unauthorized access to PHI by members of a workforce have been uncovered through audit trails.
Implementing Audit Controls
OCR’s January newsletter emphasizes that the HIPAA Security Rule leaves decisions about what data should be collected, and how often it should be analyzed, to each organization, based on its risk analysis: “When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities.” So an organization’s data auditing procedures will be a natural outgrowth of the individualized risk analysis required under the Administrative Safeguards provision of the HIPAA Security Rule.
The OCR newsletter outlines a framework of key questions covered entities and business associates should consider in implementing audit controls:
- What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
- What are the audit control capabilities of information systems with ePHI?
- Do the audit controls implemented allow the organization to adhere to its audit control policies and procedures?
- Are changes or upgrades of an information system’s audit capabilities necessary?
OCR’s January newsletter also cautions about the need to secure audit controls from malicious access, since a log that an intruder can edit or delete proves nothing: “Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associates to not only recover from breaches, but to prevent them before they happen.”
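One common technical measure for the tamper-resistance OCR describes is a hash-chained (append-only) log, in which every entry carries a keyed MAC over its own contents and the MAC of the entry before it. The example below is added here to show how such a chain catches an attacker rewriting, deleting or truncating entries; it is not code from the OCR newsletter or from any particular EHR product. It assumes the HMAC key and the latest chain head are stored off the logged system (for instance on a separate log collector), and the three events are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

GENESIS_MAC = "0" * 64  # chain anchor used as the "previous MAC" of the first entry


def entry_mac(key, seq, prev_mac, event):
    """HMAC-SHA256 over the sequence number, the previous entry's MAC and the event.

    Canonical JSON (sorted keys, no whitespace) so the same entry always hashes the same way.
    """
    msg = json.dumps([seq, prev_mac, event], sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class HashChainedAuditLog:
    """Append-only audit log in which every entry is chained to its predecessor.

    Editing, deleting or reordering an entry changes the MAC of every entry after it,
    and an attacker without the key cannot recompute them. Assumption: the key and the
    value returned by head() live off the logged system; this class cannot enforce that.
    """

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS_MAC
        seq = len(self.entries)
        self.entries.append({"seq": seq, "event": event,
                             "mac": entry_mac(self._key, seq, prev, event)})

    def head(self):
        """(count, latest MAC): the checkpoint to record out of band after each append."""
        return len(self.entries), (self.entries[-1]["mac"] if self.entries else GENESIS_MAC)


def verify_chain(entries, key, trusted_head=None):
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry).

    Without `trusted_head` a chain that was merely cut short at the tail still verifies,
    so the head must also be compared against the copy stored elsewhere.
    """
    prev = GENESIS_MAC
    for i, e in enumerate(entries):
        expected = entry_mac(key, i, prev, e["event"])
        if e["seq"] != i or not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    if trusted_head is not None and trusted_head != (len(entries), prev):
        return False, len(entries)
    return True, None


def build_sample_log(key):
    """Three constructed ePHI access events (invented for this example)."""
    log = HashChainedAuditLog(key)
    log.append({"time": "2017-01-10T08:05:00", "event": "READ", "user": "rn_smith", "patient": "P1001"})
    log.append({"time": "2017-01-10T08:06:00", "event": "READ", "user": "jdoe", "patient": "P2001"})
    log.append({"time": "2017-01-10T23:15:00", "event": "EXPORT", "user": "clerk_lee", "patient": "P3001"})
    return log


def tamper_scenarios(key):
    """What verification reports when an intruder tries to cover their tracks."""
    log = build_sample_log(key)
    head = log.head()                          # checkpoint kept on the log collector
    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["user"] = "rn_smith"   # blame someone else for the access
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                             # remove the access entirely
    truncated = log.entries[:-1]               # drop the most recent entry
    return {
        "intact": verify_chain(log.entries, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, trusted_head=head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios(b"demo-key-kept-on-the-log-collector").items():
        print(f"{name}: {result}")
```

The truncation case is the caveat to take away: a chain by itself only proves that nothing in the middle was changed, so the latest head (or simply a forwarded copy of the log) has to reach a system the attacker cannot write to, such as a separate log collector or WORM storage, before the chain is worth anything as evidence.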
Audit trails are a critical tool in detecting unauthorized access and use of systems and software that contain ePHI, enforcing workforce compliance, and in being able to show that a malicious attempt to access, alter, or export PHI was unsuccessful, or that it only had a limited impact. The OCR newsletter is a reminder of how important these measures can be in securing ePHI and provides links to these other resources:
National Institute of Standards and Technology (NIST) http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf – (NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook)
Department of Health and Human Services, Office for Civil Rights (OCR) https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html – (Technical Safeguards)