HIPAA’s blessing is also a curse. It’s specifically designed to be flexible, which allows its requirements to apply to organizations of all sizes—from single-physician practices to national healthcare chains. But, that flexibility means HIPAA requirements can be purposely ambiguous.
That makes it hard to determine what exactly you should be doing to stay compliant. This is especially true when it comes to your strategy for log monitoring.
First off, what is Security Information and Event Management (SIEM)?
SIEM solutions offer a way to operate security under one security management system that provides real-time analysis of your security measures.
Having a managed SIEM solution in place generates alerts to help you stay on top of your security. Here’s how SIEM and HIPAA work together.
How to meet HIPAA Requirements
The HIPAA Security Rule provides high-level guidance with the Information System Activity Review implementation specification [CFR §164.308(a)(1)(ii)(D)]:
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
That sounds nice. But, it doesn’t provide much guidance in the way of “What should I actually be doing? And, how often should I be doing it?” To fully understand this requirement, we need to look at the big picture of HIPAA’s Security Management Process standard, which requires “policies and procedures to prevent, detect, contain, and correct security violations.”
- Risk Analysis
- Risk Management
- A Sanction Policy
- Information System Activity Review
The Information System Activity Review is the lynchpin of this requirement. It ensures all the other parts are working properly. And, this is where SIEM Technology and HIPAA compliance come in.
Why are SIEM solutions effective for HIPAA Compliance?
First, let’s talk about where you should be monitoring. During your risk assessment, you should identify the systems that contain most of your organization’s sensitive data. Focus your monitoring efforts there.
While not applicable to all organizations, here are some general areas you may benefit from monitoring:
- Security controls at your network perimeter (firewalls, IPS, remote access systems, VPN connections, to name a few)
- User authentication systems inside the network (Microsoft Active Directory for most organizations, and authentication logs for key business and clinical applications)
- Any systems that are primary repositories for ePHI (EHR systems and any major clinical systems)
And, what exactly should you look for when monitoring? You’re looking for common security events indicating unauthorized access to sensitive data, financial information, or anything that would have a negative effect on the business.
So, how do SIEM Technology and HIPAA Compliance work?
Note the requirement from HIPAA is not just to log activity but to review that activity. That can pose a problem for many organizations. Because logs capture a lot of activity, reviewing them can be time-intensive.
SIEM lets you identify exactly what types of activity you want to monitor as well as the specific systems you want to monitor. Then, using logic you program into the system, it can scan the logs for anomalous activity and alerts you in real-time. This lets you filter out the “noise” of irrelevant logs and focus specifically on potentially threatening activities.
In addition to the ability to respond to events in real-time, you’ll get all your logs in a centralized location in a standardized format, making SIEM technology great for HIPAA Compliance. You’ll have clear visibility into whether your risk management processes are operating effectively. If you’re regularly seeing the same type of event, it may be a cue to implement some additional controls.
The ability to program activity-specific logic into the SIEM system helps you identify activities that may indicate problems with HIPAA compliance. And, whenever an auditor comes knocking, you’ll be able to highlight your log review methodology from a logical, defensible position that accounts for risks specific to your organization.
Even though a SIEM system can help you automate and monitor aspects of your HIPAA compliance, consistently monitoring logs can still be a time-intensive process. If you’re handling this on your own, we recommend reviewing logs at least weekly, but preferably daily.