Maintaining Computer Logs for HIPAA Compliance

Millions of dollars are spent on costly HIPAA settlements due to violations and a lack of compliance.  Overlooking risk can result in a security breach.  

Covered entities are required to not only make a security risk assessment to safeguard the electronic protected health information (ePHI) but also to act on those assessments.  This article explores the maintenance of computer logs and how this procedure can detect an unauthorized access.

Breaches of ePHI can be caused by simple mistakes (someone loses a laptop) or by a bad actor (a hacker or rogue employee). One of the more common, and least expected cases is the example of a rogue employee. Let’s take a look at that type of case, and what can be done.

Rogue employees typically look to access and copy patient records for sale on the black market or to commit fraud. As an example, a practice in Memphis had an employee that stole patient information and committed $1.6 million in bank fraud!

What could have been done to prevent this? The employee probably had authorized access to the practice’s systems, but was that access used properly?

• Was anyone checking on the access? Most likely not!
• Did the practice know if the employee was accessing the system at 3 AM from home?
• Was the employee looking at an unusually large volume of records? Was the employee looking at records they had no business reason to be accessing?

Therein lies the value of checking access logs! Spotting potential problems before they become real problems is the key to preventing an ePHI breach from a rogue employee. When your employees know their access is logged, and the logs are regularly checked, it reduces their temptation to do anything inappropriate.

“When your employees know their access is logged, and the logs are regularly checked, it reduces their temptation to do anything inappropriate.”

It is not uncommon for organizations to discover and report breaches a year or two after they happened because they delayed or failed to check their logs. Don’t let this happen to you!

Keep in mind, computer logs can be voluminous and difficult to interpret, so you have to be very smart when checking logs. This will help to minimize the time spent, while still doing your due diligence.

First, you need a reporting system that can summarize who accessed the system over a certain timeframe, along with other relevant information. Preferably, the report would only point out what MIGHT be unauthorized access, so you can investigate further. Check with your IT staff, IT provider and your software vendors on how to optimize reports to analyze logs and system access.

Here are some commonly asked questions about logs:

Q. Is this really a HIPAA requirement?

A. Yes, here are the sections of the HIPAA Security Rule that discuss ePHI:

• Section 164.308(a)(1)(ii)(d): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
• Section 164.308(a)(5)(ii)(c): Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
• Section 164.312(b): Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Q. How often should I run the reports?

A. As with many items in HIPAA, it is up to your discretion. Once per month is probably fine, but think through your situation and what is best for you. Larger practices may allocate this task to their contracted IT vendor.

Q. Which systems should I run reports on?

A. All systems that contain ePHI. Hopefully your software vendors are aware of this type of requirement for HIPAA and have reports already designed for this purpose.

Q. What information should the reports contain?

A. It depends on the goal you are trying to achieve, but primarily it will be to determine if inappropriate access has occurred. Some of the information that could be analyzed includes:

• What time an employee logs in. From where (local or remote)
• The number of failed login attempts on a computer or using a specific ID
• Who downloaded new software, and when
• When and how often passwords are changed
• What information was accessed by the person logged in
• What protected health information (PHI) was changed and by whom

Q. What do I do if I suspect wrong doing?

A. Review the information with your IT staff, IT vendor or software vendor to see if they agree with your conclusions. If you still think something is wrong, contact your contracted IT vendor or Modern Practice Solutions and we can review the situation with you.

Q. What should I do with the reports once I have reviewed them?

A. Best practice would be to upload them to the Modern Practice Solutions Mycase portal. Make sure the report indicates the time frame of the analysis, date of the analysis and who performed the analysis. In the event that you do have a breach, investigators will ask you for a copy of your log reviews. Being able to produce these will tremendously improve your standing in the case of an investigation or audit.

Q. How long should it take to review the reports?

A. Properly configured reports should only take a few minutes to run and analyze assuming no irregularities are discovered.

Q. Is there any other value to this?

A. Yes! This is something that every organization should be doing (regardless of what industry they are in), and is a best practice for cybersecurity. Don’t think there is no value in this – early discovery and prevention of problems will avoid enormous time and expense later.

Remember, your practice has the resources it needs to successfully prevent a breach of ePHI, you just need to know who to ask and how to effectively use them. We at Modern Practice Solutions are here to help in any way possible. If you have additional questions on this subject, do not hesitate to contact us at [email protected] or by giving us a call at (931) 232-7738 Learn more about us and our services at DentalComplianceTN.com.  Schedule your comprehensive Security Risk Assessment today!