The Importance of Audit Logs

By: Jodie Cannon, BS, HCISPP

Some of the top breaches happen due to unauthorized users accessing ePHI. What exactly is an unauthorized user? An unauthorized user is any individual(s) who have not been authorized or have not been given access to ePHI. It is the person or persons who used the protected health information or to whom the disclosure of protected health information was made. Under HIPAA, this is considered a breach and by law is reportable. Breaches of ePHI can be caused by mistakes (someone loses a laptop) or by a bad actor (hacker, rogue employee).

Former employees and even current employees could be considered unauthorized users. Consider the case of the Kentucky Counseling Center. KCC discovered a current employee was copying and accessing patient information. The current employee uploaded the data to an anonymous file and shared the data with a former employee. 16,440 patients were affected. This breach is still currently under investigation by the OCR (Office of Civil Rights). We will see KCC in the media again once the penalties for the breach are assessed.

It is not uncommon for organizations to discover and report breaches a few months or even a year or two after they have happened or an unauthorized user has been discovered. Insufficient ePHI access controls and snooping on health care records are the two most common HIPAA violations that we should be aware of in the medical industry.

Under the HIPAA Security Rule, covered entities and their business associates are required to limit access to ePHI to authorized individuals. Remember the case of Anthem Inc. which was penalized $16 million for access control failures. Anthem Inc. was one of the largest breaches in U.S. history. Attackers had gained access originally through a phishing email incident and were eventually able to gain further access to their systems over time. Two of the alleged HIPAA violations from the OCR (Office of Civil Rights) were:

45 C.F.R. § 164.308(a)(1)(ii)(D) – The failure to implement procedures to regularly review records of information system activity.

5 C.F.R. § 164.502(a) – The failure to prevent the unauthorized access of the ePHI of 78.8 million individuals that was maintained in its data warehouse.

Accessing patient health records for reasons other than those permitted by the Privacy Rule is a violation of patient privacy. Snooping on healthcare records of family, friends, neighbors, co-workers,
celebrities, or accessing records of patients that you are not treating is considered a violation of patient privacy. University of California Los Angeles Health System was fined by the Office of Civil Rights $865,000 for failing to restrict access to medical records. A physician accessed the medical records of celebrities and other patients without authorization a total of 323 times. The University was fined for not having the required safeguards in place restricting access and fined for the lack of access management of performing audit trails.

Q&A

Q. Are audit logs really a HIPAA requirement?
A. Yes, here are the sections of the HIPAA Security Rule that discuss this:

•  
  • Administrative Safeguards:
    • Information system activity review (Required): 45 CFR § 164.308(a)(1)(ii)(D): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
    • Log In Monitoring (Addressable): Security Awareness & Training: 45 CFR §164.308(a)(5)(ii)(c): Procedures for monitoring log-in attempts and reporting discrepancies.
  • Technical Safeguards:
    • Audit controls (Standard): 45 CFR § 164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information.

Q. What systems or software programs should I run audit report logs on?
A. Audit logs should be performed on any software programs or systems containing ePHI. For example: practice management software, digital x-ray software, electronic claims software, server. Your software vendors should be able to assist you with the type of audit log reports in the software programs. Your software vendors should already be aware of this type of HIPAA requirement and have reports already designed for this purpose.

Work with your IT specialist regarding server audit logs. Authorized users in addition to the IT Specialist, to include certain staff members, may have direct access to the server or have access to remote into the server. The server audit log will indicate who is accessing the server, and these type of audit logs are usually run periodically by the IT Specialist. Make sure you log that the audit report was viewed, date viewed, which software, and who viewed the report. This can be documented on the System Activity Review Log.

Q. What other types of audit report logs should I run?
A. Types of audit report logs include deleted entry reports, logins, and claim adjustment reports, to name a few. Your software should contain a list of audit reports to run.

Q. How often should I run the reports?
A. The Security Rule does not identify data that must be gathered by audit controls or how often the audit reports should be reviewed. This will be up to the covered entity to determine the periodic review of audit trails. Centers for Medicare & Medicaid Services states, “A covered entity must consider its risk analysis and organization factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain ePHI.’

Computer logs can be voluminous and difficult to interpret. So, you have to be very smart and efficient when checking logs in order to minimize time spent on this. You need a reporting system that can summarize who accessed the system over a certain timeframe and other relevant information.

Preferably the report would only point out what MIGHT be unauthorized access so you can investigate further. Check with your IT staff, IT provider and your software vendors on how to optimize reports to analyze logs and system access.

Q. What do I do with the reports once I have reviewed them?
A. In most software programs, the audit trails are automatically saved in the software program;
however, you should always back up your data. We recommend saving them to a limited secure area such as encrypted jump drive, encrypted server, etc. There have been incidents with previous practices where the former employee remotely logged in and deleted the audit trails from the practice management software. The former employee was considered an unauthorized user and was not properly deactivated from the system containing ePHI. Best practice would be to upload them to the HIPAA Secure Now! portal. In the event that you do have a breach, investigators will ask you for a copy of your log reviews. Being able to produce these will tremendously improve your standing in the case of an investigation or audit.

The goal you are trying to achieve by performing and reviewing audit logs is to determine whether
inappropriate access has occurred, identify risks, and prevent a possible breach. Applying additional security controls may be required to prevent further inappropriate access. This is a best practice for cybersecurity.

If your Practice does not have HIPAA policies in place such as access management, audit controls, login monitoring, and system activity review policy and logs, please reach out to our office at (931) 232-7738 or email [email protected].

We also offer an extensive Advanced HIPAA Course specifically designed for Privacy/Security Officers and upper office management. This course breaks down privacy/security policies, security incidents, how to report breaches, Business Associates, and so much more. For more information or to register, reach out to [email protected] or call (931) 232-7738.

Classes fill quickly, so reserve your spot soon!

Additional resource: https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf