HIPAA Audit Logs: What Are the Requirements for Compliance?
HIPAA audit log requirements are not difficult to follow, and they can help bolster your company’s overall security posture.
What are HIPAA audit logs? HIPAA audit logs are records of who accessed the network, at what time, what actions they took, and what documents or data they viewed in order to create a trail of activities. Audit logs are a requirement for HIPAA compliance.
What Is the Purpose of an Audit Log?
IT systems process thousands of individual events each day: security incident events, user access events, configuration adjustment events, and so on. Understanding these events is critical for administrators and security experts because they show when and how things happen and whether they went wrong. They are a critical component of security risk management.
To maintain records of these events in a useful way, a secure system keeps audit logs that provide a trail of evidence that can be used for compliance reporting and forensics in cases of a HIPAA breach.
Uses of Audit Log Trails
Typical uses of audit logs include the following:
- Compliance: Most security regulations (including HIPAA) require audit logs. These logs serve the dual purpose of ensuring that an organization can investigate data breaches and provide evidence of compliance during audits.
- Forensics: Once a data breach occurs, an organization must work fast to mitigate the issue and understand it to remediate security problems. This process is impossible in large IT infrastructures without reliable audit trails.
- Disaster Recovery: If a non-security issue occurs that results in data loss or system inoperability, enterprises must move fast to get things back up and running. Automated and manual recovery efforts rely on audit logs to confirm that the problem was understood and solved and to avoid it in the future.
Features of Audit Logs
A proper audit log system for modern enterprise infrastructure typically includes at least some, if not all, of the following features:
- Automation: Logs must be recorded automatically when an event occurs. This includes attempts to log into a system, access to specific resources, and changes to files, folders, and databases. Furthermore, administrators should be able to streamline system audits into quick workflows with little or no overhead.
- Immutability: An audit log isn’t worth much if it isn’t reliable, and tampering or data corruption affecting audit logs can render a chain of evidence worthless. A sound audit log system must include some way to guarantee that a record is accurate, untouched, and trustworthy.
- Robust information: Audit logs can track almost any piece of information you want, but some information is more valuable than others. A complete audit log system should store key information about any event, including date and time stamps, descriptions of events, affected systems, and any errors or warnings.
It’s important to note that cybersecurity and IT audit logs aren’t necessarily the same as financial audit logs, although they often overlap.
HIPAA Laws and Audit Logs
HIPAA regulations define specific security requirements for all electronic protected health information (ePHI) and the systems that contain it, including the maintenance of logs of system activity.
The Privacy and Security Rules designate that all healthcare providers and insurance companies (Covered Entities) and their business partners (Business Associates) must maintain physical, technical, and administrative controls over confidentiality, integrity, and availability of patient information. This includes maintaining critical audit logs around the access and processing of that data.
Per HIPAA regulations, a compliant system will include the following types of audit logs:
- Application audit trails: Audit logs must monitor user activity for people using any applications, including workstation and cloud applications. These logs will monitor how files are opened and closed, created, edited, and deleted.
- System-level audit trails: System audit logs will record system-wide events, including system shutdowns or reboots, user authentication and authorization, and resource access by specific users.
- User Audit Trails: These audit logs might seem similar to system-level trails, but they focus more specifically on user activity, including access to PHI and any system commands executed by that user.
HIPAA Audit Log Requirements
Following these requirements, a CE or BA must track the following events through audit logs:
- User login attempts, successful or unsuccessful
- Changes to databases storing PHI
- Adding, removing, or changing permissions and roles for users in the system
- Access to files, databases, or directories by users
- Firewall logs tracking attempted connections into and out of the security perimeter of the system
- Logs of anti-malware software
- Access to paper records
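The immutability feature described earlier and the list of events above can be combined in a small append-only, hash-chained audit log. This is an added illustration, not Kiteworks code or a HIPAA-mandated format; the event names, field layout and sample activity are assumptions constructed for the example, and paper-record access (a sign-out sheet) is tracked outside such a system.

```python
import hashlib
import json
from datetime import datetime, timezone

# Electronic event categories drawn from the list above (names are assumed).
EVENT_TYPES = {"login", "phi_db_change", "permission_change",
               "file_access", "firewall", "antimalware"}
GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash, payload):
    # Canonical JSON so an identical entry always produces the same hash.
    data = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


class AuditLog:
    """Each entry commits to the hash of the one before it, so any later
    edit, deletion or reordering breaks the chain and is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, event_type, user, system, description, outcome, ts=None):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event_type}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"ts": ts or datetime.now(timezone.utc).isoformat(),
                   "event": event_type, "user": user, "system": system,
                   "description": description, "outcome": outcome}
        self.entries.append({**payload, "prev": prev, "hash": _entry_hash(prev, payload)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or _entry_hash(prev, payload) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def demo():
    # Constructed sample activity, not real data: a failed login followed by chart access.
    log = AuditLog()
    log.record("login", "jdoe", "ehr-app", "bad password", "failure", "2024-01-01T09:00:00+00:00")
    log.record("file_access", "jdoe", "ehr-app", "opened chart 1234", "success", "2024-01-01T09:01:00+00:00")
    before = log.verify()
    log.entries[0]["outcome"] = "success"  # simulated after-the-fact edit of the log
    return before, log.verify()            # -> ((True, None), (False, 0))
```

In practice the chain head (or the entries themselves) is also shipped to a separate system such as a SIEM, so a compromised host cannot simply rebuild the whole chain.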
Additionally, because HIPAA regulations are so widespread and prioritized, the National Institute of Standards and Technology (NIST) released Special Publication 800-66, a document that outlines how organizations can meet HIPAA security requirements. This publication includes guidance on how organizations can approach implementing audit logs, including questions that guide them through the process.
These questions include the following:
- Where is ePHI within IT systems, and where is it vulnerable?
- What activities, applications, or processes render ePHI vulnerable, including locations where it is available to access by internal or external stakeholders?
- What activities inside and outside an IT system should be monitored for specific or potential interaction with ePHI?
- How will logs be reviewed? By whom, on what schedule, and through what mechanisms?
- How will reporting work, who will handle reports, and how will they be processed?
- How will suspect activity, confirmed breaches, and security investigations operate, and how will they utilize existing logs?
- How can the system administrators protect the integrity of these logs within HIPAA standards?
A full rundown of HIPAA audit log suggestions can be found in NIST SP 800-66.
It becomes apparent after reviewing such questions that audit trails cover several practices, media, and processes. For example, an employee checking out a tablet might complete a paper sign-out sheet and log into the device, both of which provide a record of procurement (one a relatively accurate paper record with a date and time and the other a digital user event).
There is some debate over whether or not audit logs fall under the six-year rule for document retention under HIPAA. On the one hand, audit logs in IT systems handling PHI seem to be a clear candidate for audit log retention. On the other hand, audit logs don’t always contain or disclose PHI. Requiring mandatory retention could unintentionally expose business secrets or cause undue burden on organizations.
HIPAA rules and the Department of Health and Human Services (HHS) do not specify exactly what information must be logged and thus what should be retained for six years. The short answer that many experts give is that if a risk analysis and clear justifications are given for why some logs are retained and others are not, HHS can make a supportive ruling for compliance requirements.
How Does Kiteworks Help With HIPAA Audit Log Compliance?
Using a centralized platform to handle documents and files can support HIPAA compliance by bringing together the tools necessary to maintain that compliance, including comprehensive audit logging.
The Kiteworks platform brings together several key features for HIPAA compliance:
- Security and compliance: Kiteworks utilizes AES-256 encryption for data at rest and TLS 1.2+ for data in transit. Its hardened virtual appliance, granular controls, authentication, other security stack integrations, and comprehensive logging and audit reporting enable organizations to easily and quickly demonstrate compliance with security standards. It has out-of-the-box compliance reporting for industry and government regulations and standards, such as HIPAA, PCI DSS, SOC 2, and the General Data Protection Regulation (GDPR).
In addition, Kiteworks touts certification and compliance with various standards that include, but are not limited to, FedRAMP, FIPS (Federal Information Processing Standards), FISMA (Federal Information Security Management Act), CMMC (Cybersecurity Maturity Model Certification), and IRAP (Information Security Registered Assessors Program).
- Audit logging: With the Kiteworks platform’s immutable audit logs, organizations can trust that attacks are detected sooner and maintain the correct chain of evidence to perform forensics. Since the system merges and standardizes entries from all the components, its unified Syslog and alerts save security operations center teams crucial time and help compliance teams to prepare for audits.
- SIEM integration: Kiteworks supports integration with major SIEM solutions, including IBM QRadar, ArcSight, FireEye Helix, LogRhythm, and others. It also has the Splunk Forwarder and includes a Splunk App.
- Visibility and management: The CISO Dashboard in Kiteworks gives organizations an overview of their information: where it is, who is accessing it, how it is being used, and if sends, shares, and transfers of data comply with regulations and standards. The CISO Dashboard enables business leaders to make informed decisions while providing a detailed view of compliance.
- Single-tenant cloud environment: File transfers, file storage, and user access occur on a dedicated Kiteworks instance, deployed on-premises, on an organization’s Infrastructure-as-a-Service (IaaS) resources, or hosted as a private single-tenant instance by Kiteworks in the cloud by the Kiteworks Cloud server. This means no shared runtime, shared databases or repositories, shared resources, or potential for cross-cloud breaches or attacks.
To learn more about how Kiteworks enables custom HTML audit logs, schedule a custom demo of Kiteworks today.