- Reviewing and securing audit trails, while also ensuring the proper tools to collect, monitor, and review those audit trails are in place are key audit control considerations for covered entities and business associates, according to the Office for Civil Rights (OCR).
In the latest OCR cyber newsletter, the agency urges healthcare organizations to properly safeguard audit logs and audit trails to prevent hackers and malicious insiders from creating a potential data breach.
“Protecting audit logs and audit trails prevent intruders from tampering with the audit records and protecting their integrity,” the newsletter states.
Citing the National Institute of Standards and Technology (NIST), OCR explains that “audit logs are records of events based on applications, users, and systems.” Audit trails on the other hand consist of audit logs of applications, users, and systems, and are designed to “maintain a record of system activity by application processes and by user activity within systems and applications.”
The HIPAA Security Rule also requires covered entities and business associates to implement necessary hardware, software, and/or procedural mechanisms to record and examine information system activity that holds or uses ePHI, OCR maintained.
“The majority of information systems provide some level of audit controls with a reporting method, such as audit reports,” the newsletter explains. “These controls are useful for recording and examining information system activity which also includes users and applications activity.”
Application audit trails, system-level audit trails, and user audit trails are all examples of ways that healthcare organizations can implement audit controls.
However, it is important to understand that the Security Rule does not specify what information should be collected from an audit log or trail or how often the audit reports should be reviewed.
“When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities,” OCR writes.
If a small primary care clinic has less than 10 doctors on staff, and it does not permit employees to use their own mobile devices, it might not be necessary for encryption to be put on the work devices. However, the organization may want to utilize firewalls and multi-factor authentication for its office computers.
The Security Rule lists audit controls as one of four main areas for covered entities and business associates to consider when implementing technical safeguards. Audit controls should be reviewed along with access controls, integrity controls, and transmission security.
Integrity controls are policies and procedures that ensure ePHI is not altered or destroyed, while transmission security is where covered entities implement technical security measures to protect against unauthorized ePHI access transmitted over electronic networks.
Different tools may also benefit organizations, and it is essential for covered entities and business associates to properly assess their own needs.
Reducing risk is a major benefit of audit controls, and healthcare organizations may consider audit controls for the following situations:
- Inappropriate access
- Tracking unauthorized disclosures of ePHI
- Detecting performance problems and flaws in applications
- Detecting potential intrusions and other malicious activity
- Providing forensic evidence during investigation of security incidents and breaches
Audit trails should be regularly reviewed, both during real-time operations and after any type of security incident or data breach has taken place.
“Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach,” OCR stresses in the newsletter. “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”
Covered entities and business associates should also consider if there are necessary upgrades or changes to an information system’s audit capabilities. Furthermore, it is also important to see if implemented audit controls still allow an entity to adhere to their audit control policies and procedures.