(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Tell Me More:
The objective the Audit Controls Standard / implementation specification is to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (EPHI).
Audit controls refer to the capability to record and examine system activity. The audit control standard provides a means to assess activities regarding the electronic protected health information in an entity’s care. Audit controls should generate system audit logs that serve as input into the Information System Activity Review that is required under the Security Rule.
Entities must implement this standard but have flexibility to implement the Audit Controls standard in a manner appropriate to their needs as deemed necessary by their own risk analyses. Risk assessment and risk analysis can be used to determine how intensive any audit control function should be.
All computers that are used in business today have the ability to capture system activity that shows details of the work performed by the computers. However, it is important to turn the audit system ON. The audit system can be taxing on system resources and difficult to manage. Therefore it is important to work with the IT Department to tailor and secure the audit system and audit logs. Industry best practices include the use of automated audit analysis tools to manage the audit systems as well as the audit logs or records that are generated by the audit system and determine significant events and trends. These tools (like other monitoring mechanisms) must be fine-tuned over time to eliminate false alarms and ensure that significant occurrences are made known. These audit analysis tools should provide the audit log reports in a human-readable and intelligible format that will facilitate the internal systems review process of audit logs.
There are a wide variety of approaches to auditing systems. These range from tracking at the keystroke level (which may degrade system performance) to more generalized tracking, e.g., log-on tracking, which may not provide enough specific information to identify problems. It is important that system activity audits (1) are specific enough to identify security problems and (2) give the organization the ability to identify such potential problems which may be a time consuming task. There is great deal of discussion regarding what is the appropriate balance.
A complete set of HIPAA Security Policies and Procedures may be purchased here.
Questions to consider:
- Are activity audit logs currently created?
- If so, are they sufficiently detailed to identify potential security problems and is the organization reviewing the logs in enough detail to identify such potential problems? If audit logs are not created or are not sufficient, the organization will have to change its current procedures.
- Has the organization documented and implemented hardware, software and procedures that audit file/record accesses, access attempts, modifications, or deletions for all systems and applications containing ePHI?
- Does the organization have procedures in place for the regular review of audit logs?
- Are there reporting process procedures in place for violations found within the audit log review?
- Does the organization have procedures implemented to use software or hardware solutions that will provide notification of abnormal conditions that may occur in a networked system?
- NIST SP 800-12 chapter 18 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-33 Underlying Technical Models for Information Technology Security
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations