Want to Protect PHI? Review Your System Logs

Want to Protect PHI?  Review Your System Logs

By Tracy Martin – Senior Information Security Consultant – Intrinium

Consider all of the data that your organization routinely gathers, generates and stores on company servers (as well as on offsite servers maintained by a third party if you rely on cloud computing services for backup). This sensitive information is a tempting target for cyber criminals bent on committing identity theft and fraud.

Failure to protect this information could lead to a massive departure of individuals (patients, customers, clients) as well as lawsuits prompted by the resulting cyber crimes. This is why you and your fellow stakeholders must pay careful attention to how you are safeguarding computer files. You may need to review your policies or hire a consultant to help you identify holes in your security protocols.

Keep in mind that your organization’s information system activity review requires you to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports,” as noted in “An Introductory Resource Guide for Implementing the HIPAA Security Rule” from the National Institute of Standards and Technology.

Read on to learn more about the importance of HIPAA compliant system logs.


In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability ACT. The Department of Health and Human Services is in charge of setting HIPAA regulations as well as enforcing HIPAA compliance.

HIPAA is designed to protect individuals’ health data, especially since the information is stored in digital format and will need to be transmitted over secure networks, such as when an employee changes jobs and needs to arrange for health insurance to continue.

Three types of organizations are subject to HIPAA compliance:

  • Health care providers
  • Health plan providers
  • Health care information clearinghouses

What’s more, business associates of these types of organizations will also need to comply with HIPAA guidelines to safeguard information, such as companies that handle accounting, legal, data or management services for health providers.

All affected organizations must store access and event logs for six years in order to be HIPAA compliant, according to the Centers for Medicare and Medicare Services report on “Medical Record Retention and Media Formats for Medical Records.”

What Are HIPAA Compliant System Logs?

System logs keep track of small pieces of data having to do with activity on computers, ranging from operating system activities, database read/write sessions and events taking place in devices such as routers and printers.

For example, when you log in after a lunch break, the system will take note of this fact, with a time and date stamp marking exactly when this happened. The system log will also record what actions you took, such as opening up a record or making a modification.

In a medical practice, insurance company or clearinghouse, not all employees will necessarily need access to patient information. Since only authorized personnel should be looking at these files, you must have a system in place to let you perform audits. Otherwise, you wouldn’t have a record of unauthorized attempts to get into the system.

Types of data you can record in system logs include:

  • Employee login dates and times
  • How many attempts at login failed?
  • What record or records were accessed?
  • What is the name of the person who logged in at a specific date and time or from a particular workstation?
  • What information was removed or changed?

A benefit of system logs is that you can quickly spot patterns in the data, such as a series of login attempts by the same employee for three afternoons in a row, when this employee typically only accesses the system in the morning to prepare reports for staff meetings. This potentially suspicious behavior would be easier to notice.

Or, the system shows a number of brute force attempts to log in, prompting your information security team to upgrade the firewall or require all users to change their passwords.

Not only do you want to maintain system logs in case of a HIPAA audit so you can demonstrate your organization’s compliance to the auditors, the information you store will be helpful to computer security professionals to figure out how the intruders got in and how to keep them from coming back.

It’s not enough to just compile system logs. You should assign someone to review them on a regular basis and to generate reports of any discrepancies or other issues having to do with unauthorized access.

Do You Need Help Securing Your System Against Intruders Seeking HIPAA-Protected Data?

If your organization is in need of a cyber security overhaul or if you think you would benefit from an objective third party to evaluate your current security policy and protocols, we would love to connect with you.

Pin It on Pinterest

Share This