
Tip of the month of October, 2007 - Week 1

AUDITING AND MONITORING

Organizations should develop an information security audit policy that addresses the HIPAA compliance requirements and establishes the capability to review the state of their systems and applications. In practice this usually results in two policies: an Information Security Audit Policy and an Information System Activity Review Policy.

Let us take a look at a sample template for an Information Security Audit Policy:

<<Organization name>> will identify the critical systems that require event auditing capabilities and will define the events to be audited on each such system. At a minimum, event auditing will be enabled on all systems that process, transmit, and/or store sensitive information, such as Electronic Protected Health Information (EPHI). Events to be audited may include, but are not limited to, logins, logouts, and file accesses, deletions, and modifications.

<<Organization name>> will protect all audit reports and log files from unauthorized access and modification, and will review the use of software and application tools for examining audit files. When requested for the purpose of performing an audit, authorized members of <<Organization name>>'s security team will be given the access they need. This access may include:

  • User level and/or system level access to any computing or communications device  
  • Access to information (electronic, hardcopy, and so on) that may be produced, transmitted, or stored on <<organization name>>’s equipment or premises
  • Access to work areas (labs, offices, cubicles, storage areas, and so on)     
  • Access to interactively monitor and log traffic on <<organization name>>’s networks

For a quick reference card on ISO 27002, the new international security standard, contact Lorna Waggoner at 1.877.899.9974 x17

Get HIPAA Certified On-line!

HIPAA Academy, the industry’s leading provider of HIPAA training, certification and consulting, has made available on-line the content and exams for HIPAA Academy’s Certified HIPAA Professional (CHP). 2007 clients include many hospitals, long term care organizations, BCBS, several business associates and leading firms such as IBM, HP, E&Y, Kaiser Permanente and others. For details, please visit www.HIPAAAcademy.Net.

For more information visit www.aha-solutions.org, contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net


HIPAA Tip

Sample Information System Activity Review Policy

Information System Activity Review is a required implementation specification defined in the HIPAA Security Rule (§ 164.308(a)(1)(ii)(D)).

Now let us examine a template for a policy that addresses the requirement of Information System Activity Review:

<<Organization name>> will clearly identify all critical systems that process sensitive information and will implement security procedures to regularly review the records of information system activity on those systems.

The information maintained in audit logs and access reports, including security incident tracking reports, must include as much of the following as is reasonable and appropriate:

  • User IDs
  • Dates and times of log-on and log-off
  • Terminal identity, IP address and/or location, if possible
  • Records of successful and rejected system access attempts

Safeguards must be deployed to protect against unauthorized changes and operational problems including:

  • The logging facility being deactivated
  • Alterations to the message types that are recorded
  • Log files being edited or deleted
  • Log file media becoming exhausted, and either failing to record events or overwriting itself
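The two lists above say what a reviewable record must contain and how a logging facility can fail or be tampered with. As an added illustration (not from the ecfirst page or the HIPAA Academy templates), the Python below runs a simple activity review over a small constructed audit log: it flags records that lack a required field, a silence longer than a threshold that may indicate the logging facility was deactivated, and repeated rejected log-on attempts, and it uses a SHA-256 hash chain to locate the first edited, deleted, or truncated line. The log format, field names, thresholds, and sample records are all assumptions chosen for illustration.

```python
"""Illustrative information-system-activity review over a constructed audit log.

Added example; not part of the ecfirst / HIPAA Academy page. The log format,
field names, thresholds and sample records are assumptions for illustration.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed sample audit log, one pipe-delimited record per line.
# Fields: timestamp | user ID | terminal/IP | event | outcome
SAMPLE_LOG = """\
2007-10-01T08:00:00|jsmith|10.1.4.22|logon|success
2007-10-01T08:05:13|jsmith|10.1.4.22|file_access:/ehr/patient/1042|success
2007-10-01T08:06:40|mlee|10.1.4.31|logon|rejected
2007-10-01T08:06:52|mlee|10.1.4.31|logon|rejected
2007-10-01T08:07:05|mlee|10.1.4.31|logon|rejected
2007-10-01T08:07:20|mlee|10.1.4.31|logon|rejected
2007-10-01T11:30:00|jsmith|10.1.4.22|logoff|success
2007-10-01T11:31:00||10.1.4.9|file_delete:/ehr/patient/1042|success
2007-10-02T07:59:00|admin|10.1.4.5|logon|success
"""

REQUIRED_FIELDS = ("timestamp", "user_id", "terminal", "event", "outcome")
MAX_SILENCE = timedelta(hours=8)   # assumed: a gap this long on a busy system is suspicious
REJECT_THRESHOLD = 3               # assumed: this many rejected log-ons by one user is flagged


def parse_log(text):
    """Split the pipe-delimited log into one dict per record (1-based line number kept)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != len(REQUIRED_FIELDS):
            raise ValueError(f"line {lineno}: expected {len(REQUIRED_FIELDS)} fields, got {len(parts)}")
        records.append(dict(zip(REQUIRED_FIELDS, parts), line=lineno))
    return records


def review(records):
    """Return a list of (finding, where, detail) tuples for the reviewer."""
    findings = []
    rejects = {}
    prev_ts = None
    for r in records:
        # Each record must carry the fields the policy requires.
        missing = [f for f in REQUIRED_FIELDS if not r[f]]
        if missing:
            findings.append(("incomplete_record", r["line"], missing))
        if not r["timestamp"]:
            continue
        # A long silence suggests the logging facility was deactivated or its media filled up.
        ts = datetime.fromisoformat(r["timestamp"])
        if prev_ts is not None and ts - prev_ts > MAX_SILENCE:
            findings.append(("logging_gap", r["line"], ts - prev_ts))
        prev_ts = ts
        # Rejected access attempts are the raw material of the security incident report.
        if r["event"] == "logon" and r["outcome"] == "rejected":
            rejects[r["user_id"]] = rejects.get(r["user_id"], 0) + 1
    for user, count in rejects.items():
        if count >= REJECT_THRESHOLD:
            findings.append(("repeated_rejected_logon", user, count))
    return findings


def chain_digests(text):
    """Per-line SHA-256 digests where each digest also covers the previous one.

    Storing these on a separate, write-protected system lets a reviewer detect edits
    and deletions in the log file itself (an edit to line n changes every digest from n on).
    """
    prev = b""
    digests = []
    for line in text.splitlines():
        prev = hashlib.sha256(prev + line.encode()).digest()
        digests.append(prev.hex())
    return digests


def first_tampered_line(text, digests):
    """Return the 1-based number of the first line that no longer matches the stored chain, or None."""
    recomputed = chain_digests(text)
    for i, (now, stored) in enumerate(zip(recomputed, digests), 1):
        if now != stored:
            return i
    if len(recomputed) != len(digests):
        # Every compared line matched, so the file was truncated or appended to.
        return min(len(recomputed), len(digests)) + 1
    return None


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

The gap check only works if the reviewer knows the system is normally busy; a quiet system needs a heartbeat event or a comparison against expected activity per hour. The hash chain detects alteration after the fact; it does not stop it, so the digests (or the log itself) still have to be written somewhere the administrators of the audited system cannot edit.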

Responsibilities:

The Security Officer will clearly identify:

  • The systems that must be reviewed
  • The information on these systems that must be reviewed
  • The types of access reports that are to be generated
  • The security incident tracking reports that are to be generated to analyze security violations
  • The individual(s) responsible for reviewing all logs and reports


For a complete set of templates to comply with HIPAA Security compliance requirements, please visit www.HIPAAAcademy.Net.


Last updated: October 10, 2007