Information System Activity Review

HIPAA’s Security Rule requires in paragraph 164.308(a)(1)(ii)(D) that covered entities “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Many organizations are not in full compliance with this required specification.

The purpose of reviewing system activity is to identify whether any EPHI is used or disclosed in an inappropriate manner. In many cases, audit logs are only reviewed when a problem arises and an investigation is launched. However, the intent of this specification is to have entities schedule reviews on a regular basis to proactively look for potentially problematic activity.

An ideal process would be to schedule reviews approximately monthly. Constrain each report to one or two days' worth of data, as a longer period would produce an overwhelming amount of information. Review the report to determine whether access has been appropriate, or if anything requires further investigation. You may need to contact a support representative from your EHR system to find out how to run summary audit logs or access reports. Retain reports electronically or in printed form for a minimum of six years.

If audit log/access reports are not available through your EHR system, you could utilize an alternate approach in which you randomly select a couple of users each month and review their activity to ensure it has been consistent with their job duties/function. Document this process in the same manner.

Some questions to answer include:

  • What are the audit and activity review functions of the current information systems?
  • Are the functions adequately used and monitored to promote continual awareness of information system activity?
  • What logs or reports are generated by the information systems?
  • Is there a policy that establishes what reviews will be conducted? (Subscribers to the Eagle Associates HIPAA Compliance System have a policy in Section 4.06d of the HIPAA policy manual.)
  • Is there a procedure that describes specifics of the reviews?

When reviewing access logs/audit reports, some things to look for are failed login attempts, logins at inappropriate times or from unauthorized locations, use of credentials belonging to a user who is no longer with your organization, and use of credentials when the user is scheduled to be out of the office.
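
The checks listed above can be run over an exported access report, as in this added example (not part of the original article or any EHR vendor's tooling). The CSV column names, working hours, approved network range, user lists and failure threshold are all assumptions, and the sample rows are constructed.

```python
import csv, io, ipaddress
from collections import Counter
from datetime import datetime, time, date

# Constructed sample export; real EHR reports use their own column names.
SAMPLE_REPORT = """timestamp,user,source_ip,result
2024-03-04 08:15:00,asmith,10.20.1.15,success
2024-03-04 08:16:10,bjones,10.20.1.22,failure
2024-03-04 08:16:25,bjones,10.20.1.22,failure
2024-03-04 08:16:41,bjones,10.20.1.22,failure
2024-03-04 23:42:07,asmith,10.20.1.15,success
2024-03-04 10:05:00,cdavis,203.0.113.50,success
2024-03-04 11:30:00,former1,10.20.1.30,success
2024-03-04 14:00:00,dlee,10.20.1.40,success
"""

# Assumed practice-specific policy values; replace with your own.
WORK_START, WORK_END = time(7, 0), time(19, 0)
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
SEPARATED_USERS = {"former1"}             # no longer with the organization
OUT_OF_OFFICE = {"dlee": {date(2024, 3, 4)}}
FAILED_LOGIN_THRESHOLD = 3

def review(report_text):
    """Return sorted (user, finding) pairs that need follow-up."""
    findings, failures = set(), Counter()
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"].strip().lower()
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        addr = ipaddress.ip_address(row["source_ip"])
        if row["result"] == "failure":
            failures[user] += 1
            continue  # remaining checks apply to successful logins only
        if not WORK_START <= when.time() <= WORK_END:
            findings.add((user, "login outside working hours"))
        if not any(addr in net for net in ALLOWED_NETWORKS):
            findings.add((user, "login from unapproved location"))
        if user in SEPARATED_USERS:
            findings.add((user, "credentials of separated user in use"))
        if when.date() in OUT_OF_OFFICE.get(user, set()):
            findings.add((user, "login while scheduled out of office"))
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.add((user, f"{count} failed login attempts"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Saving the printed findings alongside the source report gives a dated record of each review.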

In addition, your IT vendor likely monitors activity on your firewall to ensure that there is no improper access to your network, shared drives, etc. Verify this with your IT vendor/support staff or establish monitoring if it is not already in place. You might also have a conversation about the security specifications of your firewall, ensuring it is robust enough to protect EPHI and other sensitive data.

If your review finds something that might qualify as a security incident or breach, be sure to follow the procedures to document and investigate the incident thoroughly. Corrective actions and disciplinary action (sanctions) might be necessary. Early detection will help to reduce the impact of improper access.