Search the web
Sign In
New User? Sign Up
ShareHIPAA · Share HIPAA
  • Members Only
  • Post
  • Files
  • Photos
  • Links
  • Database
  • Polls
  • Groups Labs (Beta)
? Already a member? Sign in to Yahoo!

Yahoo! Groups Tips

Did you know...
Want your group to be featured on the Yahoo! Groups website? Add a group photo to Flickr.

Best of Y! Groups

   Check them out and nominate your group.
Having problems with message search? Fill out this form to ensure your group is one of the first to be migrated to the new message search system.

Messages

   Messages Help
Message #
Search:
Advanced
Information System Activity Review 45 CFR 164.308(a)(1)(D)   Message List  
Reply | Forward Message #209 of 641 |
Complying with 164.308(a)(1)(D) Information System Activity Review (Required) will take  some effort.  What is the standard and implementation specification and how were they derived?  This information may be obtained from the Final Security Rule and the responses and comments found in preamble of the Final Rule.  For convenience I have provided them below.

Administrative Safeguards - § 164.308

A covered entity must, in accordance with § 164.306:

    1. Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

    2. Implementation specifications

      1. Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

      2. Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

      3. Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

      4. Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

From the preamble to the Final Rule
Security management process (§ 164.308(a)(1)).
We proposed the establishment of a formal security management process to involve the creation, administration, and oversight of policies to address the full range of security issues and to ensure the prevention, detection, containment, and correction of security violations. This process would include implementation features consisting of a risk analysis, risk management, and sanction and security policies.
We also proposed, in a separate requirement under administrative procedures, an internal audit, which would be an in-house review of the records of system activity (for example, logins, file accesses, and security incidents) maintained by an entity.
In this final rule, risk analysis, risk management, and sanction policy are adopted as required implementation specifications although some of the details are changed, and the proposed internal audit requirement has been renamed as "information system activity review" and incorporated here as an additional implementation specification.

Comment: We proposed a requirement for internal audit, the in-house review of the records of system activity (for example, logins, file accesses, and security incidents) maintained by an entity. Several commenters wanted this requirement deleted. One suggested the audit trail requirement should not be mandatory, while another stated that internal audits would be unnecessary if physical security requirements are implemented.

A number of commenters asked that we clarify the nature and scope of what an internal audit covers and what the audit time frame should be. Several commenters offered further detail concerning what should and should not be required in an internal audit for security purposes. One commenter stated that ongoing intrusion detection should be included in this requirement. Another wanted us to specify the retention times for archived audit logs.

Several commenters had difficulty with the term "audit" and suggested we change the title of the requirement to "logging and violation monitoring."

A number of commenters stated this requirement could result in an undue burden and would be economically unfeasible.

Response: Our intent for this requirement was to promote the periodic review of an entity's internal security controls, for example, logs, access reports, and incident tracking. The extent, frequency, and nature of the reviews would be determined by the covered entity's security environment. The term "internal audit" apparently, based on the comments received, has certain rigid formal connotations we did not intend. We agree that the implementation of formal internal audits could prove burdensome or even unfeasible, to some covered entities due to the cost and effort involved. However, we do not want to overlook the value of internal reviews. Based on our review of the comments and the text to which they refer, it is clear that this requirement should be renamed for clarity and that it should actually be an implementation specification of the security management process rather than an independent standard. We accordingly remove "internal audit" as a separate requirement and add "information system activity review" under the security management process standard as a mandatory implementation specification.

Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA) tasked NIST with responsibilities for standards and guidelines, including the development of:
 
1.  Standards to be used to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security; [NIST published this guidance in FIPS 199 (http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf]
 
2.  Guidelines recommending the types of information and information systems to be included in each category; and [NIST provided this guidance in DRAFT NIST SP 800-60 http://csrc.nist.gov/publications/drafts/800-60v1f.pdf (Vol. 1) and http://csrc.nist.gov/publications/drafts/sp800-60V2f.pdf  (Vol. 2), Vol. 2 has the recommended security categories of Health Information Systems]
 
3.  Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category. [NIST provides this guidance in DRAFT NIST SP 800-53 http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf]
 
FISMA defines 3 security objectives for information and information systems:
 
Confidentiality "Preserving authorized restrictions on information access and disclosure, including means of protecting personal privacy and proprietary information..." [44 U.S.C., Sec. 3542]
 
Integrity "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity..." [44 U.S.C., Sec. 3542]
 
Availability "Ensuring timely and reliable access to and use of information..." [U.S.C., Sec. 3542]
 
FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).  The application of these definitions must take place within the context of each organization's interest.
 
The potential impact is LOW if --
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Amplification:  A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
 
The potential impact is MODERATE if --
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Amplification: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
 
The potential impact is HIGH if --
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Amplification: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a severe degradation in a loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
 
If the systems security categorization is low, here are the basic technical controls provided in NIST SP 800-53 for Accountability (including Audit Trails) identified by the two letters "AU".  These are

Au-1.b User Association

AU-2.b Content of Audit Records

AU-3.b Auditable Events

Au-4.b Audit Processing

AU-5.b Audit Reduction and Report Generation

AU-6.b Non-Repudiation

From AU-3.b The Auditable Events include:

1. start-up and shutdown of the audit functions

2. successful and unsuccessful logons and logoffs

3. successful and unsuccessful attempts to access security relevant files and utilities including user authentication information

4. operations performed to read, modify or destroy the audit information

5. modifications to the audit configuration that occur while the audit functions are operating

6. actions taken due to exceeding of a threshold or audit storage failure

7. unsuccessful use of the user identification or authentication mechanisms including the identify provided

8.  unsuccessful revocations of security attributes

9.  modifications to the group of users that are part of a role

10.  key recovery requests and associate responses including who made the request and when

11.  changes to the time

12.  denial of access resulting from an excessive number of logon attempts

13.  blocking or blacklisting a user ID, terminal, or access port and the reason for the action

14.  detected replay attacks

15. rejections of new sessions based upon any limitation on the number of concurrent sessions

16. other activities that modify, bypass, negate security controls with the information system

17. use of compilers

18. use of privileged accounts.

I have found two types of approaches towards policy making.  
 
Policy Approach A: If all system capabilities and all system users' capabilities are known and there are no variables to consider, then having one enterprise-wide detailed policy and procedure should be effective, and could be integrated into the day-to-day actions of the workforce. 
 
Policy Approach B: If you have variables in technology and a broad user base with varying roles, functions and capabilities, a very general and flexible policy at the organization level with detailed procedures created and implemented at the department and/or system/application levels that comply with the policy should be effective. Also, your application vendors should be able to provide recommended procedures for using the "system activity review" functions and features provided with the system.
 
Regardless if you have only one procedure regarding Information System Activity Review, or there are different procedures to address role, function, or system you may want to look at the NIST guidance and consider which if any NIST recommended security controls might assist with the development of your policies and procedures.  For those technical security controls that you have identified as reasonable, but your current technical capabilities do not have those security features, you may have to use administrative and/or physical safeguards.  You should document them. The desired technical security controls should be included in current or future RFIs or RFPs for system upgrades or system replacements.  This would be part of system development life cycle management. 
 
The following is a list of NIST publications DRAFT NIST SP 800-66 recommends for Administrative Safeguards 45 CFR section 164.308.  These are:
 
NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
NIST SP 800-27 Rev A Engineering Principles for Information Technology Security (Baseline for Achieving Security)
NIST SP 800-30 Rev A Risk Management Guide for Information Technology Systems
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP 800-53 Recommended Security Controls for Federal Information Systems
NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
 
DRAFT NIST SP 800-65* Integrating IT Security into Capital Planning and Investment Control Process*
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
NIST SP 800-12 chapter 5 An Introduction to Computer Security: The NIST Handbook
*This draft came out after DRAFT NIST SP 800-66.  I added it on my own initiative as it is very beneficial in the management of a Security Risk Management Program.

The access audit logs on their own are useless, unless a human reviews their results and takes action when inappropriate access is identified.  The logic for this requirement is understood and the requirement to review these logs in a timely fashion is also understood. However, logging all accesses to ePHI, whether authorized or not, places an inordinate burden on an organization by essentially replicating through a log review the very functions which the identification, authentication and authorization control system is specifically designed to provide.

1. Who or how will this logging be reviewed/audited?
2. How will the reviewer know if it was an unauthorized access?

A technical security control in the Logical Access Control (AC) Family of recommended NIST security controls (DRAFT NIST SP 800-53) might be used for system users to "self-audit". It is AC-2.b Logon Notification Message.

"Control Objective: In accordance with organizational policy, automated mechanisms are in place and detailed supporting procedures are developed, documented, and effectively implemented to provide users with information about previous logons both successful and unsuccessful.

Upon successful logon, the user is notified of the date and time of the user's last logon, the location of the user's last logon, and the number of unsuccessful logon attempts using this user ID since the last successful Logon. A warning/notification message is displayed upon successful logon and before gaining system access. The message:
(i) is approved and standardized; (ii) remains on the screen until
explicit user action to remove it; (iii) warns all users that they
have accessed a U.S. Government information system [this may not
apply to your organization, so you will need to modify]; (iv)
provides appropriate privacy and security notices; (v) notifies the
user that system usage may be monitored, recorded, and subject to
audit, and (vi) notifies the user that use of the information system
indicates (a) the consent of the user to such monitoring and
recording and (b) the unauthorized use is prohibited and subject to
criminal and civil penalties."

This may be a way for individual system users to audit their own access log and notify the appropriate contact should unsuccessful attempts, or the prior successful logon was/are in error (i.e., someone did/or attempted to access the system pretending to be the authorized system user).

Thought I would mention this technical security control, as I can't figure out how auditing sign-ons to a system by anyone other than the authorized system user could flag an unauthorized access if an authorized user's ID and password were used. Also, most systems have this technical capability available. The resources involved in
implementing this may be very marginal. The hardest part will most likely be getting authorized system users to read the screen before taking the explicit action to remove it and getting the authorized system users to inform the appropriate entity that the prior log-on information or attempted log-on information is suspicious.

I have made an audio/video presentation titled "DeMystify Security - NISTify IT!"  It is web accessible and made freely available to all 24/7 by Blass Consulting, LLC.  It spends about 30 minutes showing how to use Draft NIST SP 800-53.  It also steps you through each phase of the NIST Security Risk Management Program from "defining the scope" to monitoring and audit.  I have provided information below my signature block providing access information to this presentation and additional information about HIPAA ComplyAssistant, a HIPAA compliance management.

Regards,

Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.

 

HIPAA ComplyAssistant (HCA) www.complyassistant.com is the leading tool in providing NIST functions and features for HIPAA privacy and security compliance management, and HCA provides the only tool to help manage a TCS compliance plan. 

How does HCA automate your compliance?  By providing functions to document and manage surveys, issues, incidents, complaints, gap assessment, and mitigation work plan and budget development.  The software provides work plans and budget reports, trending snapshot graphs and reports, links to valuable websites, and policy management.  In addition, HCA includes a function to document and manage PHI (protected health information) data exchange.

The end result is a central database of project management and due diligence documentation

One of HCA’s user-friendly functions is the flexible and easy to customize question master.  Because of this function, HCA may now be delivered with its standard HIPAA content or with the NCHICA HIPAA EarlyView™ Privacy and Security content. Or, use your own HIPAA privacy or security survey!

The following audio/video recordings are available and freely accessible.  Just click “Presentations” at www.complyassistant.com

DeMystify Security – NISTify IT! 

HIPAA TCS – Become Compliant and Avoid Fines

Providers’ Current Realities of HIPAA Privacy, Security, and TCS

Payers’ Current Realities of HIPAA Privacy, Security, and TCS

Seeing is believing!!!!  Request a live demo anytime at: www.complyassistant.com/online_meeting_req.htm
Mon Aug 23, 2004 6:31 pm

Show Message Option
hitrecruiting
Offline Offline
Send Email Send Email

Forward 		Message #209 of 641 |
Expand Messages Author Sort by Date

Complying with 164.308(a)(1)(D) Information System Activity Review (Required) will take some effort. What is the standard and implementation specification... 		Barbara McGowin
hitrecruiting
Offline Send Email 		Aug 23, 2004
6:40 pm
< Prev Topic  |  Next Topic >
Message #
Search:
Advanced
Copyright © 2009 Yahoo! Inc. All rights reserved.
Privacy Policy - Terms of Service - Guidelines - Help