
What You Should Know About SIEM Technology and HIPAA Compliance

05/08/2018  |  By: Jason Riddle, CISSP, President, Information Security


HIPAA’s blessing is also a curse. It’s specifically designed to be flexible, which allows its requirements to apply to organizations of all sizes—from single-physician practices to national healthcare chains. But, that flexibility means HIPAA requirements can be purposely ambiguous. That makes it hard to determine what exactly you should be doing to stay compliant.

This is especially true when it comes to your strategy for log monitoring. The HIPAA Security Rule provides high-level guidance with the Information System Activity Review implementation specification [CFR §164.308(a)(1)(ii)(D)]:

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

That sounds nice. But, it doesn’t provide much guidance in the way of “What should I actually be doing? And, how often should I be doing it?” To fully understand this requirement, we need to look at the big picture of HIPAA’s Security Management Process standard, which requires “policies and procedures to prevent, detect, contain, and correct security violations.” This includes:

  • Risk Analysis
  • Risk Management
  • A Sanction Policy
  • Information System Activity Review

The Information System Activity Review is the lynchpin of this requirement. It ensures all the other parts are working properly. And, it’s where the benefits of SIEM for HIPAA compliance come in.

First, let’s talk about where you should be monitoring. During your risk assessment, you should identify the systems that contain most of your organization’s sensitive data. Focus your monitoring efforts there.

While not applicable to all organizations, here are some general areas you may benefit from monitoring: 

  • Security controls at your network perimeter (firewalls, IPS, remote access systems, VPN connections, to name a few)
  • User authentication systems inside the network (Microsoft Active Directory for most organizations, and authentication logs for key business and clinical applications)
  • Any systems that are primary repositories for ePHI (EHR systems and any major clinical systems)

And, what exactly should you look for when monitoring? You’re looking for common security events indicating unauthorized access to sensitive data, financial information, or anything that would have a negative effect on the business. 

So, how does SIEM help with all this? Note the requirement to not just log activity but to review that activity. That can pose a problem for many organizations. Because logs capture a lot of activity, reviewing them can be time-intensive.

SIEM lets you identify exactly what types of activity you want to monitor as well as the specific systems you want to monitor. Then, using logic you program into the system, it can scan the logs for anomalous activity and alert you in real time. This lets you filter out the “noise” of irrelevant logs and focus specifically on potentially threatening activities.
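To make the idea of “logic you program into the system” concrete, here is an added example (written for this article, not LBMC’s code or any SIEM vendor’s product) that runs three detection rules over constructed sample log lines from the three areas listed above: a VPN concentrator and Active Directory for authentication, and an EHR system as the ePHI repository. The log format, the hostnames and IP addresses, the thresholds (five failed logons in ten minutes, business hours of 07:00 to 19:00, a 30‑minute correlation window) and the patient identifiers are all assumptions chosen for illustration. The third rule shows the part a SIEM adds over reviewing each system’s logs separately: it correlates a failed-logon burst in one source with an ePHI record view in another.

```python
"""Toy SIEM-style rule engine over normalized log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). Each line is:
#   <ISO timestamp> <source> <event> key=value ...
# Sources: "ad" (Active Directory), "vpn" (remote access), "ehr" (ePHI repository).
SAMPLE_LOGS = """\
2018-05-08T02:10:01 ad LOGON_FAILURE user=jdoe src=10.1.5.20 detail=bad_password
2018-05-08T02:10:04 ad LOGON_FAILURE user=jdoe src=10.1.5.20 detail=bad_password
2018-05-08T02:10:07 ad LOGON_FAILURE user=jdoe src=10.1.5.20 detail=bad_password
2018-05-08T02:10:09 ad LOGON_FAILURE user=jdoe src=10.1.5.20 detail=bad_password
2018-05-08T02:10:12 ad LOGON_FAILURE user=jdoe src=10.1.5.20 detail=bad_password
2018-05-08T02:10:15 ad LOGON_SUCCESS user=jdoe src=10.1.5.20 detail=interactive
2018-05-08T02:12:40 ehr RECORD_VIEW user=jdoe src=10.1.5.20 detail=patient=PLACEHOLDER-1
2018-05-08T09:30:00 ehr RECORD_VIEW user=nurse1 src=10.1.7.8 detail=patient=PLACEHOLDER-2
2018-05-08T09:31:10 vpn LOGON_FAILURE user=admin src=203.0.113.9 detail=bad_password
2018-05-08T09:45:00 ad LOGON_SUCCESS user=nurse1 src=10.1.7.8 detail=interactive
"""

# Assumed tuning values; a real deployment sets these from its own risk analysis.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)          # 07:00 inclusive to 19:00 exclusive
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Turn one log line into a dict; key=value pairs may contain '=' in the value."""
    ts, source, event, *pairs = line.split()
    fields = {"ts": datetime.fromisoformat(ts), "source": source, "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_failed_logon_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Sliding window per (user, source IP); fire once when failures reach the threshold."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in events:
        if e["event"] != "LOGON_FAILURE":
            continue
        key = (e["user"], e["src"])
        window_q = recent[key]
        window_q.append(e["ts"])
        while window_q and e["ts"] - window_q[0] > window:   # drop stale failures
            window_q.popleft()
        if len(window_q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": "failed_logon_burst", "user": e["user"],
                           "src": e["src"], "ts": e["ts"], "count": len(window_q)})
    return alerts


def detect_after_hours_ephi_access(events, hours=BUSINESS_HOURS):
    """Flag ePHI record views from the EHR outside the assumed business hours."""
    start, end = hours
    return [{"rule": "after_hours_ephi_access", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events
            if e["source"] == "ehr" and e["event"] == "RECORD_VIEW"
            and not (start <= e["ts"].hour < end)]


def correlate_burst_then_ephi(events, burst_alerts, window=CORRELATION_WINDOW):
    """Cross-source rule: an ePHI view by a user shortly after their failed-logon burst."""
    alerts = []
    for burst in burst_alerts:
        for e in events:
            if (e["source"] == "ehr" and e["event"] == "RECORD_VIEW"
                    and e["user"] == burst["user"]
                    and burst["ts"] <= e["ts"] <= burst["ts"] + window):
                alerts.append({"rule": "ephi_access_after_failed_logons", "user": e["user"],
                               "src": e["src"], "ts": e["ts"], "burst_ts": burst["ts"]})
                break   # one correlated alert per burst is enough for the reviewer
    return alerts


def run_rules(log_text):
    """Parse, apply all rules, and return alerts in time order."""
    events = parse_logs(log_text)
    bursts = detect_failed_logon_bursts(events)
    alerts = bursts + detect_after_hours_ephi_access(events) + correlate_burst_then_ephi(events, bursts)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    found = run_rules(SAMPLE_LOGS)
    print(f"{len(parse_logs(SAMPLE_LOGS))} log lines -> {len(found)} alerts")
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["user"], a["src"])
```

On the sample above the ten raw lines reduce to three alerts, all concerning the same user, which is the “filter out the noise” effect the article describes: the reviewer reads three records instead of ten, and the correlated alert ties the authentication system’s evidence to the ePHI repository’s evidence in one place. Each alert carries the source, user and timestamp, so a weekly or daily review can be documented against specific log entries.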

In addition to the ability to respond to events in real time, you’ll get all your logs in a centralized location in a standardized format, making analysis and review simple. You’ll have clear visibility into whether your risk management processes are operating effectively. If you’re regularly seeing the same type of event, it may be a cue to implement some additional controls.

The ability to program activity-specific logic into the SIEM system helps you identify activity that may indicate problems with HIPAA compliance. And, whenever an auditor comes knocking, you’ll be able to highlight your log review methodology from a logical, defensible position that accounts for risks specific to your organization.

Even though a SIEM system can help you automate and monitor aspects of your HIPAA compliance, consistently monitoring logs can still be a time-intensive process. If you’re handling this on your own, we recommend reviewing logs at least weekly, but preferably daily.

That said, if you’re looking for more involved monitoring, LBMC’s Managed Security Services can provide 24/7 SIEM management and monitoring for your network. 

Just click here to contact us and get started on your free 30-day trial.