HIPAA

The Role of AWS in HIPAA Compliance

If you’re considering storing your HIPAA log archives in AWS, it’s important you know the details about how Amazon treats HIPAA compliant data.

Healthcare companies are used to having control over physical storage systems, but many are now struggling when it comes to utilizing a cloud environment. There are many misconceptions about ownership, compliance and how the entire log-to-storage process intersects and works.

HIPAA is a set of federal regulations, meaning there is no explicit certification for remaining compliant. Rather, there are guidelines and laws that needs to be followed. Tools like LogDNA and AWS will ensure that compliance is maintained.

A Primer for AWS Customers

All healthcare users of AWS retain ownership over their data and maintain control in regards to what they can do with it. You can move your own data on and off AWS storage anytime you’d like without restriction. End users are in control of how third party applications (like LogDNA) can access AWS data. This access is controlled through AWS Identity and Access Management.

The most popular services for creating backups come from Amazon S3 and Glacier. AWS is responsible for managing the integrity and security of the cloud, while customers are responsible for managing security in the cloud. It’s a minor difference, but an important one at that. This leads us to the core question many healthcare providers ask about AWS.

Is AWS HIPAA compliant?  

There is no way to answer this with a simple yes or no. The question also leads down a faulty path about understanding how these cloud services work. The question should be reframed as:

How does using AWS lead to HIPAA compliance?

The United States’ Health Insurance Portability and Accountability Act (HIPAA) does not issue certifications. A company and its business associates will instead be audited by the Health & Human Services Office. What AWS does is set companies on the path to compliance. Like LogDNA, Amazon signs a Business Associate Agreement (BAA) with the health company. Amazon ensures that they’ll be responsible for maintaining secure hardware servers and provide their secure data services in the cloud.      

How does Amazon do this?

While there may not be a HIPAA certification per say, there are a few certifications and audit systems Amazon holds that establishes their credibility and trust.

ISO 27001

The International Organization for Standardization specifies the smartest practices for implementing comprehensive security controls. In other words, they’ve developed a meticulous and rigorous security program for Information Security Management Systems (ISMS). In summary, the ISO guarantees the following:

  • Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities.
  • Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks.
  • Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis.

Amazon’s ISO 27001 certification displays the company’s commitment to security and its willingness to comply with an internationally renown standard. Third party audits continually validate AWS and assure customers that they’re a compliant business partner.

AICPA SOC

The company’s Service Organization Control (SOC) audits through third party examiners, and determines how AWS is demonstrating key compliance controls. The entire audit process is prepared through Attestation Standard Section 801 (AT 801) and completed by Amazon’s independent auditors, Ernst & Young, LLP.

The report reviews how AWS controls internal financial reporting. AT 801 is issued by the American Institute of Certified Public Accountants (AICPA).

Secured ePHI Logging Storage

Healthcare companies that use any AWS service and have a BAA will be given a designated HIPAA account. The following is a comprehensive list sourced from Amazon cataloging HIPAA eligible services. This list was last updated on July 31, 2017. These services cannot be used for ePHI purposes until a formal AWS business associate agreement has been signed.

Amazon API Gateway excluding the use of Amazon API Gateway caching
Amazon Aurora [MySQL-compatible edition only]
Amazon CloudFront [excluding Lambda@Edge]
Amazon Cognito
AWS Database Migration Service
AWS Direct Connect
AWS Directory Services excluding Simple AD and AD Connector
Amazon DynamoDB
Amazon EC2 Container Service (ECS)
Amazon EC2 Systems Manager
Amazon Elastic Block Store (Amazon EBS)
Amazon Elastic Compute Cloud (Amazon EC2)
Elastic Load Balancing
Amazon Elastic MapReduce (Amazon EMR)
Amazon Glacier
Amazon Inspector
Amazon Redshift
Amazon Relational Database Service (Amazon RDS) [MySQL, Oracle, and PostgreSQL engines only]
AWS Shield [Standard and Advanced]
Amazon Simple Notification Service (SNS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (Amazon S3) [including S3 Transfer Acceleration]
AWS Snowball
Amazon Virtual Private Cloud (VPC)
AWS Web Application Firewall (WAF)
Amazon WorkDocs
Amazon WorkSpaces

Amazon ECS & Gateway in Focus

Amazon EC2 Container Service (ECS) is a major container management service, which supports Docker container logs and can be used to run apps on a managed cluster of EC2 instances. ECS provides simple API calls that you can use to easily deploy and stop Docker-enabled apps.

ECS workloads required to process ePHI do not require any additional configurations. ECS data flow is consistent with HIPAA regulations. All ePHI is encrypted while at rest and in transit when being accessed and moved by containers through ECS.

The process of complete encryption is upheld when logging through CloudTrail or logging container instance logs through CloudWatch into LogDNA.  

Users can also use Amazon API Gateway to transmit and store ePHI. Gateway will automatically use HTTPS encryption endpoints, but as an extra fail-safe, it’s always a good idea to encrypt client-side as well. AWS users are able to integrate additional services into API Gateway that maintain ePHI compliance and are consistent with Amazon’s BAA. LogDNA helps ensure that any PHI sent through Gateway only parses through HIPAA-eligible services.  

Compliance Resources – A Continued Approach  

Amazon is serious about staying compliant in a number of industries. They’re constantly innovating and are continually creating new security services. LogDNA shares this same tenacity for security and continued innovation.

LogDNA Blog Image

Additional Resources:
CloudWatch Logging: https://docs.logdna.com/v1.0/docs/cloudwatch
Legal: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
AWS Hub: https://aws.amazon.com/compliance/
Technical DevOps Guide: https://aws.amazon.com/blogs/security/how-to-automate-hipaa-compliance-part-1-use-the-cloud-to-protect-the-cloud/

 

HIPAA

Firewall Logging: Importance for the Healthcare Industry

A large number of healthcare companies are at a loss when it comes to understanding their internal security environment. While the HIPAA Security Rule provides a comprehensive legal framework for ensuring secure technical safeguards, it doesn’t give many specifics on which tools to use.

We’ve already established what proper logging brings to a healthcare environment, as well as its importance. But what about the contents of those logs? Security indicators are one of the most crucial logs a system can receive. The majority of these logs and alerts come from your firewall, and firewalls are the number one security measure a healthcare company needs to have.

Section 164.312(c)(1) states that the integrity of ePHI must be upheld through proper technical procedures and policies to stop this information from being altered or destroyed. This is where Firewall Logging comes in.   

Firewall HIPAA Logs – The Wall of Compliant Protection

Patient data may seem mundane to the multitude of healthcare workers keying and plodding away records daily. But it’s important to realize that this data is coveted by unscrupulous characters lurking around the web. Stolen information can cause irreparable damage to the patients and the establishments responsible for safeguarding that data.

Firewalls are just one component there to stop online intruders. Imagine a towering brick wall denying entrance to attackers in the night. In our case, this metaphoric wall is part of a computer system that denies unauthorized access from the outside and limits outward communication deemed unsafe, i.e. the ability for office computers to access unprotected websites. This system is reactive – what we also need is something proactive.

Firewall logs are the sentries posted up on this proverbial wall – the loggers on the wall. They can respond to real time alerts and backtrack to see what happened. HIPAA compliance requires healthcare companies to have configured log monitoring. Our firewall logs – or rather firewall sentries, serve an important function for maintaining the integrity of ePHI. They do this by:

  • Helping to determine if an attack has taken place
  • Alerting system administrators if an attack is currently happening
  • And logging security data for required audits

Firewall logs watch for intrusions and will relay what action the firewall took to block network attacks on either an individual computer, or an entire in-house data system. A firewall log will relay a few pieces of crucial information: incoming network traffic, a description of suspicious network activity, and the location of activity logged.

Our logging platform gives these logs a foundation so that they can be used, stored and monitored to ensure ePHI safety and HIPAA compliance. We give form to the shapeless firewall data that’s usually left floating around and left inaccessible.

There are a few different types of firewalls. All of them will produce logs, but it’s important to understand the distinction between them in order to build a proper foundation.

Different Bulwarks of Safety

For our purposes here, we’ve divided the number of firewalls into three different types of network firewalls. These include software, web applications, and hardware; all are crucial in maintaining HIPAA safety compliance. Remember that the goal of our firewall system is to stop harmful unauthorized traffic and limit dangerous exterior communication. The goal of our firewall logging is to take actionable steps to stay alert and maintain the integrity of the system and thwart any attacks.

Simply having a firewall won’t cut it. Possessing an interconnected system with multiple protected funnels and monitoring means is more effective.

Software Firewall Safeguard

This is a type of firewall that is often overlooked because it’s usually pre-installed on a number of computers. A healthcare entity needs a firewall between the systems responsible for housing ePHI and all other connected systems. This also includes internal systems.

Software firewalls protect lone computers from a few different types of threats – namely mobile devices that can be compromised. Take for example, a remote employee accessing data from home or on the go. If they’re caught in an unlucky phishing debacle, their firewall will act to protect their personal computer or device and save the integrity of any connected medical data in the process.

Software firewalls are easy to maintain and allow for the remote work to take place. While they might not protect an entire system, they patch up an area liable to attack.

Web Applications Firewall Safeguard

Also commonly known as (WAFs), these should be placed at the frontlines of any application that needs to access the internet, which at this point is the vast majority of them. WAFs help detect, monitor and stop attacks online. A bevy of firewall logs will be sourced from here. Note that a WAF is not an all-purpose firewall; it’s main function is to block suspicious web traffic.

Many databases require access to the internet. Cyber security reports can be generated through logging platforms and then acted upon. The WAF logging combination is akin to the heart rate monitor, but for online security health. If everything is going well, there won’t be any dramatic spikes. But if danger strikes, the necessary alerts and response team will be on it.

There needs to be special care when setting up a WAF, since critical functions could be hampered if it’s not setup properly. But nothing beats this firewall when it comes to protected third party modules and quick logged response time.

Hardware Firewall Safeguard

Hardware firewalls are installed company wide throughout the entire organization’s network. Internal systems are protected from the outside internet. They’re also used to create network segments inside the company that divide access to those with ePHI access from those without it.

Other networks inside the company system may need fewer firewall restrictions placed on them. For example, maybe a medical device designer needs to collaborate with an outside agency of some kind. This particular job function doesn’t require ePHI access; their segmented network shouldn’t be affected, nor should they be on the same network with employees handling ePHI.

A secure network will employ these different types of firewalls together ensuring a protected and HIPAA compliant healthcare company.

HIPAA

Best Security Practices for HIPAA Logging

Despite advanced security measures and increased due diligence from healthcare professionals, system attacks are still a constant threat for a majority of medical organizations. Overlooked security weaknesses, outdated systems, or an inadequate IT infrastructure can be just the catalyst an attacker needs to exploit your protected health information (PHI).

Remaining HIPAA compliant and safeguarding your (PHI) can be accomplished by following a few basic security practices. Professionals need to implement a company-wide security control which establishes how your (PHI) data should be created and stored. You’ll also want to create a compliance plan, or for the more theatrically minded – a contingency plan, in the event of a security breach. Most importantly, a proactive logging strategy has to be integrated each step of the way.

These practices serve as a baseline for security. It’s recommended you build off of this foundation and adjust security measures as needed.

(PHI) Entry – A Foundation For Security

There are a unique set of risks you will contend with daily. Attackers on the outside are always looking for a way in. In 2016 alone, the Identity Theft Resource Center (ITRC) found that over thirty percent of healthcare and medical organizations reported data breaches. Outside threats are always a concern, but take into account the additional threat of inept data handling from employees and improper (or even nonexistent) logging practices and you’re asking for trouble.  

The following steps outline basic security measures, establish a (PHI) entry guideline, and show what should be done before the data even enters your system or logging platform.

  1. Develop or implement a company standard for new patient data entry.
  2. Identify where the (PHI) is being created and who is creating it.
  3. Establish the number of different devices used to enter data from.
  4. Electronic Health Records (EHR) – record how many staff members are entering in data and where are they doing this from.
  5. (re)Configure your database and note what records are stored there.
  6. Create communication standards with your business associates – signees of a mutual Business Associate Agreement (BAA).

A detailed (PHI) flowchart can be made from the preceding information. This allows for a detailed analysis that can show whose hands your information passed through and what systems and technologies were used. A diagram can track data points of entry, revealing weak spots during the data exchange.

For example, a patient’s sensitive information might languish in a filing cabinet or float through an unprotected third party portal online. Your diagram of the (PHI) flow can account for these types of discrepancies in security. A (PHI) flowchart is best used in tandem with a logging compliance report.

Compliance Reports & Safeguard Plans

One of the major failsafes of HIPAA – amended through the HITECH Act, is the requirement in maintaining an audit trail and submitting routine reports if a data breach is suspected. The ability to generate and distribute these reports is important for maintaining and proving compliance.  

A proper log management system will be able to create automated reports that demonstrate compliance. LogDNA has the ability to generate automated audit reports from event logs within your system. Conversely, if an unexpected audit request occurs, you’ll be able to quickly query the necessary results to respond to the auditor and create a report for them manually as well.

Additionally, plans should be made that take into account other areas of the HIPAA Security Rule. This means issuing policies around device access, workstation data safety, employee authentications, mobile use restrictions and encryption.  

Think about utilizing an Incident Response Plan (IRP) –  or creating one if not already in place – while ensuring to amend it and make it useful. An (IRP) is best used to designate a planned response if a security incident arises. HIPAA logging solutions can and should be integrated into this plan.  

This will provide concrete guidelines in the event of a (PHI) data breach. It will also make the team more efficient in the aftermath and allow them to give the proper compliant information to government agencies and individuals affected.

Take Advantage of Your Logging Environment

Logging takes the guesswork out of detecting threats – both internal and external. You’ll be able to commence a quick response and enact the correct procedures to patch any data leaks. It’s crucial to detect an attack before it happens. Sensitive data cannot afford to be lost. HIPAA logging gives the end user the ability to identify events across the whole system (file changes, account access and health data inquiries) while they occur.

These security strategies will help you get the most out of your HIPAA logging platform:

  • Determine what type of logs will be generated and stored(while keeping Compliance in mind).
  • Ensure a secured storage place for logs that can be saved up to six years. This can be accomplished through storage in an encrypted archive by using AWS, Azure, or other  certified and protected service.  
  • Designate an employee who will check logs on a daily basis.
  • Create a plan for reviewing suspect alerts.
  • Enact fail safes so that stored logs cannot be tampered with internally.
  • Adjust log collection accordingly.

Event logs are bits of information coming from a myriad of sources. Firewalls, printers, (EHR) systems and more all contribute to the data that the logging platform will receive. A majority of organizations have a mixed IT environment; it’s essential to have the ability to collect and support a wide range of user activity and log file types.

Log analysis not only ensures you comply with HIPAA, but also gives you the tools you need to defend against attacks and faulty data practices.

Think of LogDNA as the sentry lookout that warns you of incoming danger.

We’re using our digital eyes to spot all incoming risks and provide the raw data to create audit records and maintain HIPAA compliance.

While it’s important to focus on security indicators, logging can also monitor a number of other events inside the system. Event logs can point towards malfunctioning applications, outdated hardware or faulty software. All events are monitored and can be traced back to where they originated from.  

An internal structure that places an importance on HIPAA security will be able to utilize logging to stay compliant and keep crucial healthcare information safe.

Have questions?  Reach out to us at sales@logdna.com.

HIPAA

What is HIPAA Compliant Log Management?

The medical establishment stretches far and wide; it is a behemoth creator of data. Data that must be protected and secured at all times away from prying eyes. Hospitals, medical networks, pharmaceutical establishments, electronic billing systems, medical records – all of these medical industries and more run on communally shared data. Due to the critical nature of this data and its need to be accessed by a multitude of professionals, certain laws have been put into place so that this information can be exchanged freely and securely.   

The Health Insurance Portability and Accountability Act of 1996 Title II (HIPAA) is the most important law of the land that addresses these concerns. Regulations have been created to protect electronic health information and patient information. Log management and auditing requirements are covered extensively by HIPAA as well.

Records of all kinds are produced and logged daily. To secure this protected information, it’s important to know who has access to your internal systems and data. Syslog files are the most commonly logged files across your network of servers, devices and workstations. Some of this information includes: patient records, employee data, billing, and private account data – information that can’t afford to be lost or stolen.   

It’s grown increasingly more important for healthcare professionals and business partners alike to maintain HIPAA compliance indefinitely. Log files (where healthcare data exists) must be collected, protected, stored and ready to be audited at all times. A data breach can end up costing a company millions of dollars.

Not complying with HIPAA regulations can be costly.

Understanding HIPAA and the HITECH Act: Log Compliance

Before we look into how log management and HIPAA compliance interact, an overview of the laws is needed. This will provide you with the knowledge to understand relevant compliance regulations and how they might affect your logging strategy.

HIPAA

This act has created a national standard in upholding privacy laws inherent to all protected health information. These standards have been put in place to enhance the United States’ health care system’s use and efficiency of electronic data exchange.    

Organizations that handle protected information must have a dedicated IT infrastructure and strategies to ensure data privacy to stay HIPAA compliant. This is where a log management system comes in handy. Compliant organizations must be prepared to deal with a number of different circumstances. These include:

  • Investigation of a Suspected Security Breach
  • Maintaining an Audit Trail
  • Tracking A Breach (What Caused it & When Did it Occur)

A HIPAA audit needs archived log data, specific reports and routine check-ups completed regularly. HIPAA requires a compliant log management system that can hold up to six years retention of log data. This is the minimum amount of time that records need to be held – LogDNA complies with HIPAA by giving users the option to store and control their own data. We allow users the ability configure a nightly archiving of their LogDNA logging data and send it to an external source. This would include an S3 bucket, Azure Blog Storage, Openstack Swift or other storage method. Users can then of course store this data for a minimum of six years.

Compliant log management allows for all of these regulations to be met. LogDNA augments an IT infrastructure, ensures data privacy and can comply with regular automated audit requests.

HITECH Act

This act was an amendment to HIPAA in 2010, which required an additional audit trail be created for each medical transaction (logged health information).

The audit regulations highlighted above reflect the need to keep an around-the-clock logging solution that protects the integrity of all medical health records. These stipulations in HIPAA point towards a levied importance on maintaining compliant log records.

Specific HIPAA Logging Regulations: Cybersecurity Safeguards

The following HIPAA sections were created to set a standard for logging and auditing. If a logging system doesn’t meet these requirements, they are noncompliant.

The following stipulations aren’t all that complicated – though they may appear it. We’ll use LogDNA as a relational example. Essentially each section below shows how LogDNA’s built-in features meet compliance according to each individual law. (The bullet points corresponds to the listed section.)

Beware, legalities ahead.

Logging

Section 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable) – “Procedures necessary for monitoring log-in attempts and reporting discrepancies.”

  • LogDNA’s basic functionality logs “login attempts” and reports discrepancies

Section 164.308(b)(1): Business Associate Contracts And Other Arrangements – “A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information (Emphasis added).”

  • LogDNA will happily sign a Business Associate Agreement (BAA) ✔

Section 164.312(a)(1):Access Control – “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)[Information Access Management].”

  • LogDNA has a secure system that will only allow select users access to protected data

Auditing

Section 164.312(b): Audit Controls – “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

  • LogDNA records activity from all information systems within a protected environment

Section 164.312(c)(1): Integrity“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

  • LogDNA gives the user the opportunity to archive their own data outside of our system, which is then under their own control and management. ✔

LogDNA – A Commitment to Compliance

LogDNA’s platform helps healthcare companies meet their own HIPAA compliance requirements in a number of ways. We’re audited for HIPAA and HITECH compliance ourselves on an annual basis by a qualified security assessor.

Here are just some of the few events we can log.

  • Protected information being changed/exchanged
  • Who accessed what information when
  • Employee logins
  • Software and security updates
  • User and system activity
  • Irregular Usage patterns

Logs are best used when they’re being reviewed regularly. A system that monitors your log data can see if a specific user has been looking at a patient’s file too much, or if someone has logged into the system at a strange hour. Often times a breach can be spotted by looking over the data. For example, a hacker may be trying thousands of different password combinations to break in.

This will show up in the log and can then be dealt with.

Tracked and managed logs are able to comply with audit requests and help your health organization get a better grasp of the data streaming in and protect it.  It’s never too late to have an intelligent logging solution. You’ll be able to have a better grasp over your system, protect your crucial information and always stay compliant.

To ensure you’re HIPAA compliant, either:

  1. Visit the LogDNA HIPAA page to sign up for an account, or
  2. Get your specific HIPAA questions answered at sales@logdna.com