In the iconic western, Butch Cassidy and the Sundance Kid, Butch and Sundance are hard pressed to evade a posse led by the semi-mythical lawman, Joe Lefors, who is so adept that he manages to track them across solid rock. The latest newsletter from the DHHS Office of Civil Rights highlights the use of critical tools that can track, much like Joe Lefors, malicious or unauthorized access to protected health information.
The January OCR newsletter spotlights the Technical Safeguards provision in the Security Rule, found at 45 C.F.R. § 164.312, where a number of mandatory and addressable safeguards to maintain the confidentiality, integrity and availability of Protected Health Information are set forth. One of the Technical Safeguards is the use of Audit Controls, which the rule defines as: “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Without these measures in place, it will be difficult to identify a threat early on, to limit the damage, or to prove an incident had no impact on PHI.
The terms audit controls, audit logs, or audit trails are often used interchangeably to refer to a record of events or activity on an information system, and in keeping with our western theme, we’ll stick with audit trails as a term to denote any compilation of the records of usage of an information system. OCR’s January 2017 edition of its Cyber Awareness Newsletter illustrates the importance of audit trails in identifying incipient or ongoing threats to PHI, and it provides several examples of how electronic footprints detected in audit trails can be used to protect electronic PHI:
So the idea is to record individual events on a computer system and compile the record of those events for review and future reference.
Covered Entities and Business Associates should review audit trail data to detect suspicious patterns or levels of activity. The Administrative Safeguards provision of the HIPAA Security Rule, found at 45 C.F.R. § 164.308, requires regular reviews of information system activity.
Audit trails are also important in assessing whether a hacking attempt was successful. Under HIPAA, there is no breach to report if an organization can conclusively demonstrate that even though there was a security incident, data was not accessed, viewed, downloaded or altered. The only way to demonstrate that, although the burden of proof is high, is having strong data audit trails in place to document exactly what happened during an the event, and to demonstrate that PHI was not accessed. Having an audit trail capability in place could save thousands or even millions of dollars in investigation, remediation, compliance, and public relations expenses after an event.
Audit trails also reinforce individual user accountability throughout the workforce. A user’s awareness that a record of the access and use of data is being maintained will enhance compliance with system protocols, and many of the cases of unauthorized access to PHI by members of a workforce have been uncovered through Audit Trails.
OCR’s January newsletter emphasizes the HIPAA Security Rule leaves decisions about what data should be collected, and how often it should be analyzed, to each organization, based on its risk analysis: “When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities.” So an organization’s data auditing procedures will be a natural outgrowth of the individualized risk analysis required under the Administrative Safeguards provision of the HIPAA Security Rule.
The OCR newsletter outlines a framework of key questions covered entities and business associates should consider in implementing audit controls:
OCR’s January Newsletter also cautions about the need to secure Audit Controls from malicious access: “Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associates to not only recover from breaches, but to prevent them before they happen.”
Audit trails are a critical tool in detecting unauthorized access and use of systems and software that contain ePHI, enforcing workforce compliance, and in being able to show that a malicious attempt to access, alter, or export PHI was unsuccessful, or that it only had a limited impact. The OCR newsletter is a reminder of how important these measures can be in securing ePHI and provides links to these other resources:
National Institute of Standardization and Technology (NIST) http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf - (NIST Special Publication 800-12 An Introduction to Computer Security: The NIST Handbook)
Department of Health and Human Services, Office for Civil Rights (OCR) https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html - (Technical Safeguards)
Join us for an instructional webinar on Family Law on March 2nd from 11:00am-12:00pm. Poyner Spruill divorce attorney Steve Epstein will explain the fundamental components of divorce, child custody, child support, alimony, equitable distribution, and alienation of affections. He will also answer questions submitted by attendees.
Protect Your Business and Preserve More Income. You are invited to a panel discussion exploring what captives are, when you should consider setting up one, how the tax code can help the captive pay for itself, and more.
Advertising Law 101 for Tech Marketing Professionals This presentation will educate attendees on the "need-to-know" basics of advertising law. Marketing professionals in the Tech Industry regularly navigate issues that require a familiarity with truth in advertising, disclosure and endorsement rules for social media marketing, and privacy law - just to name a few. Knowing the basics of advertising law can insulate a company from a host of sanctions, fees, and other consequences.
We are pleased to announce Chase Johnson has joined the firm as an associate lawyer in the Raleigh office. Her law practice involves representing investment banks and financial institutions in their roles as issuers, underwriters, and mortgage loan sellers in both public and private offerings of mortgage-backed securities.
We are pleased to announce that Stephanie Sanders has been elected as Partner in the firm. She represents clients in connection with commercial real estate matters, including acquisition, disposition, financing, development and leasing of commercial real estate.