Tracking the Data Bandits

1.24.2017

In the iconic western, Butch Cassidy and the Sundance Kid, Butch and Sundance are hard pressed to evade a posse led by the semi-mythical lawman, Joe Lefors, who is so adept that he manages to track them across solid rock. The latest newsletter from the DHHS Office of Civil Rights highlights the use of critical tools that can track, much like Joe Lefors, malicious or unauthorized access to protected health information.

The January OCR newsletter spotlights the Technical Safeguards provision in the Security Rule, found at 45 C.F.R. § 164.312, where a number of mandatory and addressable safeguards to maintain the confidentiality, integrity and availability of Protected Health Information are set forth. One of the Technical Safeguards is the use of Audit Controls, which the rule defines as: “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Without these measures in place, it will be difficult to identify a threat early on, to limit the damage, or to prove an incident had no impact on PHI. 

Audit Control Features

The terms audit controls, audit logs, or audit trails are often used interchangeably to refer to a record of events or activity on an information system, and in keeping with our western theme, we’ll stick with audit trails as a term to denote any compilation of the records of usage of an information system. OCR’s January 2017 edition of its Cyber Awareness Newsletter illustrates the importance of audit trails in identifying incipient or ongoing threats to PHI, and it provides several examples of how electronic footprints detected in audit trails can be used to protect electronic PHI:

  • Application audit trails – Monitor and log user activities in a particular application. This includes the opening and closing of application data files and the creating, reading, editing, and deleting of application records associated with ePHI.
  • System-level audit trails – Capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, identify devices used to log-on to a system, and the application that the user successfully (or unsuccessfully) accessed. 
  • User audit trails – Monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as the commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files.

So the idea is to record individual events on a computer system and compile the record of those events for review and future reference. 

Covered Entities and Business Associates should review audit trail data to detect suspicious patterns or levels of activity. The Administrative Safeguards provision of the HIPAA Security Rule, found at 45 C.F.R. § 164.308, requires regular reviews of information system activity.
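What a "regular review of information system activity" looks like in practice is easiest to see on a concrete audit trail. The script below is an added example, not code from the OCR newsletter or from Poyner Spruill: it parses a small system-level audit trail (the pipe-separated log format and every event in it are constructed for this illustration), flags a burst of failed log-ons from one device, flags ePHI record access outside business hours, and lists which ePHI records a given account actually touched, which is the kind of evidence an organization needs when it wants to show that an incident did not reach PHI. The thresholds (five failures in five minutes, 07:00 to 19:00 as business hours) are assumptions an organization would set from its own risk analysis.

```python
"""Added example: reviewing a system-level audit trail for suspicious patterns.
The log format, account names, device names and events are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail. One event per line:
# timestamp | user | event | outcome | device | resource
SAMPLE_AUDIT_TRAIL = """\
2017-01-10T08:02:11|jsmith|LOGON|SUCCESS|WS-0117|-
2017-01-10T08:05:40|jsmith|READ_RECORD|SUCCESS|WS-0117|patient/10442
2017-01-10T02:14:03|unknown|LOGON|FAILURE|EXT-203.0.113.5|-
2017-01-10T02:14:09|unknown|LOGON|FAILURE|EXT-203.0.113.5|-
2017-01-10T02:14:15|unknown|LOGON|FAILURE|EXT-203.0.113.5|-
2017-01-10T02:14:21|unknown|LOGON|FAILURE|EXT-203.0.113.5|-
2017-01-10T02:14:27|unknown|LOGON|FAILURE|EXT-203.0.113.5|-
2017-01-10T02:14:33|unknown|LOGON|FAILURE|EXT-203.0.113.5|-
2017-01-10T23:41:50|rjones|LOGON|SUCCESS|WS-0203|-
2017-01-10T23:43:02|rjones|READ_RECORD|SUCCESS|WS-0203|patient/20991
2017-01-10T23:43:30|rjones|EXPORT_RECORD|SUCCESS|WS-0203|patient/20991
2017-01-10T09:10:00|mlee|LOGON|SUCCESS|WS-0090|-
"""

# Event types that read, change or move ePHI records (assumed names).
EPHI_EVENTS = {"READ_RECORD", "EDIT_RECORD", "DELETE_RECORD", "EXPORT_RECORD"}


def parse_audit_trail(text):
    """Turn the raw trail into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, device, resource = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "event": event, "outcome": outcome,
            "device": device, "resource": resource,
        })
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Devices that produced at least `threshold` failed log-ons inside `window`.
    Returns {device: count_in_first_qualifying_window}."""
    by_device = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON" and e["outcome"] == "FAILURE":
            by_device[e["device"]].append(e["time"])
    flagged = {}
    for device, times in by_device.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # Slide the window forward from the i-th failure.
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[device] = j - i
                break
    return flagged


def after_hours_ephi_access(events, start_hour=7, end_hour=19):
    """ePHI record events that happened outside assumed business hours."""
    return [e for e in events
            if e["event"] in EPHI_EVENTS
            and not (start_hour <= e["time"].hour < end_hour)]


def records_touched(events, user):
    """Sorted list of ePHI resources the account successfully accessed.
    An empty list for a suspicious account is the evidence that it reached no PHI."""
    return sorted({e["resource"] for e in events
                   if e["user"] == user and e["event"] in EPHI_EVENTS
                   and e["outcome"] == "SUCCESS"})


if __name__ == "__main__":
    evts = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    print("Failed log-on bursts:", failed_logon_bursts(evts))
    for e in after_hours_ephi_access(evts):
        print("After-hours ePHI access:", e["time"], e["user"], e["event"], e["resource"])
    print("Records touched by 'unknown':", records_touched(evts, "unknown"))
    print("Records touched by 'rjones':", records_touched(evts, "rjones"))
```

Run as a script it prints the three findings; the functions are kept separate from the printing so the same checks can be pointed at a real export of log-on and record-access events. Note that the "records touched" check is only as good as the trail it reads: if an attacker can edit or delete the log, an empty result proves nothing, which is the point of the newsletter's warning about safeguarding the audit logs themselves.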

Audit trails are also important in assessing whether a hacking attempt was successful. Under HIPAA, there is no breach to report if an organization can conclusively demonstrate that, even though there was a security incident, data was not accessed, viewed, downloaded or altered. The only way to demonstrate that, and the burden of proof is high, is to have strong data audit trails in place that document exactly what happened during the event and show that PHI was not accessed. Having an audit trail capability in place could save thousands or even millions of dollars in investigation, remediation, compliance, and public relations expenses after an event.

Audit trails also reinforce individual user accountability throughout the workforce. A user’s awareness that a record of the access and use of data is being maintained will enhance compliance with system protocols, and many of the cases of unauthorized access to PHI by members of a workforce have been uncovered through audit trails.

Implementing Audit Controls

OCR’s January newsletter emphasizes the HIPAA Security Rule leaves decisions about what data should be collected, and how often it should be analyzed, to each organization, based on its risk analysis: “When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities.” So an organization’s data auditing procedures will be a natural outgrowth of the individualized risk analysis required under the Administrative Safeguards provision of the HIPAA Security Rule.

The OCR newsletter outlines a framework of key questions covered entities and business associates should consider in implementing audit controls:

  • What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
  • What are the audit control capabilities of information systems with ePHI?
  • Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?
  • Are changes or upgrades of an information system’s audit capabilities necessary?

OCR’s January Newsletter also cautions about the need to secure Audit Controls from malicious access: “Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associates to not only recover from breaches, but to prevent them before they happen.”

Conclusion 

Audit trails are a critical tool in detecting unauthorized access to and use of systems and software that contain ePHI, in enforcing workforce compliance, and in showing that a malicious attempt to access, alter, or export PHI was unsuccessful or had only a limited impact. The OCR newsletter is a reminder of how important these measures can be in securing ePHI and provides links to these other resources:

Additional Resources:

National Institute of Standards and Technology (NIST), NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

Department of Health and Human Services, Office for Civil Rights (OCR), HIPAA Security Rule Guidance (Technical Safeguards): https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
