HIPAA's Information System Activity Review implementation specification (i.e. "Security Control") is one of the most insidious yet seemingly innocuous Security Controls that most covered entities ("CEs") and business associates ("BAs"), even the largest ones, do not implement and execute in a sufficiently rigorous and sophisticated way. This Security Control requirement is stated as follows:
§164.308 (1) (ii) (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
It is "tucked away" as part of Security Controls associated with the Security Rule's first standard ("Standard"):
§164.308 (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
This Standard is arguably the most important of all the Security Rule's standards and contains the following Controls:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
The reason, in part, that not much focus is placed on this Standard is that it is part of a group of Controls that contains the key Security Rule Control that everyone obsesses about (i.e. Risk Analysis). There are good reasons to "obsess" over the Risk Analysis Control (a.k.a. "Risk Assessment") because it is foundational to the Security Rule's implementation. To wit, there is no way to comply with the Security Rule without first performing a rigorous Risk Assessment, notwithstanding the confusion surrounding exactly what this means (fodder for another newsletter article).
Equally important, but less readily understood, is the need to perform Information System Activity Reviews for all systems that create, update, access or use PHI. There is simply no way that any organization can plausibly ascertain whether its systems are being breached or otherwise compromised if these reviews are not conducted on a weekly, if not daily, basis.
As a young programmer, Carlos Leyva went to work for a huge oil company in Houston, TX. He supported manufacturing's purchasing system nationwide, which was comprised of approximately eight refineries. Every morning, job one was to review the error logs for this distributed application, which, among other things, passed EDI ANSI X.12 transactions from each refinery to the central mainframe in Houston, and then to all the oil company's vendors, with acknowledgments subsequently sent back from the vendors electronically, indicating that the purchase order ("PO") was received. As you might imagine, this application was complex, with lots of opportunities for PO transactions to run amok; reviewing error logs, and resolving said errors, was one of the most important support functions that he performed.
The applications now deployed by CEs and BAs, EHR applications for example, rival, if not exceed, the aforementioned purchasing system in complexity. However, an EHR application is only one of the dozens of applications that a CE must contend with, all of which require review for the detection of errors, incidents, access reports, etc.
In most organizations, even amongst the largest of CEs, this review is performed in a cursory, simplistic manner because the amount of information generated by today's applications quickly overwhelms even the most dedicated and competent support staff. BAs may also have applications that contain PHI, and processes that receive and handle a CE's PHI, that should be reviewed for errors in the application or the processes. Many organizations are paralyzed by this problem and quickly conclude that reviews are an exercise in futility.
So, what's the answer? There are no panaceas, but big data combined with sophisticated "structural analytics" algorithms offer hope. Join us for this month's webinar to see how others are solving this problem.