Meeting HIPAA requirements with log management

The healthcare industry today is a bit ahead of where the finance industry was in December 2004, when the PCI-DSS council was formed. Though HIPAA (the Health Insurance Portability and Accountability Act) has been in existence far longer than PCI-DSS, it really did not have any teeth until the ARRA-HITECH act of 2009 was passed. With financial as well as civil penalties for healthcare entities, HIPAA has started gaining strength. The January 25, 2013 update (known as the “Omnibus” act) adds even more structure. Along with HIPAA, healthcare institutions also need to follow other regulations such as PCI-DSS, SOX, FISMA and numerous state laws, depending on their size and business activities.

But why do we have this problem of noncompliance, or of weak security measures, in healthcare? Based on the 2012 HIMSS (Healthcare Information and Management Systems Society) Analytics reports, 22% of the hospitals surveyed identified a large security breach within the year. The CMS (Centers for Medicare & Medicaid Services, a division of the US Department of Health & Human Services responsible for the administration of several key federal healthcare programs) mandates immediate reporting of breaches affecting more than 500 patients; for breaches affecting fewer than 500 patients, only an annual report is required. It is exclusively the larger incidents, such as the Utah Department of Health breach of 780,000 records, that garner national press.

The challenge lies in how most healthcare entities have started and grown – either organically or through acquisition – and in the resulting growth in the number of applications. The survey also shows that for hospitals, managing firewall, IDS, network device and application logs constitutes 75-85% of their log management needs, and that these needs grow by 15-20% each year as log sources are added.
In most cases, even when a newer technology is implemented, the older one is kept running for 5+ years before it is decommissioned. The common frustration is the reactive process, and the time it takes to assess the vast amount of data in a breach situation, especially when public embarrassment looms as the worst outcome. With better log management comes the ability to detect and prevent unauthorized access, meet regulatory requirements, and perform fast forensic analysis and correlation. This needs to be done alongside other complementary security technologies, such as isolation of FDA-regulated medical devices, DLP, email encryption and vulnerability scanning of the entire infrastructure.

2012 Top 10 Healthcare Breaches