Auditing & Overall guidance for HIPAA compliance - with Group Policies etc...

- 2008 functional-level
- approximately 300 users, 300 computers, 15 servers (2 files servers and 5 domain controllers)
- Office 365 email

After reading a bit on this huge topic...
I have some favorite (broad) snippets (below).

My question is broad I know but from a standpoint of auditing with:
1. log-level auditing
2. file-level auditing
3. user-level auditing
4. ?

What native Windows tools should I use?
Should I create a server to collect all the audit data?  What type & OS/Applications?
Should I use native tools or third party tools?
What type of tools has worked best for you?
What mix of auditing is best?
Am I even mentioning the best type? If not, what should I use?
What about encryption? BitLocker?

Thank you for your help in advance!

HIPAA 164.312(b) Audit Controls: Implement hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information, or ePHI.

HIPAA Password Compliance - The HIPAA Privacy Regulations require that appropriate administrative, technical, and physical safeguards are in place to protect the privacy of protected health information. To meet this requirement, XYZ has implemented a change to the password policy for all accounts used for accessing the XYZ, Inc. web site.
The following represents the minimum requirements for your XYZ password.

      * Password complexity: Must not contain significant portions (three or more contiguous characters) of your account name or full name, must be at least eight (8) characters in length, must not use control characters and other non-printing characters, and must contain characters from at least three of the following four categories arranged in any order.

            * English uppercase characters (A through Z)
            * English lowercase characters (a through z)
            * Base 10 digits (0 through 9)
            * Non-alphabetic characters: ~!@#$%^*&;?.+_

      * Maximum age: All passwords must be changed at least every sixty (60) days.
      * History: Set at six (6), meaning the password needs to be set six times before it can be reused.
      * Account Lockout Threshold: After five (5) unsuccessful attempts to enter a password, the involved user-ID will be temporarily disabled for five (5) minutes after which the account will be automatically unlocked.

Guide to Creating A Secure Password - Passwords must be a minimum of eight (8) characters long and alphanumeric. Passwords should not be based on one's user name, actual name or any dictionary name; i.e., a good password should not contain standard words. The longer your password is the more secure it will be.
K B Asked:
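The complexity rules quoted in the question, written out as a checker. This is an added example, not part of the original post or of any Windows component; the function names are hypothetical, and it treats the symbol list in the quoted policy as exhaustive, which is an assumption.

```python
import unicodedata

MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3
NAME_FRAGMENT = 3                      # "three or more contiguous characters"
SYMBOLS = set("~!@#$%^*&;?.+_")        # symbol list as quoted in the policy


def name_fragments(value, size=NAME_FRAGMENT):
    """Every contiguous `size`-character piece of a name, lowercased.
    Pieces that span a space (between first and last name) are ignored."""
    value = value.lower()
    pieces = (value[i:i + size] for i in range(len(value) - size + 1))
    return {p for p in pieces if not any(c.isspace() for c in p)}


def check_password(password, account_name, full_name):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    # Unicode categories Cc/Cf cover control and other non-printing characters.
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in password):
        problems.append("contains control or non-printing characters")
    categories = [
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in SYMBOLS for c in password),
    ]
    if sum(categories) < REQUIRED_CATEGORIES:
        problems.append("fewer than 3 of 4 character categories")
    lowered = password.lower()
    fragments = name_fragments(account_name) | name_fragments(full_name)
    if any(f in lowered for f in fragments):
        problems.append("contains 3+ contiguous characters of account or full name")
    return problems
```

Maximum age, history and lockout from the same policy are enforced by the directory, not by inspecting a single password, so they are not modelled here.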
You are on a domain controller so the location of ADMX I think is not an issue for HIPAA.
It is used to simplify/centralize the accessibility of ADMX files without the need to have one copied to each DC.

I think the following article helps in identifying what the central store is and to what it applies (you might have seen it, just for completeness)
Your likely major exposure is O365, i.e. conveyance of PT information via email.

Windows server 2098 has the event log forwarding.  GPO audit, share where apt information is stored needs to have auditing enabled.
Spelunking is a tool that can aggregate eventlog data.

SNMP, snmptrapd server and then use evntwin to configure the eventlog to SNMP map.

On the snmptrapd server, you can use a syslog/rsyslog processor to add the events into a searchable DB as well as trigger certain events/notifications.

What application does your organization use? Is it a web-based interface to the data or a Windows application? Often that application will maintain audit information about which user accessed which Pt and what they did......
K B Author Commented:
One last question if I may...
What about Group Policy specifically?
Are there any gotchas or items I should remember moving forward with our Group Policies specific to HIPAA?
What about Central Store vs the way they are now..

Policy definitions (ADMX files) retrieved from the local machine

Central store for what? Are you talking about the file server, i.e. you have two, meaning one has one type of data and the other another?

Copy of the data aggregated to a single system where it can be proactively analyzed and is less susceptible to a rogue Admin or a user who obtains an admin's access through whatever means.

Group policy deals with uniformly enabling Auditing on the servers login/logout object access.
The AD DCs have auditing enabled; the local computers have more information on the source of the request, i.e. user logs in remotely, the AD DC login request will appear/reflect that it is coming from serverA, the security log on Server A will reflect the connection attempt as originating from an external IP....
Unfortunately, all auditing does is provide a way to track things back, unless you have a criteria that could proactively, i.e. user A, accessing PT accounts beyond normal expectation or threshold.
This type of proactive depends on the application used and the granularity of the configuration.

If the option exists, using a document management system versus file-based shares will go a long way to centralize control and auditing over documents. (Document management often has a DB backend with the files stored on a file share, but reference and access is through the document management system. It might be beneficial depending on the environment you are in, since document management systems often include versioning, and "deletes" are not "permanent" in many cases. I.e. the modifications, when incorrect, can be rolled back, an erroneously deleted file can be "undeleted" provided this/it was noticed in time, etc.)

Unfortunately, the regulation is a maze that one has to navigate and determine on one's own best judgement whether the steps taken, ........

The answer unfortunately is incomplete, does your firm use a custom application provided by someone, checking with said vendor whether their software is HIPAA compliant, will get you part way there. i.e. the software includes auditing, etc.
Your computer/system access complex passwords, that expire. and having restricted access...... no open systems, etc. GPOs enabling auditing on the server/workstations, preventing installation of unauthorized application i.e. such that one may have external access.
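The threshold idea from the answer above ("user A accessing PT accounts beyond normal expectation"), applied to object-access events gathered on a central collector. This is an added example, not part of the original answer; the one-line-per-event layout, the sample data, the threshold and the window are all constructed assumptions. Event ID 4663 is the Windows "an attempt was made to access an object" audit event.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event id> <user> <object path>" per line.
SAMPLE_EVENTS = r"""
2024-03-04T09:00:05 4663 CLINIC\asmith \\FS01\PT\1001.docx
2024-03-04T09:00:40 4663 CLINIC\asmith \\FS01\PT\1002.docx
2024-03-04T09:01:10 4663 CLINIC\bjones \\FS01\PT\2001.docx
2024-03-04T09:01:30 4663 CLINIC\asmith \\FS01\PT\1003.docx
2024-03-04T09:02:00 4624 CLINIC\cdoe -
2024-03-04T09:02:15 4663 CLINIC\bjones \\FS01\PT\2001.docx
2024-03-04T09:03:00 4663 CLINIC\asmith \\FS01\PT\1004.docx
2024-03-04T09:03:50 4663 CLINIC\asmith \\FS01\PT\1005.docx
2024-03-04T09:05:00 4663 CLINIC\cdoe \\FS01\PT\3001.docx
2024-03-04T11:05:00 4663 CLINIC\cdoe \\FS01\PT\3002.docx
2024-03-04T13:05:00 4663 CLINIC\cdoe \\FS01\PT\3003.docx
2024-03-04T15:05:00 4663 CLINIC\cdoe \\FS01\PT\3004.docx
truncated line
"""


def parse(lines):
    """Yield (time, user, path) for object-access events; skip everything else."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "4663":
            continue  # malformed line or a different event ID (e.g. 4624 logon)
        yield datetime.fromisoformat(parts[0]), parts[2].lower(), parts[3].lower()


def flag_excessive_access(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {user: peak distinct objects} for users who touched more than
    `threshold` distinct objects inside any sliding `window`."""
    recent = defaultdict(deque)          # user -> (time, path) still in window
    flagged = {}
    for when, user, path in sorted(parse(lines)):
        q = recent[user]
        q.append((when, path))
        while when - q[0][0] > window:   # drop accesses older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold:
            flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged
```

Counting distinct objects, not raw events, keeps a user who reopens one chart repeatedly (bjones) from being flagged, and the sliding window keeps a user who touches four records across a whole day (cdoe) below the threshold.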
K B Author Commented:
I have to check on the application.  This is a new client.
But I will be armed with your questions so thank you!!

This is what I mean regarding Central Store

K B Author Commented:
Thank you!