Information System Activity Review - Log Analyzer

snoopaloop
We like to delegate the HIPAA (or similar mandates) Security Officer role of monitoring logs, current authorized users, analyzing traffic, etc. to the HR, Nurse, IT point person, etc. in an under-20, maybe even a 100-employee environment. They will review logs to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access. Determine if generic accounts are used which do not support logging individuals' access to ePHI. The reality after reading the "Information System Activity Review" policy and procedure listed below is that this task is an incredibly arduous one for an individual to take on, even for a small network. I researched Netwrix Auditor, ManageEngine, NetCrunch and a few others, but need feedback on the best system for delegating the task and handing it off to a small business. I'm considering going away from SonicWalls because WatchGuard's log interface appears to be better. Alternatively, is there any specific RMM agent that incorporates what we are looking for in this policy/procedure featured below? Regardless, we need easy deployment, an elegant interface, and it just works. It's easy to work with whether or not we hand this off to the client or we decide to incorporate it in our ongoing monthly maintenance agreement.

164.308(a)(1)(ii)(D): Security Management Process – “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Policy: We will clearly identify all critical systems that process ePHI. We will implement security procedures to regularly review the records of information system activity on all such critical systems that process ePHI.

The information that will be maintained in audit logs and access reports including security incident tracking reports must include as much as possible of the following, as reasonable and appropriate:

    User IDs
    Dates and times of log-on and log-off
    Terminal identity, IP address and/or location, if possible
    Records of successful and rejected system access attempts

Safeguards must be deployed to protect against unauthorized changes and operational problems including:

    The logging facility being deactivated
    Alterations to the message types that are recorded
    Log files being edited or deleted
    Log file media becoming exhausted, and either failing to record events or overwriting itself

Procedure: Our HIPAA Security Officer will oversee the names of current authorized users. Review reports to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access. Determine if generic accounts are used which do not support logging individuals' access to ePHI.

Review the Active Directory User List with HR to validate that all users are still employed. Check access to other systems requiring authentication, including the EHR system, PACS, online systems with partners, labs, and any device or entity that stores ePHI. Verify that any vendors or subcontractors still need access.
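The account-review step of the procedure quoted above (directory user list checked against HR, vendor access re-validated, generic accounts identified), as an added example that is not part of the original post and is not code from any product named in the thread. It assumes CSV exports with the column names shown, a fixed set of ePHI-granting group names and a heuristic pattern for generic account names; the directory export, HR roster and vendor list are all constructed sample data.

```python
"""Account review: enabled directory accounts holding ePHI group membership are
checked against the HR roster, the approved-vendor list and last-logon date, and
generic (shared) account names are called out as not attributable to a person.

Added example; not the poster's code or any product's.  CSV column names, group
names and the generic-name pattern are assumptions; all inputs are constructed.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed directory export.  Column names are an assumption.
AD_EXPORT_CSV = """sam_account,display_name,enabled,last_logon,groups
jsmith,Jane Smith,True,2024-03-01,EHR-Clinicians;Staff
bjones,Bob Jones,True,2023-11-15,EHR-Clinicians;Staff
frontdesk,Front Desk,True,2024-03-02,EHR-Scheduling
labvendor1,Lab Vendor Svc,True,2023-06-30,PACS-Readers
rpatel,Ravi Patel,False,2023-01-10,EHR-Clinicians
mgarcia,Maria Garcia,True,2024-02-28,Accounting
"""

# Constructed HR roster: only employees appear here; vendors do not.
HR_ROSTER_CSV = """sam_account,status
jsmith,active
bjones,terminated
rpatel,terminated
mgarcia,active
"""

# Constructed list of vendor accounts whose business need HR has confirmed.
APPROVED_VENDORS = {"labvendor1"}

# Groups assumed to grant ePHI access; disabled accounts and accounts outside
# these groups are out of scope for this review.
EPHI_GROUPS = {"EHR-Clinicians", "EHR-Scheduling", "PACS-Readers"}

# Names that look like a role or a device rather than a person (heuristic).
GENERIC_PATTERN = re.compile(
    r"^(frontdesk|reception|nurse\d*|admin\d*|scanner|kiosk|shared|temp\d*)$",
    re.IGNORECASE,
)

# An enabled ePHI account unused for this long deserves a question.
STALE_AFTER = timedelta(days=90)


def review_accounts(ad_csv, hr_csv, approved_vendors, as_of):
    """Return (account, finding) pairs the Security Officer must act on."""
    roster = {r["sam_account"]: r["status"]
              for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        if row["enabled"] != "True":
            continue
        if not set(row["groups"].split(";")) & EPHI_GROUPS:
            continue
        acct = row["sam_account"]
        status = roster.get(acct)
        if GENERIC_PATTERN.match(acct):
            # A shared login cannot attribute ePHI access to one individual.
            findings.append((acct, "generic account: access not attributable to an individual"))
        elif status == "terminated":
            findings.append((acct, "enabled but HR lists as terminated"))
        elif status is None and acct in approved_vendors:
            findings.append((acct, "vendor: confirm business need still exists"))
        elif status is None:
            findings.append((acct, "not on HR roster and not an approved vendor"))
        last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d")
        idle = as_of - last_logon
        if idle > STALE_AFTER:
            findings.append((acct, f"no logon in {idle.days} days"))
    return findings


def sample_review():
    """Run the review over the constructed data as of a fixed date."""
    return review_accounts(AD_EXPORT_CSV, HR_ROSTER_CSV, APPROVED_VENDORS,
                           datetime(2024, 3, 5))


if __name__ == "__main__":
    for acct, finding in sample_review():
        print(f"{acct:<12} {finding}")
```

Disabled accounts are skipped deliberately: the review's question is who can still reach ePHI, and a disabled account cannot. The stale-logon check runs independently of the roster result, so a terminated-but-enabled account that has also gone quiet shows up twice, once for each reason.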

Commented:
99% of this can be done within the operating system. i.e. Access Controls, AD Groups.
Accounting doesn't need to have access to HIPAA information
HIPAA users don't need access to Accounting.
Office staff doesn't need access to either the above.
Management staff also doesn't need access to the above
Purchasing doesn't need access to above.
Payroll doesn't need access to the above

Do you get my gist?

This is commonly known as Role Based Access Controls (RBAC)

The OS can provide detailed security logs which can be parsed with Splunk or another analysis engine.
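The expert's point that the OS security logs can be parsed by an analysis engine, as an added example that is not part of the thread and is not code from Splunk or from any product named here: it turns exported Windows Security events into the fields the policy lists (user ID, date and time, logon or logoff, terminal and IP, success or failure) and flags the events that indicate the logging facility itself was cleared or reconfigured. Event IDs 4624, 4625, 4634, 1102 and 4719 are the standard Windows Security log IDs; the JSON-lines export format is an assumption and the sample lines are constructed.

```python
"""Parse exported Windows Security events into the review fields the policy
requires and flag log-integrity events (audit log cleared, audit policy changed).

Added example; not the poster's code or Splunk's.  The JSON-lines export format
is an assumption and the sample events are constructed.  Field names follow
the Security log's own element names (TargetUserName, IpAddress, ...).
"""
import json
from collections import Counter

# Standard Windows Security event IDs and how this review classifies them.
EVENT_NAMES = {
    4624: ("logon", "success"),
    4625: ("logon", "failure"),
    4634: ("logoff", "success"),
    1102: ("audit log cleared", "integrity"),
    4719: ("audit policy changed", "integrity"),
}

# Constructed sample export: one JSON object per line.  4672 is included only to
# show that event IDs outside the review are dropped.
SAMPLE_EXPORT = "\n".join([
    '{"EventID": 4624, "TimeCreated": "2024-03-04T08:01:12Z", "TargetUserName": "jsmith", "WorkstationName": "EXAM-01", "IpAddress": "10.0.5.21", "LogonType": 2}',
    '{"EventID": 4625, "TimeCreated": "2024-03-04T08:03:50Z", "TargetUserName": "bjones", "WorkstationName": "LAPTOP-7", "IpAddress": "10.0.5.40", "LogonType": 3}',
    '{"EventID": 4625, "TimeCreated": "2024-03-04T08:04:02Z", "TargetUserName": "bjones", "WorkstationName": "LAPTOP-7", "IpAddress": "10.0.5.40", "LogonType": 3}',
    '{"EventID": 4625, "TimeCreated": "2024-03-04T08:04:15Z", "TargetUserName": "bjones", "WorkstationName": "LAPTOP-7", "IpAddress": "10.0.5.40", "LogonType": 3}',
    '{"EventID": 4672, "TimeCreated": "2024-03-04T08:05:00Z", "SubjectUserName": "admin2"}',
    '{"EventID": 4634, "TimeCreated": "2024-03-04T12:30:00Z", "TargetUserName": "jsmith", "LogonType": 2}',
    '{"EventID": 4719, "TimeCreated": "2024-03-04T12:58:41Z", "SubjectUserName": "admin2"}',
    '{"EventID": 1102, "TimeCreated": "2024-03-04T13:00:07Z", "SubjectUserName": "admin2"}',
    '{"EventID": 4624, "TimeCreated": "2024-03-04T22:14:09Z", "TargetUserName": "labvendor1", "WorkstationName": "-", "IpAddress": "203.0.113.7", "LogonType": 10}',
])


def parse_export(text):
    """Return one review record per recognised event, in export order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        eid = int(e["EventID"])
        if eid not in EVENT_NAMES:
            continue
        action, outcome = EVENT_NAMES[eid]
        records.append({
            "event_id": eid,
            "time": e["TimeCreated"],
            # Logon events name the account in TargetUserName; policy and
            # log-clear events name the actor in SubjectUserName.
            "user": e.get("TargetUserName") or e.get("SubjectUserName") or "-",
            "action": action,
            "outcome": outcome,
            "terminal": e.get("WorkstationName") or "-",
            "ip": e.get("IpAddress") or "-",
        })
    return records


def integrity_alerts(records):
    """Events showing the logging facility was cleared or its policy altered."""
    return [r for r in records if r["outcome"] == "integrity"]


def failed_logon_counts(records):
    """Rejected access attempts per user ID."""
    return Counter(r["user"] for r in records
                   if r["action"] == "logon" and r["outcome"] == "failure")


def format_review(records):
    """Fixed-width lines in the order the policy lists the fields."""
    return [f'{r["user"]:<12} {r["time"]}  {r["action"]:<20} {r["outcome"]:<9} '
            f'{r["terminal"]:<10} {r["ip"]}' for r in records]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("\n".join(format_review(recs)))
    print("failed logons:", dict(failed_logon_counts(recs)))
    for a in integrity_alerts(recs):
        print(f'INTEGRITY {a["time"]} {a["action"]} by {a["user"]}')
```

The integrity alerts map directly onto the safeguards the policy names: 1102 is the log being cleared, 4719 is a change to which message types are recorded. Both events are worth forwarding off the host the moment they occur, since a review that only reads the local log will not see what was deleted before it.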

Author

Commented:
These are logs generated after the implementation of Access Controls, AD groups, improving the filtered notifications of a firewall, etc. These logs must be reviewed and retained for 6 years. The reality after reading the "Information System Activity Review" policy and procedure listed below is that this task is an incredibly arduous one for an individual to take on, even for a small network. I researched Netwrix Auditor, ManageEngine, NetCrunch and a few others, but need feedback on the best system for delegating the task and handing it off to a small business. I'm considering going away from SonicWalls because WatchGuard's log interface appears to be better. Alternatively, is there any specific RMM agent that incorporates what we are looking for in this policy/procedure featured below? Regardless, we need easy deployment, an elegant interface, and it just works. The log analyzer needs to be easy to work with regardless of whether we hand this task off to the client or we decide to incorporate it in our ongoing monthly maintenance agreement.

Author

Commented:
I'm demoing the ManageEngine product called Log360 tomorrow. Here are some approximate prices. Hopefully, it's fairly easy to use and good.

Yearly Subscription
Starts at $595 (two devices (example: router and Azure AD) $900)
support fee

OneTime Purchase of Log360
3x the subscription model.
Support Fee 20% of cost
Ended up using ManageEngine
