We like to delegate the HIPAA (or similar mandates) Security Officer role of monitoring logs, current authorized users, analyzing traffic, etc. to the HR, nurse, IT point person, etc. in an under-20, maybe even a 100-employee environment. They will review logs to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access, and determine if generic accounts are used which do not support logging an individual's access to ePHI. The reality after reading the "Information System Activity Review" policy and procedure listed below is that this task is incredibly arduous for an individual to take on, even for a small network. I researched Netwrix Auditor, ManageEngine, and a few others but need feedback on the best system for delegating the task and handing it off to a small business. I'm considering going away from SonicWalls because WatchGuard's log interface appears to be better. Alternatively, is there any specific RMM agent that incorporates what we are looking for in this policy/procedure featured below? Regardless, we need easy deployment, an elegant interface, and it just works. It's easy to work with, whether we hand this off to the client or incorporate it into our ongoing monthly maintenance agreement.
164.308(a)(1)(ii)(D): Security Management Process – "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
Policy: We will clearly identify all critical systems that process ePHI. We will implement security procedures to regularly review the records of information system activity on all such critical systems that process ePHI.
The information that will be maintained in audit logs and access reports, including security incident tracking reports, must include as much as possible of the following, as reasonable and appropriate:
- Dates and times of log-on and log-off
- Terminal identity, IP address and/or location, if possible
- Records of successful and rejected system access attempts
Safeguards must be deployed to protect against unauthorized changes and operational problems including:
- The logging facility being deactivated
- Alterations to the message types that are recorded
- Log files being edited or deleted
- Log file media becoming exhausted, and either failing to record events or overwriting itself
Procedure: Our HIPAA Security Officer will oversee the names of current authorized users. Review reports to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access. Determine if generic accounts are used which do not support logging an individual's access to ePHI.
Review the Active Directory User List with HR to validate that all users are still employed. Check access to other systems requiring authentication, including the EHR system, PACS, online systems with partners, labs, and any device or entity that stores ePHI. Verify that any vendors or subcontractors still need access.
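The two recurring checks in the procedure above (enabled accounts that HR no longer recognises or that sit unused, generic accounts whose activity cannot be tied to a person) and the log-safeguard items (logging deactivated, log media full or overwriting itself) can be scripted so the delegated reviewer only has to read a short report. The following PowerShell is an added example written for this post; it is not code from any of the products mentioned. It assumes an export of Active Directory users with the Get-ADUser fields SamAccountName, Enabled, LastLogonDate and Description, an HR-supplied list of logon names still employed or contracted, and an assumed naming convention for shared accounts (the regex in $GenericPattern). The sample export and roster are constructed for illustration.

```powershell
# Added example (not from the original post or any vendor): periodic access review
# and audit-log safeguard check for a small Windows/AD environment.

function Get-AccessReviewFindings {
    param(
        [Parameter(Mandatory)] [object[]] $AdUsers,   # rows with SamAccountName, Enabled, LastLogonDate, Description
        [Parameter(Mandatory)] [string[]] $HrRoster,  # logon names HR confirms as still employed/contracted
        [int] $StaleDays = 90,                        # inactivity threshold for "does this account still need access?"
        [datetime] $AsOf = (Get-Date),                # review date; fixed in the sample run so results are repeatable
        [string] $GenericPattern = '^(nurse|frontdesk|scanner|shared|admin|test)'  # assumed shared-account naming convention
    )
    foreach ($u in $AdUsers) {
        # Disabled accounts cannot log on, so they are not an access finding.
        # String compare on purpose: [bool]'False' would evaluate to $true in PowerShell.
        if ([string]$u.Enabled -ne 'True') { continue }

        $name = $u.SamAccountName
        $findings = @()

        # 1. Enabled account HR does not recognise: separated user, or vendor whose relationship ended
        if ($HrRoster -notcontains $name) { $findings += 'NotOnHRRoster' }

        # 2. Enabled but unused: access that is probably no longer needed
        if ([string]::IsNullOrWhiteSpace([string]$u.LastLogonDate)) {
            $findings += 'NeverLoggedOn'
        } elseif (([datetime]$u.LastLogonDate) -lt $AsOf.AddDays(-$StaleDays)) {
            $findings += "NoLogonIn${StaleDays}Days"
        }

        # 3. Generic/shared account: activity cannot be attributed to an individual
        if ($name -match $GenericPattern) { $findings += 'GenericAccount' }

        foreach ($f in $findings) {
            [pscustomobject]@{ Account = $name; Finding = $f; Description = $u.Description }
        }
    }
}

function Test-AuditLogSafeguards {
    # Checks the "logging deactivated" and "log media exhausted / overwriting itself" safeguards.
    # Reading the Security log configuration requires an elevated prompt.
    param([string[]] $LogNames = @('Security', 'System', 'Application'))
    foreach ($cfg in Get-WinEvent -ListLog $LogNames) {
        $max = [double]$cfg.MaximumSizeInBytes
        [pscustomobject]@{
            Log         = $cfg.LogName
            Enabled     = $cfg.IsEnabled        # $false means the logging facility has been deactivated
            Mode        = $cfg.LogMode          # Circular = oldest events are overwritten once the log is full
            MaxMB       = [math]::Round($max / 1MB)
            PercentFull = if ($max -gt 0) { [math]::Round(100 * $cfg.FileSize / $max) } else { $null }
            Records     = $cfg.RecordCount
        }
    }
}

# Constructed sample export. In production replace with:
#   $adUsers = Get-ADUser -Filter * -Properties LastLogonDate,Description |
#              Select-Object SamAccountName,Enabled,LastLogonDate,Description
$sampleAd = @'
SamAccountName,Enabled,LastLogonDate,Description
jsmith,True,2024-05-01,Billing
nurse1,True,2024-05-02,Shared nursing station
rjones,True,2023-11-10,Former office manager
vendor-pacs,True,,PACS support vendor
tlee,False,2024-04-20,Left 2024-04
'@ | ConvertFrom-Csv

$roster = @('jsmith', 'nurse1')   # constructed HR roster of current staff

# Expected rows: rjones (NotOnHRRoster, NoLogonIn90Days), vendor-pacs (NotOnHRRoster, NeverLoggedOn),
# nurse1 (GenericAccount). tlee is disabled and therefore skipped.
Get-AccessReviewFindings -AdUsers $sampleAd -HrRoster $roster -AsOf '2024-06-01' |
    Sort-Object Account, Finding | Format-Table -AutoSize

# On a domain-joined Windows host (elevated), this shows whether each log is enabled,
# how full it is, and whether it will overwrite itself when full:
# Test-AuditLogSafeguards | Format-Table -AutoSize
```

The findings are prompts for the reviewer rather than verdicts: a vendor account flagged NotOnHRRoster may still be legitimate, which is exactly the "verify that any vendors or subcontractors still need access" step, and a GenericAccount finding is the cue to decide whether that shared login can be replaced by individual accounts. Export the two tables each review cycle and keep them with the sign-off so there is a record that the review happened.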