Information System Activity Review - Log Analyzer

We like to delegate the HIPAA (or similar mandates) Security Officer role of monitoring logs, current authorized users, analyzing traffic, etc. to the HR, Nurse, IT point person, etc. in an under-20, maybe even a 100-employee environment. They will review logs to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access. Determine if generic accounts are used which do not support logging individuals' access to ePHI. The reality after reading the "Information System Activity Review" policy and procedure listed below is that this task is an incredibly arduous task for an individual to take on even for a small network. I researched Netwrix Auditor, Managed Engine, NetCrunch, a few, but need feedback on the best system for delegating the task and handing off to a small business. I'm considering going away from Sonicwalls because Watchguard's log interface appears to be better. Alternatively, is there any specific RMM agent that incorporates what we are looking for in this policy/procedure featured below? Regardless, we need easy deployment, an elegant interface, and it just works. It's easy to work with whether or not we hand this off to the client or we decide to incorporate it in our ongoing monthly maintenance agreement.

164.308(a)(1)(ii)(D): Security Management Process – "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
Policy: We will clearly identify all critical systems that process ePHI. We will implement security procedures to regularly review the records of information system activity on all such critical systems that process ePHI.
The information that will be maintained in audit logs and access reports including security incident tracking reports must include as much as possible of the following, as reasonable and appropriate:
    User IDs
    Dates and times of log-on and log-off
    Terminal identity, IP address and/or location, if possible
    Records of successful and rejected system access attempts

Safeguards must be deployed to protect against unauthorized changes and operational problems including:
    The logging facility being deactivated
    Alterations to the message types that are recorded
    Log files being edited or deleted
    Log file media becoming exhausted, and either failing to record events or overwriting itself

Procedure: Our HIPAA Security Officer will oversee the names of current authorized users. Review reports to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access. Determine if generic accounts are used which do not support logging individuals' access to ePHI.
Review the Active Directory User List with HR to validate that all users are still employed. Check access to other systems requiring authentication, including the EHR system, PACS, online systems with partners, labs, and any device or entity that stores ePHI. Verify that any vendors or subcontractors still need access.
snoopaloopAsked:

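A minimal analyzer for the review items listed in the policy and procedure above, added here as an illustration; it is not part of the original question and not code from any product named in the thread. It assumes a constructed CSV-style export of Windows Security events (the event IDs are the standard Windows ones), a constructed HR roster, and a constructed list of generic account names.

```python
# Added example, not from the original post: a minimal Information System Activity
# Review over a constructed export of Windows Security events. Event IDs are the standard
# Windows ones: 4624 logon, 4625 failed logon, 4634 logoff, 1102 log cleared, 4719 audit policy changed.
from collections import defaultdict

LOGON, LOGON_FAILED, LOGOFF = 4624, 4625, 4634
TAMPER_EVENTS = {1102, 4719}  # the policy's "logging facility deactivated / altered / edited" safeguards
# Constructed sample export (assumed format: time,event_id,user,ip,host); not real data.
SAMPLE_LOG = """\
2023-03-01T08:01:00,4624,jdoe,10.0.0.12,WS-FRONT1
2023-03-01T08:05:00,4625,jdoe,10.0.0.12,WS-FRONT1
2023-03-01T08:06:00,4624,nurse,10.0.0.20,WS-EXAM2
2023-03-01T09:00:00,4624,bsmith,10.0.0.33,WS-BILL1
2023-03-01T12:00:00,4634,jdoe,10.0.0.12,WS-FRONT1
2023-03-01T12:30:00,1102,admin,10.0.0.5,DC01
2023-03-01T13:00:00,4625,bsmith,10.0.0.33,WS-BILL1
2023-03-01T13:01:00,4625,bsmith,10.0.0.33,WS-BILL1
"""
HR_ROSTER = {"jdoe", "admin"}              # constructed: users HR confirms as still employed
GENERIC_ACCOUNTS = {"nurse", "frontdesk"}  # constructed: shared accounts, no individual accountability

def parse_events(text):
    # One dict per well-formed "time,event_id,user,ip,host" line; malformed lines are skipped.
    rows = (line.strip().split(",") for line in text.splitlines())
    return [{"time": t, "id": int(i), "user": u.lower(), "ip": ip, "host": h}
            for t, i, u, ip, h in (r for r in rows if len(r) == 5)]

def activity_report(events):
    # Per user: log-on/log-off times, terminal identity + IP, rejected attempts (the policy's log items).
    report = defaultdict(lambda: {"logons": [], "logoffs": [], "sources": set(), "rejected": 0})
    for e in events:
        r = report[e["user"]]
        r["sources"].add((e["host"], e["ip"]))
        if e["id"] == LOGON:
            r["logons"].append(e["time"])
        elif e["id"] == LOGOFF:
            r["logoffs"].append(e["time"])
        elif e["id"] == LOGON_FAILED:
            r["rejected"] += 1
    return dict(report)

def review_findings(events, roster=HR_ROSTER, generic=GENERIC_ACCOUNTS, max_rejected=2):
    # The procedure's questions: active users not on the HR roster, generic accounts in use,
    # repeated rejections, and any sign the logging facility itself was touched.
    active = set(report := activity_report(events))
    return {
        "not_on_hr_roster": sorted(active - roster - generic),
        "generic_accounts_in_use": sorted(active & generic),
        "repeated_rejections": sorted(u for u, r in report.items() if r["rejected"] >= max_rejected),
        "log_tampering": [(e["time"], e["id"], e["host"]) for e in events if e["id"] in TAMPER_EVENTS],
    }
```

Run against the constructed export, the findings flag bsmith (active but not on the roster, and repeatedly rejected), the shared "nurse" account, and the log-cleared event on DC01; the per-user report supplies the user ID, log-on/log-off times and terminal/IP that the policy says must be retained.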
David Johnson, CD, MVPRetiredCommented:
99% of this can be done within the operating system. i.e. Access Controls, AD Groups.
Accounting doesn't need to have access to HIPAA information
HIPAA users don't need access to Accounting.
Office staff doesn't need access to either the above.
Management staff also doesn't need access to the above
Purchasing doesn't need access to above.
Payroll doesn't need access to the above

Do you get my gist.

This is commonly known as Role Based Access Controls (RBAC)

The OS can provide detailed security logs which can be parsed with Splunk or another analysis engine.
snoopaloopAuthor Commented:
These are logs generated after the implementation of Access Controls, AD groups, improving the filtered notifications of a firewall, etc. These logs must be reviewed and retained for 6 years. The reality after reading the "Information System Activity Review" policy and procedure listed below is that this task is an incredibly arduous task for an individual to take on even for a small network. I researched Netwrix Auditor, Managed Engine, NetCrunch, a few, but need feedback on the best system for delegating the task and handing off to a small business. I'm considering going away from Sonicwalls because Watchguard's log interface appears to be better. Alternatively, is there any specific RMM agent that incorporates what we are looking for in this policy/procedure featured below? Regardless, we need easy deployment, an elegant interface, and it just works. The log analyzer needs to be easy to work with regardless of whether or not we hand this task off to the client or we decide to incorporate it in our ongoing monthly maintenance agreement.
snoopaloopAuthor Commented:
I'm demoing the ManageEngine product called Log360 tomorrow. Here are some approximate prices. Hopefully, it's fairly easy to use and good.

Yearly Subscription
Starts at $595 (two devices (example: router and AzureAD): $900)
Support fee

One-Time Purchase of Log360
3x the subscription model.
Support Fee: 20% of cost
snoopaloopAuthor Commented:
Ended up using Managed Engine
