
Are there any best practices for audit trail implementation for HIPAA, starting with database design?

Aric TenEyck
Greens

1 Answer

HIPAA compliance requires access control, information integrity, audit control, user authentication and transmission security. As with other compliance regulations, it is necessary to use software, hardware, or other methods that provide monitoring and capturing of user activities in information systems that contain or use electronic PHI. The security and integrity of electronic PHI must be ensured against any unauthorized access, modification, and deletion.

“As required by Congress in HIPAA, the Privacy Rule covers:

• Health plans

• Health care clearinghouses

• Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.”

To be able to meet the HIPAA requirements, the entity must constantly audit and report all access attempts and events related to the databases and objects that contain sensitive PHI records. Depending on the structure of health institution entities, supervisors periodically perform verification of HIPAA compliance to ensure its effectiveness. The verification frequency depends on the last verification report, and it is less frequent in case of previous or constant positive HIPAA compliance. The HIPAA act requirements do not strictly address methods for database and IT security. However, according to the regulation requirements on providing integrity, confidentiality, privacy, and availability of patient health information, the following steps provide compliance with HIPAA:

• Define and document the required permissions for each health institution employee

• Periodically review permission configurations on database objects and modify access rights in order to maintain the integrity, confidentiality, and accuracy of the PHI records

• Audit the system that keeps and provides use of the PHI records

• Periodically analyze the audit information that shows events related to the PHI records, and take action where needed

The following general actions are recommended in order to comply with HIPAA regulations:

• Maintain a SQL Server environment that is secure and constantly controlled. Provide SQL Server system security with continuous auditing of system events, whether the events are internal or external. Ensure this by enforcing strict rules that cannot be changed by unauthorized parties. Apply the rules to all SQL Server objects related to confidential PHI data (logins, databases, users, tables, etc.)

After the rules are set, audit and periodically analyze all events related to security - particularly pay attention to permission changes on the SQL Server objects, and access to databases/tables with PHI records

• Whatever the user origin is (internal or external), his/her actions must be monitored and documented in appropriate audit reports when related to database/table access permission changes. Administrative personnel actions must be documented as well – there must be no difference between regular users and administrators when it comes to auditing

• Use secure and officially verified hardware and software. Pay attention to common security configuration omissions, like default logins and passwords, that are often used by intruders in attack attempts

Modify all default system-supplied security parameters on SQL Server. If possible, do not use mixed mode (which enables both Windows and SQL Server authentication); switch to Windows authentication only. When used for accessing SQL Server, Windows authentication enforces the Windows password policy: checking the password history, and the password length and lifetime. The most important feature of the Windows password policy is the login lockout – the login is locked for further use after a number of consecutive failed logon attempts

• Any changes or tampering of captured audit information must be evident, whether it was done by an external or internal party. Tampering attempts monitoring is required in terms of compliance regulations, intrusion prevention, and potential security breach investigations

Ivan Stankovic
  • This is a clear and concise definition of HIPAA requirements and answers the question much more thoroughly than the accepted answer, which does not take HIPAA into account at all. This would also be great as community-wiki content so it can be updated as the laws change – Scott Simontis Nov 30 '15 at 22:57
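The answer above lists what to audit on SQL Server (permission changes, access to PHI tables, administrator actions, tamper attempts on the audit itself) and recommends Windows-only authentication, but gives no configuration. The T-SQL below is an added example written for this page; it is not part of Ivan Stankovic's answer or of any project. It uses the built-in SQL Server Audit feature (`CREATE SERVER AUDIT`, server and database audit specifications, `sys.fn_get_audit_file`). The audit name `HIPAA_PHI_Audit`, the database `ClinicalDB`, the table `dbo.PatientRecords` and the output path `E:\Audit\` are assumptions chosen for illustration.

```sql
-- Added example, not from the original answer. Assumed names: audit
-- HIPAA_PHI_Audit, database ClinicalDB, table dbo.PatientRecords, path E:\Audit\.
USE master;
GO

-- 1. Server-level audit target. Put the .sqlaudit files on a path that only the
--    SQL Server service account (and the people who review the logs) can write to.
--    ON_FAILURE = SHUTDOWN stops the instance if an event cannot be written, so
--    audit records are never silently dropped; FAIL_OPERATION is the softer option
--    if availability of the instance has to win over completeness of the trail.
CREATE SERVER AUDIT HIPAA_PHI_Audit
TO FILE (FILEPATH = 'E:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 100)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO

-- 2. Server-level events: changes to the audit configuration itself (makes
--    tampering with the audit evident), server permission, role and principal
--    changes, password changes, and every successful and failed login.
--    These groups apply to sysadmin members exactly as to ordinary logins.
CREATE SERVER AUDIT SPECIFICATION HIPAA_Server_Spec
FOR SERVER AUDIT HIPAA_PHI_Audit
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO

-- 3. Database-level events in the database that holds PHI: every read and write
--    of the PHI table by any principal (BY public covers all users, including
--    db_owner members), plus permission and role changes on database objects.
USE ClinicalDB;
GO
CREATE DATABASE AUDIT SPECIFICATION HIPAA_Db_Spec
FOR SERVER AUDIT HIPAA_PHI_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.PatientRecords BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- 4. Start collecting only after both specifications exist.
USE master;
GO
ALTER SERVER AUDIT HIPAA_PHI_Audit WITH (STATE = ON);
GO

-- 5. Check the authentication mode the answer recommends:
--    1 = Windows authentication only, 0 = mixed mode (SQL logins enabled).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 6. Periodic review query: who touched PHI or changed permissions in the last
--    24 hours, from which client, with the statement that was run.
--    sys.fn_get_audit_file reads the files written by the audit above.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, client_ip, statement
FROM sys.fn_get_audit_file('E:\Audit\HIPAA_PHI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(day, -1, SYSUTCDATETIME())
ORDER BY event_time;
```

Two points worth knowing when running this: `AUDIT_CHANGE_GROUP` records any `ALTER SERVER AUDIT` or specification change, so an administrator who disables the audit leaves a record of having done so in the file, and copying the rolled-over `.sqlaudit` files to storage the DBA cannot modify is what turns that into real tamper evidence. Auditing `SELECT` on a large PHI table generates a row per statement, so size `MAXSIZE` and `MAX_ROLLOVER_FILES` against the retention period the institution has to keep.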