LOG MANAGEMENT & COMPLIANCE BEST PRACTICES: HEALTHCARE INDUSTRY SECTOR By Ipswitch, Inc. Network Management Division www.whatsupgold.com September 2011
Table of Contents Key Compliance Initiatives 3 HIPAA.3 HITECH Act.....4 Best Practice #1: Automatically collect log files and store them as long as you need.4 Best Practice #2: Establish real-time alerts for key events and Syslog files...5 Best Practice #3: Generate and distribute the reports you need to prove compliance.6 What should a log management solution provide for healthcare institutions?...9 Summary.........11 Introducing WhatsUp Log Management Suite.....11 Log Management & Compliances Best Practices: Healthcare Industry Sector 2
To protect and secure electronic protected health information or patient records, you need to know who is accessing which systems and data, and what users are doing at all times. Records of all events taking place in your environment are being logged right now into event logs, W3C logs or Syslog files across your servers, workstations and networking devices. Think about it log files contain complete audit trails of access, additions, deletions or manipulation of key information (i.e. employee records, patient health data, etc.). Therefore, log files need to be collected, stored, analyzed and reported on to have near real-time security event detection and response as well as maintain historical compliance assurance and forensics with key regulations such as HIPAA. Non-compliance with HIPAA can be costly recently, the Department of Veterans Affairs committed $20 million to correct a data breach which could affect almost one million VA physicians and patients. How can you effectively collect, store, analyze and report on log files for measures such as this? WhatsUp Log Management is an effective start. Key compliance initiatives Before we dive into best practices for a healthcare log management solution, a quick background of the relevant laws and standards below will provide you with a high-level overview to understand compliance regulations in the healthcare industry and how they can affect your log management strategy. HIPAA The Health Insurance Portability and Accountability Act (HIPAA) established national standards for maintaining the privacy of protected health information. These standards are aimed at improving the efficiency and effectiveness of the US healthcare system by encouraging widespread use of electronic data interchange of health-related data. The Administrative Simplifications (AS) provisions of HIPAA address the health data security and privacy requirements. It mandates that entities handling protected health information must put in place technical safeguards including access controls, encrypted communication, event logging and written records of detailed device configuration files. Covered entities must also document their HIPAA practices and make the records available to the Government for assessing compliance. Your logs are a treasure trove of information. If properly set up, they record every network event on your servers, devices and applications -- for example, Access and permission changes to Files, Folders, and Objects containing financial, customer or compliance data, object access attempts, login failures, etc. This information is critical when launching an immediate incident response when you face a network outage or a security threat. It also presents the means for you to prove compliance for HIPAA. However, you know that sifting through the volumes of logs from every possible network source is an unmanageable exercise. You need the tools to filter, correlate, export and report on logs in a way that presents the right information to your team and your management. According to the Centers for Medicaid and Medicare, organizations must build an IT infrastructure and strategies to protect against threats or hazard to the security of the information and, most importantly, prepare for investigation of potential security breaches. HIPAA requires Log Management & Compliances Best Practices: Healthcare Industry Sector 3
the existence of a reliable audit trail to protect the electronic personal data of medical patients, which must be able to provide sufficient information to establish what events occurred, when they occurred, and who (or what) caused them. Failure to comply with HIPAA regulations can mean costly civil or criminal penalties up to $25,000 or $250,000, respectively, with criminal penalties ranging up to 10 years of imprisonment. HITECH Act The HITECH Act of 2010 amended HIPAA to require Covered Entities to provide notification to individuals, the Office of Civil Rights (OCR) and others when certain breaches of unsecured protected health information (UPHI) occur (Section 13402(e)(3)). The implementing interim Breach Notification For Unsecured Protected Health Information regulations (Breach Regulation) published by OCR require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a breach of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations. The standards highlighted above reflect a need to ensure the protection and integrity of electronic health and patient records, and that an audit trail is available for each transaction. Now that you know the importance of these compliance regulations for healthcare institutions, we can detail best practices for establishing an LM strategy that effectively encompasses these regulations. Best Practice #1: Automatically collect log files and store them as long as you need HIPAA regulations mandate a period of six years for log data retention. Healthcare organizations need a solution that will collect and store log files and provide the multi-year storage necessary for this key regulation. In a typical setup, an administrator will configure an LM tool to gather event log, Syslog or W3C records nightly (or periodically) from servers, devices and workstations throughout their network. This process involves saving and clearing the active log files from each system, reading log entries out of the log files into a central database (e.g. Microsoft SQL), and finally compressing the saved log files and storing them centrally on a secure server. With WhatsUp Log Management, you can automatically collect Syslog, Microsoft Event or W3C/IIS logs across your entire infrastructure -- devices, systems, web servers, load balancers, firewalls, proxy servers, or content security appliances. Keeping your log data in two formats as database records and as compressed flat files offers a distinct storage/auditing advantage. Event log data in flat files compresses extremely well, often down to 5% of the original size. Therefore, in terms of storage cost, it costs very little to keep archived log data for many years should an auditor ever need it. However, flat files are a very poor medium for analysis and reporting, so keeping an active working set of data (often 60 to 90 days) in a database allows ad hoc reporting as well as scheduled reporting to be available for recent events. WhatsUp Log Management provides an easy mechanism for rapid re-import of older saved log files back into your database should they ever be needed. Having data at the ready in a central database greatly Log Management & Compliances Best Practices: Healthcare Industry Sector 4
reduces the potential for lost hours of chasing files when an auditor comes knocking, especially when HIPAA requires lengthy log data retention periods. With WhatsUp Log Management, you can not only collect Syslog, W3C/IIS or Windows Event log files and utilize its multi-year storage capabilities to comply with HIPAA, but also leverage the solution s cryptographic hashing capabilities to prevent tampering with your archived log files this gives you the peace of mind knowing that data cannot be tampered with -- key for evidentiary use. Tips: 1) Automatically collect, store, backup and archive your log files for 6 years as mandated by HIPAA 2) Keep your log files as: Flat files to save on storage costs Database records for on-demand analysis & reporting Active event log files in servers for fast analysis in response to a security incident 3) Protect your log files from tampering with cryptographic hashing protection Best Practice #2: Establish real-time alerts for key events and Syslog files You can rapidly detect internal or external threats and initiate rapid response procedures in your healthcare environment. This is especially critical for sensitive patient data and other electronic health records you need to be able to immediately identify key events (i.e. access and permission changes to files, folders and objects containing protected health data) the moment they happen. WhatsUp Log Management provides this critical functionality, as the WhatsUp Event Alert module within constantly watches over Syslog and Windows Event log files, immediately sending out alert notifications at the first sign of trouble. In addition, with advance warning from Event Alarm, network personnel can initiate investigate and triage processes as per their established security policies and compliance requirements. Most organizations have a heterogeneous IT environment, with a broad mix of operating systems, devices and systems. Therefore, you need to look for Windows Event log support to track user activity in Microsoft environments or Syslog support (across routers, switches, IDS, firewalls, and UNIX or LINUX systems). Most software products require the use of agents to perform real time monitoring of log files. If any factor influences your choice of a solution, this should be the one. A no-agents-required implementation of a monitoring solution will save a lot of headaches in the initial implementation, as your network grows, and in the ongoing maintenance of your monitoring solution. WhatsUp Log Management provides both agent- or agentless-based monitoring. Log Management & Compliances Best Practices: Healthcare Industry Sector 5
When developing a log monitoring plan, every organization has different rules on what sorts of events they must monitor. IT departments will frequently focus on security events as the sole indicator of any issues. While monitoring the security event log is essential, other event logs can also indicate issues with applications, hardware issues or malicious software. At a minimum, all monitored events should be traceable back their origination point. In addition to the fact that WhatsUp Log Management can immediately identify unauthorized events and zero in into the original breach culprit, the Rapid configuration tool eases deployment and setup by recommending commonly audited event types (i.e. new user additions, login failures, group membership changes, etc.) And, if you have frequent known events that don t pose a threat to security, WhatsUp Log Management s intelligent flood control feature limits repeat notification from the same set of alarms and allows administrators to routinely ignore some event types from alarming. Tip: Look for solutions which provide: Real-time monitoring of Windows Event logs and Syslog files from one console - Application, System, Security, DNS Server, Directory Service, and File Replication Service Logs - Syslog messages from Unix/Linux systems, routers, switches and firewalls Remote or agent-based monitoring Pre-packaged alarms so you don t have to remember which event IDs you should be overseeing Best Practice #3: Generate and distribute the reports you need to prove compliance Reporting is a key area because it provides you with significant data on security trends and proves compliance. Reporting can also help you substantiate the need to change security policies based on events that could result or have resulted in compromised security. Any LM solution that you implement needs to answer the following questions: What report formats are available? How much of your work is already done for you in prepackaged event log reports? Are you tied to a particular format? Will HTML and the availability of that HTML report to multiple users play a role? Can customized filters be easily recalled for repeat use? From what data sources can reports be generated? Does it include EVT, text, Microsoft Access, and ODBC? Can you create custom reports? Will the solution be compatible with your event archiving solution? Log Management & Compliances Best Practices: Healthcare Industry Sector 6
The WhatsUp Log Management Suite effectively answers these questions with robust point-and-click reporting to produce the compliance reports you need for your boss or security/compliance officer. With the aid of WhatsUp Event Analyst within the suite, network professionals can easily filter through stores of log file data for specific logs and then view, filter, export and report on those events of interest. The ability to efficiently search vast amounts of log data and report the findings is vital to the health of network securityconscious businesses of any size. And with the ability to define, store, schedule and send automated reporting as needed WhatsUp Event Analyst makes log reporting reliable, accountable and auditable. Any compromise on reporting will negate the all the other benefits of an LM solution, so be sure to leverage the robust benefits that WhatsUp Log Management offers with its reporting capabilities. Tip: Look for: Predefined filters Pre-packaged compliance-centric reports for HIPAA Easy-to-use custom report designer Automated report distribution The following table highlights suggested reporting requirements for security and compliance officers to specific requirements of HIPAA, along with the point-and-click reporting available within WhatsUp Log Management for the initiative: Log Management & Compliances Best Practices: Healthcare Industry Sector 7
Choose from several prepackaged compliance-centric reports within WhatsUp Log Management HIPAA Legal Requirements Security Rule 164.306 and Privacy Rule 164.530(c) All of the following must be addressed for logging and reporting: Password Aging Consolidated Change Logs User Privileges NTFS Permissions System Privileges Role Permissions & Membership Remote Access User Access Auditing Enabled WhatsUp Log Management point-and-click HIPAA report includes Account Management Success/Failure Directory Service Access - Success/Failure System Events - Success/Failure Object Access Attempts Success/Failure Object Deletions Group Management Password Reset Attempts by Users Password Reset Attempts by Administrators or Account Operators Computer Account Management Directory Service Access Attempts Logon Failures Active Directory Logon Failures Local Logons Log Management & Compliances Best Practices: Healthcare Industry Sector 8
What should a log management solution provide for healthcare institutions? The Log Management Solution Requirements table below represents a general consensus of the most important features that a best fit solution would provide. Beyond robust monitoring and reporting which are key for security of sensitive patient records and electronic health data, and for compliance with HIPAA, there are many more important log management features healthcare institutions must keep in mind: Log Management Solution Requirements Checklist Log Collection Automated collection of Syslog, Microsoft Event or W3c/IIS log files Configure to clear or not clear log files Collects all generated events Collects only certain types of events Choice of remote or agent-based collection Ability to configure log collection settings for multiple servers at once Allows leave a copy collection of active log data on the server Scheduled collection of logs from one console Log Consolidation and Storage Secure log aggregation and storage for Windows Event Logs, W3C/IIS logs and Syslog data from devices and OSs (UNIX, Linux) Supports Microsoft Access or SQL databases for log data Provides log normalization Supports automated compression Multi-year log data storage to comply with key Log Archiving Can provide email notification of failed archive attempts Can automatically retry failed archive attempts Continues from last collected event Scheduled time Percent full (threshold) Opens zipped event log files (.evt) for review Protects archived files from tampering via cryptographic hashing Handles automatic database maintenance tasks Facilitates database filtering to import only selected events Data Formats Syslog SQL MS Access Windows Event (.EVT and.evtx) Log Format Comma Delimited Text File HTML Report Format Comma-Delimited Report Format Log Management & Compliances Best Practices: Healthcare Industry Sector 9
regulations Monitoring Remote or agent-based monitoring Real-time monitoring of Windows Event and Syslog log files Configurable polling Servers go offline/online System shutdowns/restarts Detect and track changes to users/ groups/ computers Detect and track unauthorized account usage Detect and track printer activity Detect policy or key event changes Detect account lockouts Track logon activity Track errors and warnings Track changes/deletions on files/folders/registry keys Ability to create custom alarms for log monitoring Ability to normalize EVT and EVTX log files Reporting Provides out-of-the-box predefined reports (SOX, HIPAA, FISMA, PCI DSS, MiFID, etc.) Provides access to log reports via browser Can report daily, weekly, or monthly results for defined data Ability to create, schedule and distribute custom reports Configurable report formats HTML-based reports W3C/IIS Alerts and Notifications Define alerts for events of interest Define alert for a single event Alerts on devices and OSs supporting Syslog Recommendation of commonly audited event types Sends notifications to multiple email addresses Limitation of repeat notification from the same set of alarms Allows the creation of logical workgroups for easier management of multiple log file sources Flexible configuration of alarm notification settings by hour and day of the week Supports multiple notification options including email, network popup, pager, Syslog forwarding Allows custom thresholds before notifications are sent Enables grouping of commonly used alarms Alarm history tracking & reports Log Analysis and Management Supports extensive, pre-defined filtering options Create custom filters for review Ability to jump to specific dates, sift through logs or scroll them chronologically Correlate and analyze across events and event descriptions across multiple log files at once Log Management & Compliances Best Practices: Healthcare Industry Sector 10
Automated report distribution Ability to eport on EVT and EVTX log files Summary Healthcare providers, hospitals, insurance companies and social services are under tremendous pressure to not only comply with HIPAA and HITECH, but also ensure that electronic health records and other sensitive assets are secure every second of every day. Not only can healthcare institutions not afford a patient s health chart and subsequently his or her trust to be compromised, but they simply cannot afford a costly audit which could cost millions. In order to ensure that these goals are met, healthcare institutions must choose a log management solution that can: provide the automatic collection of log files and log data multi-year storage capabilities, the ability to establish real-time alerts for key events and Syslog files, and robust reporting capabilities that generate and distribute the reports needed for compliance initiatives. Enter WhatsUp Log Management. Introducing WhatsUp Log Management Suite The WhatsUp Log Management Suite is a modular set of applications that can automatically collect store, analyze and report on Windows Event, W3C/IIS and Syslog files for real-time security event detection and response, and historical compliance assurance and forensics. Event Archiver: Automate log collection, storing, backup and consolidation. It supports auditing, regulatory compliance and log forensics activities. Event Alarm: Monitor log files and receive real-time alerts and notifications. Quickly react and initiate rapid response processes to network outages or security threats. Event Analyst: Analyze and report on log data and trends. Automatically distribute reports to management, security officers, auditors and other key stakeholders Event Rover: Single console to view and mine log all data across all servers and workstations. Supports ad-hoc forensics relying on patented Log Healer Technology, for handling and repairing potentially corrupt Microsoft.EVTX log files. The Auditing Volume Analyzer tool will aid administrators in determining database/flat file storage requirements for archiving logs on their networks. The Event Archiver Importing tool will aid administrators of distributed networks that need to consolidate log files over WAN links into a central database. Do you already own WhatsUp Gold? The LM/WUG integration tool will allow you to visualize both performance and log information from a WhatsUp Gold dashboard SINGLE pane of glass. Learn more at: http://community.whatsupgold.com/blogs/discoveringwug/identifysecuritythreads Log Management & Compliances Best Practices: Healthcare Industry Sector 11
Did you know that Ipswitch s WhatsUp Event Archiver was awarded US s Army Certificate of Networthiness # 201004611? You can find out more about the WhatsUp Gold Log Management Suite at: http://www.whatsupgold.com/log-management/ About the Network Management Division of Ipswitch, Inc. The Network Management Division of Ipswitch, Inc. is the developer of the WhatsUp Gold suite of innovative IT management software. WhatsUp Gold delivers comprehensive network, system, application and log monitoring and management solutions for small and medium businesses and enterprises. Built on a modular, yet integrated architecture, the affordable and easy-to-use solutions scale with the size and complexity of any physical or virtual IT infrastructure. From a single console, WhatsUp Gold supports standard IT management tasks including automated discovery, mapping, real-time monitoring, alerting, troubleshooting and reporting. More than 100,000 networks worldwide use WhatsUp Gold solutions to assure the availability, health and security of their critical business infrastructure today. Ipswitch, Inc. s Network Management Division recently added to its product line complete, easy-to-use solutions for Windows Security Event Management (SEM) and Log Management for small businesses and enterprise-level organizations suite with the acquisition of Dorian Software Creations, Inc. WhatsUp Gold was named Network Management Product of 2010 by Network Computing Magazine and earned the Network Products Guide 2010 Product Innovation Award in Network Management. To learn more about WhatsUp Gold the best value in IT Management software, download a free trial or to make a purchase, please visit: http://www.whatsupgold.com/products/download/. *All mentioned trademarks, product and company names cited herein are the property of their respective owners.* Log Management & Compliances Best Practices: Healthcare Industry Sector 12