Healthcare protection is getting teeth by 2010


By Dominique Levin, EVP Marketing and Strategy

Updates to HIPAA (HITECH, part of the Economic Stimulus Bill) increase the log management requirements of healthcare providers. By February 2010, healthcare providers and others handling protected health information need to comply or face stiff penalties ($1.5 million per year) and potential criminal prosecution.

HIPAA's other major change for covered entities is that they must now disclose if and when they have a security breach in which client data is exposed. All individuals whose data has been lost must be notified, and if more than 500 individuals' data is lost, the organization must notify the Secretary of the Department of Health and Human Services (HHS), who will publicly post the breach on the HHS website. Under HITECH, business associates (those handling protected health information who are not healthcare providers) are subject to the same civil and criminal penalties as covered entities, as well as the disclosure requirements outlined above.

More specific guidelines from the Secretary of Health and Human Services are due by the end of this week, so stay tuned, but important lessons can be learnt from past audits by the U.S. Department of Health and Human Services. In March 2007, the department audited the information security practices of Atlanta's Piedmont Hospital to determine whether the facility met HIPAA requirements. The audit revealed several areas in which the hospital failed to comply. That was just the beginning; recent HIPAA-related fines imposed on Providence Health & Services and CVS Caremark Corp. have caused many organizations, hospitals, healthcare clearinghouses and business associates to take HIPAA compliance more seriously. Some lessons learnt are articulated clearly in a recent Search Security article. In a nutshell:

  1. Establish clear organizational responsibility for ensuring the security of the protected health information
  2. Only accessible to those who have a business need
  3. Stored and processed on systems that are strictly controlled and backed up
  4. Monitored during all access
  5. Only moved to authorized locations and encrypted in storage and while transmitted on unprotected networks

An important part of maintaining control over PHI is knowing who has had access to the information. HIPAA requires that all access to protected information be monitored. This means that the systems and applications that provide the access need to be instrumented to capture access events. Further, an organization needs to look at its captured log information regularly. Our recent survey with the SANS Institute revealed that many organizations now take log management very seriously and, in fact, are collecting and archiving log data. The rub comes with the second part of the log management requirement: “an organization needs to look at its captured log information regularly”. This is much harder than it sounds. LogLogic has worked with its blue-chip customer base to make periodic log review easier, and to this end we today released a workflow automation product called Compliance Manager. Compliance Manager guides compliance administrators through the process of deciding who should review which log information and how frequently, guides reviewers through their daily tasks, and rolls this all up for auditors and managers alike to evaluate overall adherence to the compliance process.
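The monitoring and review requirement above, as an added example that is not part of the original post or of LogLogic's product: a small Python review script over constructed PHI access records that checks each access against an assumed role-to-action policy (the "business need" rule), reports who accessed what, and counts the distinct individuals touched by out-of-policy access against the 500-person HHS notification threshold the post mentions. The log format, user and role names, and the policy table are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: timestamp, user, role, action, patient record.
# The format is an assumption for this example, not a real product's log layout.
SAMPLE_LOG = """\
2009-09-14T08:02:11 jdoe clinician view patient:1001
2009-09-14T08:05:40 jdoe clinician view patient:1002
2009-09-14T08:30:05 msmith billing view patient:1001
2009-09-14T23:45:09 tlee facilities view patient:1003
2009-09-14T23:46:12 tlee facilities export patient:1004
2009-09-15T09:12:00 msmith billing export patient:1002
"""

# Assumed policy: which roles have a business need for each action on PHI.
ALLOWED = {
    "view": {"clinician", "billing"},
    "export": {"billing"},
}
HHS_THRESHOLD = 500  # HITECH: breaches affecting more than 500 individuals go to HHS


def parse_log(text):
    """Parse one record per line; malformed lines are returned, not silently dropped."""
    records, malformed = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            malformed.append(line)
            continue
        ts, user, role, action, target = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action, "target": target})
    return records, malformed


def review(records):
    """Periodic review: access counts per user, out-of-policy events, affected individuals."""
    per_user = defaultdict(int)
    violations = []
    affected = set()
    for r in records:
        per_user[r["user"]] += 1
        if r["role"] not in ALLOWED.get(r["action"], set()):
            violations.append(r)
            affected.add(r["target"])
    return {"per_user": dict(per_user), "violations": violations,
            "affected_individuals": len(affected),
            "notify_hhs": len(affected) > HHS_THRESHOLD}
```

Run against a real export, the malformed-line list is as important as the violation list: a reviewer who only sees parsed records cannot tell whether monitoring is complete.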
