the logs from a time-keeping system may be used to verify
if an employee was on the clock when an unauthorized access occurred.
x Present reports in an easy-to-read Web page or dashboard.
Third-party tools can be expensive to purchase and install.
Up-front costs may include audit software, server and operating system for running the software, and labor costs for installation, training, and modification. In addition, there may be
annual licensing and support fees, which must be factored
into an organization’s operating budget.
Some vendors offer audit tools as software as a service, or
SaaS. This eliminates many of the up-front costs because the
vendor supplies and owns the necessary hardware and software and provides the programming support. The healthcare organization pays a monthly fee to use the tool, usually
through a Web interface.
Determining When and How Often to Audit
Due to a lack of resources, organizations typically examine
their audit trails only when there is a suspected problem. Although this is a common practice, it is definitely not a best
It is imperative an organization’s security audit strategy
outlines the appropriate procedure for responding to a security incident. However, it must also define the process for
the regular review of audit logs. At a minimum, review of user
activities within clinical applications should be conducted
monthly. It is best to review audit logs as close to real time
as possible and as soon after an event occurs as can be managed.† This is especially true for audit logs, which could signal an unauthorized access or intrusion into an application
or system. Automated audit tools can be helpful for providing
near real-time reports.
Evaluating Audit Findings
Department managers and supervisors are in the best position
to determine the appropriateness of staff access. Therefore,
they should review the audit reports.
The organization’s information security and privacy officials
must provide education to the directors, managers, and supervisors responsible for reviewing security audit report findings
so they are equipped to interpret results and determine appropriate versus inappropriate access based on defined and approved access permissions.†
Presenting Audit Report Findings to Employees
In the event that an audit reveals potentially unauthorized access by an employee, human resources, risk management, and
legal counsel (as appropriate) may need to be involved before
addressing the report findings with the employee.
Organizations should consider factors such as education,
experience, privacy and security training, and barriers to
learning (e.g., language) when evaluating an employee’s ac-
tions. They should remember that an individual may have had
a good reason for out-of-the-ordinary access, even if the initial
review indicates otherwise. In addition, organizations should
consider treating the questioning of an employee as an inquiry, rather than an interrogation.
Organizations must be consistent in the application of their
security and privacy audit policies and sanctions with no exceptions. Making exceptions to the policy risks the trust of the
workforce and consumers and poses a risk to legal defense.†
Healthcare facilities leave themselves open to both individual
and class action lawsuits when they do not have a strong, consistent enforcement program. 1
Organizations should develop and implement graduated
sanctions so that the punishment fits the incident. Sanction
policies should allow management some limited flexibility.
For example, sanctions to physicians and other licensed caregivers with specialized skills may negatively affect patient
care and business operations if these individuals are removed
from their job as a result of a violation.
In conjunction with sanction policies, organizations must
develop and implement strong policies and procedures to address the processing of breaches, compliant with federal and
state laws and regulations, in the event any security audit findings indicate a breach has occurred.
Protecting and Retaining Audit Logs
HIPAA requires that covered entities maintain proof that they
have been conducting audits for six years. Such documents
may include policies, procedures, and past audit reports. State
statutes of limitations relative to discoverability and an organization’s records management policies may require that this
information be kept longer.
Organizations must review pertinent regulatory require-
ments, including applicable federal and state laws, in deter-
mining the appropriate retention period for security audit
logs. Security and privacy officials should collaborate to estab-
lish the most effective schedule for the organization. †
The Payment Card Industry Data Security Standard requires
organizations “retain audit trail history for at least one year,
with a minimum of three months’ online availability.”
At a minimum, an organization’s audit strategy must stipu-
late the following actions to protect and retain audit logs:
x Storing audit logs and records on a server separate from
the system that generated the audit trail
x Restricting access to audit logs to prevent tampering or
altering of audit data
x Retaining audit trails based on a schedule determined
collaboratively with operational, technical, risk manage-
ment, and legal staff †
Prevention through Education
The new mantra in healthcare should be, “Just because you
can, doesn’t mean you should.” Education is a preventive measure that must be executed and re-executed to ensure optimal