HIPAA Compliance Suite
Prove data confidentiality. Immutable Logs.
LogLogic products help businesses meet recurring compliance requirements in a cost-effective way, using information they already generate in-house. The LogLogic HIPAA reporting suite, one of a series of report packages that help companies handle key business issues, is designed to make it easier to manage the policies and controls associated with HIPAA and to prove that patient data is secured.
Overview
In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was signed into US law. HIPAA was designed to allow employees to change jobs without concern about continuation of health insurance coverage, provide improved access to health insurance for patients, reduce inefficiencies in the health care industry and protect the electronic health information of patients.
"LogLogic puts logic into our raw logs. We found it to be an affordable, standalone log management solution. Before this solution, I used to see more than 1,800 messages per second that were generated from my firewalls and VPNs. After we put LogLogic in place and did the necessary machine cleanup, that number dropped to 350 messages per second. It is a reduction of five times. The numbers show that the solution does work. This has happened because of LogLogic's technology, and carefully crafted processes and procedures that we employed to take control of the situation."
— Asad Syed, Northwestern Memorial Hospital
The HIPAA Security Rule directs that the Department of Health and Human Services (HHS) Medicare program, other federal agencies operating health plans or providing health care, state Medicaid agencies, private health plans, health care providers and health care clearinghouses assure their patients that the integrity, confidentiality and availability of the Electronic Protected Health Information they collect, maintain, use or transmit is protected. Today the amount of electronic health information is staggering, and its integrity, confidentiality and availability are threatened by worms, viruses, unauthorized disclosure and misuse.
Compliance with HIPAA requires that ‘Covered Entities’ implement various standards to safeguard electronic health information. HIPAA implementation standards are either required (R) or addressable (A). If an Implementation Specification is “required”, the Covered Entity must implement the Implementation Specifications. If the Implementation Specification is “addressable” the Covered Entity must:
- Assess whether each Implementation Specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s Electronic Protected Health Information; and
- As applicable to the entity:
  - Implement the Implementation Specification if reasonable and appropriate; or
  - If implementing the Implementation Specification is not reasonable and appropriate:
    - Document why it would not be reasonable and appropriate to implement the Implementation Specification; and
    - Implement an equivalent alternative measure if reasonable and appropriate.
What is the LogLogic Compliance Suite: HIPAA Edition
The LogLogic Compliance Suite: HIPAA Edition is the first solution of its kind. It delivers automated process validation, reporting and alerts based on infrastructure data to evidence and enforce business and IT policies related to compliance. By automating compliance reporting and alerting based on critical infrastructure data collected and stored by LogLogic’s appliances, the LogLogic Compliance Suite reduces the complexity and resource requirements of implementing HIPAA security standards and implementation specifications.
LogLogic’s Compliance Suite:
- Automates compliance activities and dramatically improves audit accuracy.
- Provides risk assessment data and accelerates time to risk mitigation.
- Allows organizations to use infrastructure data to provide evidence of and enforce IT controls.
- Provides industry-leading reporting depth and breadth, including real-time reporting and alerting on HIPAA compliance.
- Delivers 50 out-of-the-box Compliance Reports and 50 out-of-the-box alerts with executive-level views.
- Enables customization of any Compliance Report to map reports against your company’s policies.
Organizations can use the LogLogic Compliance Suite: HIPAA Edition to
- Enforce controls using LogLogic technologies
- Show auditors alerts and reports to prove your compliance status with LogLogic
- Monitor continuously with LogLogic to ensure continuous compliance
- Provide auditors with unaltered LogLogic evidence of log data review and follow-up
- Provide assurances of the integrity of the log data collected and reports
Compliance Categories
Log data allows organizations to manage the extreme challenges of meeting major HIPAA implementation specifications. LogLogic’s compliance reports and alerts satisfy the following categories:
Identity and Access
LogLogic Compliance Suite: HIPAA Edition includes reports and alerts to show that all HIPAA-related systems (i.e., networks, applications, and databases) are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data. Non-compliance may result in unauthorized and/or inappropriate access to key systems, which may negatively impact the security, integrity, accuracy and completeness of healthcare information.
Monitoring and Reporting
LogLogic Compliance Suite: HIPAA Edition includes reports and alerts to continuously monitor the IT infrastructure for any security violations. Reports are provided in a meaningful format. The monitoring statistics should be analyzed and acted upon to identify negative and positive trends for individual services as well as for services overall.
Risks of non-compliance in this area could significantly impact service availability as well as security of the IT infrastructure, which may negatively impact the security, integrity, accuracy and completeness of healthcare information.
Change Management
LogLogic Compliance Suite: HIPAA Edition includes reports and alerts to show that all systems and system changes are appropriately requested, approved, tested, and validated by authorized personnel prior to implementation in the production environment. These reports and alerts can also show that division of roles and responsibilities has been implemented to reduce the possibility of a single individual subverting a critical process. Management needs to make sure that personnel are performing only authorized duties relevant to their respective jobs and positions.
Non-compliance may result in unauthorized changes and/or improper roll-out of new source code to key systems. This may negatively impact the security, integrity, accuracy and completeness of healthcare information.
Security Management
LogLogic Compliance Suite: HIPAA Edition includes reports and alerts to show that all network security devices, including firewalls which control computer traffic into a company’s network, as well as IDS systems which monitor the computer traffic, have been configured appropriately to allow only the requested and approved traffic in and out of the network.
Non-compliance may result in unauthorized access from the Internet. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Availability Management
LogLogic Compliance Suite: HIPAA Edition includes reports and alerts to monitor the availability of critical IT infrastructure components. Alerts can be set up to fire when critical components send abnormal amounts of log data, which could indicate an attack on the component or system errors, or when they stop sending log data, which could indicate that the component has failed.
Non-compliance could significantly impact business viability and could prevent an organization from recording healthcare transactions, thereby undermining its integrity.
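Detection logic of the kind this section describes, as an added illustration rather than LogLogic's own implementation: each source's latest log volume is compared against a median baseline of its earlier windows, and bursts, silent sources and sources that never reported are flagged. The device names and counts are constructed.

```python
"""Log-volume availability checks: flag bursts and silent log sources."""
from statistics import median

# Constructed per-source event counts for consecutive 5-minute windows,
# oldest first. The last entry is the window being evaluated. These
# numbers are made up for illustration, not data from any real device.
WINDOW_COUNTS = {
    "fw-edge-01":  [310, 298, 325, 305, 2900],   # sudden burst of ~10x
    "vpn-gw-01":   [120, 118, 131, 125, 0],      # went silent this window
    "db-ehr-01":   [45, 52, 48, 50, 47],         # steady, nothing to report
    "ids-core-01": [0, 0, 0, 0, 0],              # never reported; no baseline
}

SPIKE_FACTOR = 5.0   # flag when the current window exceeds 5x the baseline
MIN_BASELINE = 10    # sources quieter than this have no meaningful baseline


def classify_source(counts, spike_factor=SPIKE_FACTOR, min_baseline=MIN_BASELINE):
    """Return 'spike', 'silent', 'no_baseline' or 'normal' for one source.

    The baseline is the median of all windows except the most recent one,
    so a single earlier outlier does not distort it.
    """
    if len(counts) < 2:
        return "no_baseline"
    history, current = counts[:-1], counts[-1]
    baseline = median(history)
    if baseline < min_baseline:
        return "no_baseline"
    if current == 0:
        return "silent"
    if current > spike_factor * baseline:
        return "spike"
    return "normal"


def availability_alerts(window_counts):
    """Classify every source and return only those needing follow-up."""
    findings = {name: classify_source(c) for name, c in window_counts.items()}
    return {name: status for name, status in findings.items() if status != "normal"}


if __name__ == "__main__":
    for name, status in sorted(availability_alerts(WINDOW_COUNTS).items()):
        print(f"{name}: {status}")
```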
Continuity Management
LogLogic Compliance Suite: HIPAA Edition includes reports and alerts to monitor that data are backed up on a regular basis. Reports can be automatically generated to ensure that backups and restores are performed successfully.
Deficiencies in this area could impact the resilience of the infrastructure as well as the availability of critical resources.
Satisfied HIPAA Implementation Specifications
HIPAA’s Security Rule contains over forty implementation specifications covering areas including Administrative Safeguards and Technical Safeguards. Twenty HIPAA implementation specifications were identified that can be evidenced or audited by LogLogic reports and alerts.
| Standards | Sections | Implementation Specifications ((R) = Required, (A) = Addressable) |
|---|---|---|
| § 164.308 — Administrative Safeguards | | |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Log-in Monitoring (A); Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A) |
| § 164.312 — Technical Safeguards | | |
| Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | (R); no separate implementation specification |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | (R); no separate implementation specification |