Welcome back, you Cyberia compliance cosmonauts to implementing a HIPAA compliance program for leadership. And this lesson is the monitoring, logging and reporting of our HIPPA compliance program. Specifically the control surrounding the hip of security rule and the technology we're gonna use to protect the confidentiality, integrity and availability of our electronic protected health information. So if you're ready,
turn your sensors and communicators on
our lunar lander is about ready to make a touchdown.
So this lecture is about viewing our program from space. How does the outside viewer little hip, a village and the best way we can map out our village just like Google Maps does with their vans, You always see driving around. They have all the cameras mounted to the roofs and sidewalls. Well, it's with the right data and the right inputs. Three auditor can go into our reporting and monitoring tools and look at our security program's capabilities.
So monitoring, logging and reporting of our controls is what this lecture is going to cover.
We're gonna talk about key performance indicators, KP ice and how we define monitoring of e P h I. We're gonna talk about six logs and the data about data that is generated that are tools we're gonna monitor and report on. We want to be a tool rich environment so we can accurately report all our programs activities, Especially when the auditor walks in and asked for a report on who went where
and what they did last month.
So we can say Click, click. Here you go. There is nowhere for the auditor to go. When your answer is that simple, the auditor usually hears answers like I think I can get that. Well, let's put that on the list of items I owe you. Before you leave for our program, we're gonna make it easy for the auditor to get their answers. And then we will gladly and quickly show them the exit
so we can get back to our very important spacewalk.
So if you love spreadsheets and you dream and rows and columns, well, that might mean you're anti psychotics your therapist has prescribed for you. Well, they're not working, and you need to refund or just might mean that this lecture is right up your alley. Key performance indicators refer to a set of quantifiable measurements used to gauge your company's overall long term performance
organizations use KP ice to measure their company's strategic, financial
and operational achievements, especially when compared to their competition. And we will use KP ice to measure the rial indicators of our network and our security program services and metrics like failure rates and outage intervals on our critical E h R systems metrics like meantime, between failure and mean time to repair
up and down status I A systems availability percentage of service intervals like downtime and percentage
of systems that require firmware and software patching. And how often the team managed service required during the service interval. How many times did the team run long and thus cause system downtime, monitor real time and historical and report out to any device? This is where our program needs to go.
So I want to keep it out of the technical weeds and a high level reporting and analytics or a requirement of HIPPA. I wanna call out a few criteria that air looked at. Confidentiality is about access. Keeping the records away from prying eyes is key to protecting the privacy of the individual, so we need to monitor who access to electronic record win what was viewed or printed. And then this information can be
compared to privilege
as long as it was on a need to know basis. All good. But this is where what is called forensic auditing comes in. Maintaining an audit trail like our example allows us to review criteria around access to make sure there hasn't, for example, been an escalation of privilege. Too much access has been granted to a person who doesn't need to know or doesn't require access.
This is how breaches happen.
But Hip wants to make sure your program has these kinds of capabilities. There are consequences to not having a knack cess monitoring or auditing program. A covered entity was fined $5.5 million by failing to implement procedures to regularly review records of information security and the requirement of being able to review information security activity has been in place.
It's in HIPPA since 2000 and five,
so there's a lot of hip a high tech requirements driving, logging and auditing, or things like risk management information system activity reviews, audit controls, accounting of patient information disclosure, meaningful use, reporting, breach, notification requirements, data retention policies, account management reviews, process audits and use their education and awareness.
We gather and review this information in various different ways. We have to monitor real time devices,
interfaces, services pretty much everything in our network, and everything in our network can have a software or hardware center attached and report toe a monitoring collector, our network management system or an M s. And we could have collectors like a SIM session incident and event manager
who will take all of the sensors and the devices and all of the information from these sensors and devices and network logs.
And we're talking about thousands of logs a minute are generated by our network, and then the same can help us make sense of all of it. And then our collectors and managers, Well, they're gonna have reporting engines that will kick out reports to us on demand or via scheduling. I get my pretty reports every Monday ahead of the managers meeting. It's a really good stuff.
So if you love spreadsheets and you dream and rows and columns, well, that might mean you're anti psychotics your therapist has prescribed for you. Well, they're not working and you need a refund or just might mean that this lecture is right up your alley. Key performance indicators refer to a set of quantifiable measurements used to gauge your company's overall long term performance.
Organizations use KP ice to measure their company's strategic, financial
and operational achievements, especially when compared to their competition. And we will use KP ice to measure the rial indicators of our network and our security program services and metrics like failure rates and outage intervals on our critical E h R systems. Metrics like meantime, between failure and mean time to repair up and down status I A systems availability percentage
of service intervals like downtime and percentage
of systems that require firmware and software patching. And how often the team managed service required during the service interval. How many times did the team run long and thus cause system downtime, monitor real time and historical and report out to any device? This is where our program needs to go,
so there's some good stuff on the slide, and I'm not going to cover all of it. So make a note and dig deeper into the concepts on the slide as they're called out. But for now, keep these things in mind. Collect logs from every system, application and program. Consolidate your logs on a centralized logging server or in a mess that is protected by security controls, such as role based access control and file integrity. Monitoring.
Include logging servers In your data backup plan,
Implement a log analysis tool or SIM, for a real time review of logs with alerting of staff for suspicious behavior. Monitor all aspects of your E P H i systems to physical access who swiped their key card and walked into the data center to sensors that are monitoring the up time of your hard drives in the database server where you're keeping your electronic records.
If it has to do with EPA H I monitor it,
log it and report it. Period. End of story turned out the lights. The party's over
on the last concept I want to review real quick is what will the auditor be looking for? Policies and procedures for accessing eh Ph. I reports and who has access and maybe even a report on access over the last 30 days. This is all about determining if you can generate the report and not about the information in the report. Can you kick out a list of new hires and show the auditor there granted access rules?
And what is the status of your ability to monitor, log and report
on E p h I. The proof will be in the pudding. You wanna be able to show the audit or painted glass with real time monitoring of P H I and then put on paper in front of the auditor reports on your Ph I activity. If you could do this, I guarantee you three check boxes and you're out and onto the next control.
So we've covered a lot. So now it's time to test our monitoring and reporting capabilities before the auditor shows up. So give three reasons why monitoring a Chinese like Cerner and epic are important what we want to control the risk of access. Specifically, we wanna make sure that we're controlling privilege creep. So individuals that air, for some reason, have too much access.
We want to be able to have digital forensics so that we can take a specific health record
and cradle to grave know who accessed it. When who touched it, who changed it, etcetera. We want to make sure that we're controlling escalation of privilege. And at the end of the day, guess what, folks? It's the law. So well, we better get it right.
So in this video we learned about the importance and hipper requirements around monitoring, logging and reporting of our e p h i infrastructure. We looked at the differences around monitoring, logging and reporting and called out the auditing flags that we don't want to see waived and the auditing warning alarms that we don't want to hear. And we became really close chummy friends with our auditor. So much so
when we ran out of coffee, we upgraded to the hard stuff
energy drinks. And in our next lecture, we're gonna be learning all about assessing risk and the US government's free risk assessment tool, the Security Risk Assessment tool or S R. A.
So, on behalf of all of us that Sai Buri thanks for sitting in today's lecture on reporting and monitoring. We hope you found the information a real blast. Take care and until next time, happy zero gs travels and good luck with your astronaut meals ready to eat memories by just adding water and eating your liquid dinner with the straw. Yummy. Yeah, Maybe not so until then, until next time.
Thanks so much for joining.
We hope you had a little bit of fun. We hope you learned a lot about monitoring, reporting and logging until then. Until next time, take care