Educause Security Discussion mailing list archives
Re: What level of logging do you turn on (and keep) on Windows file servers with ePHI? Do you audit? How long do you keep the data?
From: "Harris, Michael C." <HarrisMC () HEALTH MISSOURI EDU>
Date: Wed, 7 Nov 2007 08:25:11 -0600
My understanding of HIPAA, clarified by NIST 800-66, is that it is more a matter of having a definitive policy and actually doing what you say you do. The verbiage in the Federal Register is intentionally vague, but basically you need to follow defensible best practice (see links text attached). Pick a Windows hardening guide and checklist or write your own, but follow it and prove that you are.

How long you keep log data (detail or summary) depends on how you define the procedure to utilize it, from a diagnostic 24-hour rolling window to 7 years or more, or anything in between. Take care, because if you have legacy university policy for paper retention of records, that may arguably compel you for similar records kept electronically. See 45 CFR 164.316(b)(1)(i) and NIST 800-66 page 84.

Being able to tell exactly which user accessed ePHI is the goal, but that is often logged at the application or DB level rather than by the OS. Having system logs that can corroborate application log detail is often helpful.

For auditing I would recommend at minimum a yearly review, as ongoing Risk Assessment or evaluation is mandatory; see NIST 800-66 pages 44 & 67.

Mike

--------------------------------------------------------
| Michael C. Harris, CISSP                             |
| Principal Security Analyst & Clinical Instructor     |
| University Of Missouri Health Care                   |
| harrismc () health missouri edu                      |
| <mailto:harrismc () health missouri edu>   KCØPAH    |
--------------------------------------------------------

________________________________
From: H. Morrow Long [mailto:morrow.long () YALE EDU]
Sent: Saturday, November 03, 2007 7:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What level of logging do you turn on (and keep) on Windows file servers with ePHI? Do you audit? How long do you keep the data?

If you have Windows file servers with files containing ePHI, as part of your HIPAA privacy/security compliance practice:

What level of logging do you turn on (and keep) on Windows file servers with ePHI?
Do you audit?
How long do you keep the data?

- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS
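As an added illustration of the file-server side of this question (example code, not from either poster): a PowerShell script that turns on file-system object-access auditing for an ePHI share, sizes the Security log so entries survive until they are collected, and then pulls the OS-level "who touched this file" records that can corroborate application or database logs. The share path, file name, log size and 24-hour window are assumptions; they stand in for whatever your own written procedure specifies. It assumes Windows Server 2008 or later (auditpol, event ID 4663) and an elevated session.

```powershell
# Added example, not part of the original thread. Assumptions: the share path,
# the sample file name, the 1 GB log size and the 24-hour lookback are placeholders
# to be replaced by the values your documented policy defines.

$ePhiPath = 'D:\Shares\ePHI'   # assumption: folder holding ePHI on the file server

# 1. Enable the "File System" object-access audit subcategory (success and failure),
#    so SACL matches are written to the Security log.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put a SACL on the share so reads, writes, deletes and permission changes
#    by any account generate Security events (ID 4663 on 2008 and later).
$acl  = Get-Acl -Path $ePhiPath -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone',
        'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
        'ContainerInherit,ObjectInherit',
        'None',
        'Success,Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $ePhiPath -AclObject $acl

# 3. Size the Security log so it is not overwritten before your collector or
#    archive job copies it (assumption: 1 GB). Long-term retention is handled by
#    that archival procedure, not by the local log itself.
wevtutil.exe sl Security /ms:1073741824

# 4. Corroboration query: which accounts accessed a given file in the last 24 hours.
#    Properties 1, 2 and 6 of a 4663 event are SubjectUserName, SubjectDomainName
#    and ObjectName respectively.
$sampleFile = Join-Path $ePhiPath 'patient-roster.xlsx'   # assumption: file of interest
$since      = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    Where-Object { $_.Properties[6].Value -eq $sampleFile } |
    Select-Object TimeCreated,
        @{ n = 'Domain'; e = { $_.Properties[2].Value } },
        @{ n = 'User';   e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Adding the SACL requires the "Manage auditing and security log" right, and auditing every read on a busy share produces a high event volume, so pair the SACL scope and log size with the retention window your procedure actually commits to.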
Attachment:
links_8435_spring07.txt
Description: links_8435_spring07.txt