Educause Security Discussion mailing list archives

Re: What level of logging do you turn on (and keep) on Windows file servers with ePHI? Do you audit? How long do you keep the data?


From: "Harris, Michael C." <HarrisMC () HEALTH MISSOURI EDU>
Date: Wed, 7 Nov 2007 08:25:11 -0600

 
My understanding of HIPAA, clarified by NIST 800-66, is that it is more a matter of having a definitive policy and actually doing what you say you do. The verbiage in the Federal Register is intentionally vague, but basically you need to follow defensible best practice (see the links text attached). Pick a Windows hardening guide and checklist or write your own, but follow it and prove that you are. How long you keep log data (detail or summary) depends on how you define the procedure to utilize it, from a diagnostic 24-hour rolling window to 7 years or more, or anything in between. Take care, because if you have a legacy university policy for paper retention of records, that may arguably compel you to do the same for similar records kept electronically. See 45 CFR 164.316(b)(1)(i) and NIST 800-66 page 84.
 
Being able to tell exactly which user accessed ePHI is the goal, but that is often logged at the application or DB level rather than by the OS. Having system logs that can corroborate application log detail is often helpful.
 
For auditing I would recommend at minimum a yearly review, as ongoing risk assessment or evaluation is mandatory; see NIST 800-66 pages 44 & 67.
 
Mike
 
     --------------------------------------------------------
     |   Michael C. Harris,                         CISSP   |
     |   Principal Security Analyst & Clinical Instructor   |
     |   University Of Missouri Health Care                 |
     |   harrismc () health missouri edu           KCØPAH   |
     |                                                      |
     --------------------------------------------------------
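As an added illustration of the OS-level side of Mike's point (corroborating application logs with system logs, and letting policy rather than log wraparound decide retention), the PowerShell below is not from either message in this thread. It assumes a current Windows Server where file access is reported as Security event 4663, an elevated session, and a placeholder share path D:\ePHI; the CSV path and 24-hour window are constructed values.

```powershell
# Added example, not from the thread: audit file access on an ePHI share, size the
# Security log so retention is policy-driven, and extract who/what/when for correlation.
# Assumes: run elevated on a current Windows Server; D:\ePHI is a placeholder path.
$EphiPath = 'D:\ePHI'

# 1. Enable the "File System" object-access subcategory (success and failure).
#    Without this, a SACL on the folder produces no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put a SACL on the folder so reads, writes and deletes by any principal are
#    logged, and have it inherited by subfolders and files.
$acl  = Get-Acl -Path $EphiPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData,WriteData,AppendData,Delete',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $EphiPath -AclObject $acl

# 3. Size the Security log (1 GB here) and archive it when full instead of
#    overwriting, so the retention period is set by policy and the archived copies,
#    not by how fast the log wraps.
wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# 4. Pull the last 24 hours of object-access events (4663) under the ePHI path and
#    reduce them to the fields you would match against application or DB audit logs.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
          -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "$EphiPath*") {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessMask      # hex access mask, e.g. 0x1 = ReadData
            Process = $d.ProcessName
        }
    }
} | Export-Csv -Path "$env:TEMP\ephi-access-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Auditing 'Everyone' for reads on a busy share is noisy; the practical tuning is to keep the SACL broad on the folders that actually hold ePHI and narrow it elsewhere, and to ship the archived Security logs off the server so the retention window in step 3 is enforced somewhere the file-server administrators cannot quietly shorten it.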
    
 
________________________________

From: H. Morrow Long [mailto:morrow.long () YALE EDU] 
Sent: Saturday, November 03, 2007 7:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] What level of logging do you turn on (and keep) on Windows file servers with ePHI? Do you audit? How long do you keep the data?


If you have Windows file servers with files containing ePHI, as part of your HIPAA privacy/security compliance practice:

What level of logging do you turn on (and keep) on Windows file servers with ePHI? Do you audit? How long do you keep the data?

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS



Attachment: links_8435_spring07.txt
Description: links_8435_spring07.txt

