Our most downloaded episode is from way back in May of 2016. HIPAA Access Logs Audits was our 54th episode. It is hard to believe it was that long ago! Today we are doing a deeper dive into how many log layers exist when it comes to access logs to see if you have thought of all of them. Which of the logs really matter and what do you do with them?
In this episode:
Do you know where your logs are?
Today’s Episode is brought to you by:
Want to be part of Help Me With HIPAA? Donate to the cause at www.HelpMeWithHIPAA.com/give
HMWH App now has more features. You can now access a PDF with the show notes ready for your HIPAA training documentation! Find it under the bonus feature in the app for both the Apple and Android versions. It is a little gift box on the app bar.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Do you know where your logs are?
Logs are being generated on most systems constantly. The ones that aren’t creating some logs are the ones you should keep a close eye on for firmware updates. The ones that do keep logs are the ones we are going to talk about today.
Workstations and Devices
Your devices create things constantly. Those scam calls from “Microsoft” use the Windows logs to scare you into thinking something is wrong with your computer. They know that the information in these logs overwhelms the average person immediately. Windows creates logs for several areas and groups them in the Event Viewer app. That is the tool the scammers have you launch. In my list of Windows Logs I see the following logs:
- Forwarded Events
Then, it adds Applications and Services Logs to the mix. Now, that is where things get really messy since all the Windows applications can have a log plus your other applications you run on your Windows device can have logs.
On here the ones you should worry about the most are the Windows logs in the first batch listed above. Those are the ones where you see what is happening on your devices the most.
Of course, there could also be Ubuntu workstations and Mac workstations plus medical devices, printers, and much more. Refer to your hardware inventory to make sure you have accounted for everything important.
It’s a tough call on which workstations would be most important to monitor. On one hand, the most basic users may also be the ones most likely to fall for phishing and clickbait scams, so you need to see what they are doing. On the other hand, the power users and the users with escalated privileges have access to so much more, so you want to see what they are doing also.
Windows servers are very similar to the workstations for the logs process. There are just more of them. Those are definitely logs you want to make sure you have someone checking and monitoring periodically if not with a SIEM tool. More on those tools in a minute.
Many servers are set at the default log size and never changed. The size of hard drives out there now means you shouldn’t be doing that anymore. As long as your server has space, you need to be keeping more logs before they are overwritten and disappear. The log sizes should be configured to 500 MB, but no less than 200 MB, on all Windows devices if possible, but especially servers.
Servers in your office are the key to much of your traffic. If you don’t have servers then the cloud services will take the place of servers in your plans and programs.
Network Management Devices
These are often the most important ones to tech folks. This section includes things like:
- Intrusion Prevention Systems
- VPN connections both site to site and individual
- Wireless Access Points
These devices allow you to see what kind of traffic is flowing on your network. When it comes to addressing a potential security breach these logs are imperative for being able to prove there was no infiltration or exfiltration of data.
A security information and event management tool, or SIEM (pronounced “sim”), lets your IT team send all of the various standardized logs to a single repository that has software to analyze them and look for problems. The commercial versions of these can be expensive. The solution requires the same kinds of things you expect from something like an onsite EHR: hardware, software, support on both of those, support to help you with the installation and ongoing management, and updates to the system from threat feeds. Then, you add the fact that your own people must be trained initially and kept trained regularly to stay up to date on all the changes and threats to watch out for.
Some big names in the SIEM space include LogRhythm, IBM, AlienVault, Splunk, and SolarWinds.
The good news is there are some smaller versions out there that are free. You still have to consider the hardware to install the free software on and the space to maintain the logs for a period of time.
Cloud Services and Tools
These services and tools are creating logs just like everything else. If you are a heavy user of cloud tools and services it is certainly worth your time to look into your options. Many groups forget about these logs completely and they can be some of the most valuable places to find a problem.
Some of these logs may have the option to export them into files or even import them into a SIEM tool.
Your other applications
It isn’t just access to your systems and services that you should worry about. We always think about EHR access, but there are also logs that come out of most of your applications. Your financial applications have logs too. Even an app like QuickBooks creates logs. If you haven’t considered reviewing them from time to time, it is certainly worth it. The logs tell you when someone is trying to force their way in as well as what is happening once they are in.
You know the EHR/PM logs must be tracked in some way. We refer to SPHER for our information on how important automated access log management is at this level. If you know that insider actions are often the number one way things go awry, being able to see anomalies in their activity automatically is essential to keeping things under wraps or at least being able to mitigate them quickly.
Access logs management
If you have an incident, you will need access to some of these logs. It is very important that you understand now what you would be able to do when the incident occurs instead of wishing you had changed things when it is too late. It is best to prioritize these things just like anything else you have to worry about with security. There are only so many resources. This is our recommended list for your access log analysis projects.
- Make sure you know what logs are being generated in your environment and get the Windows devices log file size changed to 500 MB.
- Evaluate if an EHR/PM access evaluation tool like SPHER would be reasonable and appropriate in your environment. This is its own project separate from the technical logs.
- Work with IT to determine if any SIEM tool is in place or would be reasonable and appropriate for your environment for:
  - Network devices
  - Workstations and Devices
  - Cloud Services (this priority could vary if you are highly invested in cloud services and tools)
Worst case, you need the IT folks to have a plan to review the logs on your network devices to look for problems on a regular basis. Save the files off periodically so that you have a history of log files you can pull if needed.
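The two Windows-side tasks above (raising the event log size to 500 MB with a 200 MB floor, and saving the files off periodically) can be scripted. The following is an added example, not from the episode or from any vendor mentioned; it checks the three classic logs we assume you care about most and uses a placeholder archive folder you should change.

```powershell
# Added example (not from the episode): audit the core Windows event logs against
# the episode's 500 MB target / 200 MB floor, raise any that are too small, and
# export a dated copy of each log. Run from an elevated PowerShell session.
$TargetBytes = 500MB                                   # episode recommendation
$FloorBytes  = 200MB                                   # episode's stated minimum
$CoreLogs    = 'Application', 'Security', 'System'     # assumption: logs to check
$ArchiveDir  = 'C:\LogArchive'                         # placeholder path, change it

if (-not (Test-Path $ArchiveDir)) { New-Item -ItemType Directory -Path $ArchiveDir | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

foreach ($name in $CoreLogs) {
    # Get-WinEvent -ListLog returns an EventLogConfiguration object whose
    # MaximumSizeInBytes property is writable; SaveChanges() commits it.
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    $currentMB = [math]::Round($log.MaximumSizeInBytes / 1MB)

    $status = if ($log.MaximumSizeInBytes -lt $FloorBytes) { 'BELOW 200 MB FLOOR' }
              elseif ($log.MaximumSizeInBytes -lt $TargetBytes) { 'below 500 MB target' }
              else { 'ok' }

    # LogMode shows whether old events are overwritten (Circular) or kept.
    Write-Output ("{0,-12} max={1,5} MB  mode={2,-10} records={3,8}  {4}" -f `
        $name, $currentMB, $log.LogMode, $log.RecordCount, $status)

    if ($log.MaximumSizeInBytes -lt $TargetBytes) {
        $log.MaximumSizeInBytes = $TargetBytes
        $log.SaveChanges()      # same effect as: wevtutil sl $name /ms:<bytes>
        Write-Output ("  -> raised {0} to {1} MB" -f $name, ($TargetBytes / 1MB))
    }

    # Save the log off so a history survives even after the live log wraps.
    $dest = Join-Path $ArchiveDir ("{0}-{1}.evtx" -f $name, $stamp)
    wevtutil epl $name $dest
    Write-Output ("  -> exported {0} to {1}" -f $name, $dest)
}
```

Schedule it with Task Scheduler and point $ArchiveDir at a share that regular users cannot modify, so the exported history is not something an attacker on the workstation can quietly clean up.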
As with anything else, if you aren’t looking at anything then all kinds of things may be happening.
Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!