What to Look for in a HIPAA-Compliant Log Management Tool

Learning Objectives

  • Learn why logging is essential for HIPAA compliance
  • Learn how to make the most of your HIPAA logs
  • Understand best practices for retaining and storing your logs
  • See what to look for in a HIPAA-compliant log management provider

Most modern log management solutions claim to be HIPAA-compliant, and indeed, most logging tools can be used in a HIPAA-compliant way—provided that you spend enough time configuring them to meet HIPAA rules.

That does not mean, however, that all logging solutions are created equal when it comes to HIPAA. The extent to which logging tools offer out-of-the-box support for HIPAA compliance varies widely depending on the specific logging features that the tools offer and how easy those features are to implement.

Here's a look at which log management features are most important for meeting HIPAA compliance rules.

HIPAA and Logging: A Brief Overview

Overall, HIPAA is a rather vague framework. When it comes to logging, however, HIPAA imposes several fairly specific requirements:

  • Organizations must monitor events that involve access or updates to electronic Protected Health Information, or ePHI.
  • Organizations must have "audit controls" in place to "record and examine" activity on systems that store ePHI.
  • Organizations must "regularly review" records of activity on systems that contain ePHI.


These rules are spelled out in HIPAA sections 164.308(a)(5)(ii)(C), 164.312(b), and 164.308(a)(1)(ii)(D), respectively.

HIPAA doesn't specify that logs in particular have to be used to record and track the information described above. However, it's hard to imagine how else you would systematically record and audit these events without logs. For most organizations that work with ePHI, then, the ability to maintain logs that record ePHI access events, as well as enable audits of access to ePHI data and the systems that store it, is essential.

Making the Most of HIPAA Logs

You can create the HIPAA logs described above in any way. HIPAA is not specific about how the data has to be structured. However, when it comes to managing HIPAA log data, there are several specific considerations to bear in mind.

HIPAA Log Retention

Chief among them is log retention and log rotation. HIPAA generally requires that event, access, and audit data remain available for six years after it is generated. For that reason, it's important to be able to configure log management tools so that historic log data can be maintained for the HIPAA retention period.

Mezmo, formerly known as LogDNA, offers plans for different needs; both our Oak and HIPAA plans retain 30 days of searchable log data. For longer retention, Mezmo provides an archiving service that automatically exports older logs to your preferred cloud storage service. In addition, Mezmo recommends requesting a Business Associate Agreement (BAA) from your preferred cloud storage provider and securing your storage bucket before enabling archives.

HIPAA-Compliant Log Storage

The rules surrounding the storage of data that is subject to HIPAA rules are complicated. When it comes to logs—which generally shouldn't contain ePHI, but could—the simplest way to meet those requirements is to use a SaaS log management solution that stores logs on infrastructure that is certified for HIPAA compliance. That way, you can outsource your HIPAA storage challenges to your log management provider.

Of course, you may prefer to store log data on your own infrastructure if you are confident in your ability to meet HIPAA requirements yourself. You should thus look for a log management solution that offers the flexibility to run on any cloud as well as to use a SaaS model.

Business Associate Agreement

Likewise, look for a log management provider that will sign a Business Associate Agreement, or BAA, with you. Under HIPAA, a BAA is required if you work with a third-party organization that manages ePHI on your behalf. Because logs may contain ePHI (and even if they don't, they typically contain sensitive data related to systems that store ePHI, which in itself presents a potential security risk), having a BAA in place with your log management provider helps to reduce potential HIPAA compliance risks. It also formalizes the log management provider's guarantee to store and manage your log data in a HIPAA-compliant way.

Use Encryption

When sending logs to your log management provider, use HTTPS or TLS encryption techniques to encrypt your logs in transit, or else your logs will be sent in plain text, making them trivial to intercept by a malicious third party.

Encryption is enabled by default in the Mezmo agent and within official code libraries. Mezmo also encrypts your logs when storing them and only allows access to the web application over secure HTTPS. If you are archiving your logs, be sure to encrypt your storage bucket before enabling the archiving process.

Control Access to Log Data

Whether or not your logs contain ePHI, the data they store about your infrastructure could give attackers the information they need to gain unauthorized access to your systems and therefore to ePHI.

To mitigate this risk, your log management solution should allow you to control, in a granular way, who in your organization has access to logs. You shouldn't need to give all of your engineers unfettered access to all logs; instead, each engineer should be able to access logs only for the specific systems they maintain.

Mezmo lets you set granular permissions using Role-Based Access Control (RBAC). You can restrict each user's ability to view, create, or modify Mezmo resources, as well as restrict their access to logs based on source or content.
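The following is an added illustration of the source- and content-based restriction described above; it is not Mezmo's code or its RBAC API. It models a policy in which each role lists the log sources it may read and whether it may see records flagged as containing ePHI, denies anything that does not match (including unknown roles), and records every access decision so that access to the logs themselves is auditable. All role names, sources, and records are constructed for the example.

```python
"""Role-based filtering of log records by source and content (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogRecord:
    source: str                 # host or service that emitted the line
    message: str
    contains_phi: bool = False  # assumed to be set by an upstream classifier


@dataclass(frozen=True)
class Role:
    name: str
    sources: frozenset          # sources this role may read; "*" means all
    may_view_phi: bool = False  # content-based restriction
    may_modify: bool = False    # may create/modify views, alerts, etc.


# Hypothetical roles for the example.
ROLES = {
    "billing-eng": Role("billing-eng", frozenset({"billing-api", "billing-db"})),
    "platform-admin": Role("platform-admin", frozenset({"*"}), may_modify=True),
    "privacy-officer": Role("privacy-officer", frozenset({"ehr-app", "billing-db"}),
                            may_view_phi=True),
}

# Constructed sample records.
SAMPLE_RECORDS = [
    LogRecord("billing-api", "POST /invoices 201"),
    LogRecord("billing-db", "slow query 1.8s"),
    LogRecord("ehr-app", "record 4471 opened by dr.smith", contains_phi=True),
    LogRecord("ehr-app", "session refreshed"),
    LogRecord("auth", "login failed for user jdoe"),
]


def can_view(role: Role, record: LogRecord) -> bool:
    """A record is visible only if both the source and the content rules allow it."""
    source_ok = "*" in role.sources or record.source in role.sources
    content_ok = role.may_view_phi or not record.contains_phi
    return source_ok and content_ok


def query_logs(role_name: str, records, audit_trail: list):
    """Return the records the role may see; append one audit entry per decision.

    Unknown roles fail closed: nothing is returned and the attempt is audited.
    """
    role = ROLES.get(role_name)
    if role is None:
        audit_trail.append((role_name, None, "denied: unknown role"))
        return []
    visible = []
    for record in records:
        allowed = can_view(role, record)
        audit_trail.append((role_name, record.source, "allowed" if allowed else "denied"))
        if allowed:
            visible.append(record)
    return visible


def count_visible(role_name: str) -> int:
    """Convenience wrapper over the constructed sample data."""
    return len(query_logs(role_name, SAMPLE_RECORDS, []))


if __name__ == "__main__":
    trail = []
    for name in ("billing-eng", "platform-admin", "privacy-officer", "intern"):
        seen = query_logs(name, SAMPLE_RECORDS, trail)
        print(f"{name}: {len(seen)} visible record(s)")
    print(f"{len(trail)} access decisions audited")
```

The point of the audit trail is that HIPAA's "record and examine" requirement applies to the log store too: a reviewer should be able to see who queried which sources, and which requests were refused.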

Identify Logging Failures

Logs only help you meet HIPAA auditing requirements if the logs actually exist and are accurate. To guard against the risk that some HIPAA-relevant data is not logged properly due to an issue like a log agent failure or the exhaustion of log storage space, choose a log management tool that allows you to configure alerts that will notify you when something goes wrong in your logging routine. You don't want to wait for an audit to learn that you haven't actually logged all the data you need to meet HIPAA requirements due to a technical failure.
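The following is an added example of the kind of alerting check this section calls for; it is not Mezmo's code or its alerting feature. Each HIPAA-relevant source is given a maximum acceptable gap between records, and the check flags any source that is silent for longer than that, any expected source that has never been seen, and any agent line that reports a storage or delivery problem. The source names, gap thresholds, log format, and failure markers are all constructed. In practice a check like this should run on a schedule independent of the log pipeline, because a failed agent cannot report its own failure.

```python
"""Detect sources that have stopped logging or agents that report trouble (added example)."""
from datetime import datetime, timedelta, timezone

# Maximum acceptable silence per expected source (constructed values).
EXPECTED_SOURCES = {
    "ehr-app": timedelta(minutes=5),
    "billing-db": timedelta(minutes=15),
    "audit-gateway": timedelta(minutes=1),
}

# Substrings an agent might emit when it is about to lose data (constructed).
AGENT_FAILURE_MARKERS = ("disk_full", "dropped", "buffer_overflow")

# Constructed sample lines: "<ISO timestamp> <source> <message>".
SAMPLE_LOGS = [
    "2024-03-01T10:00:05Z ehr-app record 4471 opened",
    "2024-03-01T10:02:40Z billing-db checkpoint complete",
    "2024-03-01T10:03:10Z ehr-app record 4472 opened",
    "2024-03-01T10:03:11Z agent disk_full /var/log/agent/buffer",
]

# The "current time" used when the check runs over the sample (constructed).
NOW = datetime(2024, 3, 1, 10, 10, 0, tzinfo=timezone.utc)


def parse_line(line: str):
    """Split a sample line into (aware datetime, source, message)."""
    ts_text, source, message = line.split(" ", 2)
    # fromisoformat() does not accept a trailing 'Z' before Python 3.11.
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, source, message


def check_logging_health(lines, now: datetime):
    """Return a list of (source, reason, detail) alerts.

    reason is one of: "self-reported failure", "no records received", "silent".
    """
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    last_seen = {}
    alerts = []

    for line in lines:
        ts, source, message = parse_line(line)
        if ts > last_seen.get(source, epoch):
            last_seen[source] = ts
        # An agent complaining about storage or delivery is itself an alert.
        if source == "agent" and any(m in message for m in AGENT_FAILURE_MARKERS):
            alerts.append(("agent", "self-reported failure", message))

    for source, max_gap in EXPECTED_SOURCES.items():
        if source not in last_seen:
            alerts.append((source, "no records received", None))
            continue
        gap = now - last_seen[source]
        if gap > max_gap:
            alerts.append((source, "silent", int(gap.total_seconds())))

    return alerts


def run_check():
    """Run the health check over the constructed sample at the constructed time."""
    return check_logging_health(SAMPLE_LOGS, NOW)


if __name__ == "__main__":
    for source, reason, detail in run_check():
        print(f"ALERT {source}: {reason} ({detail})")
```

Silence thresholds should be set per source from observed volume; a source that legitimately logs once an hour needs a longer window than an application gateway, otherwise the alert becomes noise and gets ignored.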

Conclusion

In short, there are lots of logging solutions available, and all of them can manage logs that store HIPAA-related data. But not all of them offer the rich set of features that you need for meeting HIPAA compliance requirements easily.

Log management tools that natively lack features for restricting access to log data, alerting you to logging failures, or storing logs in a HIPAA-compliant way will require you to implement workarounds or custom extensions to meet HIPAA rules. Likewise, if your log management provider can't sign a BAA or guarantee compliance of its own systems with HIPAA requirements, you face an uphill battle in using logs to reinforce your HIPAA compliance.

With Mezmo, you can avoid these pitfalls and stay HIPAA-compliant. Mezmo offers sophisticated features for securing access to logs and monitoring logging failures. In addition, Mezmo itself is certified by an external assessor to meet HIPAA requirements, and Mezmo will sign BAAs with customers.

To learn more about how Mezmo can simplify HIPAA compliance for your organization, contact the Mezmo team.
