What to Look for in a HIPAA-Compliant Log Management Tool

Most modern log management solutions claim to be HIPAA-compliant, and indeed, most logging tools can be used in a HIPAA-compliant way, provided that you spend enough time configuring them to meet HIPAA rules.

That does not mean, however, that all logging solutions are created equal when it comes to HIPAA. How much out-of-the-box support a logging tool offers for HIPAA compliance varies widely, depending on which logging features the tool provides and how easy those features are to implement.

Here's a look at which log management features are most important for meeting HIPAA compliance rules.

HIPAA and Logging: A Brief Overview

Overall, HIPAA is a rather vague framework. When it comes to logging, however, the Security Rule imposes several fairly specific requirements:

  • Organizations must monitor log-in attempts to systems that hold electronic Protected Health Information (ePHI) and report discrepancies.
  • Organizations must have "audit controls" in place to "record and examine" activity in systems that contain or use ePHI.
  • Organizations must "regularly review" records of information system activity; the rule itself names "audit logs" and "access reports" as examples of such records.


These rules are spelled out in 45 CFR 164.308(a)(5)(ii)(C), 164.312(b), and 164.308(a)(1)(ii)(D), respectively.

HIPAA mentions audit logs only as one example of an activity record; it does not prescribe a particular logging technology or format. However, it's hard to imagine how else you would systematically record and audit these events. For most organizations that work with ePHI, then, the ability to maintain logs that record ePHI access events, and to audit access to ePHI and to the systems that store it, is essential.

Making the Most of HIPAA Logs

You can create the HIPAA logs described above in any way. HIPAA is not specific about how the data has to be structured. However, when it comes to managing HIPAA log data, there are several specific considerations to bear in mind.

HIPAA Log Retention

Chief among them is retention. HIPAA's documentation rule (45 CFR 164.316(b)(2)) requires that required records be kept for six years from their creation or last effective date, and event, access, and audit records are generally treated as falling under it. Log rotation is therefore not the same as expiry: rotating logs out of hot, searchable storage is fine, but the rotated data still has to remain retrievable for the retention period, so your log management tool must be configurable to keep historic log data that long.

LogDNA offers plans for different needs; both the Oak and HIPAA plans retain 30 days of searchable log data. For longer retention, LogDNA provides an archiving service that automatically exports older logs to your preferred cloud storage service. LogDNA also recommends requesting a Business Associate Agreement (BAA) from your cloud storage provider and securing your storage bucket (access controls and encryption at rest) before enabling archives.

HIPAA-Compliant Log Storage

The rules surrounding the storage of data that is subject to HIPAA are complicated. When it comes to logs, which generally shouldn't contain ePHI but sometimes do, the simplest way to meet those requirements is to use a SaaS log management solution whose infrastructure has been assessed for HIPAA compliance by an independent third party (HHS does not itself certify products or services, so "HIPAA certified" always means a third-party assessment). That way, you can outsource your HIPAA storage challenges to your log management provider.

Of course, you may prefer to store log data on your own infrastructure if you are confident in your ability to meet HIPAA requirements yourself. You should thus look for a log management solution that offers the flexibility to run on any cloud as well as in a SaaS model.

Business Associate Agreement

Likewise, look for a log management provider that will sign a Business Associate Agreement, or BAA, with you. Under HIPAA, a BAA is required whenever a third party creates, receives, maintains, or transmits PHI on your behalf. Logs may contain ePHI, and even when they don't, they typically contain sensitive details about the systems that store ePHI, which is itself a security risk. Having a BAA in place with your log management provider therefore reduces your HIPAA compliance risk, and it formalizes the provider's commitment to store and manage your log data in a HIPAA-compliant way.

Use Encryption

When sending logs to your log management provider, encrypt them in transit with TLS (HTTPS, for HTTP-based ingestion). Otherwise your logs travel in plain text and can be read by anyone positioned on the network path. Make sure the shipping client also verifies the server's certificate: TLS without certificate verification stops passive eavesdropping but not an active attacker who impersonates the ingestion endpoint and collects the logs.

Encryption is enabled by default in the LogDNA agent and in the official client libraries. LogDNA also encrypts your logs at rest and only allows access to the web application over HTTPS. If you are archiving your logs, be sure to encrypt your storage bucket before enabling the archiving process.
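The point about certificate verification is easy to get wrong in a home-grown shipper, because disabling verification is the usual "fix" for a broken certificate chain. The block below is an added example, not LogDNA agent code: it builds the TLS context a log shipper should use, contrasts it with the weak configuration that still encrypts but verifies nothing, and audits either one before any logs are sent. The endpoint name and port are placeholders, and the shipping function is never called here, so the module runs offline.

```python
"""Build and audit the TLS context a log shipper uses to reach its ingestion
endpoint. Added example; not LogDNA agent code. INGEST_HOST/INGEST_PORT are
placeholders and ship_batch() is not invoked at import time."""
import socket
import ssl

INGEST_HOST = "logs.example.test"   # placeholder, not a real endpoint
INGEST_PORT = 443


def hardened_context(ca_file=None):
    """Context a log shipper should use: verify the server certificate against
    the system trust store (or a pinned CA bundle via ca_file), check the
    hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_context():
    """The context that 'just works' against a broken chain. Traffic is still
    encrypted, so it is not plain text, but any host that can answer for the
    name can impersonate the log endpoint and collect everything shipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx                        # minimum_version left at library default


def audit_context(ctx):
    """Return a list of findings; an empty list means the context is
    acceptable for shipping logs that may contain ePHI."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


def ship_batch(lines, ctx, host=INGEST_HOST, port=INGEST_PORT):
    """Send newline-delimited log lines over a TLS socket. Fails closed: a
    context that does not pass the audit is refused before any connection is
    opened, so a misconfigured shipper cannot leak logs to an impostor."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to ship logs: " + "; ".join(problems))
    payload = ("\n".join(lines) + "\n").encode()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "ok")
```

Running the module prints three findings for the weak context and `ok` for the hardened one. The fail-closed check in `ship_batch` is the part worth copying: an agent that silently falls back to an unverified connection is indistinguishable, from the provider's side, from one that is working correctly.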

Control Access to Log Data

Whether or not your logs contain ePHI, the data they store about your infrastructure could give attackers the information they need to gain unauthorized access to your systems and therefore to ePHI.

To mitigate this risk, your log management solution should allow you to control, in a granular way, who in your organization has access to logs. You shouldn't need to give all of your engineers unfettered access to all logs; instead, each engineer should be able to access logs only for the specific systems they maintain.

LogDNA lets you set granular permissions using Role Based Access Control (RBAC). You can restrict each user’s ability to view, create, or modify LogDNA resources, as well as restrict their access to logs based on source or content.
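To make the source- and content-based restriction concrete, here is an added example of a least-privilege policy applied at query time. It is not LogDNA's RBAC implementation; the roles, actions, source names, ePHI field names and log lines are all constructed for illustration. Each role carries an allow-list of sources, a set of permitted actions on log-management resources, and a flag saying whether it may see fields that mark a line as carrying ePHI.

```python
"""Least-privilege access to log data, applied at query time. Added example;
this is not LogDNA's RBAC implementation. Roles, actions, sources and the
log lines below are constructed for illustration."""
import re

# Hypothetical role definitions. "sources" is an allow-list ("*" = all);
# "actions" are the operations on log-management resources (views, alerts,
# ingestion keys) the role may perform; "phi" permits seeing identifier
# fields that mark a line as carrying ePHI.
ROLES = {
    "payments-eng": {"sources": {"payments-api", "payments-worker"},
                     "actions": {"view"}, "phi": False},
    "ehr-oncall":   {"sources": {"ehr-api"}, "actions": {"view"}, "phi": False},
    "clinical-eng": {"sources": {"ehr-api"}, "actions": {"view", "create"}, "phi": True},
    "security":     {"sources": {"*"}, "actions": {"view", "create", "modify"}, "phi": True},
}

# Constructed log records. The source is attached by the ingestion pipeline,
# not supplied by the viewer, so the policy cannot be bypassed by a query.
LOG_LINES = [
    {"source": "payments-api",    "msg": "POST /charge 200 in 31ms"},
    {"source": "ehr-api",         "msg": "GET /patients/mrn=00123456 200 by user=drlee"},
    {"source": "ehr-api",         "msg": "cache warmed in 420ms"},
    {"source": "payments-worker", "msg": "retry queue depth=3"},
]

# Hypothetical field names whose presence marks a line as carrying ePHI.
PHI_FIELD = re.compile(r"\b(mrn|ssn|dob|patient_name)=(\S+)", re.IGNORECASE)


def _roles(user_roles):
    # Unknown role names grant nothing rather than raising.
    return [ROLES[r] for r in user_roles if r in ROLES]


def can(user_roles, action):
    """Resource-level check: may this user perform `action` at all?"""
    return any(action in role["actions"] for role in _roles(user_roles))


def source_allowed(user_roles, source):
    return any("*" in role["sources"] or source in role["sources"]
               for role in _roles(user_roles))


def phi_allowed(user_roles):
    return any(role["phi"] for role in _roles(user_roles))


def visible_lines(user_roles, lines):
    """Deny by default: drop lines from sources outside the user's allow-list,
    then redact ePHI fields unless a role permits them. Redacting rather than
    dropping keeps the request path and timing available for troubleshooting
    while withholding the identifier itself."""
    if not can(user_roles, "view"):
        return []
    out = []
    for line in lines:
        if not source_allowed(user_roles, line["source"]):
            continue
        msg = line["msg"]
        if not phi_allowed(user_roles):
            msg = PHI_FIELD.sub(r"\1=[REDACTED]", msg)
        out.append({"source": line["source"], "msg": msg})
    return out


if __name__ == "__main__":
    for roles in (["payments-eng"], ["ehr-oncall"], ["clinical-eng"], ["security"], ["intern"]):
        print(roles)
        for line in visible_lines(roles, LOG_LINES):
            print("  ", line["source"], "|", line["msg"])
```

The on-call role illustrates why content-based rules matter alongside source rules: someone who legitimately needs the EHR API's error and latency lines does not thereby need the medical record numbers in them.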

Identify Logging Failures

Logs only help you meet HIPAA auditing requirements if the logs actually exist and are accurate. To guard against the risk that some HIPAA-relevant data is not logged properly due to an issue like a log agent failure or the exhaustion of log storage space, choose a log management tool that allows you to configure alerts that will notify you when something goes wrong in your logging routine. You don't want to wait for an audit to learn that you haven't actually logged all the data you need to meet HIPAA requirements due to a technical failure.
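The failure modes named above (a dead agent, an agent that is alive but has lost most of its input, storage running out) can each be detected from the ingestion side without any knowledge of the application. The block below is an added example, not LogDNA alerting code: it runs three checks over constructed per-source ingestion counts and a constructed storage quota, and returns the alerts a practitioner would wire to a pager. Window size, thresholds and the sample counts are all assumptions.

```python
"""Detect logging failures from the ingestion side: a source that has gone
silent, a source whose volume has collapsed against its own baseline, and a
storage quota that is about to be exhausted. Added example; not LogDNA
alerting code. Counts, windows and thresholds are constructed."""
from datetime import timedelta
from statistics import median

WINDOW = timedelta(minutes=5)            # width of each ingestion count bucket
MAX_SILENCE = timedelta(minutes=10)      # alert when a source is quiet this long

# Constructed per-source event counts, one entry per 5-minute window, oldest
# first. "ehr-api" stops entirely (agent crash); "payments-api" keeps a
# trickle (agent alive but the file it tails was rotated away); "auth" is fine.
INGESTION = {
    "ehr-api":      [410, 398, 421, 405, 0, 0, 0],
    "payments-api": [120, 131, 118, 125, 122, 14, 9],
    "auth":         [55, 61, 58, 57, 60, 59, 62],
}


def detect_silent(counts, window=WINDOW, max_silence=MAX_SILENCE):
    """Sources whose most recent non-empty window is at least max_silence old.
    A source that never logged at all is reported too: zero events is what an
    agent crash produces, not evidence that nothing happened."""
    silent = {}
    for source, series in counts.items():
        last_active = max((i for i, n in enumerate(series) if n > 0), default=-1)
        gap = (len(series) - 1 - last_active) * window
        if gap >= max_silence:
            silent[source] = gap
    return silent


def detect_volume_drop(counts, ratio=0.25, min_history=4):
    """Sources whose latest window carries less than `ratio` of the median of
    the earlier windows. Catches an agent that is up but has lost most of its
    input (rotated file, full disk on the host, dropped sidecar). The median
    resists the outlier that the failure itself introduces into the history."""
    drops = {}
    for source, series in counts.items():
        history, latest = series[:-1], series[-1]
        if len(history) < min_history:
            continue
        baseline = median(history)
        if baseline > 0 and latest < ratio * baseline:
            drops[source] = (latest, baseline)
    return drops


def days_of_storage_left(used_bytes, quota_bytes, bytes_per_day):
    """Linear projection of when the log store fills at the current rate."""
    if bytes_per_day <= 0:
        return float("inf")
    return (quota_bytes - used_bytes) / bytes_per_day


def logging_health_alerts(counts, used_bytes=0, quota_bytes=0, bytes_per_day=0,
                          min_days=7):
    """Combine the checks into alert strings. A silent source is reported once,
    as SILENT, not again as a volume drop."""
    alerts = []
    silent = detect_silent(counts)
    for source, gap in sorted(silent.items()):
        alerts.append(f"SILENT {source}: no events for {int(gap.total_seconds() // 60)} min")
    for source, (latest, baseline) in sorted(detect_volume_drop(counts).items()):
        if source in silent:
            continue
        alerts.append(f"VOLUME_DROP {source}: {latest} events vs baseline {baseline:g}")
    if quota_bytes:
        left = days_of_storage_left(used_bytes, quota_bytes, bytes_per_day)
        if left < min_days:
            alerts.append(f"STORAGE {left:.1f} days of quota left")
    return alerts


if __name__ == "__main__":
    # Constructed quota: 900 GB used of 1 TB, growing 25 GB/day.
    for alert in logging_health_alerts(INGESTION, used_bytes=900_000_000_000,
                                       quota_bytes=1_000_000_000_000,
                                       bytes_per_day=25_000_000_000):
        print(alert)
```

The silence check is the one most often missing from log pipelines: absence of data rarely triggers anything unless you check for it explicitly, which is exactly why a HIPAA audit is such an unpleasant place to discover it.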

Conclusion

In short, there are lots of logging solutions available, and all of them can manage logs that store HIPAA-related data. But not all of them offer the rich set of features that you need for meeting HIPAA compliance requirements easily.

Log management tools that natively lack features for restricting access to log data, alerting you to logging failures, or storing logs in a HIPAA-compliant way will require you to implement workarounds or custom extensions to meet HIPAA rules. Likewise, if your log management provider can't sign a BAA or guarantee compliance of its own systems with HIPAA requirements, you face an uphill battle in using logs to reinforce your HIPAA compliance.

With LogDNA, you can avoid these pitfalls and stay HIPAA-compliant. LogDNA offers sophisticated features for securing access to logs and monitoring logging failures. In addition, LogDNA itself is certified by an external assessor to meet HIPAA requirements, and LogDNA will sign BAAs with customers.

To learn more about how LogDNA can simplify HIPAA compliance for your organization, contact the LogDNA team.


Chris Tozzi
Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.