I’m going to talk a little bit today about audit trails — sometimes called “audit logs” — and the vital role they can play in your ongoing efforts to keep Protected Health Information (PHI) safe, your workforce honest, and hackers at bay.
What is an audit trail?
According to Fundamentals of Law for Health Informatics and Information Management, an audit trail is basically a “record that shows who has accessed a computer system, when it was accessed, and what operations were performed.” As that definition makes clear, one of the main functions of an audit trail is access management.
But an audit log has other uses, too, among them: pinpointing places within the computer where the system has failed — or could.
Information gained from an audit trail provides answers to questions like these:
- Are staff members accessing information — especially PHI — outside of the scope of their job descriptions?
- Are staff members sharing their user IDs? (Evidenced by a user logged on from two or more workstations at the same time.)
- Has an intruder found a way into the system? And if so, when did it happen?
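The shared-ID question above can be checked mechanically once logon and logoff records are exported. The following is an added example, not part of the original post: it assumes a constructed CSV layout (time, event ID, user, workstation) already filtered to interactive logons, uses Windows Security event IDs 4624 (logon) and 4634 (logoff), and treats each user as having at most one session per workstation.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample export (not real data): time, event ID, user, workstation.
SAMPLE_LOG = """\
2024-03-04T08:01:00,4624,jsmith,FRONTDESK-01
2024-03-04T08:05:00,4624,mlopez,OPERATORY-02
2024-03-04T09:30:00,4624,jsmith,BILLING-03
2024-03-04T09:45:00,4634,jsmith,BILLING-03
2024-03-04T12:00:00,4634,jsmith,FRONTDESK-01
2024-03-04T12:10:00,4634,mlopez,OPERATORY-02
2024-03-04T13:00:00,4624,mlopez,FRONTDESK-01
2024-03-04T17:00:00,4634,mlopez,FRONTDESK-01
"""

LOGON, LOGOFF = "4624", "4634"  # Windows Security log: logon / logoff


def find_shared_ids(log_text):
    """Return (user, time, workstations) for every logon that occurs while
    the same user still has an open session on a different workstation."""
    open_sessions = {}  # user -> {workstation: logon time}
    findings = []
    # Drop blank or malformed lines, then process in time order.
    rows = [r for r in csv.reader(StringIO(log_text)) if len(r) == 4]
    rows.sort(key=lambda r: datetime.fromisoformat(r[0]))
    for stamp, event_id, user, host in rows:
        user = user.lower()  # Windows account names are case-insensitive
        sessions = open_sessions.setdefault(user, {})
        if event_id == LOGON:
            others = sorted(h for h in sessions if h != host)
            if others:
                findings.append((user, stamp, others + [host]))
            sessions[host] = stamp
        elif event_id == LOGOFF:
            sessions.pop(host, None)  # logoff without a matching logon is ignored
    return findings


if __name__ == "__main__":
    for user, stamp, hosts in find_shared_ids(SAMPLE_LOG):
        print(f"{stamp}: {user} logged on at {', '.join(hosts)} simultaneously")
```

A workstation that is powered off without a logoff record leaves its session open in this model, so a finding is a prompt for review rather than proof that an ID is shared.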
Minus an audit trail, you could be toast.
HIPAA mandates that you, the covered entity, “implement procedures and regularly review records of information system activity.” So an audit trail isn’t something that would be nice to have; it’s actually something you’ve got to have.
And having one will serve you well in the event of a HIPAA audit by Health and Human Services (HHS). Why? Because a recent amendment to the Federal Rules of Civil Procedure recommends leniency to those healthcare practices that manage their information with “good faith practices” — like generating, reviewing, and saving audit logs.
“OK. How do I start one?”
An auditing subsystem is already built into Windows operating systems. Simply enable that feature, and you’re off and running on The Ol’ Audit Trail. That’s the good news.
The bad news is that an audit trail generates a ton-load of data — approximately 3,500 lines per log-in per day. Generating an audit report can mean having to sift through a lot of confusing technical content. And let’s face it, spending hours trying to make sense of an audit trail is not why most doctors and dentists chose to go into healthcare.
I can hear you thinking, “Great. First you tell me an audit log is important. Then you tell me it’s almost impossible to figure out.” But actually, there is a simpler way. Touchstone Compliance has recently added to its services an easy-to-deploy automated tool that scans workstations and networks and produces reports that do everything from analyzing user behavior to documenting the login history for each computer. And you don’t have to have a degree in computer science to figure those reports out.
When breaches or unauthorized activity go undetected for long periods of time, an issue that could have been handled quickly and without serious repercussions can grow into something that threatens a healthcare practice. Don’t let that happen. Put your audit trail to good use — and stay on the path to HIPAA compliance.