From Splunk Wiki
The Health Insurance Portability and Accountability Act (HIPAA) is legislation that governs the security and confidentiality of individually identifiable protected health information associated with the provision of health benefits and payment for health-care services. Its requirements include improving efficiency in health-care delivery by standardizing electronic data interchange, and protecting the confidentiality, security and privacy of health data by setting and enforcing standards.
HIPAA has two parts: the Privacy Rule and the Security Rule.
The act establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual.
Monitoring Privacy Rules
Splunk customers subject to HIPAA generally implement little in this area and focus instead on the technical safeguards of the Security Rule. Where something is implemented, it is monitoring of PHI and of where that data flows; a DLP (data leakage prevention) product is generally needed to monitor the data itself. Monitoring stored PHI is another task that gets implemented, usually by collecting database audit logs. Information about collecting data from databases with Splunk is available separately.
The Security Rule complements the Privacy Rule. While the Privacy Rule covers all Protected Health Information (PHI), paper and electronic alike, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). Three types of security safeguards are required for compliance:
- Administrative Safeguards - policies and procedures designed to show how the entity will comply with the act
- Physical Safeguards - controlling physical access to protect against inappropriate access to protected data
- Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
Monitoring Security Rules
Splunk customers subject to HIPAA put their emphasis on the technical safeguards, typically covering the following:
- Implement data signing of all log files coming into Splunk, so that later modification of the audit trail can be detected.
- Protect information systems housing PHI from intrusion. Users implement the traditional security mechanisms to monitor these systems, such as intrusion detection and prevention systems (IDS and IPS), firewalls, access control, etc. A good way to get insight into these data sources is the [Apps:Splunk_for_Network_Security Splunk for Network Security] application.
- Ensure that the data within systems has not been changed or erased in an unauthorized manner. Users enable file system auditing on Windows or UNIX, or use the Splunk file system monitoring input, to capture the changes.
- Monitor access to systems containing EPHI. All kinds of authentication reports and authorization monitoring get implemented here. Users frequently rely on the authentication reports from the Splunk for Network Security application to report on this information.
- Monitor and audit access records (see also Monitoring Privacy Rules above).
- Capture configuration settings on the components of the network (see Splunk for Network Management for more information on how to capture information from network devices).
- Risk analysis and risk management are a more advanced topic; users frequently implement them in Splunk through comprehensive monitoring of their IT environment and the assignment of risk values to what is observed.
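As an added example (not Splunk's own data-signing feature and not code from this wiki), the following Python shows the idea behind the first and third safeguards above: each log line carries an HMAC chained to the previous one, so a verifier can pinpoint an edited or erased entry, and a separately stored seal exposes a truncated tail. The key and log lines are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample input: a signing key and a few audit lines of the kind
# a forwarder might ship. Hypothetical values, not from any real system.
KEY = b"example-signing-key"
LOG_LINES = [
    "2024-01-01T10:00:00 user=alice action=login result=success host=ehr01",
    "2024-01-01T10:05:12 user=alice action=view record=PAT-0042 host=ehr01",
    "2024-01-01T10:06:30 user=bob action=login result=failure host=ehr01",
]


def sign_log(lines, key):
    """Chain an HMAC-SHA256 tag over each line: every tag covers the previous
    tag plus the current line, so editing, deleting or reordering an entry
    breaks all later tags. Returns (records, seal): records are (line, tag)
    pairs and seal is the final tag, to be kept separately (e.g. forwarded
    to a second system) so that truncation of the tail is also detectable."""
    prev = b""
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        records.append((line, tag))
        prev = tag.encode()
    return records, prev.decode()


def verify_log(records, seal, key):
    """Return None if every tag and the seal check out; otherwise the index of
    the first record that fails (len(records) if the tail was cut off)."""
    prev = b""
    for i, (line, tag) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag.encode()
    return None if prev.decode() == seal else len(records)


if __name__ == "__main__":
    records, seal = sign_log(LOG_LINES, KEY)
    print("intact:", verify_log(records, seal, KEY))          # None
    edited = list(records)
    edited[1] = (edited[1][0].replace("PAT-0042", "PAT-0099"), edited[1][1])
    print("edited record:", verify_log(edited, seal, KEY))    # 1
    print("erased record:", verify_log(records[:1] + records[2:], seal, KEY))  # 1
    print("truncated:", verify_log(records[:2], seal, KEY))   # 2
```

The signing key must be held by the verifier, not by the systems that produce the logs, otherwise an intruder on a host could re-sign whatever they changed.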