Activity Logs and User Monitoring Standard
Activity Logs and User Monitoring
Tenet Information Systems provide audit log data to support incident investigation, user monitoring and comprehensive audits of compliance with the Information Privacy and Security Program. Logging and auditing what happens within networks, systems and applications supports the security risk management initiatives for information assets.
- Audit Log/Trails
  - Include information to establish what events occurred and who (or what) caused them
- Event Records
  - Must specify when the event occurred, its attributes (e.g., Host Name, UserID, IP Address, MAC Address), the program or command used to initiate the event, and the result
- External-facing Systems or Technologies
  - Must write audit logs to a secure, centralized, internal log server or media device in real time
- PCI-DSS Compliance
  - Audit logs/trails maintained for at least one year
  - At least three months of history must be immediately available for analysis
- Log Files
  - Saved to tape or other media and secured in off-site or other appropriate storage
  - Backed up
  - Are Confidential
  - Protected so an individual cannot modify or delete the logs
  - Roll logs (activate a new log, save the old log) instead of overwriting them (use the same log again, losing data)
  - Write logs for external-facing systems or technologies to a secure, centralized, internal log server or media device
- Authorized Individuals
  - Compliance staff
  - Internal audit staff
  - Systems security staff
  - Systems management staff
  - Other individuals must get approval from the Tenet Facility Information Security Officer
- Backup Retention
  - Retain log files per the record management policy
- Clock Synchronization
  - Internal clocks of Tenet systems must reflect the current time
  - Functionality for clock synchronization is provided by the Home Office Information Systems Department
- Deactivation, Modification, or Deletion
  - Mechanisms to detect and record significant security events must be resistant to attacks
- Intrusion Activity
  - Failed login attempts
  - Failed password change attempts
- UserID Administration Activity
  - Modifications
  - Additions
  - Deletions
  - Disabling
  - Changes to the privileges of users
- System Activity
  - Start-up
  - Shut-down
- Hardware
  - Hardware and disk media errors
  - Maintenance activity
- System Anomalies
  - Initialization sequences
  - Logons and errors
  - System processes and performance
  - System resource utilization
- Device Activity
  - Packet screening denials originating from trusted and un-trusted networks
  - User account management
  - Modifications to security configuration (e.g., Access Control Lists, Firewall rules, Intrusion Protection rules)
  - Application errors (e.g., Web Application errors, Web Services)
  - System errors (e.g., Kernel failure, Kerberos)
  - System shutdown and reboot
- User Activity Logged at the Field Level
  - UserIDs
  - Access date/time
  - User Access
    - Success or failure indication
    - Origination of event
    - Record access
    - Field access
  - User Actions
    - Additions at the record and field level
    - Modifications at the record and field level
    - Deletions at the record and field level
- User Activity Logged at the Record Level
  - UserIDs
  - Action date/time
  - User Access
    - Success or failure indication
    - Origination of event
    - Identity of affected record
    - Record access
  - User Actions
    - Additions at the record level
    - Modifications at the record level
    - Deletions at the record level
- User Activity Logged at the System Access Level
  - UserIDs
  - Logon date/time
  - Logoff date/time
  - Password change date/time
  - Applications invoked
  - Success or failure indication
  - Origination of event
  - Identity of affected data, system component, or resource
  - Attempted access to unauthorized data
  - Use of authorized advanced privileges (security bypass, etc.)
  - Changes to critical application system files
  - Other auditable events, where available
- User Audit Log/Trail
  - Logs user activity in a system or application by recording events initiated by the user
- Designated Tenet Facility Reviewer
  - Must have knowledge of workforce members' roles and responsibilities
- Monitoring Reports
  - All activity monitoring reports must be maintained in Compliance Matters
  - Reports for clinical systems must not be combined with a patient's clinical record
  - See the guidelines for User Activity Monitoring to identify risk and create other reports
- Incident Reporting and Notification
  - Suspicious activity is handled based on the Information Privacy and Security Incident Handling Standard
  - A remediation plan must be in place in Compliance Matters and approved by the Corporate Information Security Department
- High Risk Report
  - High risk scenarios (e.g., monitoring employee access to VIP or high-profile patients)
- Break the Glass Report
  - Users who have performed the Break the Glass function to access a patient record
- Same Last Name Report
  - Users who may have accessed their own patient record or the medical records of family members without proper authorization
- User Print Job Report
  - Users who printed far more patient records than their peers
- Remote Access Report
  - Users who may be accessing the system remotely outside the scope of their job to avoid detection
- Business Impact Assessment
  - Possible business impacts to the Tenet Facility
- Threat and Risk Assessment
  - Risk that identified threats could happen
- Security Exposure Rating
  - Business impacts and threats determine the overall exposure of the Tenet Facility
- User Activity Monitoring
  - Monitoring Goals
    - Prevent an incident/breach from ever occurring
    - Detect if an incident/breach is occurring
    - Ensure controls are effective after an incident/breach has occurred
  - Potential Risks to Consider
    - Does the system maintain or display social security numbers?
    - Does the system maintain or display "highly sensitive" information as defined in the Hospital's Notice of Privacy Practices (NPP)?
    - Do non-workforce members have access to your system?
    - Can the system send a fax?
    - Does the system log failed login attempts?
    - Does the system log print jobs?
  - Examples of Risks
    - Patient record with the same last name or address as the employee
    - VIP patient records (e.g., board members, celebrities, government figures, physician providers, management staff)
    - Records of those involved in high-profile events (e.g., motor vehicle accident, attempted homicide)
    - Patient files with isolated activity after no activity for 120 days
    - Employee files across departments and within departments
    - Records with sensitive health information (e.g., psychiatric disorders, drug and alcohol records, domestic abuse reports, AIDS)
    - Files of minors being treated for pregnancy or sexually transmitted diseases
    - Records of patients the employee was not involved in treating
    - Records of terminated employees
    - Parts of a record that are not normally accessed for your job (e.g., a speech pathologist accessing a pathology report)
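The monitoring reports listed above (Same Last Name, User Print Job) and the "isolated activity after 120 days" risk example are all detections that can be run over record-level audit events carrying the fields the standard requires (UserID, action date/time, success/failure indication, origination of event, identity of the affected record). The following is an added worked example, not Tenet's code or any tool referenced by the standard: it validates that each event carries those fields, then produces the three reports over a constructed audit trail. The employee directory, patient index, user IDs, dates and the outlier thresholds (3× the peer median, minimum of 3 print jobs) are all constructed assumptions for illustration; the standard itself does not fix those thresholds.

```python
"""Added example: three user-activity monitoring reports from the standard,
run over constructed sample audit records. All names, IDs, dates and
thresholds are constructed for illustration and are not from the standard."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Record-level event fields the standard requires: UserID, action date/time,
# identity of affected record, success/failure indication, origination of event.
REQUIRED_FIELDS = ("user_id", "ts", "patient_id", "action", "success", "origin")

# Constructed employee directory (user -> last name) and patient index (hypothetical).
EMPLOYEES = {"u1001": "Nguyen", "u1002": "Patel", "u1003": "Garcia", "u1004": "Smith"}
PATIENTS = {"p1": "Patel", "p2": "Lee", "p3": "Okafor", "p4": "Smith", "p5": "Brown"}


def ev(user_id, day, patient_id, action, success=True, origin="onsite"):
    """Build one constructed audit record; day is an offset from a fixed base date."""
    base = datetime(2024, 1, 1)
    return {"user_id": user_id, "ts": base + timedelta(days=day),
            "patient_id": patient_id, "action": action,
            "success": success, "origin": origin}


# Constructed sample audit trail (not real log data).
ACCESSES = [
    ev("u1001", 0, "p2", "view"), ev("u1001", 1, "p3", "view"), ev("u1001", 2, "p2", "print"),
    ev("u1002", 0, "p1", "view"),                    # Patel views a Patel record
    ev("u1003", 0, "p5", "view"), ev("u1003", 1, "p5", "print"),
    ev("u1004", 3, "p4", "view", origin="remote"),   # Smith views a Smith record remotely
    ev("u1004", 3, "p1", "print"), ev("u1004", 3, "p2", "print"), ev("u1004", 4, "p3", "print"),
    ev("u1004", 4, "p4", "print"), ev("u1004", 5, "p5", "print"), ev("u1004", 5, "p2", "print"),
    ev("u1002", 0, "p3", "view"), ev("u1002", 130, "p3", "view"),  # dormant record reopened
]


def validate_events(events):
    """Drop records missing a required field; returns (valid_records, rejected_count)."""
    valid = [e for e in events if all(f in e for f in REQUIRED_FIELDS)]
    return valid, len(events) - len(valid)


def same_last_name_report(events, employees=EMPLOYEES, patients=PATIENTS):
    """(user, patient) pairs where the user's last name matches the patient's."""
    hits = set()
    for e in events:
        emp = employees.get(e["user_id"], "").lower()
        pat = patients.get(e["patient_id"], "").lower()
        if emp and emp == pat:
            hits.add((e["user_id"], e["patient_id"]))
    return sorted(hits)


def print_job_outliers(events, factor=3.0, min_jobs=3):
    """Users whose successful print count exceeds factor x the peer median.
    factor and min_jobs are constructed thresholds, not figures from the standard."""
    counts = Counter(e["user_id"] for e in events
                     if e["action"] == "print" and e["success"])
    if not counts:
        return []
    peer_median = median(counts.values())
    return sorted(u for u, n in counts.items() if n >= min_jobs and n > factor * peer_median)


def dormant_record_access(events, dormant_days=120):
    """Accesses to a patient record after at least dormant_days with no activity on it."""
    by_patient = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        by_patient.setdefault(e["patient_id"], []).append(e)
    flagged = []
    for pid, evs in by_patient.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["ts"] - prev["ts"] >= timedelta(days=dormant_days):
                flagged.append((cur["user_id"], pid, cur["ts"].date().isoformat()))
    return flagged


if __name__ == "__main__":
    valid, rejected = validate_events(ACCESSES)
    print("rejected malformed records:", rejected)
    print("same last name:", same_last_name_report(valid))
    print("print outliers:", print_job_outliers(valid))
    print("dormant record reopened:", dormant_record_access(valid))
```

Each report returns structured rows rather than printing them so that the results can be written into the facility's monitoring report store and tied to the remediation workflow described above; the validation step matters because an event missing its UserID or affected-record identity cannot be attributed to a workforce member, which is the precondition the Designated Reviewer's assessment depends on.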
EC.PS.04.02 User Security and Conduct Standard
EC.PS.04.00 Information Security Policy
EC.PS.01.01 Information Privacy and Security Incident Handling Standard
EC.PS.01.00 Information Privacy Security Administration Policy