Detect security incidents with the power of logging and auditing
Healthcare has a high risk of cybersecurity incidents because, by nature, healthcare is a system that puts a lot of trust in people. Providers engage in sensitive activities on behalf of patients and need to exchange or access confidential patient information.
Outsiders (e.g. hackers) are a threat but, sometimes, insiders (e.g. employees) can be too. Insiders sometimes make mistakes; they send confidential information to the wrong person or look at things that they shouldn’t look at simply because they have access. Or, their credentials might be abused by another person.
How logging and auditing helps
Logging and auditing are basic controls that ensure accountability and security. Essentially, we’re talking about:
- logging activity that’s going on in your environment, and then
- auditing that activity to identify the signs that something is not normal.
It is important because if you can’t see abnormal activity – if it’s not being logged – you can’t analyse it to understand and limit the potential malicious activity, and prevent it from happening again or protect patient information.
For example, logs were analysed during the investigation of a well-publicised cyber security incident in the New Zealand health sector. However, the logs were not adequate and could not show the full history of the security breach. There was evidence that a breach had occurred, but the logs did not allow definitive proof of what happened.
The second part of this equation is of course analysing the logs. This is not a manual task – you will have pages and pages of logs, so you will need an automated system to collect and correlate the logs and then generate alerts. For example, an automated system, like a Security Incident and Event Management (SIEM) system, can tell you if someone from outside of New Zealand tried to log in to an account 3 times in 1 minute.
You also need to consider how long you keep the logs for. You need a full picture with plenty of useful history, but without the cost of storage (including backups). Financial information must be kept for 7 years and medical information is also governed by rules, so you need to understand your regulatory obligations. Our advice is to store logs for as long as you practically can – 1 year if possible, or a minimum of 6 months. The median time to discover a cyber security incident is 230 days, so if you have 365 days of history you can look back in time and understand the circumstances behind the abnormal activity.
It’s very easy and cost effective to implement logging. The CERT NZ website has useful information about centralised logging and configuring centralised logging. Don’t panic if these terms are unfamiliar – your IT service provider will be able to give you advice about implementation.
If in doubt, please reach out to Patients First and we can work with you to create a plan based on what’s best for you and your circumstances. We can even simulate an attack to test that the logs are working and show you the results.
The 80/20 rule
While logging and auditing accounts for about 20% of the cyber security critical controls that we would recommend to you, it will cover 80% or most of the threats that are out there. You can see why we think it’s a worthwhile investment.