By Connor Walsh, CISSP
In the world of medical devices, audit logging is often overlooked. It has many benefits, including effective incident response, detailed after-action reports and support for the confidentiality, integrity and availability of medical systems. Ultimately, successful audit logging holds users accountable for every action they take once they log in to your systems. This article explores how to start and maintain a successful audit log policy.
Before we begin, you may be asking why audit logging is important for healthcare technology management (HTM) professionals. Let's say you have a shared radiology PACS database to which many personnel have access. If a user were to go into the database and accidentally (or maliciously) delete patient data, do you currently have a way to know who it was? As another example, many of us have service agreements with various manufacturers to perform remote support. Is there currently an automated method of notifying you when a vendor remotes in to access your systems? Are you able to track all changes that the vendor makes? These are some of the questions that a successful audit log policy can help answer.
The first step in creating a log policy is identifying what type of logs you want to capture. There are multiple types, including security, system, application, firewall and change logs. A good technique to start with is to identify which operating system (OS) is most prevalent in your environment. Then, you can research which options are natively available. For example, if Microsoft is the primary OS that you want to track, they have made it easy by publishing their audit-log recommendations here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations. It can be modified to fit the needs of your facility.
After you have identified what you want to audit, you need to determine a platform that can collect and analyze it effectively. There are many products available, including Splunk and SolarWinds Kiwi Syslog, that are not expensive and can be installed quickly. These products analyze all your log data and can be customized to send real-time alerts when a user triggers a defined event, such as remoting into a server. Most of them come with an interactive web-based application, so setting filters and analyzing alerts is easy, something that would be nearly impossible to do manually. This is where holding users accountable becomes manageable, as you can filter and pinpoint a user's actions in a few minutes.
The final steps in setting up your audit policy are determining where to store the logs, how long they should be stored and how much storage is needed. Most systems do not have adequate local storage, so a centralized remote location will be needed. This remote location should be extremely secure, as it will hold vital information from all your systems; it is often referred to as a bastion host. Lastly, defining how long the data should be held is vital for determining how much storage is needed. A typical audit storage location holds audit logs for at least a year.
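The kind of filter such a platform runs, as an added example that is not from the article or any of the products named: it scans forwarded Windows Security events (4624 = successful logon, 4672 = special privileges assigned, 4634 = logoff; LogonType 10 = RemoteInteractive/RDP), raises an alert for each remote logon by a vendor support account, and pulls one account's time-ordered activity. The event records, account names and host names are constructed for illustration.

```python
"""Alert on vendor remote logons in forwarded Windows Security events.

Added example, not from the article. The records below are constructed
to mimic fields of Windows Security events (4624 = successful logon,
4672 = special privileges assigned, 4634 = logoff); LogonType 10 is
RemoteInteractive (RDP). Account and host names are hypothetical.
"""

# Constructed sample of events a central log server would receive
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:02:11", "host": "PACS-DB01", "event_id": 4624,
     "user": "svc_vendorA", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": "2024-01-10T08:05:40", "host": "PACS-DB01", "event_id": 4672,
     "user": "svc_vendorA", "logon_type": None, "src_ip": None},
    {"ts": "2024-01-10T08:15:02", "host": "PACS-DB01", "event_id": 4634,
     "user": "svc_vendorA", "logon_type": 10, "src_ip": None},
    {"ts": "2024-01-10T09:00:00", "host": "RAD-WS07", "event_id": 4624,
     "user": "jsmith", "logon_type": 2, "src_ip": None},
    {"ts": "2024-01-10T09:30:00", "host": "PACS-DB01", "event_id": 4624,
     "user": "svc_vendorB", "logon_type": 3, "src_ip": "10.20.0.15"},
    {"ts": "2024-01-10T11:45:13", "host": "PACS-DB01", "event_id": 4624,
     "user": "jsmith", "logon_type": 10, "src_ip": "10.20.0.44"},
]

VENDOR_ACCOUNTS = {"svc_vendora", "svc_vendorb"}  # hypothetical support accounts
REMOTE_LOGON_TYPES = {10}  # RemoteInteractive (RDP)


def vendor_remote_logons(events, vendor_accounts=VENDOR_ACCOUNTS):
    """Return one alert string per successful remote logon by a vendor account."""
    alerts = []
    for e in events:
        if (e["event_id"] == 4624
                and e["logon_type"] in REMOTE_LOGON_TYPES
                and e["user"].lower() in vendor_accounts):
            alerts.append(f"{e['ts']} {e['user']} remote logon to {e['host']} "
                          f"from {e['src_ip']}")
    return alerts


def user_timeline(events, user):
    """All events for one account, time-ordered: logon, privilege grant, logoff."""
    return sorted((e["ts"], e["host"], e["event_id"])
                  for e in events if e["user"].lower() == user.lower())


if __name__ == "__main__":
    for line in vendor_remote_logons(SAMPLE_EVENTS):
        print("ALERT:", line)
    for row in user_timeline(SAMPLE_EVENTS, "svc_vendorA"):
        print(row)
```

Only the RDP session by svc_vendorA alerts; the vendor's network logon (type 3) and the staff member's RDP session do not, while the timeline shows the vendor's logon, privilege grant and logoff in order.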
Setting up an audit policy for your department is an easy way to improve your overall cybersecurity posture. It brings peace of mind knowing that you have detailed records of all activity on your network and that all users are held accountable. If your site experiences a cyber-attack, you will be able to respond quickly and provide detailed after-action reports to leadership. As attacks on health care systems continue to increase, audit policies should be developed and rolled out for any environment an HTM professional manages.
Connor Walsh, CISSP, is a biomedical engineer for the Department of Veterans Affairs.
The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.