 
  • Achieve HIPAA compliance using ManageEngine Log360

Take the lead in data protection best practices with our unified SIEM solution!

Log360 is a unified security information and event management (SIEM) solution with integrated DLP and CASB capabilities. It helps IT teams detect, investigate, and respond to security threats. Furthermore, Log360 helps organizations meet compliance mandates, such as HIPAA, by offering tailored reports and analytics that help covered entities and business associates comply with stringent data protection requirements.

As a SIEM solution, Log360 is focused on simplifying compliance with the Security Rule, Privacy Rule, and Data Breach Notification Rule of the HIPAA law.

The following table details all the ways in which Log360 can help organizations comply with each standard or implementation specification within that standard. (A) next to an entry title indicates that it is addressable, while (R) next to an entry title indicates that it is a mandatory requirement.

 
Requirement Description Pre-requisites Capabilities Alerts
164.306(a)(1) Your organization must safeguard all electronic patient health information (ePHI) to ensure its privacy, accuracy, and accessibility. 1. Enable auditing for file shares, file systems, object access, and handle manipulation.

2. SACLs should be enabled for the monitored files and folders.

Added resources: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/Configurations/file-monitoring.html
Log360 offers: 1. The ability to delete or quarantine files, stop data transfers to storage devices, and identify who accessed what data and when.

2. Detection, prioritization, investigation, and response to threats. 3. Threat intelligence, anomaly detection, and rule-based attack detection.
Create an alert profile to notify the SOC team of changes and accesses to critical files and folders.
164.306(a)(2) Your organization must be able to protect ePHI against any reasonably anticipated threats. None Log360 provides predefined correlation rules for attacks—like ransomware attacks (multiple variants), DoS attacks, and cryptojacking—which commonly target healthcare organizations. You can create alerts to notify security professionals of possible ransomware attacks and other attacks you might anticipate.
164.306(a)(3) Your organization must protect ePHI against illegitimate use or access that can be reasonably anticipated. None Log360 has UEBA capabilities that allow you to monitor user activity and spot anomalous behavior on your network. You can use Log360's alerting feature to set up alerts for suspicious user behavior like accessing ePHI at odd times.
164.306(a)(4) Your organization must ensure that all employees comply with the Security Rule. Ensure that you have enabled real-time monitoring 1. Log360 offers monitoring of all user activity on the network and provides an alerting capability as well.

2. You can also set up scheduled HIPAA compliance reports to be delivered periodically to check whether compliance standards are met.
You can use Log360's alerting feature to set up alerts for suspicious user behavior, like accessing ePHI at odd times or an irregular number of downloads.
164.306(b)(2)(i) Your organization must use security measures that take into account your business complexity, size, and capabilities. None 1. Log360 streamlines resource management and monitoring via a single console.

2. Log360 is deployable to monitor any number of devices, and it offers customizable add-ons for specialized features. 3. Log360 scales effortlessly to monitor thousands of network resources, ensuring a perfect fit for your organization while optimizing costs.
 
164.306(b)(2)(ii) Your organization must use security measures that take into account your technical or network infrastructure, hardware, and software capabilities. Ensure that you have installed the appropriate agent for Windows and syslog devices for smooth device discovery. 1. Log360 offers log collection capabilities from both on-premises and cloud (AWS) environments.

2. Log360 automatically discovers devices on your network, allowing you to then configure those devices for monitoring.
 
164.306(b)(2)(iii) Your organization must use cost-effective security measures while not compromising on the quality. None Log360 offers multiple pricing plans that—depending on the edition—offer various capabilities like log collection, search retention, reporting, compliance reporting, and AD auditing, as well as FIM, CASB, UEBA, and SOAR functionalities. There are also add-ons like advanced threat analytics for improved threat intelligence.  
164.306(b)(2)(iv) Your organization must use security measures that take into account the probability of potential risks to ePHI. Enable alert profiles for known threats. Log360 offers threat intelligence capabilities like: 1. IP risk scoring, where a risk score is provided for an IP address that was spotted on the network.

2. Built-in correlation rules that detect attacks and determine the probability of certain attack variants occurring, such as DoS attacks, ransomware, and cryptojacking.
You can also create alerts for attack patterns that were noticed on your network and respond to them immediately.
164.308(a)(1)(i) Your organization must implement policies to detect and contain security violations. None 1. With Log360, you can detect security violations through built-in and custom correlation rules.

2. You can also use the incident management feature to create workflows to respond to threats and assign personnel to resolve each incident.
You can set alerts to notify you of compliance violations.
164.308(a)(1)(ii)(A) (R) Your organization must perform a risk analysis and assess the vulnerabilities to the confidentiality, integrity, and availability of the ePHI. None Log360 gives a risk score for various threat categories like insider threats, data breaches, compromised accounts, unusual logins, and overall anomalies. When activity differs from the norm, the risk score goes up. You can set up alerts for suspicious user or entity behavior detected on the network.
164.308(a)(1)(ii)(D) (R) Your organization must implement procedures to review records of information system activity on a regular basis. None 1. Log360 offers extensive auditing and reporting capabilities that give individuals tasked with security checks something they can refer to.

2. You can also set up scheduled compliance reports to be delivered periodically to check whether compliance standards are met.
You can use the alerting mechanism to notify you of security incidents.
164.308(a)(3)(ii)(A) (A) Your organization must implement procedures to authorize and supervise employees who work with ePHI. None Log360 allows you to audit privileged employee activity on the network. 1. You can set up alerts to notify you of suspicious activity associated with privileged accounts.

2. You can also be alerted to unauthorized tampering with ePHI.
164.308(a)(3)(ii)(B) (A) Your organization must implement procedures to determine whether access levels and privileges an employee has for a specific file or folder are appropriate. 1. Enable auditing for file shares, file systems, object access, and handle manipulation.

2. SACLs should be enabled for the monitored files and folders.
1. Log360 helps you audit access to important files and file servers.

2. Log360's UEBA mechanism can also detect anomalous activity on files and folders.
You can set up alert profiles to notify you of unauthorized accesses or failed access attempts of sensitive information.
164.308(a)(3)(ii)(C) (A) An employee who has access to ePHI should no longer have access to it once their job has been completed. None 1. Log360 can track whether ePHI is being accessed by a disabled account.

2. Although Log360 doesn't allow you to manage users' permissions and access to sensitive files, ManageEngine ADManager Plus does.
You can set up alert profiles to notify you of unauthorized accesses from a disabled account.
164.308(a)(4)(ii)(A) (R); 164.308(a)(4)(ii)(B) (A); 164.308(a)(4)(ii)(C) (A) Policies and procedures for authorizing and granting access to ePHI must be followed, along with the ability to modify a user's privileges as needed. Ensure file auditing is enabled 1. You can monitor these changes to permissions and other events like unauthorized accesses to ePHI through Log360's reports.

2. Although Log360 doesn't allow you to set up MFA to access sensitive files and servers, ManageEngine SelfService Plus does.
You can set up alert profiles to notify you of changes to the permissions of sensitive files and folders.
164.308(a)(5)(ii)(B) (A) Your organization needs procedures for detecting, guarding against, and reporting on malicious software. None Log360's built-in correlation mechanism can identify suspicious software downloads. You can set up an alert to be notified if a blocklisted application or software is downloaded.
164.308(a)(5)(ii)(C) (A) Your organization needs procedures for monitoring log-in attempts and reporting discrepancies. Enable real-time auditing 1. Log360 has the capability to monitor all login and logoff events and can generate reports on these.

2. The UEBA capability (powered by ML-based algorithms) can also detect anomalous logins.
You can choose to be alerted on anomalous login attempts and raise an incident for further investigation.
164.308(a)(5)(ii)(D) (A) Your organization needs to safeguard your users' passwords. None 1. Log360 allows admins to build correlation rules to spot activities that could compromise credentials (e.g., brute-force attacks, pass-the-hash, etc.).

2. Log360's MITRE reports present analyses on multiple credential-stealing techniques attackers use on networks.
You can set up alerts to be notified of attacks like brute-force attacks or other credential theft attacks.
164.308(a)(6)(i) In the case of a security incident, your organization needs to be able to respond effectively. None Log360 offers several incident management features. For example, the automated workflow feature allows you to predefine which responses should be executed automatically when a particular incident takes place. Once an alert is triggered for a security incident, automated workflows can kick in, which can stop an attack from progressing further.
164.308(a)(6)(ii) (R) In case of a security incident, your organization needs to be able to mitigate the incident as much as possible. None 1. Log360 provides enhanced incident investigation capabilities, like the incident workbench feature, which enables you to add, compare, and analyze core digital entities like users, devices, and processes.

2. The automated workflow feature allows you to predefine which responses should be executed automatically when a particular incident takes place.
Once an alert is triggered for a security incident, automated workflows can kick in, which can stop an attack from progressing further.
164.312(b), (c)(1) Your organization needs to implement a solution that can audit, record, and analyze any activity on servers that contain ePHI. It also needs to protect against tampering and destruction. 1. Enable auditing for file shares, file systems, object access, and handle manipulation.

2. SACLs should be enabled for the monitored files and folders. 3. Configure threat servers.
1. Log360 can audit your files and file servers and generate in-depth reports on activity related to these objects.

2. It also has FIM capabilities that track changes to the data within your ePHI or any other sensitive files. 3. The Advanced Threat Analytics (ATA) feature in Log360 Cloud pulls data about malicious IPs and domains that have an assigned reputation score. It uses that data to alert the administrators whenever any suspicious IP tries to connect to your network.
You can create alert profiles that notify concerned individuals of accesses and modifications made to ePHI.
164.312(c)(2)(A); 164.312(d) Your organization must protect ePHI from improper access. None 1. Log360 helps you audit both successful and failed access attempts made on ePHI.

2. Although Log360 doesn't help you implement MFA in your network (which would ensure only authorized users are provided with access), ManageEngine ADSelfService Plus does.
You can create alert profiles that notify concerned individuals of accesses and modifications made to ePHI.
160.308 Your organization must cooperate during compliance reviews. None Log360's easy search and retention capabilities can help you look for specific events. You can set up an alert that notifies you of changes made to retention settings.
160.310(a) Your organization must provide records and compliance reports during an investigation. None 1. Log360 has dedicated reports on network activity. These are designed specifically with HIPAA standards in mind. Auditors can refer to these reports to see whether HIPAA standards were met.

2. You can also set up scheduled compliance reports to be delivered periodically to check whether compliance standards are being met.
 
160.310(c) Your organization must permit access to relevant information to the auditors appointed by the HHS. None Log360 allows you to provide role-based access to people in charge of security.  
164.316b(2)(i) Your organization must retain relevant documentation for at least 6 years from when the security policy was last implemented or first created. None Log360 retains log data in its database for a customizable time period. The database contains two sets of log data: raw logs and formatted logs. You can customize separate time periods for both sets of log data.  
164.404(2)(c)(A) Your organization needs to generate the necessary content to populate a notification that will be sent to an individual whose information was disclosed in a breach. None Log360's reporting styles provide all the relevant data on breach information—like the date of breach and a description of events—making it easy to notify an individual affected by a breach. Log360's alerting mechanism can notify you if specific rules of HIPAA have been breached.
164.404(2)(c)(B) When a breach occurs, your organization needs to generate a description of what information was disclosed during the breach. None Log360's reporting styles provide accurate information on what information was breached. Log360's alerting mechanism can notify you if specific rules of HIPAA have been breached.
164.406(2)(c) Your organization needs to generate the necessary content to populate a notification that will be made to media about a breach. None Log360's reports give all information regarding the breach—like the date of breach and the description—so that proper notifications can be made to the media. Log360's alerting mechanism can notify you if specific rules of HIPAA have been breached.
164.410(c)(2) Your organization needs to generate the necessary content to populate a notification made by business associates to covered entities about a breach. None Log360's reports give adequate information on the breach—like date of breach and description—so that business associates can inform covered entities according to HIPAA guidelines. Log360's alerting mechanism can notify you if specific rules of HIPAA have been breached.
         
164.524 Your organization must ensure access of individuals to their protected health information (with some terms for denial). None 1. Log360's monitoring capability provides security teams the ability to track whether ePHI has been accessed only by authorized individuals.

2. It can also track what information was accessed by those individuals (i.e., which file(s) or folder(s) were accessed).
 
164.526(d)(4) Your organization must ensure the right to amend ePHI. 1. Enable auditing for file shares, file systems, object access, and handle manipulation.

2. SACLs should be enabled for the monitored files and folders.
Log360 can track modifications made to ePHI to ensure only an authorized person makes amendments to the patient information.  
164.528 Your organization must comply with the right to an accounting of disclosures of protected health information. 1. Enable auditing for file shares, file systems, object access, and handle manipulation.

2. SACLs should be enabled for the monitored files and folders.
Log360 tracks all events, including accesses to ePHI. Its predefined reports can be used to provide an account of all users and entities that had access to the ePHI, as required by an accounting of disclosures request.