Friday, October 24, 2008

Cool Technology of the Week

At BIDMC and other Caregroup hospitals, auditing is a critical component of HIPAA compliance and ensuring patient privacy. We currently have 1 billion rows of audit data from 146 mission critical clinical applications. Our comprehensive audits of every clinical lookup yield 300,000 – 500,000 transactions per day. HIPAA requires an audit system to record who is looking up what, where and why. We need to keep these audit logs for 20 years.

The graphic above describes the unique approach we've taken with Microsoft SQL Server 2008 Enterprise Edition to implement a federated audit system that consolidates all our audit logs from multiple SQL Servers and non-SQL sources into one place. We use a SQL Server Integration Service (SSIS) package every 15 minutes to fetch through the Audit files and upload the data to Central SQL Audit DB Repository to capture:

i. Server level: all login in/out/failed events, and server configuration changes

ii. Database level: Create/Alter/Drop db events

iii. Object level: Create/Alter/Drop object events

iv. Data level: Insert/Update/delete and select events (we didn’t enable Select events in phase I)

Then, we use SQL Reports to query and view the audited data (i.e. who made this change, who modified a table, who insert/update/del a record)

Our next step is to process all audit data with SQL Server Analysis Services, create cubes to analyze the collected data, and build reports/alerts based on threshold (e.g. on average there are 10,000 logins/day, an alert will raise if we exceed the threshold)

Microsoft will be releasing soon a Compliance SDK on Security and Auditing based on their collaboration with BIDMC's SQL team. The SDK will be available for download so that other companies can use our Auditing solution as a model.

Creating an enterprise tool for consolidated storage, reporting and alerting of all application audit data - that's cool!

5 comments:

Unknown said...

That is cool.

Unknown said...

Great post, thanks! Just a couple of comments...

Audit logs serve two purposes:

1) Evidentiary - to produce a trail of evidence to know, for example, what that rogue employee accessed and when.
2) Prospective - to detect suspicious behavior which might be a sign of a security issue.

Collecting massive amounts of audit logs isn't hard, that is task #1. What is hard is going through them to find something of security value, #2. Any insights into how BIDMC does #2?

[Lastly, just a point of clarification: your requirement to store logs for 20 years is a local requirement. The HIPAA Security Rule only requires that covered entities store the documentation of log reviews for 6 years, but not the logs themselves.]

AlanHP said...

I am interested in this post from a policy perspective, not from IT.

The 500-600,000 lookups per day is an incredible figure.

Do you have any idea how many new (transactions (results, orders, histories, etc.) are added daily?

I once read a factoid (but cannot find it now) that the typical 350 bed hospital creates as many transactions on a daily basis as a 100 branch bank does in a month, and of a much greater variety.

The shear mass of information added to health care information systems should not be an excuse for any organization contemplating implementation such a system but it does give one a measure of just how complicated such systems are to implement and run.

Susan@STATEOFMARYLAND said...

Anyone interesting in trying a secure keyboard for blackberry and giving us feedback call or email me at Man and Machine. We're the manufacturer of the only secure blackberry keyboard created in partnership with RIM( Research in Motion) We are so secure that the 1st Army uses our keyboards in Iraq.We think that the medical community would love these keyboards as well. Go to Man-Machine.com Products- CoolMir... check it out and call me 301-341-4900 or email me susan@MMIMD.COM

Anonymous said...

米蘭情趣用品,情趣用品,飛機杯,自慰套,充氣娃娃,AV女優.按摩棒,跳蛋,潤滑液,角色扮演,情趣內衣,自慰器
免費視訊聊天,辣妹視訊,視訊交友網,美女視訊,視訊交友,視訊交友90739,成人聊天室,視訊聊天室,視訊聊天,視訊聊天室,情色視訊,情人視訊網,視訊美女
一葉情貼圖片區,免費視訊聊天室,免費視訊,ut聊天室,聊天室,豆豆聊天室,尋夢園聊天室,聊天室尋夢園,影音視訊聊天室,

辣妹視訊,美女視訊,視訊交友網,視訊聊天室,視訊交友,視訊美女,免費視訊,免費視訊聊天,視訊交友90739,免費視訊聊天室,成人聊天室,視訊聊天,視訊交友aooyy
哈啦聊天室,辣妺視訊,A片,色情A片,視訊,080視訊聊天室,視訊美女34c,視訊情人高雄網,視訊交友高雄網,0204貼圖區,sex520免費影片,情色貼圖,視訊ukiss,視訊ggoo,視訊美女ggoo
080苗栗人聊天室,080中部人聊天室ut,ut影音視訊聊天室13077,視訊做愛,kk777視訊俱樂部
A片下載,成人影片下載,免費A片下載,日本A片,情色A片,免費A片,成人影城,成人電影
影音視訊聊天室,辣妹視訊