Friday, October 24, 2008

Cool Technology of the Week

At BIDMC and other Caregroup hospitals, auditing is a critical component of HIPAA compliance and of ensuring patient privacy. We currently hold 1 billion rows of audit data from 146 mission-critical clinical applications. Our comprehensive audits of every clinical lookup yield 300,000 – 500,000 transactions per day. HIPAA requires an audit system to record who is looking up what, where and why. We need to keep these audit logs for 20 years.

The graphic above describes the unique approach we've taken with Microsoft SQL Server 2008 Enterprise Edition to implement a federated audit system that consolidates all our audit logs from multiple SQL Servers and non-SQL sources into one place. A SQL Server Integration Services (SSIS) package runs every 15 minutes, reads the audit files and loads the data into a central SQL audit database repository, capturing:

i. Server level: all login, logout and failed-login events, and server configuration changes

ii. Database level: Create/Alter/Drop db events

iii. Object level: Create/Alter/Drop object events

iv. Data level: Insert/Update/Delete and Select events (we didn't enable Select events in phase I)

Then we use SQL Reports to query and view the audited data (i.e. who made this change, who modified a table, who inserted/updated/deleted a record).

Our next step is to process all audit data with SQL Server Analysis Services, create cubes to analyze the collected data, and build reports and alerts based on thresholds (e.g. on average there are 10,000 logins/day, so an alert is raised if we exceed that threshold).
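As an added illustration (not BIDMC's or Microsoft's code), here is how the four capture levels above map onto SQL Server 2008 Audit objects, followed by the two queries the pipeline needs: the file read an SSIS package would perform every 15 minutes, and the daily login threshold check. The audit name, file path, database name and repository table are assumptions.

```sql
USE master;
GO
-- Server audit: the destination every specification below writes to (names/paths assumed)
CREATE SERVER AUDIT ClinicalAudit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB,
             MAX_ROLLOVER_FILES = UNLIMITED, RESERVE_DISK_SPACE = OFF)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT ClinicalAudit WITH (STATE = ON);
GO
-- Levels i-iii: logins, server configuration, Create/Alter/Drop of databases and objects
CREATE SERVER AUDIT SPECIFICATION ClinicalServerSpec
    FOR SERVER AUDIT ClinicalAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (LOGOUT_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_OPERATION_GROUP),      -- server configuration changes
    ADD (DATABASE_CHANGE_GROUP),       -- Create/Alter/Drop db
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)   -- Create/Alter/Drop object
    WITH (STATE = ON);
GO
USE ClinicalDB;   -- assumed clinical database
GO
-- Level iv: data changes only; SELECT deliberately left out, as in phase I
CREATE DATABASE AUDIT SPECIFICATION ClinicalDataSpec
    FOR SERVER AUDIT ClinicalAudit
    ADD (INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public)
    WITH (STATE = ON);
GO
-- What the 15-minute SSIS step reads before loading the central repository
-- (audit event_time is stored in UTC, so the window is computed in UTC too)
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\Audit\ClinicalAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(MINUTE, -15, SYSUTCDATETIME());
GO
-- Threshold alert from the text: flag any day whose successful logins exceed 10,000
-- (AuditRepository.dbo.AuditEvents is the assumed central table; LGIS = login succeeded)
SELECT CAST(event_time AS date) AS audit_day, COUNT(*) AS logins
FROM AuditRepository.dbo.AuditEvents
WHERE action_id = 'LGIS' AND succeeded = 1
GROUP BY CAST(event_time AS date)
HAVING COUNT(*) > 10000;
```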

Microsoft will soon release a Compliance SDK for Security and Auditing based on their collaboration with BIDMC's SQL team. The SDK will be available for download so that other companies can use our auditing solution as a model.

Creating an enterprise tool for consolidated storage, reporting and alerting of all application audit data - that's cool!

5 comments:

  1. Great post, thanks! Just a couple of comments...

    Audit logs serve two purposes:

    1) Evidentiary - to produce a trail of evidence to know, for example, what that rogue employee accessed and when.
    2) Prospective - to detect suspicious behavior which might be a sign of a security issue.

    Collecting massive amounts of audit logs isn't hard, that is task #1. What is hard is going through them to find something of security value, #2. Any insights into how BIDMC does #2?

    [Lastly, just a point of clarification: your requirement to store logs for 20 years is a local requirement. The HIPAA Security Rule only requires that covered entities store the documentation of log reviews for 6 years, but not the logs themselves.]

  2. I am interested in this post from a policy perspective, not from IT.

    The 500-600,000 lookups per day is an incredible figure.

    Do you have any idea how many new transactions (results, orders, histories, etc.) are added daily?

    I once read a factoid (but cannot find it now) that the typical 350 bed hospital creates as many transactions on a daily basis as a 100 branch bank does in a month, and of a much greater variety.

    The sheer mass of information added to health care information systems should not be an excuse for any organization contemplating implementing such a system, but it does give one a measure of just how complicated such systems are to implement and run.

  3. Anyone interested in trying a secure keyboard for BlackBerry and giving us feedback, call or email me at Man and Machine. We're the manufacturer of the only secure BlackBerry keyboard created in partnership with RIM (Research in Motion). We are so secure that the 1st Army uses our keyboards in Iraq. We think that the medical community would love these keyboards as well. Go to Man-Machine.com Products - CoolMir... check it out and call me 301-341-4900 or email me susan@MMIMD.COM
