rsyslog

The rocket-fast system for log processing

HIPAA compliance through rsyslog

HIPAA, the Health Insurance Portability and Accountability Act, is defining the standard for protecting sensitive patient data. This concerns every company that has to deal with protected health information and must ensure that all data must be secure in a physical way, on the network and in the process of data usage. Affected by this act is anyone who provides treatment, payment and operations in healthcare, as well as business associates who provide this as well.

The goal of HIPAA is to have the patient data protected. A security breach and thus a leak of patient data can cause extensive damage. Not only is it inflicting the trust of the patient into the organization, but also there are significant fines that come with a HIPAA violation.

The American Medical Association broke down the cost for several scenarios:

HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million

And though, the annual maximum for violations lies at $1.5 million, the actual cost might be higher than such a basic cost. Patients may take legal action after their data is comprised and organizations are required to notify their patients if they are affected. Thus, the overall cost for non-compliance may quickly escalate. And even without being HIPAA compliant, significant cost can occur withough an incident even happening, just because an audit failed, fines will incur and remediation steps need to be taken.

rsyslog and it’s strong logging structure can help you minimizing the risks for such violations. One of the main requirements to become HIPAA compliant is to ensure, that patient data is handled with the right confidentialiy, ensure its integrity and its availability. Also one needs to identify common threats and implement solutions. On IT systems, some more or less basic tools give additional help to achieve these goals. Syslog servers like rsyslog receive and consolidate a lot of data that an auditor needs to review, identify problems and act accordingly.

Thus rsyslog can be escpecially valuable to achieve HIPAA compliance because it can ease the job for administrators and auditors by autonomously receiving, filtering and archiving log data, so review of the data becomes a lot easier if stored properly.