Information System Activity Review. Business Associate will regularly capture and review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Business Associate will employ Security Event and Incident Monitoring (XXXX) technology such as intrusion detection and prevention systems on IT systems that create, receive, transmit, transact, or store PHI and will review and analyze activity records for indications of inappropriate or unusual activities daily. Business Associate will retain the activity logs for a minimum of six (6) years. Business Associate shall make such logs available to Sutter, upon request, as Sutter reasonably determines is necessary to investigate a potential unauthorized Use or Disclosure.
Information System Activity Review. Section 164.308(a)(1)(ii)(D) of the rule states: “Covered entities will implement procedures to regularly review records of the information systems activity, such as audit logs, access reports, and security incident tracking reports”. MCC has implemented the following procedures to address these requirements: The IS Director will ensure that information system activity logs are implemented and maintained for all applications that process ePHI on MCC computers. The IS Director will assign a person(s) to conduct quarterly reviews of the MCC information systems’ ac- tivity logs, this activity may entail the use of an outside entity if desired. Selected reviewer(s) must have the appropriate technical skills and authorized access to enable them to interpret the audit logs correct- ly. The designated reviewer(s) will prepare reports to summarize their reviews. The report will include the reviewer’s name, date and time of the review, application or process reviewed, and any significant find- ings, and describing any events that require additional action (incident reporting). Reviewers will look at system/application logs to identify events such as multiple failed login attempts, patient file accesses, and unauthorized access attempts. Based on the periodic reviews, the IS Director may implement new procedures or technologies to im- prove the security management process. As necessary, the Security Officer, in conjunction with the IS Director, will make modifications or addi- tions to the policies implemented to protect ePHI on MCC computer systems. SECURITY POLICIES AND PROCEDURES: WORKFORCE SECURITY Effective Date: January 1, 2005 Background: 45 CFR §164.308(a)(3) of the Security standards states “a covered entity must implement policies and proce- dures to ensure that all members of its workforce have appropriate access to electronic protected health infor- mation, as provided under paragraph (a)(4) of this section [Information Access Management], and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.” Purpose: To establish the Medical Center Clinic’s (MCC) Workforce Security policies, including the required subordinate implementation specifications of authorization and/or supervision, workforce clearance procedures, and termina- tion procedures. Policy: MCC is committed to maintaining formal procedures to ensure that all workforce members whose jobs r...
Information System Activity Review. 1. ISU shall provide HHS with documentation of implementation of its policies and procedures regarding information system activity review across all of its covered health care component clinics. ISU shall provide the documentation to HHS within 60 days of the Effective Date for review and approval.
Information System Activity Review. GCHD will implement procedures to regularly review records of information system activity.
