System Audits, Monitoring and Assessments
2020.1
Changineers shall audit, monitor, and assess the access and activity of systems and applications that process or store production and/or sensitive data such as electronic protected health information (ePHI) in order to ensure compliance.
Compliance regimes such as the HIPAA Security Rule require healthcare organizations to implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit activities may be limited by application, system, and/or network auditing capabilities and resources. Changineers shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.
It is the policy of Changineers to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, Changineers shall audit access and activity to detect, report, and guard against:
- Network vulnerabilities and intrusions;
- Breaches in confidentiality and security of patient protected health information;
- Performance problems and flaws in applications;
- Improper alteration or destruction of ePHI;
- Out of date software and/or software known to have vulnerabilities.
This policy applies to all Changineers systems that store, transmit, or process ePHI.
Policy Statements
Changineers policy requires that:
(a) All critical computing systems and software, both virtual and physical, must enable audit logging.
(b) Audit logs must include sufficient information to identify who did what, when, and where.
(c) An annual audit of Changineers security controls must be conducted, either by a designated internal audit team or a qualified external audit firm.
Controls and Procedures
Security Events Analysis
Security logs, events, and audit trails are reviewed by the security team with the assistance of automated systems and processes.
- AWS audit logs are collected by AWS CloudTrail and Application audit logs are collected by Amazon CloudWatch.
- Auditing logs are automatically analyzed and correlated by the monitoring solutions and/or a centralized security information and event management system.
- The systems are configured with rules/policies to identify suspicious activities, vulnerabilities and misconfigurations.
- Alerts are triggered upon identification of an issue based on the policy configuration.
- The alerts are sent immediately to the responsible staff (e.g. security team) for analysis. The alerts may be sent via email, Slack messaging, or as notification on the monitoring dashboard.
- Analysis is prioritized based on alert severity. High severity alerts are typically reviewed within 12 hours.
- The incident response process is followed, as needed.
- Patches and updates will be applied to all systems in a timely manner.
Authentication and Authorization Systems
In the Changineers Platform, authentication is managed by Amazon Cognito, which provides several out-of-the-box features for identifying suspicious activity specific to authentication systems.
When Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations and devices, it assigns a risk score to the activity and, depending on configuration, either prompts users for additional verification or blocks the sign-in request. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator, such as Google Authenticator. Changineers developers are notified whenever there is unusual activity in Cognito, following the Application Observability processes.
All access to Changineers Platform is logged for audit purposes.
Audit Requests
- A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Privacy Officer, Security Officer, Customer, Partner, or an Application owner or application user.
- A request for an audit for specific cause must include time frame, frequency, and nature of the request.
- A request for an audit must be reviewed and approved by Changineers’s Privacy Officer and/or Security Officer before proceeding. Under no circumstances shall detailed audit information be shared with parties without proper permissions and access to see such data.
- Should the audit disclose that a workforce member has accessed ePHI inappropriately, the minimum necessary/least privileged information shall be shared with Changineers’s Security Officer to determine appropriate sanction/corrective disciplinary action.
- Only de-identified information shall be shared with Customer or Partner regarding the results of the investigative audit process. This information will be communicated to the appropriate personnel by Changineers’s Privacy Officer or designee. Prior to communicating with customers and partners regarding an audit, it is recommended that Changineers consider seeking guidance from risk management and/or legal counsel.
Audit Trails and Application Security Events Logging Standard
Changineers logging standards require application and system logs to contain sufficient information to determine who did what, when, and where, so that security and audit events are recorded and evidence of unauthorized activity can be produced.
All systems and software developed at Changineers must have the following security events logging enabled as part of or in addition to standard application logging.
- All security log events must have the following attributes at minimum:
  - Timestamp of the event (synchronized to approved time server)
  - Identifier of the principal performing the action (such as user ID)
  - Location including both origin (such as hostname/IP) and target (such as host/service/resource)
  - Activity or action (such as log in, log out, create, read, update, delete of a resource)
    - the action may be logged as and determined by the HTTP request method and the API endpoint
  - Event description and additional details may be logged depending on the system or application
- The following types of security events must be logged at minimum:
  - User and group administration activities (user or group added, updated, deleted, access granted/revoked)
  - All login attempts, successful and unsuccessful, including the source IP address
  - All interactive logoffs
  - Privileged actions (configuration changes, application shutdown/restart, software update, etc.)
  - Major application events (e.g. application failure, start and restart, shutdown)
  - Any and all actions performed on critical resources such as production data
- All application and system logs must not include (removed or masked):
  - Any sensitive information, protected health information (PHI), personally identifiable information (PII)
    - except for IP addresses
    - usernames/logins may/should be logged as part of authentication logging
      - for user action auditing, opaque IDs should be used instead of usernames/logins whenever possible
  - Authentication and session tokens, user credentials
- Security events and audit logs must be:
  - Always accessible to the monitoring system/team
  - Protected from any changes
  - Monitored with an alerting mechanism in place (including an alert for not receiving log events for a certain period of time)
- All Changineers IT infrastructure must have system clocks synchronized
- Records stored in databases should be annotated with metadata about any changes that have occurred, such as when the record was last modified, by whom, and for what reason.
Examples of recommended application events for logging and their auditing purpose:
| Events | Purpose |
|---|---|
| Client requests and server responses | forensics and debugging; level of detail is defined by the application |
| Successful and unsuccessful login attempts | authentication |
| Successful and failed access to application resources | authorization, escalation of privileges |
| Excessive amount of requests from the client | brute-forcing, malicious bots, denial of service attacks |
| E-mails sent by an application | spamming, social engineering |
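As an added illustration of the logging standard above (not Changineers code), the following builds one security-event record with the required attributes, derives the action from the HTTP method and endpoint, and masks credentials, tokens and PHI/PII while leaving IP addresses intact; the field and key names are assumptions.

```python
import re
from datetime import datetime, timezone

# Added example, not Changineers code: builds one security-event record that
# satisfies the logging standard above. Field and key names are assumptions.
REQUIRED = ("timestamp", "principal", "origin", "target", "action")
# Never logged: credentials, tokens, PHI/PII. IP addresses are allowed,
# so a key such as "client_ip" is deliberately not listed.
REDACT_KEYS = {"password", "token", "session_id", "authorization",
               "ssn", "dob", "patient_name", "email"}
# Bearer tokens or JWTs that leak into free-text values.
TOKEN_RE = re.compile(r"Bearer\s+\S+|eyJ[\w-]+\.[\w-]+\.[\w-]+")
HTTP_VERBS = {"POST": "create", "GET": "read", "PUT": "update",
              "PATCH": "update", "DELETE": "delete"}


def derive_action(method, endpoint):
    """Map HTTP method + API endpoint to the standard's CRUD-style action."""
    return f"{HTTP_VERBS.get(method.upper(), method.lower())}:{endpoint}"


def redact(details):
    """Mask sensitive keys and token-shaped values in free-form details."""
    out = {}
    for key, value in details.items():
        if key.lower() in REDACT_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = TOKEN_RE.sub("[REDACTED]", value)
        else:
            out[key] = value
    return out


def security_event(principal_id, origin, target, method, endpoint,
                   description="", details=None, timestamp=None):
    """Build one event; principal_id is an opaque ID, never a username."""
    event = {
        # Timestamp from a clock synchronized to the approved time server.
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "principal": principal_id,
        "origin": origin,        # e.g. source IP or hostname
        "target": target,        # host/service/resource acted on
        "action": derive_action(method, endpoint),
        "description": TOKEN_RE.sub("[REDACTED]", description),
        "details": redact(details or {}),
    }
    missing = [k for k in REQUIRED if not event[k]]
    if missing:
        raise ValueError(f"missing required audit attributes: {missing}")
    return event
```

The returned dict can be serialized as one JSON line per event for a CloudWatch-style collector; an event without a principal or target is rejected rather than written incomplete.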
Audit Trail Integrity - Security Controls and Log Retention
- Audit logs shall be protected from unauthorized access or modification, so the information they contain will be made available only if needed to evaluate a security incident or for routine audit activities as outlined in this policy.
- All audit logs are protected in transit and encrypted at rest to control access to the content of the logs.
- Whenever possible, audit logs shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges.
- Separate systems are used to apply the security principle of “separation of duties” to protect audit trails from hackers.
- Changineers logging servers include AWS CloudWatch.
- Reports summarizing audit activities shall be retained for a period of seven years.
- Audit log data is retained in CloudWatch for a minimum of one year.
- Raw event data may be purged after one month / 90 days as long as the required details are sufficiently covered in aggregated audit logs/reports.
Auditing Customer and Partner Activity
- Periodic monitoring of Customer and Partner activity shall be carried out to ensure that access and activity is appropriate for privileges granted and necessary to the arrangement between Changineers and the 3rd party. Changineers makes every effort to ensure Customers and Partners do not have access to data outside of their own Environments.
- If it is determined that the Customer or Partner has exceeded the scope of access privileges, Changineers’s management and security must remedy the problem immediately.
- If it is determined that a Customer or Partner has violated the terms of the HIPAA business associate agreement or any terms within the HIPAA regulations, Changineers must take immediate action to remediate the situation. Continued violations may result in discontinuation of the business relationship.
Auditing and Assessment Tools
Changineers’s Security Officer is authorized to select and use assessment tools that are designed to detect vulnerabilities and intrusions. Use of such tools against Changineers systems and environments by others, including Customers and Partners, is prohibited without the explicit authorization of the Security Officer. These tools may include, but are not limited to:
- Scanning tools and devices;
- Password cracking utilities;
- Network “sniffers”;
- Security agents installed locally on servers and endpoints;
- Passive and active intrusion detection systems; and
- Penetration testing tools.
Vulnerability testing software may be used to probe the network to identify what is running (e.g., operating system or product versions in place), whether publicly-known vulnerabilities have been corrected, and evaluate whether the system can withstand attacks aimed at circumventing security controls.