Logs are for auditing, accountability, and tracking down offenders – not for providing real-time security

A new law signed into effect in February 2009 requires that health care providers and organizations shortstory subject to HIPAA notify affected customers in the event of a breach affecting more than 500 records. There was very little discussion of this new requirement in the blogosphere which was surprising given this statement hidden amongst one of the few articles on the subject.

Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com on Thursday that there are security and privacy concerns with the move to digital health care records.

“Hospitals are now targeted by insiders and professional criminals trying to access health information for financial gain,” Levin said.

But, ultimately, computerized health care records could reduce costs, result in easy backups and data recovery, and actually improve security, Levin said.

“Electronic health care records can be more secure than paper records,” Levin said.

For example, companies can implement technologies that keep a record of everyone that has accessed the records -- something they can't do with paper records, Levin said.

The example of “better security” here is the implementation of a record, i.e. audit/log file, of everyone that accesses the records. 

Audit files do not improve security. Neither do log files. Both are simply tracking mechanisms that are little more than CYA mechanisms for organizations that help in the event security is breached. They are part of the forensic trail of evidence that can be used to assist in determining who may have had access and ultimately whether everyone who did access the resource was authorized to do so. Just take a look at the number of “hidden camera” footage videos on the Internet and you’ll quickly discover it’s not really a deterrent, it just forces criminals to take greater pains at disguising themselves and hiding their tracks. Take a good look at any generalized rootkit and you’ll find tools included for mucking with the log file – either to remove evidence or obfuscate it in such a way as to make it useless. Taking care of log files is merely one more item to be covered on the lengthy “to do after a successful breach list” of miscreants.

This is a recording of activity, it is not preventative. It does not improve security at all and it does absolutely nothing to assuage the concerns of those who may be able to see that making anything electronic – and available over the Internet – immediately degrades the security of those records because there are suddenly myriad additional attack vectors that must be identified and secured.

Paper records – health care records in this case – are accessed by medical folks. If you’ve ever tried to get a copy of your own personal records you know it requires signatures, notes from your parents, a completely filled out form specifying why you want the thing in the first place, and who can access it. HIPAA regulations require that only those so designated be allowed to see your records – at least those outside the medical organization – and even restrict to whom information can be given over the phone or e-mail. It is unlikely that electronic versions of these same records would involve the running of the gauntlet of forms and signatures required to access paper versions. They’ll be electronic - consumers and advocates hope available via the Internet - and absolutely open to attack.

That’s less secure, not more secure.

Now I’ll be more forgiving for a moment and note that Levin is quoted as saying electronic health care records can be more secure, not they will be.

But that’s a fine line to walk and the reality is that adding log or audit files does not improve security. Log and audit files are created after the event. The fact that Johnny asked for access is noted and that he was granted access is noted. There’s no participation, no collaboration, no prevention involved in logging an event. It is the recording for posterity (or the police) of an event. Period. It neither degrades nor improves security, it merely is what it is: another record. It is likely true that electronic records can provide better and more complete logs of who accessed records and when, but it doesn’t do anything to control that access in the first place.

Is it important? Yes. Should you have such records? Yes, you should. Are they required by some regulations? Absolutely.

Do they improve security? No.


There are plenty of options for improving security of any kind of records that are stored and accessed digitally:

  1. Data leak prevention (DLP) The security of “last resort” that prevents the breach from succeeding. A security breach has happened, technically, but the results are kept from being delivered [PDF] and thus the sanctity of the records.
  2. Context-Aware Authentication A username and password is good, but when it’s coming from a Starbucks in New Foundland and the user is sitting in the office in Seattle, well, c’mon – there’s something fishy about that situation, isn’t there? Context-aware authentication systems and specifically those employing endpoint inspection capable of enforcing specific conditions such as location or peculiar identifying applications/machine properties before allowing access go a long way toward improving security.
  3. Web-application Firewall If access is provided via a web application, this should be a default additional solution. Preventing some of the ways in which people unlawfully gain access (XSS, SQLi) reduces the chances of a successful breach in the first place.
  4. Full stack security Security of the entire OSI stack – from layer 1 to layer 7 – is important in preventing existing and new vulnerabilities in platforms and protocols from being exploited at the expense of the security of data.

That’s in addition to – not in place of – a secure development life cycle (SDLC), well-defined organizational-wide security policy, and auditing of that policy and its technical implementation to ensure that every possible precaution against a breach is taken.

Logging is an integral part of organizational security policies and best practices and well it should be. But don’t make the mistake of thinking that logging access to records is the same as securing them.

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share