
Axon HIPAA Compliance User Guide

The following documentation supports the HIPAA content bundle, which uses the mappings and controls of the HIPAA Security Rule. Additional support and content updates will be made while the bundle is available.

Overview

Support for HIPAA compliance in Axon includes a combination of searches, lists, dashboards, and reports that allow users to monitor defined activities, produce reports, and provide evidence to assessors and auditors as needed. The basis for data gathering in Axon is saved searches. Saved Searches allow a user to filter and surface specific activities that need to be monitored in dashboards or reported to management and assessors. This data is further refined by the usage of framework-specific LogRhythm System Lists. These lists are specific to customer environments and must be updated to include systems and users that are in-scope for the given compliance mandate. Dashboards allow analysts and/or management to monitor compliance-focused activity on a recurring basis to look for anomalous behavior, system health, and environmental trends. Reports are PDF formatted exports of search data that can be scheduled by customers. Reports can be utilized by management and assessors to review activity, provide a population of data for testing, and provide evidence of management reviews as necessary. Where data would be best provided in a spreadsheet format, CSV exports can be run directly from the Search Page.

Getting Started

Update Compliance System Lists

System lists are published without any list items so that you can populate them with values that apply to your organization. Many of the searches included in this bundle are configured to use compliance-focused system lists to outline the scope of your HIPAA environment and surface that data within dashboards and reports.

Follow the Edit Lists workflow to populate the compliance system lists with values. List data should be reviewed and updated annually at a minimum.

Validate Dashboard Output and Search Data

Once system lists have been updated with appropriate users and log sources, data should be populated within the dashboard widgets and underlying searches. It is recommended to review dashboards and all related searches to ensure data is being returned as expected. Customers should refer to the “Tuning Guidance” section within the searches and dashboards tables when modifying search and widget parameters. If logs are not being surfaced by searches due to an unexpected common event assignment, custom log source policies can be built in the Policy Builder. If the log source policy is LogRhythm-created, use the Resource Center to submit a parsing request for updates to existing log sources.

Schedule Reports

Once searches and dashboards have been validated, reports can be scheduled from the saved searches. It is recommended that all searches within this bundle be scheduled to run on a recurring basis, although they can also be run ad hoc if desired. Review the Recommended Scheduling column in the Reports table below during setup and customize as needed.

Searches

The below table contains all the searches included in this content bundle, object types the search supports, list requirements, and optional tuning guidance.

Each entry below lists the search name, followed by: Purpose of Search, Supporting Object Types, List Required *, and Tuning Guidance.

HIPAA - Anti-Malware Audit Activity
  Purpose of Search: Data to show that audit log data for the anti-malware solution is captured and retained.
  Supporting Object Types: Report
  List Required *: Yes
  Tuning Guidance: If the data returned by the search includes more systems than desired, the search criteria can be narrowed to a single log source.

HIPAA - Authentication Failures
  Purpose of Search: Data to verify that all attempted authentication requests to the CDE are captured and retained.
  Supporting Object Types: Report
  List Required *: Yes
  Tuning Guidance: N/A

HIPAA - Axon Audit Logs
  Purpose of Search: Data to verify that access to all audit logs is captured.
  Supporting Object Types: Report, Dashboard
  List Required *: No
  Tuning Guidance: N/A

HIPAA - In-scope Data Environment Access
  Purpose of Search: Data to verify that all individual user access to in-scope data is logged.
  Supporting Object Types: Report
  List Required *: Yes
  Tuning Guidance: N/A

HIPAA - In-scope Data Environment Activity
  Purpose of Search: Data to verify that all activities taking place within system components and in-scope data are logged.
  Supporting Object Types: Report
  List Required *: Yes
  Tuning Guidance: N/A

HIPAA - Common Event Health
  Purpose of Search: Data to help customers ensure that their audit data will be complete and accurate. Searches are largely based on common events, and logs without assigned events could be missing from searches.
  Supporting Object Types: Report, Dashboard
  List Required *: Optional
  Tuning Guidance: This search can be updated to exclude log sources that are known not to generate a common event or that are not in-scope for HIPAA.

HIPAA - Elevated Privileges
  Purpose of Search: Data to verify that all elevations of privileges are captured and retained.
  Supporting Object Types: Report, Dashboard
  List Required *: Optional
  Tuning Guidance: This search could be updated to exclude logged systems that are not in-scope for HIPAA, or system and service accounts, by using a custom list.

HIPAA - Firewall Activity
  Purpose of Search: Data to confirm that traffic and behavior match expected activity and to rule out anomalous activity.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: If the data returned by the search includes more systems than desired, the search criteria can be narrowed to a specific log source.

HIPAA - Firewall Configuration Changes
  Purpose of Search: This search surfaces changes to firewall configurations, which can be used to evidence that changes to network security controls follow a documented procedure.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: If the data returned by the search includes more systems than desired, the search filter can be narrowed to a specific log source.

HIPAA - Malware Activity
  Purpose of Search: Data related to potential malware, to evidence the effectiveness of anti-malware solutions.
  Supporting Object Types: Report, Dashboard
  List Required *: Optional
  Tuning Guidance: N/A

HIPAA - Network Security Controls Access
  Purpose of Search: Data to confirm that systems or files containing network security controls and configurations are protected from unauthorized access.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: If the data returned by the search includes more systems than desired, the search filter can be narrowed to a specific log source.

HIPAA - New Accounts
  Purpose of Search: Data to verify that all newly created accounts are captured and retained.
  Supporting Object Types: Report
  List Required *: Optional
  Tuning Guidance: N/A

HIPAA - Physical Security Activity
  Purpose of Search: Data to verify that physical security logs are captured and retained.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: N/A

HIPAA - Privileged Account Activity
  Purpose of Search: Data to verify that all privileged account activities are logged within system components, in-scope data, and systems in relation to HIPAA.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: The list ‘HIPAA - Privileged Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches.

HIPAA - Privileged Account Modification
  Purpose of Search: Data to verify that all privileged account modifications are captured and retained.
  Supporting Object Types: Report
  List Required *: Yes
  Tuning Guidance: The list ‘HIPAA - Privileged Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches.

HIPAA - Security Controls Monitoring
  Purpose of Search: Data to verify that security monitoring (intrusion detection and prevention techniques) and alerts are in place.
  Supporting Object Types: Report, Dashboard
  List Required *: Optional
  Tuning Guidance: If only a subset of LogRhythm Threat Detection analytics is being used, a custom list could be used to exclude the other analytics. For tuning guidance related to analytics rules, refer to the MITRE ATT&CK Module.

HIPAA - Shared Account Activity
  Purpose of Search: Data to show shared account authentication activity, to demonstrate to management/auditors that use of shared accounts is limited.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: The list ‘HIPAA - Shared Accounts’ should be reviewed frequently to ensure all privileged account activity is captured by these searches.

HIPAA - System and Service Account Activity
  Purpose of Search: Data to verify that system and service account activity is logged and aligns with the principle of least privilege.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: The list ‘HIPAA - System and Service Accounts’ should be reviewed frequently to ensure all privileged account activity is captured by these searches.

HIPAA - System-Level Object Activity
  Purpose of Search: Data to demonstrate that all system-level object creation and deletion is captured.
  Supporting Object Types: Report, Dashboard
  List Required *: Optional
  Tuning Guidance: This search could be updated to focus on specific systems and/or file locations by using a custom list. If a FIM solution is in place to monitor this activity, it is highly recommended that this search be updated either to use that log source specifically or to be tuned for the events it generates.

HIPAA - Third-Party Activity
  Purpose of Search: Data to show all third-party access and activity during a period of time.
  Supporting Object Types: Report, Dashboard
  List Required *: Yes
  Tuning Guidance: The list ‘HIPAA - Third-Party Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches.

* Searches can be modified to remove the list requirement, especially if all logged users and systems are in-scope for a given framework. Please note that searches are based on common event activity and without list filtering could become noisy and/or include more data than is necessary.
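The note above describes two failure modes a practitioner should check for after populating the lists: a search without list filtering returns everything, and a log with no common event assigned never matches an event-based search at all. The following constructed Python model is an added example, not Axon code and not its search syntax; the log records, list names and field names are hypothetical and stand in for the bundle's saved searches, system lists, the Common Event Health check and the in-scope coverage check described under Validate Dashboard Output.

```python
"""Toy model of how this bundle's searches scope data (constructed example, not Axon).

A saved search matches records on their common event, then a HIPAA system list
narrows the result to in-scope hosts or strips excluded accounts. Records that
carry no common event at all never match any event-based search, which is the
gap the 'HIPAA - Common Event Health' search exists to surface.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class LogRecord:
    log_source: str
    origin_account: str
    target_host: str
    common_event: Optional[str]  # None models a log with no common event assigned


# Constructed sample records; hostnames, accounts and sources are invented.
SAMPLE_LOGS: List[LogRecord] = [
    LogRecord("win-dc01-security", "jsmith", "ehr-db-01", "Authentication Failure"),
    LogRecord("win-dc01-security", "svc-backup", "ehr-db-01", "Authentication Failure"),
    LogRecord("win-dc01-security", "jsmith", "wiki-01", "Authentication Failure"),
    LogRecord("fw-edge-01", "", "ehr-db-01", "Allowed Connection"),
    # Two logs from a custom app that the parser never assigned a common event to.
    LogRecord("custom-app-01", "amartin", "ehr-db-01", None),
    LogRecord("custom-app-01", "amartin", "ehr-db-01", None),
]

# Hypothetical system lists. The page says these ship empty and are populated
# per environment; 'ehr-app-02' is in scope but has sent no logs in this sample.
SYSTEM_LISTS: Dict[str, Set[str]] = {
    "HIPAA - In-scope Data Systems": {"ehr-db-01", "ehr-app-02"},
    "HIPAA - System & Service Accounts": {"svc-backup"},
}


def saved_search(logs: Iterable[LogRecord], common_events: Set[str],
                 host_list: Optional[str] = None,
                 exclude_account_list: Optional[str] = None) -> List[LogRecord]:
    """Match on common event; optionally scope to hosts in a system list and drop
    accounts found in another list (the 'custom list' tuning the page describes)."""
    in_scope = SYSTEM_LISTS.get(host_list) if host_list else None
    excluded = SYSTEM_LISTS.get(exclude_account_list, set()) if exclude_account_list else set()
    matched = []
    for rec in logs:
        if rec.common_event not in common_events:   # None never matches
            continue
        if in_scope is not None and rec.target_host not in in_scope:
            continue
        if rec.origin_account in excluded:
            continue
        matched.append(rec)
    return matched


def common_event_health(logs: Iterable[LogRecord],
                        exclude_sources: Iterable[str] = ()) -> Dict[str, int]:
    """Count records per log source that have no common event. These records are
    invisible to every event-based search above, so the count should be driven
    toward zero (or the source consciously excluded as out of scope)."""
    skip = set(exclude_sources)
    counts: Dict[str, int] = {}
    for rec in logs:
        if rec.common_event is None and rec.log_source not in skip:
            counts[rec.log_source] = counts.get(rec.log_source, 0) + 1
    return counts


def silent_in_scope_hosts(logs: Iterable[LogRecord], host_list: str) -> Set[str]:
    """Hosts present in a system list that produced no records in the period.
    An empty dashboard widget for such a host is a logging gap, not a clean bill."""
    seen = {rec.target_host for rec in logs}
    return SYSTEM_LISTS.get(host_list, set()) - seen


if __name__ == "__main__":
    scoped = saved_search(SAMPLE_LOGS, {"Authentication Failure"},
                          host_list="HIPAA - In-scope Data Systems",
                          exclude_account_list="HIPAA - System & Service Accounts")
    print("in-scope auth failures:", [(r.origin_account, r.target_host) for r in scoped])
    print("sources with no common event:", common_event_health(SAMPLE_LOGS))
    print("silent in-scope hosts:", silent_in_scope_hosts(SAMPLE_LOGS, "HIPAA - In-scope Data Systems"))
```

Note that amartin's two accesses to the in-scope host never appear in the scoped search; only the health count reveals them.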

LogRhythm System Lists

The below table contains all the lists used in this content bundle. Each entry gives the list's purpose, examples of the systems and users that should be included, and the searches that use the list.

Each entry below lists the list name, followed by: Purpose of List, Examples, and Linked Searches.

HIPAA - In-scope Data Systems
  Purpose of List: This list should be populated with systems that contain in-scope data in your environment.
  Examples: Any systems containing in-scope data, including databases.
  Linked Searches: HIPAA - Authentication Failures; HIPAA - In-scope Data Environment Access; HIPAA - In-scope Data Environment Activity; HIPAA - Common Event Health

HIPAA - Physical Security Systems
  Purpose of List: This list should be populated with physical security systems (badge/card readers and door access).
  Examples: Any system used to authenticate access to physical locations.
  Linked Searches: HIPAA - Physical Security Activity; HIPAA - Common Event Health

HIPAA - Network Security Systems
  Purpose of List: This list should be populated with production network security systems.
  Examples: Firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning.
  Linked Searches: HIPAA - Firewall Configuration Changes; HIPAA - Firewall Activity; HIPAA - Anti-Malware Audit Activity; HIPAA - Network Security Controls Access; HIPAA - Common Event Health

HIPAA - Privileged Users
  Purpose of List: This list should be populated with all privileged accounts and updated based on periodic reviews.
  Examples: Any user with privileged access to production systems.
  Linked Searches: HIPAA - Privileged Account Activity; HIPAA - Privileged Account Modification

HIPAA - Third-Party Users
  Purpose of List: This list should be populated with contractors, vendors, and other third-party members.
  Examples: Any users that are considered contractors, vendors, or third parties to your organization.
  Linked Searches: HIPAA - Third-Party Activity

HIPAA - Shared Accounts
  Purpose of List: This list should be populated with any user accounts that have been identified as shared accounts.
  Examples: Any account that multiple people have access to.
  Linked Searches: HIPAA - Shared Account Activity

HIPAA - System & Service Accounts
  Purpose of List: This list should be populated with default, service, and automation accounts.
  Examples: Any account that is a system default, a service account, or an automation account.
  Linked Searches: HIPAA - System and Service Account Activity

Reports

The below table contains all the recommended Reports for this content bundle.

Customers must enable reporting in the Saved Search for these reports to be produced on a recurring basis.

Each entry below lists the search name, followed by: HIPAA Statutes, Use of Report, Recommended Audience, and Recommended Scheduling *.

HIPAA - Anti-Malware Audit Activity
  HIPAA Statutes: §164.312(b)
  Use of Report: This report contains log data from the anti-malware solution, which can be reviewed by management or provided to auditors as evidence of captured and retained log data.
  Recommended Audience: Management & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - In-scope Data Environment Activity
  HIPAA Statutes: §164.308(a)(3), §164.308(a)(4)
  Use of Report: This report captures data to verify that all activities taking place within system components and in-scope data are logged. It can be reviewed by management or provided to auditors as evidence of CDE log activity.
  Recommended Audience: Management & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - In-scope Data Environment Access
  HIPAA Statutes: §164.308(a)(3), §164.308(a)(4)
  Use of Report: This report contains data to verify that all individual user access to in-scope data is logged. The report can be used by management for periodic reviews or provided to auditors as evidence of all access to the CDE.
  Recommended Audience: Management & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Elevated Privileges
  HIPAA Statutes: §164.308(a)(3), §164.308(a)(4), §164.312(a)
  Use of Report: This report contains data to verify that all elevations of privileges are captured and retained. Analysts can use it to review and investigate anomalous usage of elevated privileges; management can use it for periodic reviews; auditors can use it as proof of evidence and retention.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Authentication Failures
  HIPAA Statutes: §164.312(b)
  Use of Report: This report contains data to verify that all invalid authentication attempts are captured and retained. Analysts can use it to review and investigate anomalous authentication activity; management can use it for periodic reviews; auditors can use it as evidence of logging and retention.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Firewall Activity
  HIPAA Statutes: §164.312(e)(1)
  Use of Report: This report contains data to confirm that traffic and behavior match expected activity. Analysts can use it to monitor activity that is not approved; management can use it for periodic reviews; auditors can use it as proof of logging and that the data aligns with system configurations.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Firewall Configuration Changes
  HIPAA Statutes: §164.312(c)
  Use of Report: This report contains changes to firewall configurations. Analysts can use it to review and investigate unusual configuration change activity; management can use it for periodic reviews; auditors can use it as evidence that changes follow documented procedures and/or as a population of changes to verify via testing.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Common Event Health
  HIPAA Statutes: §164.312(b)
  Use of Report: This report contains data to help customers ensure that their audit data will be complete and accurate. Searches are largely based on common events, and logs without assigned events could be missing from searches. Management can use the report for periodic reviews, and auditors can use it to help support that report data is complete and accurate.
  Recommended Audience: Management & Auditors
  Recommended Scheduling *: Monthly

HIPAA - Axon Audit Logs
  HIPAA Statutes: §164.312(b)
  Use of Report: This report contains data to verify that access to all audit logs is captured. Management can use it for periodic reviews of activity in the Axon environment, and auditors can use it as proof of evidence and retention of audit log data.
  Recommended Audience: Management & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Malware Activity
  HIPAA Statutes: §164.312(c)
  Use of Report: This report contains data related to potential malware, to evidence the effectiveness of anti-malware solutions. Analysts can use it to monitor malware activity; management can use it for periodic reviews of malware activity and mitigation; auditors can use it as evidence of logging.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Network Security Controls Access
  HIPAA Statutes: §164.312(c)
  Use of Report: This report contains data to confirm that network security files are protected from unauthorized access. Analysts can use it to review and investigate anomalous access to network security control environments and configuration files; management can use it for periodic reviews; auditors can use it as evidence of logging.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - New Accounts
  HIPAA Statutes: §164.312(a)
  Use of Report: This report contains data to verify that all newly created accounts are captured and retained. Management can use it for periodic reviews, and auditors can use it as proof that new users are logged.
  Recommended Audience: Management & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Physical Security Activity
  HIPAA Statutes: §164.310(a)
  Use of Report: This report contains data to verify that physical security logs are captured and retained. Analysts can use it to review physical access to sensitive areas within an in-scope data environment; management can use it for periodic reviews; auditors can use it as evidence of logging.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Monthly

HIPAA - Privileged Account Activity
  HIPAA Statutes: §164.308(a)(3)
  Use of Report: This report contains data to verify that all privileged account activities are logged within system components, in-scope data, and systems in relation to HIPAA. Analysts can use it to review and investigate anomalous privileged activity; management can use it for periodic reviews; auditors can use it as evidence of logging or to verify via testing.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Monthly

HIPAA - Privileged Account Modification
  HIPAA Statutes: §164.312(a)
  Use of Report: This report contains data to verify all privileged account modifications. Management can use it for periodic reviews, and auditors can use it as proof of logging.
  Recommended Audience: Management & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Security Controls Monitoring
  HIPAA Statutes: §164.312(b)
  Use of Report: This report contains data to verify that security monitoring (intrusion detection and prevention techniques) and alerts are in place. Analysts can use it to review and investigate anomalous usage of elevated privileges; management can use it for periodic reviews; auditors can use it as evidence of logging or to verify via testing.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Shared Account Activity
  HIPAA Statutes: §164.312(a)
  Use of Report: This report contains data to show shared account activity, to demonstrate to management/auditors that use of shared accounts is limited. Analysts can use it to review and investigate anomalous usage of shared account privileges; management can use it for periodic reviews; auditors can use it to demonstrate limited usage.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - System and Service Account Activity
  HIPAA Statutes: §164.312(a)
  Use of Report: This report contains data to verify that system and service account activity is logged and aligns with the principle of least privilege. Analysts can use it to review activity that is anomalous for the privileges of the related system and service accounts; management can use it for periodic reviews; auditors can use it as evidence that accounts are limited to their privileges.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - System-Level Object Activity
  HIPAA Statutes: §164.312(c)(1)
  Use of Report: This report contains data to demonstrate that all system-level object creation and deletion is captured. Analysts can use it to review creation, deletion, and modification; unexpected changes to these files can compromise system security. Management can use it for periodic reviews, and auditors can use it as evidence that no files were changed.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

HIPAA - Third-Party Activity
  HIPAA Statutes: §164.312(a)
  Use of Report: This report contains data to show all third-party access and activity during a period of time. Analysts can use it to review and investigate anomalous third-party activity; management can use it for periodic reviews; auditors can use it as evidence of captured third-party activity.
  Recommended Audience: Management, Analysts, & Auditors
  Recommended Scheduling *: Quarterly

* HIPAA does not prescribe a specific review period for most controls. The frequency of periodic reviews should be determined by the entity as appropriate for the size and complexity of their environment. As such, these are recommendations based on an average review schedule.

Dashboards

The two dashboards contained in this bundle are targeted at different users of the Axon platform. The HIPAA - Analyst dashboard is intended for power users of the Axon platform performing active monitoring and contains data they might need during the course of their work. The HIPAA - Management dashboard is intended for users who might not be in Axon on a day-to-day basis but need an understanding of platform health and the activities being performed on the platform. Widgets and the underlying searches from either dashboard can be incorporated and used by any Axon user to fit their needs. The default time period for the management dashboard is the last 7 days' worth of log data, and for the analyst dashboard the last 24 hours of data. It is recommended that analysts and management use the date and time picker to evaluate multiple time periods for which the dashboard displays results throughout monitoring.

The below tables contain details of the two dashboards. Each widget and the underlying search are listed with tuning guidance for customers to optimize their dashboard deployment.

HIPAA - Analyst Dashboard Widgets

Each entry below lists the search name, followed by: HIPAA Statutes, Use of Widget, Widget Type, and Tuning Guidance.

HIPAA - Elevated Privileges
  HIPAA Statutes: §164.308(a)(3)
  Use of Widget: Audit logs for elevations of privileges are required to be captured and maintained. This widget should be monitored for anomalous usage of elevated privileges.
  Widget Type: Bar Chart
  Tuning Guidance: Widget metrics are set to view origin account name and the target host. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - Firewall Activity
  HIPAA Statutes: §164.312(e)(1)
  Use of Widget: Firewall services, protocols, and ports should have a defined and approved business need. Monitor this widget for activity that is not approved.
  Widget Type: Tree Map
  Tuning Guidance: Widget metrics are set to view Network Protocol Name and the target host IP Port. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - Firewall Configuration Changes
  HIPAA Statutes: §164.312(c)
  Use of Widget: Firewall configurations should be approved and managed through a change control process. Monitor this widget for unusual configuration change activity.
  Widget Type: Trend Chart
  Tuning Guidance: The widget metric shows the trend as a linear curved graph to indicate trends in firewall configuration changes. If additional detail of activity is needed, change the widget style to bar chart and add metrics.

HIPAA - Malware Activity
  HIPAA Statutes: §164.312(c)
  Use of Widget: Anti-malware solutions should periodically scan, detect, block, and remove known malware. Monitor this widget for malware activity.
  Widget Type: Donut Chart
  Tuning Guidance: Widget metrics are set to view Threat Severity and Policy Name to indicate the priority of the threat and the policy affected. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - Network Security Controls Access
  HIPAA Statutes: §164.312(c)
  Use of Widget: Monitor this widget for users that should not have access to network control systems or network configuration files, and investigate unfamiliar users.
  Widget Type: Bar Chart
  Tuning Guidance: Widget metrics are set to view origin account name and the target host. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - Physical Security Activity
  HIPAA Statutes: §164.310(a)
  Use of Widget: Physical access to sensitive areas within an in-scope data environment is to be monitored.
  Widget Type: Bar Chart
  Tuning Guidance: The widget metric is set to view origin account name. If the physical security log source contains entry and exit data, adjust the sub metric to include this field information.

HIPAA - Privileged Account Activity
  HIPAA Statutes: §164.308(a)(3)
  Use of Widget: Privileged account activity is required to be captured and retained. Monitor this widget for anomalous behavior.
  Widget Type: Donut Chart
  Tuning Guidance: Widget metrics are set to view origin account name and common event. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - Security Controls Monitoring
  HIPAA Statutes: §164.312(b)
  Use of Widget: Monitor this widget for activity that could indicate compromise. Visit LogRhythm Threat Detection Rules for more information on Threat Detection Analytics by LogRhythm.
  Widget Type: Bar Chart
  Tuning Guidance: Widget metrics are set to view origin account name and the target host. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - Shared Account Activity
  HIPAA Statutes: §164.312(a)
  Use of Widget: Shared accounts should only be used when necessary, on an exception basis. This widget should be monitored for anomalous levels of shared account activity.
  Widget Type: Trend Chart
  Tuning Guidance: The widget metric shows the trend as a linear curved graph to indicate trends in shared account activity. If additional detail of activity is needed, change the widget style to bar chart and add metrics.

HIPAA - System and Service Account Activity
  HIPAA Statutes: §164.312(a)
  Use of Widget: System and service accounts should be limited to least privilege. This widget should be monitored for activity that is anomalous for the privileges of the related system and service accounts.
  Widget Type: Bar Chart
  Tuning Guidance: Widget metrics are set to view origin account name and the common event. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - System-Level Object Activity
  HIPAA Statutes: §164.312(c)(1)
  Use of Widget: Critical files and system-level objects should be monitored for creation, deletion, and modification. Unexpected changes to these files can compromise system security.
  Widget Type: Bar Chart
  Tuning Guidance: Widget metrics are set to view Target Host Name and the common event. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

HIPAA - Third-Party Activity
  HIPAA Statutes: §164.312(a)
  Use of Widget: Third-party activity in HIPAA environments should be monitored for unexpected activity.
  Widget Type: Bar Chart
  Tuning Guidance: Widget metrics are set to view origin account name and the common event. Adjust the chart's primary and sub metric depending on log source parsing and the desired field information.

Management Dashboard Widgets

Each entry below lists the search name, followed by: HIPAA Statutes, Use of Widget, Widget Type, and Tuning Guidance.

HIPAA - Axon Audit Logs
  HIPAA Statutes: §164.312(b)
  Use of Widget: Audit logs should capture all access to audit data, and read access to that data should be limited to those with a job-related need. Monitor these widgets for unexpected users and actions taken.
  Widget Type: Bar Chart, Donut Chart
  Tuning Guidance: The donut chart widget is set to view origin account name and the action command statement, to show which users are taking actions and which actions are being taken. The bar chart widget is set to view action type and the action command statement, to show what types of Axon objects are having actions taken on them. Adjust the chart's primary and sub metric for the desired field information within the audit logs.

HIPAA - Common Event Health
  HIPAA Statutes: §164.312(b)
  Use of Widget: All compliance searches are based on the common event schema. Logs without event assignment could be excluded from widgets and/or reports. Monitor these widgets for logs and log sources without event assignment and correct as needed.
  Widget Type: Trend Chart, Bar Chart
  Tuning Guidance: The trend chart widget shows the trend as a linear curved graph to indicate trends in logs without common event assignment. The bar chart widget is set to view log source type and the log source, to show which types of log sources lack event assignment and which specific log sources of that type lack common event assignment. Adjust the chart's primary and sub metric for the desired field information.

Additional Axon Support

The below sections contain additional product features and functionality that can help customers support their HIPAA compliance.

Log Integrity, Availability, & Security

Users of Axon do not have the capability to delete log data from the application interface, ensuring the integrity of logs collected. Additionally, LogRhythm issues a SOC 2, Type 2 report for the Axon Platform that includes controls relevant to the Security, Availability, and Confidentiality of customer data. This inability to modify log data and SOC 2 attestation supports HIPAA statute §164.312(b) related to Audit Log integrity, availability, and security. Customers interested in reviewing the Axon SOC 2 attestation can request access to a copy through their account representative.

Log Retention

LogRhythm Axon licensing options allow customers to fit their personal log retention needs. HIPAA statute §164.312(b) requires that businesses record and examine activity in information systems that contain or use electronic protected health information. To ensure this HIPAA requirement is met, customers should confirm their licensing Time-to-Live (TTL) options with their account representative.

Scheduled Reporting to Automate Log Review

LogRhythm’s reporting capabilities provide the flexibility of custom and pre-configured reports. The Scheduled Reporting feature allows you to regularly capture data from the Dashboard or from specific searches and deliver a report to selected recipients. Scheduled Reporting supports HIPAA statute §164.308(a)(1) by automating the delivery of the reports in this bundle, which provide the normalized and filtered data needed to complete log reviews.

Case Management

The Axon Case Management feature is a collaborative forensic tool for creating cases to track and document suspicious logs that are believed to be related to the same threat. The ability to create, own, and update cases, as well as to collaborate on cases that are created and owned by others, is available to all Axon users by default. Case Management supports HIPAA statute §164.308(a)(1) by facilitating the review process for exceptions and anomalies.

Silent Log Source Alerting

The Axon Silent Log Source Alerting feature can be used to alert personnel if specific data sources stop sending data for a configurable amount of time. A log source that has not sent data for a specified amount of time is referred to as a “silent log source.” Silent Log Source Alerting supports HIPAA statute §164.312(b) by alerting to potential audit logging process failure.
