
Healthcare Security – AI Engine Rules

| AI Engine Rule Name | Alarm | Rule Description | Rule ID | Notification Area | Corresponding Investigation | Directly Meet Requirements | Augment Requirements | Alarming | Log Sources |
|---|---|---|---|---|---|---|---|---|---|
| HSS: Physical Access Usage Rule | No | This AIE Rule creates events for physical security authentication successes and failures. | 950 | Audit : Authentication Success | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | No | Include All Log Sources |
| HSS: Door Access Success Rule | No | This AIE Rule provides details on physical door access within the organization infrastructure. Drilldowns from this rule can provide good door activity tracking evidence for sending to Cases within Case Management. | 951 | Audit : Access Success | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | No | Include All Log Sources |
| HSS: Workstation Device Driver Activity Rule | No | This AI Engine rule provides details on workstation driver errors and general activity. Attempts to use unapproved devices can be identified with this rule by evaluating the logging generated when device drivers are processed. | 952 | Operations : Information | HSS: Workstation Device Driver Inv | §164.310(b), §164.310(c) | §164.312(b) | No | Include All Log Sources |
| HSS: ePHI Abnormal Auth Rule | No | This rule builds a whitelist profile of the authentication activity to and from ePHI systems. If a new Origin Login is seen, or new hosts are involved in the authentication activity, the rule fires. | 953 | Security : Suspicious | HSS: Unapproved ePHI Account Access Inv | §164.312(a)(1), §164.312(e)(1), §164.308(a)(3), §164.308(a)(4), §13405(c), §495.6(d)(15) | §164.312(b) | No | HSS: Systems Containing ePHI |
| HSS: Abnormal Auth Behavior Rule | No | This rule first tracks which hosts an account typically authenticates to, then triggers when the account accesses a new host or hosts. | 954 | Security : Suspicious | HSS: User Authentication Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
| HSS: Disabled Admin Access Failure Rule | No | This rule fires when a recently disabled or deleted privileged user account unsuccessfully tries to authenticate or access resources on the network. | 955 | Security : Suspicious | HSS: Disabled Accounts Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
| HSS: Account Access Revoked Rule | No | This AIE Rule provides details on account access revocation (access revoked, account disabled, account locked, account removed from group, ownership revoked, and privilege revoked) within the organization infrastructure. | 956 | Audit : Access Revoked | HSS: Account Lockout Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
| HSS: Default Act Access Failure Rule | No | This AIE Rule provides details on default account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 957 | Audit : Access Failure | HSS: Default Account Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
| HSS: Default Act Access Success Rule | Yes | This AIE Rule provides details on default account access success (object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 958 | Audit : Access Success | HSS: Default Account Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Priv Act Access Failure Rule | Yes | This AIE Rule provides details on privileged account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 959 | Audit : Access Failure | HSS: Account Management Activity Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Priv Group Access Granted Rule | Yes | This AIE Rule provides details on access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) within the organization infrastructure. | 960 | Audit : Access Granted | HSS: Account Management Activity Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Recently Disabled Account with Access Failure Activity Rule | No | This AIE Rule provides details on recently disabled/deleted accounts failing to authenticate to or access resources. | 961 | Security : Suspicious | HSS: Disabled Accounts Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
| HSS: Term Act Access Failure Rule | Yes | This AIE Rule provides details on terminated account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 962 | Audit : Access Failure | HSS: Terminated Account Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Business Associate Act Access Failure Rule | Yes | This AIE Rule provides details on Business Associate account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 963 | Audit : Access Failure | HSS: Business Associate UAM Inv | §164.312(a)(1), §164.308(a)(3), §13405(b), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
| HSS: FIM Add Activity Rule | No | This AIE Rule creates events for all file integrity monitoring add activity. | 964 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: FIM Delete Activity Rule | No | This AIE Rule creates events for all file integrity monitoring delete activity. | 965 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: FIM Failure Alert | Yes | This AIE Rule creates events for all file integrity monitoring failure activity. | 966 | Operations : Error | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | Yes | HSS: File Integrity Monitoring Systems |
| HSS: FIM Group Change Activity Rule | No | This AIE Rule creates events for all file integrity monitoring group change activity. | 967 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: FIM Information Rule | No | This AIE Rule creates events for general file integrity monitoring information. | 968 | Operations : Information | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: FIM Modify Activity Rule | No | This AIE Rule creates events for all file integrity monitoring modify activity. | 969 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: FIM Owner Change Activity Rule | No | This AIE Rule creates events for all file integrity monitoring change of ownership activity. | 970 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: FIM Permission Activity Rule | No | This AIE Rule creates events for all file integrity monitoring change of permission activity. | 971 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: FIM Abnormal Activity | No | This AIE Rule creates events for all abnormal file integrity monitoring activity. | 972 | Security : Suspicious | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
| HSS: Ineligible Authentication Activity | No | This AI Engine Rule is designed to identify authentication attempts to EHR systems from accounts that do not qualify as Eligible Professional accounts. | 973 | Security : Suspicious | HSS: Ineligible EHR Account Access Inv | §164.312(d) | §164.312(b) | No | HSS: Systems Containing ePHI |
| HSS: Abnormal Amount of Data Transferred | No | This rule alerts whenever there is a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out for a specific host. | 974 | Operations : Warning | HSS: Security Event Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
| HSS: Large Out of Scope Data Transfer | Yes | This rule identifies a single host that is seen sending over 1GB of data out of the network within 30 minutes. | 975 | Security : Suspicious | HSS: Security Event Inv | §164.312(e)(1), §164.308(a)(4) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Vulnerability Rule | Yes | This AIE Rule provides details on known vulnerabilities within the organization infrastructure. | 976 | Security : Vulnerability | HSS: Vulnerabilities Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Suspicious Activity Rule | No | This AIE Rule provides details on suspicious activity. | 977 | Security : Suspicious | HSS: Suspicious Activity Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | No | Include All Log Sources |
| HSS: Misuse Rule | Yes | This AIE Rule provides details on misuse activity. | 978 | Security : Misuse | HSS: User Misuse Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Compromise Detected Rule | Yes | This AIE rule creates an event and alerts on potential compromises across the environment. | 979 | Security : Compromise | HSS: Compromises Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
| HSS: System Critical And Error Conditions Rule | Yes | This AIE rule creates an alert and generates an event for critical or error conditions encountered across all Log Sources. | 980 | Operations : Critical | HSS: System Critical And Error Conditions Inv | §164.310(d), §164.308(a)(1), §164.308(a)(7) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Attack Detected Rule | Yes | This AIE rule creates an event and alerts on known attacks or failed attack attempts across the environment. | 981 | Security : Attack | HSS: Attacks Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Unapproved Account Access Rule | No | This AIE Rule generates an event any time a non-privileged account successfully accesses protected HIPAA, HITECH, or Promoting Interoperability systems. | 982 | Security : Suspicious | HSS: Unapproved ePHI Account Access Inv | §164.308(a)(1) | §164.312(b) | No | Include All Log Sources |
| HSS: Terminated Account Activity Rule | No | This AIE Rule provides details on terminated accounts attempting to authenticate or access resources. | 983 | Security : Suspicious | HSS: Terminated Account Inv | §164.308(a)(1) | §164.312(b) | No | Include All Log Sources |
| HSS: Data Loss Prevention Rule | No | This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured. | 984 | Operations : Information | HSS: LogRhythm Data Loss Defender Log Inv | §164.308(a)(1), §164.308(a)(4), §164.308(a)(6) | §164.312(b) | No | Include All Log Sources |
| HSS: System Shutdown Rule | Yes | This AIE Rule provides details on system startup/shutdown activity within the organization infrastructure. | 985 | Audit : Startup and Shutdown | HSS: System Startup And Shutdown Inv | §164.310(d), §164.308(a)(1), §164.308(a)(7) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Eligible Professional Act Access Failure Rule | No | This AIE Rule provides details on Eligible Professional account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove). | 986 | Audit : Access Failure | HSS: Eligible Professional Activity Inv | §164.308(a)(1), §164.308(a)(4), §164.308(a)(6) | §164.312(b) | No | HSS: Certified EHR Technologies |
| HSS: Physical Access Failure Alert | Yes | This AIE Rule creates events for physical security authentication or access failures across the Physical Security Perimeter. | 987 | Audit : Access Failure | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Suspicious Door Access Alert | Yes | This AIE Rule provides details on physical door access. | 988 | Security : Suspicious | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Threat IP Access Attempt Alert | Yes | This rule alarms when a user makes multiple failed access attempts within a short time period in association with IP addresses from threat lists. | 989 | Security : Suspicious | HSS: ePHI Threat IP Activity Inv | §164.312(d), §164.312(e)(1), §164.308(a)(1), §164.308(a)(3), §164.308(a)(4) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Threat IP Auth Activity Alert | No | This rule alarms when a user attempts to access protected HIPAA, HITECH, and Promoting Interoperability systems in association with IP addresses from threat lists. | 990 | Audit : Authentication Success | HSS: ePHI Threat IP Activity Inv | §164.312(d), §164.312(e)(1), §164.308(a)(1), §164.308(a)(3), §164.308(a)(4) | §164.312(b) | No | Include All Log Sources |
| HSS: Ineligible Account Access to EHR Systems Alert | Yes | This AIE Rule generates an event any time a non-privileged account that does not qualify as an Eligible Professional account successfully accesses protected EHR systems. | 991 | Security : Suspicious | HSS: Ineligible EHR Account Access Inv | §164.308(a)(1) | §164.312(b) | Yes | HSS: Certified EHR Technologies |
| HSS: Malware Detected Alert | Yes | This AIE Rule is designed to alarm when malware has been detected. | 992 | Operations : Warning | HSS: Malware Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Suspicious Business Associate Activity | No | This rule identifies suspicious activity deriving specifically from Business Associate accounts associated with Covered Entity IPs. The Business Associates list can be removed to broaden alarming to all accounts associated with Covered Entity IPs. | 993 | Security : Suspicious | HSS: Business Associate UAM Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
| HSS: Covered Entity Act Access Fail Alert | Yes | This AIE rule alerts on the occurrence of any Covered Entity's (list) access failures to the organization's production environment, including remote access. The Business Associates list can be removed to broaden alarming to all accounts. | 994 | Audit : Access Failure | HSS: Covered Entity Acct Access Failure Inv | §164.312(a)(1), §164.308(a)(3), §13402(b), §13405(b), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Covered Entity Auth Failure Alert | Yes | This AIE rule alerts on the occurrence of any Covered Entity's (list) authentication failures to the organization's production environment, including remote access. The Business Associates list can be removed to broaden alarming to all accounts. | 995 | Audit : Authentication Failure | HSS: Covered Entity Acct Auth Failure Inv | §164.312(a)(1), §164.308(a)(3), §13402(b), §13405(b), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Backup Failure Alert | Yes | This rule alarms when more than 10 backup failure events are detected. | 996 | Operations : Error | HSS: ePHI and Backup System Failure/Error Inv | §164.310(d), §164.308(a)(1), §164.308(a)(7), §164.316(b)(1) | §164.312(b) | Yes | HSS: Systems Containing ePHI |
| HSS: TST Environment Error Alert | No | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Test Systems (entity structure). This rule assists with change management testing procedures. | 997 | Operations : Critical | HSS: TST Environment Error Inv | §13201(a), §13201(b) | §164.312(b) | No | Include All Log Sources |
| HSS: TST Activity | Yes | This AIE rule creates a common event any time ten or more activity logs are received within five minutes from the systems or servers assigned to the Test Systems (entity structure). This rule assists with change management testing procedures. | 998 | Security : Activity | HSS: TST AIE Inv | §13201(a), §13201(b) | §164.312(b) | Yes | Include All Log Sources |
| HSS: TST Logon Failure | Yes | This AIE rule creates a common event any time a logon failure occurs on systems or servers assigned to the Test Systems (entity structure). This rule assists with change management testing procedures. | 999 | Security : Failed Attack | HSS: TST Authentication Failure Inv | §13201(a), §13201(b) | §164.312(b) | Yes | Include All Log Sources |
| HSS: TST Logon Success | Yes | This AIE rule creates a common event any time a logon success occurs on systems or servers assigned to the Test Systems (entity structure). This rule assists with change management testing procedures. | 1000 | Security : Compromise | HSS: TST Authentication Success Inv | §13201(a), §13201(b) | §164.312(b) | Yes | Include All Log Sources |
| HSS: Primary Eligible Professional Utilization Statistics | No | This statistical rule is designed to determine whether or not an Eligible Professional is utilizing certified EHR technologies. Low access activity or an unusually high amount of access activity is monitored over a span of 7 days. | 1001 | Security : Activity | HSS: Eligible Professional Activity Inv | §495.6(d)(1), §495.6(d)(2), §495.6(d)(4), §495.6(d)(11), §495.6(d)(12), §495.6(d)(14), §495.6(e)(9), §495.6(e)(10), §495.6(e)(1), §495.6(e)(5) | §164.312(b) | No | HSS: Certified EHR Technologies |
| HSS: Secondary Eligible Professional Utilization Statistics | No | This statistical rule is designed to determine whether or not an Eligible Professional is utilizing certified EHR technologies. Low access activity or an unusually high amount of access activity is monitored over a span of 7 days. | 1002 | Security : Activity | HSS: Eligible Professional Activity Inv | §495.6(d)(1), §495.6(d)(2), §495.6(d)(4), §495.6(d)(11), §495.6(d)(12), §495.6(d)(14), §495.6(e)(9), §495.6(e)(10), §495.6(e)(1), §495.6(e)(5) | §164.312(b) | No | HSS: Certified EHR Technologies |
