Healthcare Security – AI Engine Rules
AI Engine Rule Name | Alarm | Rule Description | Rule ID | Notification Area | Corresponding Investigation | Directly Meet Requirements | Augment Requirements | Alarming | Log Sources |
---|---|---|---|---|---|---|---|---|---|
HSS: Physical Access Usage Rule | No | This AIE Rule creates events for physical security authentication successes and failures. | 950 | Audit : Authentication Success | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | No | Include All Log Sources |
HSS: Door Access Success Rule | No | This AIE Rule provides details on physical door access within the organization infrastructure. Drilldowns from this rule can provide good door activity tracking evidence for sending to Cases, within Case Management. | 951 | Audit : Access Success | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | No | Include All Log Sources |
HSS: Workstation Device Driver Activity Rule | No | This AI Engine rule provides details on workstation driver errors and general activity. Attempts to utilize unapproved devices can be identified with this rule, by evaluating the logging generated when device drivers are being processed. | 952 | Operations : Information | HSS: Workstation Device Driver Inv | §164.310(b), §164.310(c) | §164.312(b) | No | Include All Log Sources |
HSS: ePHI Abnormal Auth Rule | No | This rule will build a whitelist profile of the authentication activity to and from ePHI systems. If a new Origin Login is seen, or new hosts are involved in the authentication activity, the rule will fire. | 953 | Security : Suspicious | HSS: Unapproved ePHI Account Access Inv | §164.312(a)(1), §164.312(e)(1), §164.308(a)(3), §164.308(a)(4), §13405(c), §495.6(d)(15) | §164.312(b) | No | HSS: Systems Containing ePHI |
HSS: Abnormal Auth Behavior Rule | No | This rule first tracks which hosts an account typically authenticates to. It then triggers when the account accesses a new host or hosts. | 954 | Security : Suspicious | HSS: User Authentication Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
HSS: Disabled Admin Access Failure Rule | No | This rule will fire when a recently disabled or deleted privileged user account tries to authenticate or access resources on the network unsuccessfully. | 955 | Security : Suspicious | HSS: Disabled Accounts Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
HSS: Account Access Revoked Rule | No | This AIE Rule provides details on account access revocation (access revoked, account disabled, account locked, account removed from group, ownership revoked, and privilege revoked) within the organization infrastructure. | 956 | Audit : Access Revoked | HSS: Account Lockout Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
HSS: Default Act Access Failure Rule | No | This AIE Rule provides details on default account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 957 | Audit : Access Failure | HSS: Default Account Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
HSS: Default Act Access Success Rule | Yes | This AIE Rule provides details on default account access success (object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 958 | Audit : Access Success | HSS: Default Account Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
HSS: Priv Act Access Failure Rule | Yes | This AIE Rule provides details on privileged account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 959 | Audit : Access Failure | HSS: Account Management Activity Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
HSS: Priv Group Access Granted Rule | Yes | This AIE Rule provides details on access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) within the organization infrastructure. | 960 | Audit : Access Granted | HSS: Account Management Activity Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
HSS: Recently Disabled Account with Access Failure Activity Rule | No | This AIE Rule provides details on recently disabled/deleted accounts failing to authenticate/access resources. | 961 | Security : Suspicious | HSS: Disabled Accounts Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
HSS: Term Act Access Failure Rule | Yes | This AIE Rule provides details on terminated account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 962 | Audit : Access Failure | HSS: Terminated Account Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
HSS: Business Associate Act Access Failure Rule | Yes | This AIE Rule provides details on Business Associate account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove) within the organization infrastructure. | 963 | Audit : Access Failure | HSS: Business Associate UAM Inv | §164.312(a)(1), §164.308(a)(3), §13405(b), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
HSS: FIM Add Activity Rule | No | This AIE Rule creates events for all file integrity monitoring add activity. | 964 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: FIM Delete Activity Rule | No | This AIE Rule creates events for all file integrity monitoring delete activity. | 965 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: FIM Failure Alert | Yes | This AIE Rule creates events for all file integrity monitoring failure activity. | 966 | Operations : Error | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | Yes | HSS: File Integrity Monitoring Systems |
HSS: FIM Group Change Activity Rule | No | This AIE Rule creates events for all file integrity monitoring group change activity. | 967 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: FIM Information Rule | No | This AIE Rule creates events for general file integrity monitoring information. | 968 | Operations : Information | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: FIM Modify Activity Rule | No | This AIE Rule creates events for all file integrity monitoring modify activity. | 969 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: FIM Owner Change Activity Rule | No | This AIE Rule creates events for all file integrity monitoring change of ownership activity. | 970 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: FIM Permission Activity Rule | No | This AIE Rule creates events for all file integrity monitoring change of permission activity. | 971 | Security : Activity | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: FIM Abnormal Activity | No | This AIE Rule creates events for all abnormal file integrity monitoring activity. | 972 | Security : Suspicious | HSS: File Integrity Monitor Inv | §164.312(c)(1), §164.308(a)(6) | §164.312(b) | No | HSS: File Integrity Monitoring Systems |
HSS: Ineligible Authentication Activity | No | This AI Engine Rule is designed to identify authentication attempts to EHR systems from accounts that do not qualify as Eligible Professional accounts. | 973 | Security : Suspicious | HSS: Ineligible EHR Account Access Inv | §164.312(d) | §164.312(b) | No | HSS: Systems Containing ePHI |
HSS: Abnormal Amount of Data Transferred | No | This rule alerts whenever a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out is observed from a specific host. | 974 | Operations : Warning | HSS: Security Event Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
HSS: Large Out of Scope Data Transfer | Yes | This rule identifies when a single host is seen sending more than 1 GB of data out of the network within 30 minutes. | 975 | Security : Suspicious | HSS: Security Event Inv | §164.312(e)(1), §164.308(a)(4) | §164.312(b) | Yes | Include All Log Sources |
HSS: Vulnerability Rule | Yes | This AIE Rule provides details on known vulnerabilities within the organization infrastructure. | 976 | Security : Vulnerability | HSS: Vulnerabilities Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
HSS: Suspicious Activity Rule | No | This AIE Rule provides details on suspicious activity. | 977 | Security : Suspicious | HSS: Suspicious Activity Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | No | Include All Log Sources |
HSS: Misuse Rule | Yes | This AIE Rule provides details on misuse activity. | 978 | Security : Misuse | HSS: User Misuse Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
HSS: Compromise Detected Rule | Yes | This AIE rule creates an event and alerts on potential compromises across the environment. | 979 | Security : Compromise | HSS: Compromises Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
HSS: System Critical And Error Conditions Rule | Yes | This AIE rule creates an alert and generates an event for critical or error conditions encountered across all Log Sources. | 980 | Operations : Critical | HSS: System Critical And Error Conditions Inv | §164.310(d), §164.308(a)(1), §164.308(a)(7) | §164.312(b) | Yes | Include All Log Sources |
HSS: Attack Detected Rule | Yes | This AIE rule creates an event and alerts on known attacks or failed attack attempts across the environment. | 981 | Security : Attack | HSS: Attacks Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
HSS: Unapproved Account Access Rule | No | This AIE Rule generates an event any time a non-privileged account successfully accesses protected HIPAA, HITECH, or Promoting Interoperability systems. | 982 | Security : Suspicious | HSS: Unapproved ePHI Account Access Inv | §164.308(a)(1) | §164.312(b) | No | Include All Log Sources |
HSS: Terminated Account Activity Rule | No | This AIE Rule provides details on terminated accounts attempting to authenticate or access resources. | 983 | Security : Suspicious | HSS: Terminated Account Inv | §164.308(a)(1) | §164.312(b) | No | Include All Log Sources |
HSS: Data Loss Prevention Rule | No | This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured. | 984 | Operations : Information | HSS: LogRhythm Data Loss Defender Log Inv | §164.308(a)(1), §164.308(a)(4), §164.308(a)(6) | §164.312(b) | No | Include All Log Sources |
HSS: System Shutdown Rule | Yes | This AIE Rule provides details on system startup/shutdown activity within the organization infrastructure. | 985 | Audit : Startup and Shutdown | HSS: System Startup And Shutdown Inv | §164.310(d), §164.308(a)(1), §164.308(a)(7) | §164.312(b) | Yes | Include All Log Sources |
HSS: Eligible Professional Act Access Failure Rule | No | This AIE Rule provides details on Eligible Professional account access failure activity (failed object access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove). | 986 | Audit : Access Failure | HSS: Eligible Professional Activity Inv | §164.308(a)(1), §164.308(a)(4), §164.308(a)(6) | §164.312(b) | No | HSS: Certified EHR Technologies |
HSS: Physical Access Failure Alert | Yes | This AIE Rule creates events of physical security authentication or access failures across the Physical Security Perimeter. | 987 | Audit : Access Failure | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | Yes | Include All Log Sources |
HSS: Suspicious Door Access Alert | Yes | This AIE Rule provides details on physical door access. | 988 | Security : Suspicious | HSS: Physical Security Auth Activity Inv | §164.310(a)(1) | §164.312(b) | Yes | Include All Log Sources |
HSS: Threat IP Access Attempt Alert | Yes | This rule alarms when a user makes multiple failed access attempts within a short time period, in association with IP addresses from threat lists. | 989 | Security : Suspicious | HSS: ePHI Threat IP Activity Inv | §164.312(d), §164.312(e)(1), §164.308(a)(1), §164.308(a)(3), §164.308(a)(4) | §164.312(b) | Yes | Include All Log Sources |
HSS: Threat IP Auth Activity Alert | No | This rule alarms when a user makes attempts to access protected HIPAA, HITECH, and Promoting Interoperability systems, in association with IP addresses from threat lists. | 990 | Audit : Authentication Success | HSS: ePHI Threat IP Activity Inv | §164.312(d), §164.312(e)(1), §164.308(a)(1), §164.308(a)(3), §164.308(a)(4) | §164.312(b) | No | Include All Log Sources |
HSS: Ineligible Account Access to EHR Systems Alert | Yes | This AIE Rule generates an event any time a non-privileged account that does not qualify as an Eligible Professional account successfully accesses protected EHR systems. | 991 | Security : Suspicious | HSS: Ineligible EHR Account Access Inv | §164.308(a)(1) | §164.312(b) | Yes | HSS: Certified EHR Technologies |
HSS: Malware Detected Alert | Yes | This AIE Rule is designed to alarm when malware has been detected. | 992 | Operations : Warning | HSS: Malware Detected Inv | §164.308(a)(1), §164.308(a)(6) | §164.312(b) | Yes | Include All Log Sources |
HSS: Suspicious Business Associate Activity | No | This rule identifies suspicious activity deriving specifically from Business Associate accounts associated with Covered Entity IPs. The Business Associates list can be removed to broaden alarming to all accounts associated with Covered Entity IPs. | 993 | Security : Suspicious | HSS: Business Associate UAM Inv | §164.312(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | §164.312(b) | No | Include All Log Sources |
HSS: Covered Entity Act Access Fail Alert | Yes | This AIE rule alerts on the occurrence of any Covered Entity's (list) access failures to the organization's production environment, including remote access. The Business Associates list can be removed to broaden alarming to all accounts. | 994 | Audit : Access Failure | HSS: Covered Entity Acct Access Failure Inv | §164.312(a)(1), §164.308(a)(3), §13402(b), §13405(b), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
HSS: Covered Entity Auth Failure Alert | Yes | This AIE rule alerts on the occurrence of any Covered Entity's (list) authentication failures to the organization's production environment, including remote access. The Business Associates list can be removed to broaden alarming to all accounts. | 995 | Audit : Authentication Failure | HSS: Covered Entity Acct Auth Failure Inv | §164.312(a)(1), §164.308(a)(3), §13402(b), §13405(b), §13405(c), §495.6(d)(15) | §164.312(b) | Yes | Include All Log Sources |
HSS: Backup Failure Alert | Yes | More than 10 backup failure events are detected. | 996 | Operations : Error | HSS: ePHI and Backup System Failure/Error Inv | §164.310(d), §164.308(a)(1), §164.308(a)(7), §164.316(b)(1) | §164.312(b) | Yes | HSS: Systems Containing ePHI |
HSS: TST Environment Error Alert | No | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Test Systems (entity structure). This rule assists with change management testing procedures. | 997 | Operations : Critical | HSS: TST Environment Error Inv | §13201(a), §13201(b) | §164.312(b) | No | Include All Log Sources |
HSS: TST Activity | Yes | This AIE rule creates a common event any time ten or more activity logs are received from the systems or servers assigned to the Test Systems (entity structure), within five minutes. This rule assists with change management testing procedures. | 998 | Security : Activity | HSS: TST AIE Inv | §13201(a), §13201(b) | §164.312(b) | Yes | Include All Log Sources |
HSS: TST Logon Failure | Yes | This AIE rule creates a common event any time a logon failure occurs on systems or servers assigned to the Test Systems (entity structure). This rule assists with change management testing procedures. | 999 | Security : Failed Attack | HSS: TST Authentication Failure Inv | §13201(a), §13201(b) | §164.312(b) | Yes | Include All Log Sources |
HSS: TST Logon Success | Yes | This AIE rule creates a common event any time a logon success occurs on systems or servers assigned to the Test Systems (entity structure). This rule assists with change management testing procedures. | 1000 | Security : Compromise | HSS: TST Authentication Success Inv | §13201(a), §13201(b) | §164.312(b) | Yes | Include All Log Sources |
HSS: Primary Eligible Professional Utilization Statistics | No | This statistical rule is designed to determine whether or not an Eligible Professional is utilizing certified EHR technologies. Low access activity or an unusually high amount of access activity is monitored over a span of 7 days. | 1001 | Security : Activity | HSS: Eligible Professional Activity Inv | §495.6(d)(1), §495.6(d)(2), §495.6(d)(4), §495.6(d)(11), §495.6(d)(12), §495.6(d)(14), §495.6(e)(9), §495.6(e)(10), §495.6(e)(1), §495.6(e)(5) | §164.312(b) | No | HSS: Certified EHR Technologies |
HSS: Secondary Eligible Professional Utilization Statistics | No | This statistical rule is designed to determine whether or not an Eligible Professional is utilizing certified EHR technologies. Low access activity or an unusually high amount of access activity is monitored over a span of 7 days. | 1002 | Security : Activity | HSS: Eligible Professional Activity Inv | §495.6(d)(1), §495.6(d)(2), §495.6(d)(4), §495.6(d)(11), §495.6(d)(12), §495.6(d)(14), §495.6(e)(9), §495.6(e)(10), §495.6(e)(1), §495.6(e)(5) | §164.312(b) | No | HSS: Certified EHR Technologies |