Healthcare Security – Investigations
Investigation Name | Investigation Description | Investigation ID | Directly Meet Requirements | Augment Requirements | Data Source | Classification | Intelligent Indexing | Log Sources |
---|---|---|---|---|---|---|---|---|
HSS: Account Lockout Inv | This investigation is for reviewing account lockouts. Direct: §164.312(b) Augment: §164.312(a)(1) | 446 | §164.312(b) | §164.312(a)(1) | Data Processor | Access Revoked | No | All Log Sources |
HSS: Account Management Activity Inv | This investigation is for reviewing all account management activity for production systems. Direct: §164.312(b) Augment: §164.312(a)(1), §164.308(a)(3) | 447 | §164.312(b) | §164.312(a)(1), §164.308(a)(3) | Data Processor | Account Modified | No | All Log Sources |
HSS: Applications Accessed By User Inv | This investigation provides information about user accessed applications. Direct: §164.312(b) Augment: §164.308(a)(3) | 448 | §164.312(b) | §164.308(a)(3) | Data Processor | Activity | No | All Log Sources |
HSS: Attacks Detected Inv | This investigation provides a summary of detected attacks by Entity and Impacted Host. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 449 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Attack | Yes | All Log Sources |
HSS: Audit Failure Inv | This investigation provides information about failed access and logins by Impacted Host. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 450 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Other Audit Failure | No | All Log Sources |
HSS: Compromises Detected Inv | This investigation provides a summary of detected compromises of security by Entity and Impacted Host. Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | 451 | §164.312(b) | §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | Data Processor | Compromise | Yes | All Log Sources |
HSS: Default Account Inv | This investigation provides information about when a default account has been used. Direct: §164.312(b) Augment: §164.312(a)(1) | 452 | §164.312(b) | §164.312(a)(1) | Data Processor | Authentication Success | No | All Log Sources |
HSS: Disabled Accounts Inv | This investigation summarizes disabled account activity for all production systems. Direct: §164.312(b) Augment: §164.312(a)(1) | 453 | §164.312(b) | §164.312(a)(1) | Data Processor | Activity | No | All Log Sources |
HSS: Failed Application Access Inv | This investigation summarizes failed access attempts. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 454 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Access Failure | No | All Log Sources |
HSS: Failed File Access Inv | This investigation provides a summary of failed file access. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 455 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Access Failure | No | All Log Sources |
HSS: Failed Host Access Inv | This investigation provides a summary of failed logins. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 456 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Access Failure, Authentication Failure | No | All Log Sources |
HSS: File Integrity Monitor Inv | This investigation provides summary information on data generated by the LogRhythm File Integrity Monitor. Events are grouped by Entity, Impacted Host, Common Event, and Object with a count of how many times that condition has been experienced within the investigation period. Direct: §164.312(b) Augment: §164.312(c)(1) | 457 | §164.312(b) | §164.312(c)(1) | Data Processor | Access Success | No | HSS: File Integrity Monitoring Systems |
HSS: Host Access Granted And Revoked Inv | This investigation summarizes all access granted and revoked for production systems. Direct: §164.312(b) Augment: §164.312(a)(1) | 458 | §164.312(b) | §164.312(a)(1) | Data Processor | Access Granted, Access Revoked | No | All Log Sources |
HSS: Host Change Inv | This investigation summarizes change activity for production systems. Direct: §164.312(b) | 459 | §164.312(b) | N/A | Data Processor | Configuration Policy | No | All Log Sources |
HSS: Logout Inv | This investigation summarizes all user logouts. Direct: §164.312(b) Augment: §164.312(a)(1) | 460 | §164.312(b) | §164.312(a)(1) | Data Processor | Authentication Success | No | All Log Sources |
HSS: LogRhythm Data Loss Defender Log Inv | This investigation provides summary information on data generated by the LogRhythm Data Loss Defender. Data is grouped by Entity, Impacted Host, Common Event, and Object with a count of how many times that condition has been experienced within the investigation period. Direct: §164.312(b) Augment: §164.312(e)(1), §164.308(a)(4), §164.308(a)(6) | 461 | §164.312(b) | §164.312(e)(1), §164.308(a)(4), §164.308(a)(6) | Data Processor | Activity | No | All Log Sources |
HSS: Malware Detected Inv | This investigation summarizes detected malware by Impacted Host. Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | 462 | §164.312(b) | §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | Data Processor | Malware | Yes | All Log Sources |
HSS: New Account Inv | This investigation summarizes new account activity for all production systems. Direct: §164.312(b) Augment: §164.312(a)(1) | 463 | §164.312(b) | §164.312(a)(1) | Data Processor | Information | No | All Log Sources |
HSS: Object Access Inv | This investigation summarizes object access. Direct: §164.312(b) | 464 | §164.312(b) | N/A | Data Processor | Access Success | No | All Log Sources |
HSS: Security Event Inv | This investigation provides a summary of security relevant events. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 465 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Suspicious | Yes | All Log Sources |
HSS: Suspicious Activity Inv | This investigation provides a summary of detected suspicious activity by Entity and Impacted Host. Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | 466 | §164.312(b) | §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | Data Processor | Suspicious | No | All Log Sources |
HSS: System Critical And Error Conditions Inv | This investigation summarizes critical and error conditions for production servers and network infrastructure devices. Direct: §164.312(b) Augment: §164.310(d), §164.308(a)(1), §164.308(a)(7), §13405(c), §495.6(d)(15) | 467 | §164.312(b) | §164.310(d), §164.308(a)(1), §164.308(a)(7), §13405(c), §495.6(d)(15) | Data Processor | Critical, Error | Yes | All Log Sources |
HSS: System Startup And Shutdown Inv | This investigation lists startup and shutdown activity for production servers and network infrastructure systems. Direct: §164.312(b) Augment: §164.310(d), §164.308(a)(7) | 468 | §164.312(b) | §164.310(d), §164.308(a)(7) | Data Processor | Activity | No | All Log Sources |
HSS: Terminated Account Inv | This investigation summarizes terminated account activity for production systems. Direct: §164.312(b) Augment: §164.312(a)(1), §164.308(a)(3) | 469 | §164.312(b) | §164.312(a)(1), §164.308(a)(3) | Data Processor | Suspicious | No | All Log Sources |
HSS: Use Of Non-Encrypted Protocols Inv | This investigation lists any use of non-encrypted protocols. Direct: §164.312(b) Augment: §164.312(e)(1), §164.308(a)(4) | 470 | §164.312(b) | §164.312(e)(1), §164.308(a)(4) | Data Processor | Configuration Policy | Yes | All Log Sources |
HSS: User Authentication Inv | This investigation looks for successful and failed authentications to services and applications. Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | 471 | §164.312(b) | §164.308(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | Data Processor | Authentication Success | No | All Log Sources |
HSS: User Misuse Inv | This investigation summarizes detected misuse by user. Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | 472 | §164.312(b) | §164.308(a)(1), §164.308(a)(6), §13405(c), §495.6(d)(15) | Data Processor | Misuse | No | All Log Sources |
HSS: User Object Access Inv | This investigation summarizes successful object access activity by user. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 473 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Access Success | No | All Log Sources |
HSS: Vulnerabilities Detected Inv | This investigation provides a summary of detected vulnerabilities. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 474 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Vulnerability | Yes | All Log Sources |
HSS: Top Hosts Experiencing Errors Inv | This investigation provides a summary of hosts experiencing errors. Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(8), §164.314(b)(1), §13405(c), §13411, §495.6(d)(15) | 475 | §164.312(b) | §164.308(a)(1), §164.308(a)(8), §164.314(b)(1), §13405(c), §13411, §495.6(d)(15) | Data Processor | Critical, Error | No | All Log Sources |
HSS: Top Applications Experiencing Errors Inv | This investigation provides a summary of applications experiencing errors. Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(8), §164.314(b)(1), §13405(c), §13411, §495.6(d)(15) | 476 | §164.312(b) | §164.308(a)(1), §164.308(a)(8), §164.314(b)(1), §13405(c), §13411, §495.6(d)(15) | Data Processor | Critical, Error | No | All Log Sources |
HSS: Eligible Professional Activity Inv | This investigation will generate a list of Eligible Professional activity based on the users specified in the primary and secondary "Eligible Professional" lists. The investigation is grouped by Login, then Common Event. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(1), §495.6(d)(2), §495.6(d)(4), §495.6(d)(11), §495.6(d)(12), §495.6(d)(14), §495.6(d)(15), §495.6(e)(9), §495.6(e)(10), §495.6(e)(1), §495.6(e)(5) | 477 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(1), §495.6(d)(2), §495.6(d)(4), §495.6(d)(11), §495.6(d)(12), §495.6(d)(14), §495.6(d)(15), §495.6(e)(9), §495.6(e)(10), §495.6(e)(1), §495.6(e)(5) | Data Processor | Activity | No | All Log Sources |
HSS: Covered Entity Acct Auth Failure Inv | This investigation provides summary information around Business Associate (user list) authentication failure from Covered Entity IPs (host list). Direct: §164.312(b) Augment: §13402(b), §13405(b), §13411 | 478 | §164.312(b) | §13402(b), §13405(b), §13411 | Platform Manager | Authentication Failure | No | All Log Sources |
HSS: Covered Entity Acct Auth Success Inv | This investigation provides summary information around Business Associate (user list) authentication success from Covered Entity IPs (host list). Direct: §164.312(b) Augment: §13402(b), §13405(b), §13411 | 479 | §164.312(b) | §13402(b), §13405(b), §13411 | Data Processor | Access Success | No | All Log Sources |
HSS: Covered Entity Acct Access Failure Inv | This investigation provides summary information around Business Associate (user list) access failure from Covered Entity IPs (host list). Direct: §164.312(b) Augment: §13402(b), §13405(b), §13411 | 480 | §164.312(b) | §13402(b), §13405(b), §13411 | Platform Manager | Access Failure | No | All Log Sources |
HSS: Covered Entity Acct Access Success Inv | This investigation provides summary information around Business Associate (user list) access success from Covered Entity IPs (host list). Direct: §164.312(b) Augment: §13402(b), §13405(b), §13411 | 481 | §164.312(b) | §13402(b), §13405(b), §13411 | Data Processor | Authentication Success | No | All Log Sources |
HSS: Covered Entity Acct Disabled/Enabled Inv | This investigation provides summary information when a Business Associate (user list) has access revoked (disabled) or granted (enabled) across Covered Entity IPs (host list). Direct: §164.312(b) Augment: §13402(b), §13405(b), §13411 | 482 | §164.312(b) | §13402(b), §13405(b), §13411 | Platform Manager | Access Granted, Access Revoked | No | All Log Sources |
HSS: Business Associate UAM Inv | This investigation provides a summary of various access modifications to Business Associates (user list) occurring within all Healthcare Security Compliance Automation Suite parent entities (entity structure). Direct: §164.312(b) Augment: §13402(b), §13405(b), §13411 | 483 | §164.312(b) | §13402(b), §13405(b), §13411 | Data Processor | Activity | Yes | All Log Sources |
HSS: Ineligible EHR Account Access Inv | This investigation provides summary information around access success for Eligible Professionals (user lists) within the certified EHR technology scope (log source list). Direct: §164.312(b) Augment: §164.308(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | 484 | §164.312(b) | §164.308(a)(1), §164.308(a)(3), §13405(c), §495.6(d)(15) | Data Processor | Access Success, Authentication Success | No | HSS: Certified EHR Technologies |
HSS: ePHI Threat IP Activity Inv | This investigation provides a summary of threat IP activity by Entity and Impacted Host. Direct: §164.312(b) Augment: §164.312(d), §164.312(e)(1), §164.308(a)(4) | 485 | §164.312(b) | §164.312(d), §164.312(e)(1), §164.308(a)(4) | Data Processor | Suspicious | Yes | HSS: Systems Containing ePHI |
HSS: Unapproved ePHI Account Access Inv | This investigation provides summary information around access and authentication success for users who are not included in the active Healthcare Security Compliance Automation Suite user lists within the Systems Containing ePHI (log source list). Direct: §164.312(b) Augment: §164.312(a)(1), §164.308(a)(3) | 486 | §164.312(b) | §164.312(a)(1), §164.308(a)(3) | Data Processor | Suspicious | No | HSS: Systems Containing ePHI |
HSS: Workstation Device Driver Inv | This investigation is designed to provide a summary of general workstation device driver activity, including but not limited to driver failure and success. Direct: §164.312(b) Augment: §164.310(b), §164.310(c) | 487 | §164.312(b) | §164.310(b), §164.310(c) | Data Processor | Other Audit | No | All Log Sources |
HSS: Physical Security Auth Activity Inv | This investigation summarizes physical security authentication activity seen within the Healthcare Security Compliance Automation Suite environment. The Physical Access Systems list needs to be populated for this investigation to work properly. Direct: §164.312(b) Augment: §164.310(a)(1) | 488 | §164.312(b) | §164.310(a)(1) | Data Processor | Access Success, Access Failure | No | All Log Sources |
HSS: Suspicious EHR System Activity Inv | This investigation provides a summary of detected suspicious activity by Entity and Impacted Host. Direct: §164.312(b) Augment: §164.308(a)(1), §13405(c), §495.6(d)(15) | 489 | §164.312(b) | §164.308(a)(1), §13405(c), §495.6(d)(15) | Data Processor | Suspicious, Activity | No | HSS: Certified EHR Technologies |
HSS: AIE Rule Inv | This investigation provides a summary of AI Engine rule activity for the Healthcare Security Compliance Automation Suite (HIPAA/HITECH/Promoting Interoperability). Direct: §164.312(b) Augment: §164.308(a)(8), §13411 | 490 | §164.312(b) | §164.308(a)(8), §13411 | Platform Manager | Other Audit | No | All Log Sources |
HSS: Backup Activity Inv | This investigation provides a summary of activity from backup events across Systems Containing ePHI (log source list). Direct: §164.312(b) Augment: §164.310(d), §164.308(a)(7), §164.316(b)(1) | 491 | §164.312(b) | §164.310(d), §164.308(a)(7), §164.316(b)(1) | Data Processor | Activity, Other Audit | No | HSS: Systems Containing ePHI |
HSS: ePHI and Backup System Failure/Error Inv | This investigation provides a summary of critical and error messages received from Systems Containing ePHI (log source list), including, but not limited to, backup failures. Direct: §164.312(b) Augment: §164.310(d), §164.308(a)(7), §164.316(b)(1) | 492 | §164.312(b) | §164.310(d), §164.308(a)(7), §164.316(b)(1) | Data Processor | Critical, Error | No | HSS: Systems Containing ePHI |
HSS: AIE Backup Failure Alert Inv | This investigation summarizes AI Engine backup failure alerts from Systems Containing ePHI (log source list). The Backup Failure Alert AI Engine rule must be enabled for this investigation to work properly. Direct: §164.312(b) Augment: §164.310(d), §164.308(a)(7), §164.316(b)(1) | 493 | §164.312(b) | §164.310(d), §164.308(a)(7), §164.316(b)(1) | Platform Manager | Critical, Error | No | HSS: Systems Containing ePHI |
HSS: TST Access Failure Inv | This investigation provides summary information around access failures for accounts within the test systems (entity structure). Direct: §164.312(b) Augment: §13201(a), §13201(b) | 494 | §164.312(b) | §13201(a), §13201(b) | Platform Manager | Access Failure | No | All Log Sources |
HSS: TST Access Success Inv | This investigation provides summary information around access success for accounts within the test systems (entity structure). Direct: §164.312(b) Augment: §13201(a), §13201(b) | 495 | §164.312(b) | §13201(a), §13201(b) | Data Processor | Access Success | No | All Log Sources |
HSS: TST Authentication Failure Inv | This investigation provides summary information around authentication failures across test systems (entity structure). Direct: §164.312(b) Augment: §13201(a), §13201(b) | 496 | §164.312(b) | §13201(a), §13201(b) | Platform Manager | Authentication Failure | No | All Log Sources |
HSS: TST Authentication Success Inv | This investigation provides summary information around authentication success across test systems (entity structure). Direct: §164.312(b) Augment: §13201(a), §13201(b) | 497 | §164.312(b) | §13201(a), §13201(b) | Data Processor | Authentication Success | No | All Log Sources |
HSS: TST Environment Error Inv | This investigation provides summary details around critical or error messages received from test servers or systems (entity structure) to support change management procedures. Direct: §164.312(b) Augment: §13201(a), §13201(b) | 498 | §164.312(b) | §13201(a), §13201(b) | Platform Manager | Critical, Error | No | All Log Sources |
HSS: TST Priv Acct Authentication Inv | This investigation provides summary information around authentication success and failures for defined privileged and test accounts (lists) within the test environments (entity structure). Direct: §164.312(b) Augment: §13201(a), §13201(b) | 499 | §164.312(b) | §13201(a), §13201(b) | Data Processor | Authentication Success, Authentication Failure | No | All Log Sources |
HSS: TST AIE Inv | This investigation summarizes Healthcare Security Compliance Automation Suite AI Engine rule activity within the test environment (entity list). Direct: §164.312(b) Augment: §13201(a), §13201(b) | 500 | §164.312(b) | §13201(a), §13201(b) | Platform Manager | Activity, Other Audit | No | All Log Sources |