HIPA-22

Does the application log administrative activity, such as user account access changes and password changes, including specific user, date/time of changes, and originating IP or device?

Explanation

This question asks whether your application keeps detailed logs of administrative actions, in particular user account management activities such as creating or modifying accounts, changing access rights and changing passwords. For each action the system should record who performed it (the specific user), when it happened (date and time, ideally in UTC), where it originated (IP address or device identifier) and what was changed.

Why this matters in a security assessment:

1. Accountability: these logs create an audit trail that establishes who did what and when.
2. Forensic investigation: if a security incident occurs, the logs help determine how it happened and which account was used to do it.
3. HIPAA compliance: the Health Insurance Portability and Accountability Act requires covered entities and their business associates to implement audit controls that record and examine activity in information systems that contain or use electronic protected health information (ePHI).
4. Detection of unauthorized access: unusual patterns in administrative activity (for example, bulk permission changes or account changes outside business hours) can indicate compromised credentials or an insider threat.

In the context of HIPAA, this question relates directly to the Security Rule's Audit Controls standard (45 CFR § 164.312(b)), which requires implementing hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

When answering this question, you should:

1. Be specific about which administrative activities are logged.
2. Detail exactly what information is captured in each log entry, including whether the originating IP is the real client address rather than that of a proxy or load balancer.
3. Explain how long the logs are retained.
4. Describe how the logs are protected from tampering (for example, append-only storage or hash-chained entries).
5. Mention any automated alerting for suspicious administrative activity.
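As an added illustration, and not code from this page or from ResponseHub, the Python sketch below shows what the explanation above asks for in concrete form: an audit record carrying the who, when, where and what fields, a hash chain that makes later alteration or deletion of stored entries detectable, and two simple alert rules of the kind mentioned (a burst of permission changes by one administrator, and administrative actions outside business hours). The action names, the business-hours window (taken as 08:00 to 17:59 UTC), the actor and user names, IP addresses and sample events are all constructed for the example.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Administrative actions considered audit-worthy. Constructed for this example.
ADMIN_ACTIONS = {"account.create", "account.disable", "password.change",
                 "permission.grant", "permission.revoke"}
GENESIS = "0" * 64                 # previous-hash value used for the first entry
BUSINESS_HOURS_UTC = range(8, 18)  # assumption: 08:00-17:59 UTC counts as business hours


def _digest(prev_hash, record):
    """SHA-256 over the previous entry's hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    """Append-only list of admin events; every entry commits to its predecessor's hash."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, target, source_ip, device, when, detail=None):
        if action not in ADMIN_ACTIONS:
            raise ValueError(f"not an administrative action: {action!r}")
        if when.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware; store it in UTC")
        record = {
            "actor": actor,                                   # who
            "action": action, "target": target,               # what, and to whom
            "ts": when.astimezone(timezone.utc).isoformat(),  # when (UTC)
            "source_ip": source_ip, "device": device,         # where from
            "detail": detail or {},
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": _digest(prev, record)})
        return len(self.entries) - 1


def verify_chain(entries):
    """Return the index of the first entry whose hash or back-link is wrong, else None.

    An edited record changes its hash; a deleted entry breaks the next entry's link."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
            return i
        prev = e["hash"]
    return None


def suspicious(entries, window=timedelta(minutes=5), threshold=3):
    """Flag off-hours actions and bursts of permission changes by a single actor."""
    alerts = []
    by_actor = defaultdict(list)
    for e in entries:
        r = e["record"]
        ts = datetime.fromisoformat(r["ts"])
        if ts.hour not in BUSINESS_HOURS_UTC:
            alerts.append(f"off-hours {r['action']} by {r['actor']} at {r['ts']} "
                          f"from {r['source_ip']}")
        if r["action"].startswith("permission."):
            by_actor[r["actor"]].append(ts)
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(f"{threshold}+ permission changes by {actor} within {window}")
                break
    return alerts


def build_sample_log():
    """Constructed sample: one routine password change, then a burst of grants at 02:00 UTC."""
    log = AuditLog()
    t0 = datetime(2024, 3, 12, 14, 5, tzinfo=timezone.utc)
    log.append("admin.alice", "password.change", "user.bob", "203.0.113.7", "laptop-A1", t0)
    t1 = datetime(2024, 3, 13, 2, 0, tzinfo=timezone.utc)
    for n, user in enumerate(["user.carol", "user.dave", "user.erin"]):
        log.append("admin.mallory", "permission.grant", user, "198.51.100.9", "unknown",
                   t1 + timedelta(minutes=n), {"role": "phi_reader"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log.entries) is None)
    for alert in suspicious(log.entries):
        print("ALERT:", alert)
    log.entries[1]["record"]["target"] = "user.mallory"  # simulate tampering in storage
    print("first bad entry after tampering:", verify_chain(log.entries))
```

The hash chain only makes tampering detectable; it does not prevent it, so in a real deployment the chain head (or periodic checkpoints of it) should be written somewhere the application's database credentials cannot reach, and verification should run from that separate location.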

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our application maintains comprehensive logs of all administrative activities. For user account access changes and password changes, we record the specific administrator who performed the action, the exact date and time of the change (in UTC), the originating IP address, and device information when available. These logs include details of what was changed (e.g., which user account was modified and which specific permissions were altered). All logs are stored in a separate, secured database to which the application has append-only access, and they are retained for a minimum of 6 years in line with HIPAA's documentation retention requirement. We also have automated alerts for unusual administrative activity, such as mass permission changes or administrative actions outside of business hours. These logs are regularly backed up, encrypted, and protected against tampering through cryptographic hash verification.

Example Response 2

Yes, our application implements detailed audit logging for all administrative activities. Each log entry for account access changes and password modifications includes the administrator username, a timestamp with millisecond precision, the client IP address, a browser/device fingerprint, and the specific details of the change made. Our system maintains these logs in a separate, immutable storage system that prevents modification even by system administrators. The logs are retained for 7 years and are automatically analyzed by our security information and event management (SIEM) system to detect potentially suspicious patterns. Additionally, we maintain a separate record of who accessed these audit logs and when, creating a complete chain of accountability. All logs are encrypted at rest and in transit, and access to the logs requires multi-factor authentication.

Example Response 3

No, our application currently has limited logging capabilities for administrative activities. While we do record when user accounts are created, we don't capture who performed these actions, and we don't log password changes or permission modifications. We're aware this is a gap in our security controls and that it does not meet HIPAA's audit control requirements. We've prioritized this issue in our development roadmap and expect to implement comprehensive administrative activity logging within the next quarter. In the interim, we've implemented compensating controls, including strict access limitations to administrative functions and regular manual reviews of user account status. We recognize this is not ideal and are committed to addressing this deficiency promptly.

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub