Procedure - Information Systems Activity Review and Audit Procedures

PURPOSE

The purpose of this procedure is to establish Pacific University's compliance with federal HIPAA regulations, including standard practices for reviewing system activity within information systems. These reviews may include the activity and access logs of Pacific University medical record systems that store ePHI.

University colleges, schools, and departments should follow these procedures to comply with the Information System Activity Review and Audit Policy, Policy Number POL-UIS4509.

PROCEDURE

Procedures which support this policy may be created and used by each individual college, school, or department, but in general they should adhere to the following:

  • General Security Management
    • Each college, school or department will designate a workforce member or members to act as the Application Specialist(s) for their respective system(s). The designated Application Specialist(s) will be responsible for system activity reviews.
    • The Application Specialist shall document and define the logs and reports produced by their respective system(s), determine which are meaningful and appropriate for collection, and determine the appropriate frequency that the logs and reports should be reviewed.
    • The Application Specialist shall, on a periodic basis, no less than annually, record and retain evidence of the review processes for information systems activities.
    • University Information Services will collect and monitor network and operating system activity on university-managed systems and retain evidence of the review processes.
  • Determine Activities to Track/Audit
    • Pacific University Application Specialists shall include in the documentation a description of which activities within the information system(s) are reviewed. This may include items such as failed logins or viewing of Protected Data by users.
    • University Information Services shall document the activities reviewed and investigate unexplained activities, which may include administrative account accesses, software changes, or unexpected network traffic.
  • Select Activity Review Tools
    • Pacific University Application Specialists may develop or obtain tools that can assist with the activity review process. Such tools may include third party applications or native functions within an application or system.
    • Pacific University Application Specialists shall create, update, and periodically review the procedures for identifying and selecting tools and/or applications intended to capture appropriate audit information.
    • University Information Services will obtain tools to collect and monitor network and operating system activity on university-managed systems.
  • Audit Procedures
    • Pacific University Application Specialists shall create and/or periodically review procedures they use to successfully perform audits on the systems and/or applications within their departments. The procedures will describe how logs and/or reports are reviewed and contain details describing actions taken as a result of the review.
    • Management within each college, school or department is responsible for ensuring that system activity review audits are performed on a periodic basis.
    • The University Information Services Chief Information Security Officer is responsible for performing periodic audits to ensure that operations staff are performing and documenting review processes.