Splunk Lantern

HIPAA authentication controls

In a healthcare organization, you must implement procedures to verify the authenticity of a person or entity seeking access to electronic protected health information (e-PHI). These searches show whether credentials entered into an information system match those stored in that system and, if the user is authenticated, whether the person was granted the authorized access privileges to perform functions and access e-PHI.

Required data

To optimize the searches shown below, you should specify an index and a time range. In addition, these sample searches use Cerner audit logs. You can swap out this data source for ones in use at your organization, changing field names as necessary.

How to use Splunk software for this use case

To count the number of failed logon attempts to a device, run the following search.

sourcetype=Cerner_Audit_Log
AuditSource=*
EventName="Logon Attempt"
OutcomeInd="8"
| stats count

To break these results down by user ID, sorted by the number of failures, update the search to the following.

sourcetype=Cerner_Audit_Log
AuditSource=*
EventName="Logon Attempt"
OutcomeInd="8"
| stats count BY UserName
| sort -count
| rename UserName AS "User ID", count AS "Count"

To see a timeline of these failed logon attempts in 5-minute buckets, update the search to the following. The span is set on timechart itself so that the 5-minute bucketing is honored regardless of the search's time range.

sourcetype=Cerner_Audit_Log
AuditSource=*
EventName="Logon Attempt"
OutcomeInd="8"
| fields _time, UserName
| timechart span=5m count(UserName) BY UserName
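The three searches above, reproduced in Python over a handful of constructed Cerner-style audit records so the filtering, per-user ranking and 5-minute bucketing can be checked offline. This is an added example, not code from Splunk Lantern; the sample events and their field values are made up, and OutcomeInd="8" is treated as a failed logon exactly as the searches above do.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like field-extracted Cerner audit records
# (sourcetype=Cerner_Audit_Log). These are not real log lines.
SAMPLE_EVENTS = """\
_time="2024-03-01T08:00:10Z" AuditSource="app01" EventName="Logon Attempt" OutcomeInd="8" UserName="jdoe"
_time="2024-03-01T08:02:45Z" AuditSource="app01" EventName="Logon Attempt" OutcomeInd="8" UserName="jdoe"
_time="2024-03-01T08:03:30Z" AuditSource="app01" EventName="Logon Attempt" OutcomeInd="0" UserName="jdoe"
_time="2024-03-01T08:04:05Z" AuditSource="app02" EventName="Logon Attempt" OutcomeInd="8" UserName="asmith"
_time="2024-03-01T08:07:00Z" AuditSource="app02" EventName="Logon Attempt" OutcomeInd="8" UserName="jdoe"
_time="2024-03-01T08:09:00Z" AuditSource="app02" EventName="Record Access" OutcomeInd="8" UserName="asmith"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_events(text):
    """Turn key="value" lines into dicts, as Splunk's field extraction would."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def failed_logons(events):
    """Equivalent of the filter: EventName="Logon Attempt" OutcomeInd="8"."""
    return [e for e in events
            if e.get("EventName") == "Logon Attempt" and e.get("OutcomeInd") == "8"]

def count_by_user(failed):
    """Equivalent of: | stats count BY UserName | sort -count."""
    return Counter(e["UserName"] for e in failed).most_common()

def timeline_by_user(failed, span_seconds=300):
    """Equivalent of: | timechart span=5m count(UserName) BY UserName.
    Bucket start times are floored to the span, the way Splunk's bin/timechart do."""
    bins = defaultdict(Counter)
    for e in failed:
        ts = datetime.strptime(e["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        epoch = int(ts.timestamp())
        bucket = epoch - epoch % span_seconds
        bins[bucket][e["UserName"]] += 1
    return {datetime.fromtimestamp(b, timezone.utc).strftime("%H:%M"): dict(c)
            for b, c in sorted(bins.items())}

if __name__ == "__main__":
    failed = failed_logons(parse_events(SAMPLE_EVENTS))
    print("total failed logons:", len(failed))          # 4
    print("by user:", count_by_user(failed))              # [('jdoe', 3), ('asmith', 1)]
    print("timeline:", timeline_by_user(failed))
```

The successful attempt (OutcomeInd="0") and the non-logon event are excluded, which is why the total is 4 rather than 6.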

Next steps

After running these authentication control searches and taking appropriate action, you may want to look into other HIPAA controls: