HIPAA transmission security
In a healthcare organization, you must implement technical security measures that guard against unauthorized access to e-PHI being transmitted over an electronic network. You need to monitor server logs and email logs within your organization's environment to detect if protected health information is exposed to an unsecured environment. These searches alert relevant personnel if exposed PHI was detected so that the problem point can be identified and further data breach can be prevented.
Required data
To optimize the searches shown below, you should specify an index and a time range.
Transmission statistics
To run the following searches, you must have installed and configured the Splunk App for Stream.
Total number of transmission events
To count the number of e-PHI transmission events, run the following search.
sourcetype=stream:* | stats count AS Total
Number of events with exposed PHI
To count the number of e-PHI transmission events with exposed PHI, run the following search. You can remove any of the data points in the search below that aren't relevant to your system, or add others as needed.
sourcetype=stream:* ((HL7_Tag=*) OR (SSN=* OR card_details=*) OR ((first_name1=* OR last_name=* OR names=*) AND (DOB=* OR ip_address=* OR phone_number=* OR street_address=*))) | stats count
Percentage of events with exposed PHI
To calculate the percentage of e-PHI transmission events that involved exposed PHI, run the following search. You can remove any of the data points in the search below that aren't relevant to your system, or add others as needed. The subsearch must cover the same sourcetype and index as the outer search, otherwise the numerator and denominator are drawn from different data.
sourcetype=stream:* | stats count AS total_events | appendcols [search sourcetype=stream:* ((HL7_Tag=*) OR (SSN=* OR card_details=*) OR ((first_name1=* OR last_name=* OR names=*) AND (DOB=* OR ip_address=* OR phone_number=* OR street_address=*))) | stats count AS leaked_events] | eval leaked_perc=(leaked_events/total_events)*100 | fields - total_events, leaked_events
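The exposure condition shared by the two searches above, rewritten in Python as an added example (not code from the Splunk documentation) so the logic can be checked against constructed events before it is relied on; the field names are the ones used in the searches, and the sample events are made up.

```python
# Added example: the PHI-exposure predicate from the stream:* searches above,
# expressed in Python so it can be tested on constructed events.
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Field groups mirror the SPL condition: an HL7 tag or a direct identifier
# alone is enough; a name only counts as PHI when paired with a quasi-identifier.
HL7_FIELDS = ("HL7_Tag",)
DIRECT_IDENTIFIERS = ("SSN", "card_details")
NAME_FIELDS = ("first_name1", "last_name", "names")
QUASI_IDENTIFIERS = ("DOB", "ip_address", "phone_number", "street_address")


def present(event: Event, fields: Iterable[str]) -> bool:
    """SPL `field=*` semantics: the field exists on the event and is non-empty."""
    return any(event.get(f) not in (None, "") for f in fields)


def exposes_phi(event: Event) -> bool:
    """Python equivalent of the boolean filter in the searches above."""
    return (
        present(event, HL7_FIELDS)
        or present(event, DIRECT_IDENTIFIERS)
        or (present(event, NAME_FIELDS) and present(event, QUASI_IDENTIFIERS))
    )


def leaked_percentage(events: List[Event]) -> float:
    """Mirrors the `leaked_perc` eval: exposed events as a percentage of all events."""
    total = len(events)
    if total == 0:
        return 0.0
    leaked = sum(1 for e in events if exposes_phi(e))
    return leaked / total * 100


# Constructed sample events (not real data) shaped like stream:* records.
SAMPLE_EVENTS: List[Event] = [
    {"sourcetype": "stream:smtp", "HL7_Tag": "PID", "src_ip": "10.0.0.5"},
    {"sourcetype": "stream:http", "SSN": "000-00-0000"},
    {"sourcetype": "stream:smtp", "last_name": "Doe", "DOB": "1970-01-01"},
    {"sourcetype": "stream:smtp", "last_name": "Doe"},        # name alone: not PHI
    {"sourcetype": "stream:http", "ip_address": "10.0.0.9"},  # quasi-id alone: not PHI
]

if __name__ == "__main__":
    print(f"leaked_perc={leaked_percentage(SAMPLE_EVENTS):.1f}")  # prints 60.0
```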
Outbound PHI data by destination email
To see the destinations that each distinct source IP address is sending mail to, run the following search.
sourcetype=stream:smtp | stats dc(src_ip) AS distinct_sources BY receiver_email
Emails with exposed PHI path
To see the receivers of emails that included exposed e-PHI transmission, run the following search. You can remove any of the data points in the search below that aren't relevant to your system, or add others as needed.
sourcetype=stream:smtp (SSN=* OR HL7_Tag=* OR street_address=* OR phone_number=*) | stats count BY sender_email, receiver_email | rename receiver_email AS RECEIVER
Statistics from health information technology services, devices, and hardware
These sample searches use Cerner. You can swap out this data source for ones in use at your organization, changing field names as necessary.
Number of exported patient records
To see a count of the number of exported patient records, run the following search.
sourcetype=Cerner_Audit_Log EventType="Output" ParticipantName=* UserName=* | stats count
Modification events
To see the details of healthcare records that have been modified, run the following search.
sourcetype=cerner_audit_log EventType="Write/Update Results" OR EventType="Add" OR EventType="Sign" OR EventType="Modify" OR EventType="Modify Details" OR EventType="Add/Modify and Review" | convert ctime(_time) | table _time, EventType, UserName, PrsnlName, Role, EventName, NetworkAccID | rename _time AS "Date/Time", UserName AS "User ID", PrsnlName AS "Name", EventType AS "Event Type", EventName AS "Event Name", NetworkAccID AS "Workstation"
Next steps
After running these searches and taking appropriate action, you may want to look into other HIPAA controls: