Effective immediately, IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker with LogDNA have launched 30-day search plans for HIPAA workloads.
The IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker with LogDNA services’ features enable DevOps teams to monitor their application logs and logs generated from IBM Cloud Platform services. This monitoring capability can be helpful in cases where your application supports U.S. healthcare data, which is often regulated by the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA requires that entities covered by the law (called Covered Entities) and those performing services for these Covered Entities (called Business Associates) utilize administrative, physical, and technical safeguards to protect the HIPAA regulated data (called Protected Health Information or PHI).
Both IBM Cloud services include a 30-day search plan HIPAA workload feature that can constitute an administrative safeguard for HIPAA data, when HIPAA is enabled for your IBM Cloud account.
Maintaining compliance can extend beyond the application itself to dependent services that support the application when PHI is involved. Downstream services like log and event management services can be relevant to HIPAA either to facilitate compliance or as a source of vulnerability.
Consider these two scenarios:
Scenario 1: Log and event management services are used to monitor and audit health application compliance.
This is the more common scenario. Frequently, application developers will want to provision both IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker together to assist with the monitoring and auditing of their application. If your application leverages other IBM Cloud PaaS services—such as IBM Cloud Databases—IBM Log Analysis with LogDNA can be configured to automatically capture the relevant IBM Cloud Databases logs. Combining platform service logs with your application logs provides greater visibility into the overall environment.
IBM Cloud Activity Tracker with LogDNA can be configured to automatically capture the actions your application performs in IBM Cloud as well as the changes your users make. Examples include:
- An administrator gives a user administrative access to application resources hosted in IBM Cloud. When this action is initiated, the IBM Cloud Identity and Access Management (IAM) service forwards an event to IBM Cloud Activity Tracker with LogDNA indicating the action performed and whether it succeeded or failed.
- An insider attacks the application, seeking to obtain data. When the malicious user logs in to the service via the UI, the client ID recorded for the login shows that the action was performed through the UI. If an interactive UI login is considered anomalous for that identity, security can be alerted.
- If your application includes IBM Cloudant and your Cloudant account is set up to share data events, you receive events when database reads are performed. In the example event, user adm-machine6 performed a read action; the event details (not pictured) identify specifically what was read. If the insider accessed data in Cloudant, read events recording the malicious user's activity would be captured.
When monitoring and auditing your HIPAA applications, note that HIPAA requires required documentation to be retained for a minimum of six years, and audit log data is commonly kept for at least that long. Archiving can be set up within the IBM Cloud services, so data can be retained for as long as your application requires.
Scenario 2: Application logs may unintentionally expose data during error reporting or other informational logging practices.
This scenario is less common, but you should still take action to address the risk. PHI should not be logged. In addition, consider the following guidelines when connecting your application to IBM Log Analysis with LogDNA to reduce risk:
- Assess the sources of the application logs that will be generated and stored. Sources within your application carry a higher risk of containing PHI and other confidential information because they process application data. Logs from IBM Cloud PaaS services are likely lower risk because they record your application's use of those services, but this should be verified through testing and automated regression checks.
- For data that must remain confidential to a client company, design the application not to log the sensitive data, or at least to mask it.
- Implement de-identification methods on PHI and sensitive data. An example is logging the internal database record number in lieu of the data itself. Note that de-identified data, by definition, can no longer be linked back to an individual; a database record number can still be re-linked by anyone with access to the database, so it is a pseudonym rather than de-identified data, and logs that carry it still need access control.
- Regularly review log and event data for anomalies and for PHI leakage.
While not foolproof, these steps should reduce risk.
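The guidelines above, as an added worked example in Python (this is illustrative code written for this page, not IBM or LogDNA code, and it is not specific to any log service): a logging formatter that masks identifier patterns in every fully rendered line before the handler writes it, shown beside the preferred practice of logging only the database record number. The regex patterns, the `Patient` record, the `phi-demo` logger name and the log lines are all constructed for illustration; the pattern list is a starting point, not a complete catalogue of PHI.

```python
"""Keeping PHI out of application logs: added example, not IBM/LogDNA code."""
import logging
import re
from dataclasses import dataclass
from io import StringIO

# Constructed patterns for identifiers that commonly leak into log lines.
# Under the HIPAA Safe Harbor rule, SSNs, contact details and dates tied to an
# individual are identifiers. The DATE pattern is deliberately blunt and will
# also hit unrelated ISO dates; tune these to the data your application handles.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "DATE": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}


def mask_phi(text: str) -> str:
    """Replace every match of a known identifier pattern with a labelled placeholder."""
    for label, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{label}-REDACTED]", text)
    return text


class RedactingFormatter(logging.Formatter):
    """Masks the fully rendered line, so PHI inside %r-formatted objects and
    exception tracebacks is caught too, not just literal strings in the template."""

    def format(self, record: logging.LogRecord) -> str:
        return mask_phi(super().format(record))


@dataclass
class Patient:
    record_id: str  # internal database key: the only field a log line should carry
    name: str
    dob: str
    ssn: str


def build_logger(stream) -> logging.Logger:
    """Logger whose only handler writes to `stream` through RedactingFormatter.
    The formatter sits on the handler, so every record reaching it is masked,
    whichever logger produced it."""
    logger = logging.getLogger("phi-demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def careless_log(logger: logging.Logger, patient: Patient) -> None:
    """Typical error reporting: dump the whole object. Only the formatter stands
    between this line and the log service."""
    logger.error("lookup failed for %r", patient)


def careful_log(logger: logging.Logger, patient: Patient) -> None:
    """Preferred practice: log the record number, never the record contents."""
    logger.error("lookup failed for record %s", patient.record_id)


def demo() -> list[str]:
    """Emit both styles for a constructed patient record and return the log lines."""
    stream = StringIO()
    logger = build_logger(stream)
    # Constructed sample record; no real individual.
    patient = Patient("MRN-00042", "Jane Doe", "1984-07-19", "123-45-6789")
    careless_log(logger, patient)
    careful_log(logger, patient)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` shows the two lines side by side: the careless line has its SSN and date of birth replaced with `[SSN-REDACTED]` and `[DATE-REDACTED]`, but the free-text name "Jane Doe" still gets through, because pattern matching cannot recognise arbitrary names. That gap is the reason the guideline is to not log PHI at all and to design log statements around the record number; the formatter is a backstop for the mistakes that testing and regression checks miss, not the primary control.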
When a 30-day search HIPAA service plan is selected, additional protections apply. Examples include:
- Operations teams for the IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker with LogDNA services cannot access those accounts for troubleshooting.
- The service plan operates under the IBM BAA.
Expedite your application delivery with IBM Cloud managed log management services
When the HIPAA search plan is selected for IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker with LogDNA, these cloud services remove the additional effort of building and operating bespoke HIPAA tooling. The newly introduced service plans offer the same highly scalable and highly available environments as the other service plans, whatever your log and event volume.
These benefits complement the existing service core features by helping DevOps teams maintain control of their data and gain valuable insights from their logs and event data:
- See data instantly in Live Tail
- Debug using natural language queries
- Correlate and analyze data with Graphs and Screens
- Audit behavior of software operations and identify security concerns
IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker with LogDNA are deployed consistently across six worldwide multi-zone regions (MZRs) and two single-zone regions (SZRs). The Frankfurt region additionally supports EU-Managed operations.
Altogether, these benefits enable DevOps teams to focus on development and operations of their applications unencumbered with additional IT tooling management.
Get Started with a HIPAA service plan
Getting started with the HIPAA service plan can be as simple as selecting it when provisioning the service. If you have an existing LogDNA instance, you can convert it to the HIPAA plan.
Use of the services is offered under an IBM BAA. If you have not already enabled your IBM Cloud account for HIPAA, refer to the IBM Cloud documentation on enabling HIPAA for more information. When you configure your IBM Cloud account for HIPAA, you must accept an IBM BAA, either via the provided click-through link or via a separate BSS process led by your IBM sales representative. The standard IBM Cloud BAA can be referenced at the IBM SLA terms BAA page.
Once you have a HIPAA service plan instantiated and your Cloud account enabled for HIPAA, review our documentation on best practices for helping optimize the configuration for HIPAA compliance.
Not just HIPAA compliance…
IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker with LogDNA can assist in multiple compliance areas to help you meet your varied workload and regulatory needs. In addition to HIPAA, these areas include the following:
- SOC 2 Type 2
- EU-US Privacy Shield
Learn more about IBM Cloud compliance in Compliance on the IBM Cloud
Whether your workload has specific regulatory needs or you want compliance for additional operational peace of mind, IBM Log Analysis with LogDNA and IBM Cloud Activity Tracker with LogDNA are here to help you get the most out of your application logs and IBM Cloud environment data. Learn more: