Audit Controls
Description
Implement hardware, software, and/or procedural mechanisms that record and examine activity in systems containing ePHI.
⚠️ Risk Impact
Without audit logs, unauthorized access to patient data cannot be detected.
🔧 Remediation
Enable CloudTrail/Cloud Audit Logging. EchelonGraph monitors audit log configuration compliance.
💀 Real-World Attack Scenario
A medical billing company's employee accessed celebrity patient records 847 times over 2 years. Without comprehensive audit logging, the unauthorized access was only discovered when the employee attempted to sell the records. Retroactive investigation was impossible for the period without logs.
💰 Cost of Non-Compliance
UCLA Health: $865K settlement for failure to audit ePHI access. Massachusetts General: $1M settlement for audit control failures. Average HIPAA audit control violation: $750K.
📋 Audit Questions
- 1. Are audit logs enabled for ALL systems containing ePHI?
- 2. How long are audit logs retained? (HIPAA requires 6 years)
- 3. Who reviews audit logs and how frequently?
- 4. Can you demonstrate log review procedures?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Enabling audit logging but not retaining logs for the HIPAA-required 6 years
- ⛔ Not reviewing audit logs for unusual access patterns
- ⛔ Missing audit logging on EHR systems while only monitoring cloud infrastructure
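As an added example (not code from this page or from EchelonGraph), the following Python check turns the audit questions and pitfalls above into findings for one CloudTrail trail plus an inventory of ePHI systems. The trail and status dictionaries use the field names of CloudTrail DescribeTrails/GetTrailStatus and CloudWatch Logs retentionInDays; all sample data is constructed, and the inventory format and the 24-hour delivery threshold are assumptions.

```python
"""Check audit-log configuration against the HIPAA 164.312(b) questions above."""
from datetime import datetime, timedelta, timezone

HIPAA_RETENTION_DAYS = 6 * 365 + 2   # 6 years incl. leap days = 2192 (a CloudWatch Logs option)
MAX_DELIVERY_LAG = timedelta(hours=24)  # assumed threshold for "logging has silently stopped"


def evaluate_trail(trail, status, log_groups, now):
    """Return a list of findings (empty = compliant) for one trail.

    trail/status are shaped like DescribeTrails/GetTrailStatus responses;
    log_groups maps a CloudWatch Logs group ARN to retentionInDays (None = never expire).
    """
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail covers a single region only")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation disabled")
    last = status.get("LatestDeliveryTime")
    if last is None or now - last > MAX_DELIVERY_LAG:
        findings.append("no log delivery in the last 24h")
    arn = trail.get("CloudWatchLogsLogGroupArn")
    if arn is None:
        findings.append("no CloudWatch Logs group attached for review/alerting")
    else:
        retention = log_groups.get(arn)
        if retention is not None and retention < HIPAA_RETENTION_DAYS:
            findings.append(f"log group retention {retention}d is below {HIPAA_RETENTION_DAYS}d")
    return findings


def uncovered_systems(inventory):
    """Names of ePHI systems (EHR, billing, cloud) whose audit logging flag is False."""
    return [name for name, logged in inventory.items() if not logged]


# Constructed sample data: a trail that logs but fails validation and retention checks.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111111111111:log-group:phi-trail:*"
SAMPLE_TRAIL = {"Name": "phi-trail", "IsMultiRegionTrail": True,
                "LogFileValidationEnabled": False, "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN}
SAMPLE_STATUS = {"IsLogging": True, "LatestDeliveryTime": NOW - timedelta(hours=2)}
SAMPLE_LOG_GROUPS = {LOG_GROUP_ARN: 365}
SAMPLE_INVENTORY = {"cloud-account-prod": True, "ehr-app-server": False, "billing-db": True}

if __name__ == "__main__":
    for f in evaluate_trail(SAMPLE_TRAIL, SAMPLE_STATUS, SAMPLE_LOG_GROUPS, NOW):
        print("FINDING:", f)
    print("No audit logging:", uncovered_systems(SAMPLE_INVENTORY))
```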
📈 Business Value
HIPAA audit controls with 6-year retention provide complete access history for ePHI. Proactive log review detects insider threats and unauthorized access before they become breaches.
⏱️ Effort Estimate
4-8 hours to configure logging across all ePHI systems
EchelonGraph monitors audit log configuration and retention compliance
🔗 Cross-Framework References
Automate HIPAA 164.312(b) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.