HIPAA - Log-in Monitoring 164.308(a)(5)(ii)(C)
Overview:
Procedures for monitoring log-in attempts and reporting discrepancies.
Action Items:
1) Obtain and review procedures (or other vehicle) for monitoring log-in attempts and reporting discrepancies, and related training material. Elements to review may include, but are not limited to: workforce members' roles and responsibilities in monitoring log-in attempts and reporting discrepancies; how log-in monitoring is conducted; how to identify an inappropriate or attempted log-in; and the action(s) to be taken in response to an inappropriate or attempted log-in.
2) Obtain and review documentation demonstrating that procedures are in place to monitor log-in attempts and report discrepancies. Evaluate and determine whether such procedures are in accordance with the procedures for monitoring log-in attempts and reporting discrepancies described in the training material.
3) Obtain and review documentation of the workforce members and role types who should be trained on the procedures for monitoring log-in attempts and reporting discrepancies. Obtain and review documentation of the workforce members who were trained on those procedures. Evaluate and determine whether the appropriate workforce members are being trained on them.
Related Documents:
1) Documented procedures (or other vehicle) for monitoring log-in and reporting discrepancies and related training material.
2) Documentation demonstrating that procedures are in place to monitor log-in attempts and report discrepancies.
3) Documentation of the workforce members and role types who should be trained on the procedures for monitoring log-in attempts and reporting discrepancies.
Additional Guidance:
Typically, an inappropriate or attempted log-in occurs when someone enters multiple combinations of usernames and/or passwords in an attempt to access an information system. Fortunately, many information systems can be set to identify multiple unsuccessful log-in attempts. Other systems might record the attempts in a log or audit trail. Still others might require a password reset after a specified number of unsuccessful log-in attempts.
If smaller covered entities are not using, or are not familiar with, their systems' capabilities for handling these types of log-in attempts, they should contact their system vendor or read their application software manuals for more information. Once capabilities are established, the workforce must be made aware of how to use and monitor them.
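For a system that only records attempts in a log or audit trail, the review described above can be automated. The following is an added example, not part of the original guidance: it flags repeated failures against one account and many usernames tried from one source. The log format, the threshold of 3 and the 5-minute window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04T08:00:01 LOGIN_FAIL user=jsmith src=10.0.0.5
2024-03-04T08:00:30 LOGIN_FAIL user=jsmith src=10.0.0.5
2024-03-04T08:01:10 LOGIN_FAIL user=jsmith src=10.0.0.5
2024-03-04T08:15:00 LOGIN_FAIL user=alice src=10.0.0.9
2024-03-04T08:15:05 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-04T08:15:10 LOGIN_FAIL user=carol src=10.0.0.9
2024-03-04T08:30:00 LOGIN_FAIL user=mlee src=10.0.0.7
2024-03-04T08:30:20 LOGIN_FAIL user=mlee src=10.0.0.7
2024-03-04T08:30:40 LOGIN_OK user=mlee src=10.0.0.7
2024-03-04T08:31:00 LOGIN_FAIL user=mlee src=10.0.0.7
2024-03-04T09:00:00 LOGIN_FAIL user=dkim src=10.0.0.8
2024-03-04T09:10:00 LOGIN_FAIL user=dkim src=10.0.0.8
2024-03-04T09:20:00 LOGIN_FAIL user=dkim src=10.0.0.8
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")
THRESHOLD = 3                   # assumed "specified number" of failed attempts
WINDOW = timedelta(minutes=5)   # assumed look-back window

def parse(text):
    """Yield (timestamp, event, user, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, event, user, src = m.groups()
            yield datetime.fromisoformat(ts), event, user, src

def find_discrepancies(text, threshold=THRESHOLD, window=WINDOW):
    """Return a sorted list of (kind, key) findings to report."""
    by_user = defaultdict(list)  # user -> recent failure timestamps
    by_src = defaultdict(list)   # source -> recent (timestamp, user) failures
    findings = set()
    for ts, event, user, src in sorted(parse(text)):
        if event == "LOGIN_OK":
            by_user[user].clear()  # a successful log-in resets the account count
            continue
        by_user[user] = [t for t in by_user[user] if ts - t <= window] + [ts]
        by_src[src] = [(t, u) for t, u in by_src[src] if ts - t <= window] + [(ts, user)]
        if len(by_user[user]) >= threshold:
            findings.add(("repeated_failures_for_account", user))
        if len({u for _, u in by_src[src]}) >= threshold:
            findings.add(("many_usernames_from_source", src))
    return sorted(findings)
```

The mlee and dkim entries show two cases that should not be reported under these assumptions: a mistyped password followed by a successful log-in, and failures spread over a period longer than the window.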