OIT has an internal standard for logging, monitoring and auditing that applies to all servers managed by CU Denver OIT. Click here to view the version that was effective as of July 1, 2017. Please contact OIT's Risk and Compliance team for the most up-to-date version.
According to the standard, the following details are logged and saved on a centralized logging server for at least six months:
The events related to the following categories are logged:
As applicable, the most secure SEHD data are subject to the UCD Auditing HIPAA Policy 9.3. The auditing policy requires that units that hold medium- to high-risk ePHI create an Audit Control and review Plan. Within that plan it states:
The system hardware, software, and applications must have the capability of creating log files. These logs must include, but are not limited to:
Units must monitor login success and failure to systems that host ePHI. To ensure that unauthorized login attempts are discovered, discrepancies or unusual login patterns must be reported to the department administrator and HIPAA Security Officer.