Information System Activity Review

By Adam Kehler & David Mertz on November, 10 2021

Get latest articles directly in your inbox, stay up to date

Back to main Blog
Adam Kehler & David Mertz

Online Business Systems (Online) conducts dozens of HIPAA Compliance and Security Risk Assessments* annually. One finding we see come up consistently across Clients, is the lack of a formal Information System Activity Review.

Info blog 3

What is HIPAA Security Information System Activity Review?   


This requirement, tucked into the Security Management Process Standard of the HIPAA Security Rule reads as follows: 

  • 164.308(a)(1)(ii)(D): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

The purpose of information system activity reviews is to identify potential new and ongoing threats to ePHI across the enterprise. Which begs the question: What is an Information System Activity Review and, why are they important?   

Performing system activity reviews is not just a HIPAA requirement.  Any industry which stores, processes, or transmits sensitive consumer information is required to perform system activity reviews.  These security frameworks  (i.e., NIST CSF, NIST SP 800-53, ISO 27001/2, PCI-DSS, CIS Controls) require the monitoring of network activity to identify anomalous behavior; though they may use different language (i.e., security monitoring, log monitoring) to do so.   

What specifically do HIPAA and PCI, NIST CSF, CIS require to perform system activity reviews?  

  • Effective asset management – You can only monitor what you know.
  • Transparent Data Access Management – Monitoring of internal and external user activity for unauthorized access to confidential consumer information including ePHI.
  • Security Controls – Are your security controls (i.e., Anti-virus, intrusion detection, application firewalls, configuration management) operating properly.   

  • Log Monitoring Operations – Identify bad actors and anomalous behavior. 

  • Response to Exceptions – Responding to alerts generated by system activity reviews and security controls.  

As external attacks become more sophisticated and insider attacks more frequent, an organization cannot simply rely on protective security controls. They must assume security incidents will happen and take steps to ensure that, when (not if) they occur, they will be detected.

It is nearly impossible to monitor EVERYTHING, so it is important to take a risk-based approach to activity reviews and focus on the most likely threats. By doing this, organizations can save effort and money while maximizing the effectiveness of the reviews. 

Once you have a system activity review process in place, you will want to test its effectiveness; this is something our team routinely is asked to do. By evaluating what you have, we are able to identify practical ways your company can more quickly identify threats posed by both internal and external actors including ransomware, data theft, network compromise, and unauthorized access to medical records.   

A recent Verizon study found almost 40% of breaches take months or years to detect.  This is down from findings in previous reports largely due to increasing Ransomware infections where the bad actor lets you know you have a problem in hours or days instead of lurking in your network and stealing data for months and years. 

We love to help our clients tune their information system activity reviews to identify potential bad actors before a ransom demand is ever made. 

To contact Adam, David, or our RSP team, please email

* In the United States, healthcare providers, payors, clearinghouses, and Business Associates must be compliant with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). In Canada, organizations must wade through a mixture of provincial and federal Privacy and Security legislations.

Information security provides the basis for trust in the healthcare industry.
Online Business Systems has 20-years of experience within the healthcare industry and over 20-years of experience in the security arena. Our approach to security risk analysis goes beyond adherence to the HIPAA Security Rule. We identify realistic threats to the organization’s information and systems and present them in a manner that is meaningful and actionable to the business decision-makers.

Online is much more than an assessor. Online will walk alongside the organization to ensure that security and compliance risks are identified in a timely manner and addressed using a risk-based decision-making methodology that results in security controls that are impactful and right-sized for the organization.


  About Adam Kehler and David Mertz

Adam Kehler cropped Adam Kehler is the Director of RSP Healthcare Services at Online Business Systems. Adam has conducted hundreds of HIPAA Security Risk Assessments, HIPAA COmpliance engagements, and is a trusted advisor, or vCISO, to several organizations that have a wide array of Privacy, Security, and Compliance needs. 


David Mertz - Professional Headshot-1

David Mertz is a Principal Consultant with our Risk, Security & Privacy Practice. As an experienced compliance, data security, and risk professional, David performs Security Risk Assessments and helps Clients maximize their security monitoring operations implementations. 



Submit a Comment

Get latest articles directly in your inbox, stay up to date