A detailed record of who accessed data, when, and how often might be the only way an organization can trace the source of a HIPAA breach. Ensuring the thoroughness of those logs should be a top priority for any healthcare organization, says former federal prosecutor Thomas G.A. Brown, senior managing director of the Global Risk & Investigations Practice with FTI Consulting in Washington, DC.

“Companies often do not have adequate logs, and so they don’t even know what they lost or how it happened,” Brown says. “They might know they’ve been breached, but they can’t figure out what data was accessed, much less who is responsible.”

It is a mistake to focus only on defending the computer system from attack, from outside or within, Brown says. Criminals eventually will find a way around even the best security, and incidents such as the Blue Cross Blue Shield Michigan screen shots show that insiders can steal data without leaving an obvious trail. But the computer log should reveal all, he says.

Internal segmentation of the data system should slow thieves, which prevents easy access across databases, but employees always will have access to protected health information (PHI), so Brown says the computer log can be used to determine when and how an employee accessed that data.

“The key thing is figure out what you lost, which is really important in the healthcare field, because you need to provide adequate notice to victims and other obligations under HIPAA,” Brown says. “If you know you lost something, but you don’t know what you lost, that’s going to complicate your efforts to comply with HIPAA’s obligations once you’re aware of the breach.”