Logging and auditing

Sumo Logic is used to capture, monitor, and analyze server-side logs.

Rollbar is used to capture, monitor and analyze client-side software logs.

Kissmetrics is used to capture user activity logs (data access, in-app activity).

Crashlytics is used to capture crash reports from mobile clients.


Tidepool maintains a Business Associate Agreement (BAA) for HIPAA compliance with both Sumo Logic and Rollbar, since both services may handle PHI.

Sumo Logic application-service logs and analysis are available only to the six employees who maintain Tidepool's infrastructure. Rollbar logs are available to all developers.

Monitoring, audit controls, and system activity review are documented and comply with 45 CFR 164.308(a)(5)(ii)(C), 45 CFR 164.312(b), and 45 CFR 164.308(a)(1)(ii)(D).

Tidepool implements administrative safeguards compliant with 45 CFR 164.308(a)(1) and addressable safeguards compliant with 45 CFR 164.308(a)(3).

All application logs are stored on encrypted filesystems within Virtual Private Clouds (VPCs), as described in https://tidepool.atlassian.net/wiki/spaces/PUBSEC/pages/862128669. Access to instances containing PHI is recorded via operating-system logging mechanisms.

All logs are stored with integrity protection (checksums or equivalent), so that the integrity of every log and audit record can be validated after the fact.

Where possible, logs are stored on write-once (append-only) media, with no capability to modify data after it has been written.

Where possible, logs are shipped off the host or application that generates them, so that a compromise of that host cannot silently alter its own log history.

Audit activity as defined by our Operations Security Policy:

  • Log user log-in and log-out

  • Log CRUD (create, read, update, delete) operations on application and system users and objects

  • Log security settings changes (including disabling or modifying of logging)

  • Log application owner or administrator access to customer data (i.e. Access Transparency)

  • Each log entry includes the user ID, IP address, a valid timestamp, the type of action performed, and the object of that action.

  • Logs are stored for at least seven (7) years, or until they are no longer needed, whichever is longer.

At this time, Tidepool retains operational logs and audit trails indefinitely.
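The integrity-protection and audit-record requirements above (checksums over stored logs, off-host verification, and the user ID / IP / timestamp / action / object fields each entry must carry) can be combined in one tamper-evident design: each record is linked to its predecessor and authenticated with a keyed MAC, so editing, deleting or reordering a stored line is detectable. The following is an added illustrative example written for this page; it is not Tidepool's implementation, and the key, field names, action vocabulary and sample events are assumptions made for the example.

```python
"""Tamper-evident audit trail: each record carries the audit fields the
policy lists (user ID, IP, timestamp, action, object) and is chained to its
predecessor with an HMAC-SHA256, so modification, deletion or reordering of
any stored line is detected at verification time.

Illustrative example only (not Tidepool code). Key, field names and sample
events are assumptions for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the key is held off the host that writes the log (e.g. in the
# log aggregator), so an attacker on the host cannot re-sign edited records.
VERIFY_KEY = b"example-key-held-off-host"

REQUIRED_FIELDS = ("user_id", "ip", "timestamp", "action", "object")
# Assumed action vocabulary covering the policy's event classes above.
ACTIONS = {"login", "logout", "create", "read", "update", "delete",
           "security_setting_change", "admin_access"}

# Fixed starting link so the very first record is also chained to something.
GENESIS = hashlib.sha256(b"audit-chain-genesis").hexdigest()


def canonical(record):
    """Deterministic JSON bytes so the MAC covers identical input on write and verify."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_mac, user_id, ip, action, obj, timestamp=None, key=VERIFY_KEY):
    """Build one audit record linked to the previous record's MAC."""
    if action not in ACTIONS:
        raise ValueError("unknown audit action: %s" % action)
    record = {
        "user_id": user_id,
        "ip": ip,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "action": action,
        "object": obj,
        "prev": prev_mac,  # MAC of the previous record: the chain link
    }
    missing = [f for f in REQUIRED_FIELDS if not record[f]]
    if missing:
        raise ValueError("audit record missing required fields: %s" % missing)
    record["mac"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record


def write_chain(events, key=VERIFY_KEY):
    """Serialize (user_id, ip, action, object, timestamp) tuples into chained JSON lines."""
    lines, prev = [], GENESIS
    for user_id, ip, action, obj, ts in events:
        rec = make_record(prev, user_id, ip, action, obj, ts, key)
        lines.append(json.dumps(rec, sort_keys=True))
        prev = rec["mac"]
    return lines


def verify_chain(lines, key=VERIFY_KEY):
    """Return (True, None) if every line is intact and correctly linked,
    otherwise (False, index_of_first_bad_line)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
            claimed = rec.pop("mac")
        except (ValueError, KeyError, AttributeError):
            return False, i  # unparseable or unsigned line
        if rec.get("prev") != prev:
            return False, i  # a record was deleted, inserted or reordered
        if any(f not in rec for f in REQUIRED_FIELDS):
            return False, i  # schema violation
        expected = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(claimed, expected):
            return False, i  # the content of this record was modified
        prev = claimed
    return True, None


# Constructed sample events for the example (not real Tidepool data).
SAMPLE_EVENTS = [
    ("u-1001", "203.0.113.5", "login", "session/9f2", "2024-03-01T10:00:00+00:00"),
    ("u-1001", "203.0.113.5", "read", "patient/4a7/data", "2024-03-01T10:00:05+00:00"),
    ("ops-07", "198.51.100.9", "admin_access", "patient/4a7", "2024-03-01T11:20:00+00:00"),
    ("ops-07", "198.51.100.9", "security_setting_change", "logging/level", "2024-03-01T11:21:00+00:00"),
    ("u-1001", "203.0.113.5", "logout", "session/9f2", "2024-03-01T12:00:00+00:00"),
]


def demo():
    """Write the sample chain, then show that edits and deletions are caught."""
    lines = write_chain(SAMPLE_EVENTS)
    intact = verify_chain(lines)
    # An insider edits the stored file to disguise the admin access as a normal read.
    tampered = list(lines)
    tampered[2] = tampered[2].replace('"admin_access"', '"read"')
    edited = verify_chain(tampered)
    # The same insider simply removes the admin-access line instead.
    deleted = verify_chain(lines[:2] + lines[3:])
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

The verifier is meant to run where the key lives, i.e. on the aggregator side rather than on the producing host, which is what makes the off-host shipping requirement above meaningful: an attacker who can rewrite the local file still cannot produce a valid MAC for the altered record or for the records that follow it.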

The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.