Self-hosted HIPAA monitoring
March 2, 2026 · 6 min read
Healthcare applications that handle protected health information face a specific compliance problem that most security monitoring tools make worse. HIPAA requires audit trails and activity monitoring for systems that contain or use electronic PHI. To satisfy that requirement, organizations deploy monitoring tools that observe who accesses what, when, from where, and on what device. The monitoring itself generates detailed records of user behavior around sensitive health data.
When that monitoring runs on a SaaS platform, the audit data about PHI access leaves your infrastructure. Every login to your healthcare application, every record access, every field modification, every session detail flows to a third party's systems. The monitoring tool that is supposed to help you demonstrate HIPAA compliance creates a new data handling relationship that itself requires compliance management. You need a Business Associate Agreement with the monitoring vendor. You need to verify their safeguards. You need to document the data flow. The compliance tool adds to the compliance burden.
Self-hosted monitoring removes that third-party data flow. The audit data stays where the PHI stays: on your infrastructure, under your controls, governed by your policies. tirreno provides the audit trails and behavioral monitoring that HIPAA demands without introducing a third party into the PHI data flow.
What HIPAA actually requires for monitoring
HIPAA's Security Rule includes specific requirements around audit controls and activity monitoring that apply to any information system containing electronic PHI.
The audit controls standard requires implementing hardware, software, or procedural mechanisms that record and examine activity in systems that contain or use ePHI. Audit controls is a standard in its own right, not an addressable implementation specification, so there is no option to document an alternative instead of implementing it. The system must produce records of who did what, and those records must be reviewable.
The information system activity review standard requires regularly reviewing records of information system activity, including audit logs, access reports, and security incident tracking. This means actively monitoring logs for patterns that indicate unauthorized access or misuse, not simply generating them.
Login monitoring is specified as an addressable implementation specification under the security awareness and training standard. Addressable does not mean optional: an organization must implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate. Organizations are expected to track login attempts and report discrepancies. Failed login patterns, logins from unusual locations or devices, and credential stuffing indicators all fall under this requirement.
Person or entity authentication requires verifying the identity of anyone seeking access to ePHI. Monitoring that detects when authentication patterns are inconsistent with a user's established behavior supports this requirement by identifying sessions where the authenticated identity may not match the actual person.
What HIPAA does not require is sending audit data to a third party. The regulations are about what you monitor and how you review it, not where the monitoring platform is hosted. Self-hosted monitoring can satisfy the audit and monitoring requirements without introducing an external data processor into the PHI data flow; the obligation to actually review the records falls on your team in either model.
Where tirreno fits in a healthcare compliance stack
tirreno is not a complete HIPAA compliance solution. It does not handle encryption, physical safeguards, access control enforcement, or BAA management. It is a behavioral monitoring and audit trail tool that addresses the activity monitoring and audit controls portions of the Security Rule, running entirely on your own infrastructure.
For healthcare applications specifically, tirreno covers three areas that HIPAA auditors consistently examine.
Activity monitoring for PHI-containing systems. tirreno receives events from your application backend for every significant user action: logins, page views, record access, account changes, failed authentication attempts. Each event is stored with the user identity, IP address, device identity, timestamp, and event type. The activity page shows all events with trust scores, timestamps, IPs, IP types, and devices, giving compliance teams a real-time and historical view of system interaction.
Field-level audit trails for PHI modifications. When your application instruments field changes through the API, tirreno records every modification to tracked fields with the old value, the new value, the user who made the change, the device and IP of the session, and the timestamp. For a healthcare application, this means a searchable record of every change to patient records, billing information, or any other tracked PHI field, tied to the session that made it. When an auditor asks who modified a specific patient record and when, the answer is a query against your own database. Because that trail holds the old and new values of PHI fields, the tirreno database is itself an ePHI store and must sit inside the same safeguards (access control, encryption at rest, backups) as the application database it describes.
Behavioral anomaly detection for unauthorized access. The insider_threat preset weights the rules most relevant to detecting unusual access patterns by authorized users: logins from unfamiliar devices or locations, sessions at unusual hours, dormant accounts that reactivate, and activity that deviates from a user's established behavioral baseline. The account_takeover preset covers the external threat: compromised credentials used to access the system, credential stuffing against the login endpoint, and account changes that indicate a session is controlled by someone other than the legitimate user.
Why SaaS monitoring complicates healthcare compliance
When a healthcare organization uses a SaaS monitoring platform, the audit data about PHI access becomes a data flow that requires its own compliance management. The monitoring vendor qualifies as a business associate under HIPAA because it receives information about who is accessing PHI, when, from where, and what they are doing with it. In practice that audit data routinely carries patient identifiers (record IDs in URLs, changed field values), and even where it does not, the pattern of PHI access across an organization is information that HIPAA's privacy and security provisions are designed to protect.
The practical consequences compound. You need a BAA with the monitoring vendor. You need to verify their safeguards against the Security Rule. You need to document the data flow in your risk assessment and include the vendor in your breach notification procedures, because a breach of the audit data (which reveals the patterns of PHI access across your organization) may itself be a reportable event. Audit trail failures are among the most commonly cited deficiencies in HHS enforcement actions.
SaaS vendors also control the retention of your audit data. HIPAA requires retaining certain documentation for six years. If the vendor's retention policy is shorter, if the vendor changes their terms, or if the vendor is acquired or shut down, your compliance documentation is at risk on infrastructure you do not control.
Self-hosted monitoring removes these concerns. There is no business associate relationship for the monitoring itself. Audit data retention is governed by your policy. The data lives on infrastructure where your existing HIPAA safeguards already apply.
What this looks like in practice
A healthcare organization running an internal patient management application instruments it to send events to a tirreno instance on their own infrastructure. Every login, every record view, every field modification is sent as an event with full session context.
The insider_threat preset is applied from the rules page. An employee who normally accesses records during business hours from a workstation on the internal network and suddenly begins accessing records at night from a personal device on a residential IP accumulates risk signal. The scoring thresholds determine whether the account is flagged for review by the compliance team or automatically suspended pending investigation.
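The scoring logic this scenario and the earlier insider_threat paragraph describe, as an added example in Python that is not tirreno's code: a constructed event stream is scored against a per-user baseline for the four signals the text names (unfamiliar device, off-hours access, non-internal IP, dormant account reactivation), and each event is routed to "ok", "review" or "suspend". The internal networks, business hours, weights, thresholds and the sample events are assumptions chosen for the illustration; in tirreno the equivalents come from the preset and your threshold settings.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed policy values for the illustration (in tirreno: preset rules and threshold settings).
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 clinic local time
DORMANT_AFTER = timedelta(days=60)     # silence this long, then activity: "dormant account reactivates"
MIN_BASELINE_EVENTS = 5                # do not score deviations before a per-user baseline exists
WEIGHTS = {"unfamiliar_device": 30, "off_hours": 20, "external_ip": 25, "dormant_reactivation": 40}
REVIEW_THRESHOLD = 30                  # flag for the compliance team
SUSPEND_THRESHOLD = 70                 # suspend pending investigation


@dataclass
class Profile:
    """What monitoring has observed about one user so far: the behavioral baseline."""
    devices: set = field(default_factory=set)
    last_seen: Optional[datetime] = None
    events: int = 0


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def signals_for(event, profile):
    """Names of the deviations this event shows against the user's baseline."""
    if profile.events < MIN_BASELINE_EVENTS:
        return []                      # still learning; every early event would look unfamiliar
    found = []
    if event["device"] not in profile.devices:
        found.append("unfamiliar_device")
    if event["time"].hour not in BUSINESS_HOURS:
        found.append("off_hours")
    if not is_internal(event["ip"]):
        found.append("external_ip")
    if profile.last_seen and event["time"] - profile.last_seen > DORMANT_AFTER:
        found.append("dormant_reactivation")
    return found


def score_events(events):
    """Score events in time order; the baseline is updated only after an event has been scored."""
    profiles, results = {}, []
    for e in sorted(events, key=lambda x: x["time"]):
        p = profiles.setdefault(e["user"], Profile())
        sig = signals_for(e, p)
        score = sum(WEIGHTS[s] for s in sig)
        action = "suspend" if score >= SUSPEND_THRESHOLD else "review" if score >= REVIEW_THRESHOLD else "ok"
        results.append({"user": e["user"], "time": e["time"].isoformat(), "type": e["type"],
                        "signals": sig, "score": score, "action": action})
        p.devices.add(e["device"])
        p.last_seen = e["time"]
        p.events += 1
    return results


def ev(user, when, ip, device, kind="login"):
    return {"user": user, "time": datetime.fromisoformat(when), "ip": ip, "device": device, "type": kind}


# Constructed sample stream, not real logs: a nurse with a daytime, internal-network baseline who
# then views records at 23:15 from a personal phone on a residential IP, and a second user who
# returns after three months of silence from the usual workstation during business hours.
SAMPLE_EVENTS = (
    [ev("jsmith", "2026-02-%02dT09:30:00" % d, "10.1.2.15", "ws-041") for d in range(2, 8)]
    + [ev("jsmith", "2026-02-09T23:15:00", "73.162.8.40", "iphone-7c", "record_view")]
    + [ev("rlee", "2025-11-%02dT14:00:00" % d, "10.1.3.22", "ws-112") for d in range(3, 9)]
    + [ev("rlee", "2026-02-10T10:05:00", "10.1.3.22", "ws-112", "record_view")]
)


def flagged(events=SAMPLE_EVENTS):
    """Only the events that crossed a threshold."""
    return [r for r in score_events(events) if r["action"] != "ok"]


if __name__ == "__main__":
    for r in flagged():
        print(r["time"], r["user"], r["action"], r["score"], r["signals"])
```

The order of operations matters: the event is scored against the baseline first and folded into it afterwards, otherwise the first login from a new phone would teach the profile that the phone is familiar before it is judged. The warm-up gate is the other piece worth keeping: with no minimum, every early event from a new hire would be scored as an anomaly and the compliance queue would fill with noise.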
The field audit trail is configured for PHI fields. When a user modifies a patient address, updates insurance information, or changes a diagnosis code, the change is recorded with the old value, new value, user identity, device, IP, and timestamp. The compliance team can search this trail by user, by field, by date range, or by any combination.
When an auditor reviews the organization's HIPAA compliance, the activity monitoring and audit trail evidence comes from the organization's own database. The monitoring methodology is documented in open-source code that the auditor can inspect. The rules that flag unusual behavior are readable and explainable. There is no vendor black box to account for and no third-party data flow to justify.
Getting started
You can see how tirreno handles HIPAA-relevant monitoring in an afternoon.
Install. Deploy a tirreno instance on any server or container you control. The administration guide covers setup and configuration.
Send a few events. Point your application at the tirreno event API and start with logins and record access. Each event needs a user identity, timestamp, IP, and event type. The developer guide has the API schema.
Apply a preset. Open the rules page and activate the insider_threat preset. Browse the activity page to see how events are scored and what signals contribute to each score.
Try field-level tracking. Instrument one PHI field change (a patient address update, an insurance modification) and watch the audit trail appear with old value, new value, session context, and timestamp.
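Steps 2 and 4 in code, as an added example that is not part of the original page and not tirreno's own client: a small Python helper a healthcare backend could use to send login, record-access and field-change events to a self-hosted instance. The endpoint path, the Api-Key header, the parameter names, the eventType labels and the eventPayload parameter used to carry a field's old and new values are assumptions for the illustration; check each against the developer guide for your version. The part worth keeping whatever the parameter names turn out to be is the delivery behavior: a short timeout so monitoring can never stall a clinical request, and a local spool so an unreachable monitoring host never silently drops audit evidence.

```python
import json
import tempfile
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from pathlib import Path


class TirrenoAuditClient:
    """Sends audit events from an application backend to a self-hosted tirreno instance.

    ASSUMPTIONS (illustrative, not from the page; verify against the developer guide):
    POST <base_url>/sensor/ with form-encoded fields, API key in an 'Api-Key' header,
    field names userName/ipAddress/userAgent/url/httpMethod/httpCode/eventTime/eventType,
    field-level changes carried as JSON in a parameter here called eventPayload.
    """

    def __init__(self, base_url, api_key, spool_path, transport=None, timeout=2.0):
        self.url = base_url.rstrip("/") + "/sensor/"
        self.api_key = api_key
        self.spool = Path(spool_path)      # append-only fallback on the same protected host
        self.timeout = timeout             # monitoring must never stall the clinical request path
        self.transport = transport or self._http_post

    def _http_post(self, event):
        body = urllib.parse.urlencode(event).encode()
        req = urllib.request.Request(self.url, data=body, headers={"Api-Key": self.api_key})
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            return resp.status

    @staticmethod
    def build_event(user, ip, user_agent, url, event_type, http_method="GET",
                    http_code=200, payload=None, when=None):
        when = when or datetime.now(timezone.utc)          # always UTC, always timezone-aware
        event = {"userName": user, "ipAddress": ip, "userAgent": user_agent, "url": url,
                 "httpMethod": http_method, "httpCode": http_code,
                 "eventTime": when.isoformat(timespec="seconds"), "eventType": event_type}
        if payload is not None:
            event["eventPayload"] = json.dumps(payload, sort_keys=True)
        return event

    def login_event(self, user, ip, ua, success, when=None):
        return self.build_event(user, ip, ua, "/login", "login", "POST", 200 if success else 401, when=when)

    def record_access_event(self, user, ip, ua, record_id, when=None):
        return self.build_event(user, ip, ua, "/patients/%s" % record_id, "record_view", when=when)

    def field_change_event(self, user, ip, ua, record_id, field_name, old, new, when=None):
        # old/new values of a PHI field: this payload is ePHI, so it may only travel to a
        # monitoring store that sits inside the same safeguards as the application database.
        payload = {"record": record_id, "field": field_name, "old": old, "new": new}
        return self.build_event(user, ip, ua, "/patients/%s/%s" % (record_id, field_name),
                                "field_change", "POST", 200, payload, when)

    def send(self, event):
        """Deliver one event; on any failure spool it so the audit trail is never silently incomplete."""
        try:
            if 200 <= self.transport(event) < 300:
                return "sent"
        except Exception:
            pass
        with self.spool.open("a") as f:
            f.write(json.dumps(event, sort_keys=True) + "\n")
        return "spooled"

    def replay_spool(self):
        """Re-send spooled events from a scheduled job; returns how many were delivered."""
        if not self.spool.exists():
            return 0
        remaining, delivered = [], 0
        for line in self.spool.read_text().splitlines():
            try:
                if 200 <= self.transport(json.loads(line)) < 300:
                    delivered += 1
                    continue
            except Exception:
                pass
            remaining.append(line)
        self.spool.write_text("".join(l + "\n" for l in remaining))
        return delivered


def demo():
    """Exercise the client offline with stand-in transports: tirreno unreachable, then back up."""
    received = []

    def tirreno_down(event):
        raise OSError("connection refused")

    def tirreno_up(event):
        received.append(event)
        return 200

    spool = Path(tempfile.mkdtemp()) / "tirreno-spool.jsonl"
    client = TirrenoAuditClient("https://tirreno.clinic.internal", "API-KEY", spool, transport=tirreno_down)
    t = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)          # constructed timestamp
    ua = "Mozilla/5.0 (workstation ws-041)"
    events = [client.login_event("nurse.jsmith", "10.1.2.15", ua, True, t),
              client.record_access_event("nurse.jsmith", "10.1.2.15", ua, "4412", t),
              client.field_change_event("nurse.jsmith", "10.1.2.15", ua, "4412", "address",
                                        "12 Old St", "9 New Ave", t)]
    first = [client.send(e) for e in events]       # all spooled while tirreno is down
    client.transport = tirreno_up
    replayed = client.replay_spool()               # all three delivered, spool emptied
    return {"first": first, "replayed": replayed, "received": received,
            "leftover": client.replay_spool(), "events": events}


if __name__ == "__main__":
    out = demo()
    print(out["first"], out["replayed"], out["leftover"])
    print(json.loads(out["received"][2]["eventPayload"]))
```

Run the replay from a scheduled job on the same host. The spool file carries the same old and new field values as the events themselves, so it holds ePHI and needs the application's file permissions and encryption at rest; if it is ever allowed to grow unbounded, a long monitoring outage becomes a disk-full incident on the clinical server, so cap it and alert on it.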
That is enough to evaluate whether the monitoring model fits your compliance workflow. From there, tuning thresholds, expanding event coverage, and hardening the deployment for production are incremental steps.
Keeping HIPAA audit evidence under your control
The core problem with outsourcing compliance monitoring is a problem of custody. The evidence that proves you are compliant with HIPAA's monitoring requirements is only as secure and as available as the system that holds it. When that system belongs to a vendor, your compliance posture depends on their operational continuity, their security practices, and their contractual terms.
Self-hosted monitoring collapses that dependency. The audit evidence lives alongside the data it describes, protected by the same safeguards, retained on your schedule, and available to auditors without a vendor intermediary. The detection logic is open source and inspectable. The rules are readable. The evidence is yours.
Download at tirreno.com/download.