OCR Emphasizes the Value of Creating and Keeping a Comprehensive IT Asset Inventory

Though risk analysis is a very important requirement of the HIPAA Security Rule, the Office for Civil Rights data breach investigations and compliance audits show that it is often not complied with. There are HIPAA-covered entities that completely ignored this requirement, but most cases of noncompliance were because of the inability to conduct a comprehensive risk analysis throughout the organization.

Before conducting a comprehensive risk analysis, it is necessary to know first how your organization receives ePHI, where it goes, where it is stored, and what systems are used to access that data. One common cause of risk analysis noncompliance is not understanding the location of all ePHI in the organization.

The Summer 2020 Cybersecurity Newsletter of OCR featured the essentiality of having  a complete information technology (IT) asset inventory and details its role in the risk analysis process. An IT asset inventory lists all the organization’s IT assets, including descriptions, serial numbers, names, and other data used to distinguish the asset, such as its location, version (operating system/application), and the individual responsible for the asset.

Although an IT asset inventory is not required under the HIPAA Security Rule, it is a helpful tool for the development of a complete, organization-wide risk analysis. It helps organizations to know where ePHI may be located, and improve their HIPAA Security Rule compliance.

An IT asset inventory does not just include physical hardware like mobile gadgets, servers, workstations, peripherals, portable media, firewalls, and routers. Software assets and applications, such as operating systems, anti-malware tools, email, administrative and financial records systems, databases, and electronic health record systems, are also included.

IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included. Data assets that contain ePHI that an organization generates, receives, stores on its electronic devices or and media, and sends via its network should be included as well.

Small healthcare providers can create and maintain an IT asset inventory manually. Large and more complex companies can use dedicated IT Asset Management (ITAM) solutions, which use automated discovery and update processes to make sure no asset is overlooked.

In creating an IT asset inventory, be sure to add assets that may be used to access ePHI or networks or ePHI storage devices. Though IoT devices are not used for storing or accessing ePHI, they may be used to get network or device access that enable ePHI viewing.

If vulnerable IoT devices are unpatched, an intruder could exploit it to get a foothold into a company’s IT network and possibly access ePHI. There have been several reported incidents such as this.

Organizations that lack a complete IT asset inventory may fail in recognizing and mitigating risks to ePHI. A comprehensive view of the company’s environment is necessary to ensure the performance of an accurate and detailed risk analysis that comply with the Security Rule.

Another purpose of an IT asset inventory is in the creation of policies and procedures that cover the acceptance and withdrawal of hardware and electronic media containing ePHI in and out of the company. The IT asset inventory can help spot unauthorized devices that someone connected to the network. It can also help ensure that no device, software, or IT asset is missed when performing updates and security patches.

The NIST Cybersecurity Framework can help organizations create an IT asset inventory. A guidance on IT asset management in its Cybersecurity Practice Guide published by NIST is available. Another tool from HHS that can help with IT asset management includes inventory capabilities that permit  manual or bulk input of asset information with regards to ePHI.