The Office for Civil Rights (OCR) recently issued guidance to include information technology asset inventories in risk assessments. This directive forms part of the HIPAA Security Rule provisions designed to assist organizations in adopting robust measures to safeguard sensitive information.
Tom Martinez, who provides IT services in Grand Rapids and works within the healthcare space shares insights into all the new direction of risk assessments.
In the latest release, OCR noted that incorporating IT asset inventories helps implement a comprehensive risk analysis. However, the inclusion of inventories is not a requirement of the security rule. Organizations should consider creating and maintaining the asset inventory to enhance data protection efforts.
When implemented appropriately, the approach becomes a useful tool to help entities identify and track storage and the movement of electronic protected health information (ePHI). By adopting the latest guidance, organizations improve compliance with the HIPAA Security Rule.
In the past, OCR fined countless entities for failing to conduct comprehensive and accurate risk assessments. The lack of a clear understanding of ePHI storage and movement is one of the common reasons for appropriately implementing risk assessments. Without adequate knowledge about ePHI storage locations, it is challenging for organizations to implement adequate security measures.
Keeping an IT Asset Inventory
Information technology assets that should form part of risk assessments include hardware and software. They also incorporate assets like the Internet of Things (IoT) devices, which do not process or store electronic protected health information directly. These assets can trigger vulnerabilities to IT equipment and software programs used to store ePHI.
Data assets typically enable entities to create, manage, and transmit on various media, networks, and devices. The assets help process ePHI based on an organization’s workflows. OCR recommends that organizations consider how they process and utilize ePHI between departments. Doing so allows entities to conduct a more thorough and accurate risk assessment.
By listing electronic devices that come into contact with ePHI, it becomes easier to maximize control. Additionally, organizations safeguard the availability, integrity, and confidentiality of protected health information. Each inventory list must incorporate a detailed description of data stored on the listed devices.
Names and versions (operating system or app version) of the electronic devices should appear on the inventory sheets. The same applies to the names of end-users and personnel responsible for the device’s maintenance. Asset assignment information also indicates the employee tasked with keeping track of an asset’s location.
Asset and Risk Assessment Tools
The HHS Security Risk Assessment Tool incorporates the capabilities of the inventory, which enable batch processing or manual entry of asset details in connection with ePHI. Larger organizations with complex IT infrastructure can employ a dedicated IT Asset Management (ITAM) solution. This type of tool comes with automated processes for listing and updating assets.
Meanwhile, organizations using the NIST Cybersecurity Framework (NCF) can take advantage of the NCF’s inventory features. The framework provides access to comprehensive inventory components, which cover hardware, software, data flows, and mapping communication. These components make it easier to create and manage inventory for various types of information technology assets.
These inventory tools are ideal for tracking software assets like email, operating systems, antivirus programs, databases, and accounting software. When it comes to hardware, the tools track workstations, routers, peripherals, removable media, servers, and mobile devices.
Enhancing Your Organization’s Risk Assessments
Understanding your organization’s ePHI processing and data storage is the first step to improving risk analysis. In doing so, you identify potential risks capable of exposing electronic protected health information. Vulnerabilities may emerge from peripheral IT assets that form part of the broader infrastructure but do not directly store or process ePHI.
Hackers can take advantage of peripheral assets to compromise the security of protected health information in databases and applications. An intrusion comprises the integrity, confidentiality, and availability of sensitive information. IT assets like smart, connected devices can present bad actors with a soft entry point even if they do not store ePHI.
Unpatched IoT devices with weak passwords allow unauthorized access to an organization’s IT network. The hacker can exploit the vulnerability to reach core assets in the network. Without an IT asset inventory, an organization’s mitigation and recognition procedures may leave gaps that create unwanted vulnerabilities.
Compiling a comprehensive inventory also contributes to a robust overall cybersecurity status and HIPAA compliance. Organizations enhance data protection by controlling the movement of information technology assets containing ePHI within and outside the premises. Tracking asset movement should become part of the inventory process.
The ability to track technology assets has become crucial for many organizations, as networks are increasingly expansive and complex. Workers use removable media and mobile devices to handle their day-to-day duties.
Stuart Crawford serves as Managing Partner with Ulistic LP, a specialty MSP Marketing firm focused on information technology marketing and business development. He brings a wealth of knowledge and experience pertaining to how technology business owners and IT firms can use marketing as a vehicle to obtain success.