HIPAAGuidance on HIPAA IT Asset Inventories

Table of Content

• Introduction
• Everything About IT Asset Inventory
• HIPAA Risk Analysis
• OCR and its Advice to Implement HIPAA IT Asset Inventory
• Conclusion

Having an information system asset inventory is not compulsory for every business that falls under compliance but if you have one, it will help in meeting several requirements of the  HIPAA Security Rule like information system activity review, risk analysis and management, audit controls, and device & media management. Managing healthcare assets and sensitive data is covered under the act of HIPAA compliance. Easier to say than to follow, it is a favorable option for businesses to know about the importance of HIPAA compliance to protect them from any kind of data breaches. An asset inventory is something that does more than just tracking the hardware of your system. 

As per the HIPAA Security Rule Crosswalk to NIST, assets inventory enables companies to achieve critical business goals. Besides, there are a few benefits for businesses involved in the healthcare department and has systems like EHR/EMR systems, hospital management systems. These benefits are up-to-date business operations, streamlined risk management, and reduced financial costs. And all this is because of the HIPAA IT asset inventory approach. 

To get an exact idea about the concepts like IT asset inventory and HIPAA risk analysis & management, let us go through this blog.  

Everything about IT Asset Inventory

• What is an IT Asset Inventory?

An IT asset inventory is nothing but a comprehensive, complete, and current list of all the information technology (IT) assets of any company. These assets include computer workstations and mobile devices. It also includes infrastructure like network routers, firewalls, and file servers. 

IT assets also include software like email applications, remote & virtual access programs, operating systems, administrative tools, and databases. Besides, something that is the most relevant to HIPAA is that an IT asset inventory must have data assets – customer information, financial information, payment, and ePHI (electronically protected health information).

This shows that the definition of IT asset inventory is clear. But the expertise required to create one is not insignificant. The Office for Civil Rights (OCR) keeps an eye on the HIPAA violations and finds out that there are many organizations that lack sufficient understanding of where all of the electronically protected health information is located.

• What is included in an IT Asset Inventory?

As per the U.S. Department of Health and Human Services, the IT asset inventory of an enterprise is a comprehensive listing of all the assets that the organization holds with the descriptive information like version of the asset, data regarding the identification of the asset, and asset assignment. And this is why the IT asset inventory separates entries into three main categories:

Software Assets: They are the applications and programs that run on an organization’s electronic devices.

Hardware Assets: They include all the physical components like media and electronic devices and media.

Data Assets: They include all the data that a company receives, creates, maintains, and transmits on its media, electronic devices, and network.

• How do you Create one Effectively?

When it comes to a small organization, having just a simple spreadsheet may suffice. But when the company starts growing and has dozens of devices, employees, and databases, a more robust solution is required. And for this, there are some freely available tools that can be helpful.

The HHS Security Risk Assessment Tool is a system that includes all the essential inventory features that can easily support both importing of asset information or manual entries. Besides this, it helps the healthcare providers to conduct a security risk assessment which is advised by the HIPAA Security Rule. In addition to that, this tool also supports the Medicaid Electronic Health Record (EHR).

Besides this, when we talk about larger organizations, they mainly follow the NIST Cybersecurity Framework (NCF) and because of that, they can use the IT Asset Management section which covers data networks (ID.AM-3),  inventorying software (ID.AM-2), inventorying hardware (ID.AM-1), and mapping communication.

HHS suggests that when an organization is big and has complex operations, it can go for dedicated IT Asset Management (ITAM) solutions that come with updated automated discovery for assets.

Now, after understanding the concept of IT asset management and how an organization can create it. Let us go through HIPAA risk analysis and learn more about it. 

HIPAA Risk Analysis

• What is Risk Analysis?

Risk analysis is nothing but a concept that involves identifying the digital assets of any practice. This includes all ePHI created, received, maintained, or transmitted by the practice. This process identifies the vulnerabilities and risks that are caused because of the lack of integrity, availability, and confidentiality of that ePHI. 

When any company wants to complete the risk analysis process, it will have to rate the risks as per the likelihood of them occurring and impacting the practice. When the rating is given to the risks, it gives a proper idea about the area in the system that needs more focus. 

• Why are Risk Analysis and Management Required?

As per HIPAA, risk analysis and assessment is a mandatory administrative and technical safeguard. If the risk analysis is conducted accurately, the potential risks and vulnerabilities to the integrity, confidentiality, and availability of ePHI can be caught. And then, proper security measures can be implemented to reduce risks.

As per the security standard 164.306, protection of confidentiality, integrity, and availability (CIA) of the electronic health records that are received, created, maintained, and transmitted by a covered entity against the known hazard. For all this, the standard offers great flexibility in choosing the controls that can help in securing the ePHI in an appropriate manner. As per the standard, the control selection can be done by following these steps – 

• Size, capability, and complexity of the covered entity.
• Hardware, software, technical infrastructure, and security capability.
• Security measures and their cost.
• Probability and criticality of the ePHI risk.

The aim of performing a risk analysis is clear. The controls listed in HIPAA are minimum and have risk associated with it as technology is attached with it. Therefore, risk assessment is a process that helps companies to optimize their security budgets. It also helps them in giving a strong logical business case if they want support from all stakeholders in implementing the HIPAA controls. 

With risk analysis, the companies can make the decision on critical issues like where and how efforts and money are required to be saved. A perfect risk assessment helps to offer the prioritized approach for control implementation. It also offers a roadmap that specifies the needs to be addressed first. 

OCR and its Advice to Implement HIPAA IT Asset Inventory

OCR is a system that conducts compliance reviews to decide whether the procedures, policies, and actions of the covered entities are consistent as per the civil rights laws or not. OCR also educates covered entities about the civil rights laws and their obligations for these laws. The OCR published a newsletter that suggests that any company’s IT asset inventory list must include the following types of assets. Let us go through those types. 

Hardware Assets: The hardware assets comprise all the physical elements like media and electronic devices that help any organization make up a system or a network. This includes peripherals, removable media, mobile devices, workstations, servers, routers, and firewalls.

Software Assets: The software assets include programs and applications that help the companies run their electronic devices. Some of the most popular software assets are operating systems, anti-malware tools, financial record systems, databases, electronic health record systems, email, and administrative. 

Besides this, some other important programs for IT operations and security are virtual machine managers, backup solutions, and administrative tools.

Data Assets: Data assets include ePHI that any company receives, creates, maintains, or transmits on its electronic devices.

Besides this, the OCR Newsletter also recommends having IT assets that don’t process or store ePHI but still leads towards security incidents like smart devices or the Internet of Things (IoT).

Conclusion

As seen in this blog, an IT asset inventory is a very important approach for any organization and its HIPAA compliance & cybersecurity posture. There are many free tools and resources available in the market that can help organizations in creating and maintaining an IT asset inventory and generate them with automated system scans. By using such tools, companies can create an inventory that makes it easier for them to track security patches and software updates. And after the IT assets of an organization are identified, it becomes easier for the firm to identify and isolate problematic devices. 

So all in all, the HIPAA IT asset inventory approach helps organizations to keep track of their software, hardware, and data assets. And if any issue or security breach is observed in these assets, it can be easily solved without any system being damaged or data being lost.

This post has been sponsored by Open Tec Systems LLC