2 min read

How does an IT asset inventory aid HIPAA compliance?

Ryan Ozawa October 26, 2020

HIPAA compliance
Illustration of connected devices and cloud services on a network
Illustration of connected devices and cloud services representing IT asset management and data security Any covered entity (including healthcare providers, health plans, and healthcare clearinghouses) must prepare and maintain a risk assessment in order to comply with the requirements of the HIPAA Security Rule. And to do this, an IT asset inventory is a vital starting point.

 

What is an IT asset inventory?

An IT asset inventory is a complete, comprehensive, and current list of all an organization's information technology (IT) assets. These assets include endpoints like computer workstations and mobile devices, and infrastructure including file servers, network routers, and firewalls. But hardware is only part of the equation. IT assets also include software, including operating systems, email applications, databases, virtual and remote access programs, and the various administrative tools used to manage the overall system. Finally, and most relevant to HIPAA, an IT asset inventory must include data assets: member or customer information, payment and financial information, and electronic protected health information (ePHI). While the definition is clear, the effort and expertise required to create an IT inventory are not insignificant. Indeed, the Office for Civil Rights (OCR), which investigates HIPAA violations, finds that many organizations lack sufficient understanding of where all of the ePHI that's entrusted to their care is located.

 

What's included in an IT asset inventory?

According to the U.S. Department of Health and Human Services (HHS):
Generally, an enterprise-wide IT asset inventory is a comprehensive listing of an organization’s IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset).
An IT asset inventory frequently separates entries into three categories:
  1. Hardware assets: physical components, including electronic devices and media, which make up an organization’s networks and systems.
  2. Software assets: programs and applications that run on an organization’s electronic devices.
  3. Data assets: information (including ePHI) that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media.
As part of the data asset inventory, organizations should also document how information is used and flows throughout an organization.

 

How do you create an IT asset inventory?

For a very small organization, a simple spreadsheet may suffice. However, once an organization has dozens of employees, devices, and databases, a more robust solution will probably be needed. Fortunately, there are freely available tools that can help. The HHS Security Risk Assessment Tool, which was just updated in October 2020, includes inventory features that support both manual entry or importing of asset information. In addition to helping healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule, the tool also supports the Medicaid Electronic Health Record (EHR) Incentive Program. Larger organizations that follow the NIST Cybersecurity Framework (NCF) can use the IT Asset Management section of the framework, which covers inventorying hardware (ID.AM-1), inventorying software (ID.AM-2), and mapping communication and data networks (ID.AM-3). These components naturally flow into creating and maintaining an IT asset inventory. HHS notes that larger, more complex organizations may choose "dedicated IT Asset Management (ITAM) solutions that include automated discovery and update processes for asset and inventory management." This is a fast-growing sector of healthcare technology, one that  Jeremiah Grossman spoke about at the Paubox SECURE @ Home conference. During his day one presentation, he said that "asset inventory is the next big thing in information security," an area in which his company  BitDiscovery specializes.

 

Conclusion

An IT asset inventory is an important part of an organization’s overall cybersecurity posture and HIPAA compliance. There are free tools and resources to help create and maintain one, as well as specialized vendors that can generate them with automated system scans. Such an inventory also makes it easier to track software updates and security patches. And once all IT assets are identified, it becomes easier to identify and isolate "rogue devices" connected to a computer network, either by an unknowing employee or a malicious party. SEE ALSO: HIPAA Compliant Email: the Definitive Guide
 
Try Paubox Email Suite for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Filing cabinet with labeled folders

Permitted uses and disclosures of protected health information (PHI) under HIPAA

Picture of Tshedimoso Makhene Tshedimoso Makhene : September 14, 2025

Information is the backbone of modern healthcare. It guides clinical decisions, supports coordination among providers, and ensures patients receive...

HIPAA compliance
Read More
man on laptop with business icons

How to implement hybrid architectures in healthcare

Picture of Kirsten Peremore Kirsten Peremore : June 10, 2024

Hybrid architecture in data management is a method that combines two different approaches to handle information efficiently: federated and...

HIPAA compliance
Read More
Image of a dog and cat at the vet.

When pet insurance crosses the line into human health privacy

Picture of Kirsten Peremore Kirsten Peremore : June 27, 2025

Pet insurance companies, as a rule, do not fall under the category of HIPAA covered entities because they do not provide health care to humans, nor...

HIPAA compliance Patient privacy
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.