How does an IT asset inventory aid HIPAA compliance?
by Ryan Ozawa
Any covered entity (including healthcare providers, health plans, and healthcare clearinghouses) must prepare and maintain a risk assessment in order to comply with the requirements of the HIPAA Security Rule. And to do this, an IT asset inventory is a vital starting point.
What is an IT asset inventory?
An IT asset inventory is a complete, comprehensive, and current list of all an organization’s information technology (IT) assets. These assets include endpoints like computer workstations and mobile devices, and infrastructure including file servers, network routers, and firewalls. But hardware is only part of the equation.
IT assets also include software, including operating systems, email applications, databases, virtual and remote access programs, and the various administrative tools used to manage the overall system.
Finally, and most relevant to HIPAA, an IT asset inventory must include data assets: member or customer information, payment and financial information, and electronic protected health information (ePHI).
While the definition is clear, the effort and expertise required to create an IT inventory are not insignificant. Indeed, the Office for Civil Rights (OCR), which investigates HIPAA violations, finds that many organizations lack sufficient understanding of where all of the ePHI that’s entrusted to their care is located.
What’s included in an IT asset inventory?
According to the U.S. Department of Health and Human Services (HHS):
Generally, an enterprise-wide IT asset inventory is a comprehensive listing of an organization’s IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset).
An IT asset inventory frequently separates entries into three categories:
- Hardware assets: physical components, including electronic devices and media, which make up an organization’s networks and systems.
- Software assets: programs and applications that run on an organization’s electronic devices.
- Data assets: information (including ePHI) that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media.
As part of the data asset inventory, organizations should also document how information is used and flows throughout an organization.
How do you create an IT asset inventory?
For a very small organization, a simple spreadsheet may suffice. However, once an organization has dozens of employees, devices, and databases, a more robust solution will probably be needed. Fortunately, there are freely available tools that can help.
The HHS Security Risk Assessment Tool, which was just updated in October 2020, includes inventory features that support both manual entry and import of asset information. In addition to helping healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule, the tool also supports the Medicaid Electronic Health Record (EHR) Incentive Program.
Larger organizations that follow the NIST Cybersecurity Framework (NCF) can use the IT Asset Management section of the framework, which covers inventorying hardware (ID.AM-1), inventorying software (ID.AM-2), and mapping communication and data networks (ID.AM-3). These components naturally flow into creating and maintaining an IT asset inventory.
HHS notes that larger, more complex organizations may choose “dedicated IT Asset Management (ITAM) solutions that include automated discovery and update processes for asset and inventory management.”
This is a fast-growing sector of healthcare technology, one that Jeremiah Grossman spoke about at the Paubox SECURE @ Home conference. During his day one presentation, he said that “asset inventory is the next big thing in information security,” an area in which his company BitDiscovery specializes.
An IT asset inventory is an important part of an organization’s overall cybersecurity posture and HIPAA compliance. There are free tools and resources to help create and maintain one, as well as specialized vendors that can generate them with automated system scans.
Such an inventory also makes it easier to track software updates and security patches. And once all IT assets are identified, it becomes easier to identify and isolate “rogue devices” connected to a computer network, either by an unknowing employee or a malicious party.
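The checks described above can be written down concretely. The following added example (not from the article, HHS, or any vendor named here) models inventory entries with the three HHS categories and descriptive fields from the quoted definition, reports entries that leave those fields blank, and compares a constructed network scan against the hardware entries to surface devices that are missing from the inventory; all asset names and hosts are made up.

```python
from dataclasses import dataclass

# Descriptive fields HHS lists for an inventory entry (vendor, type, version, owner, location).
HHS_FIELDS = ("vendor", "asset_type", "version", "owner", "location")


@dataclass
class Asset:
    category: str          # "hardware", "software" or "data": the three HHS categories
    asset_id: str          # asset name/number; for hardware we use the hostname
    vendor: str = ""
    asset_type: str = ""
    version: str = ""      # application or OS version; not meaningful for a data asset
    owner: str = ""        # person or team accountable for the asset
    location: str = ""     # physical site, or the host a software/data asset lives on
    contains_ephi: bool = False


def missing_fields(asset):
    """Return the HHS descriptive fields this entry leaves blank (data assets skip version)."""
    required = [f for f in HHS_FIELDS if not (asset.category == "data" and f == "version")]
    return [f for f in required if not getattr(asset, f)]


def incomplete_entries(inventory):
    """Map asset_id -> blank fields, for every entry that is not fully described."""
    return {a.asset_id: missing_fields(a) for a in inventory if missing_fields(a)}


def ephi_without_owner(inventory):
    """ePHI data assets with nobody accountable for them: the highest-risk gap under HIPAA."""
    return sorted(a.asset_id for a in inventory if a.contains_ephi and not a.owner)


def rogue_devices(inventory, discovered_hosts):
    """Hosts seen in a scan that have no matching hardware entry (the 'rogue devices' above)."""
    known = {a.asset_id.lower() for a in inventory if a.category == "hardware"}
    return sorted(h for h in discovered_hosts if h.lower() not in known)


# Constructed sample inventory and scan result; hostnames and vendors are invented.
SAMPLE_INVENTORY = [
    Asset("hardware", "ws-frontdesk-01", "Dell", "workstation", "Windows 10 21H2", "J. Doe", "Clinic A"),
    Asset("hardware", "fw-edge-01", "Fortinet", "firewall", "7.0.5", "IT Ops", "Server room"),
    Asset("software", "ehr-app", "ExampleEHR Inc.", "EHR application", "4.2", "IT Ops", "srv-ehr-01"),
    Asset("data", "patient-records-db", "", "ePHI database", owner="", location="srv-ehr-01",
          contains_ephi=True),
]
SAMPLE_SCAN = ["ws-frontdesk-01", "fw-edge-01", "srv-ehr-01", "unknown-laptop-7"]

if __name__ == "__main__":
    print("incomplete:", incomplete_entries(SAMPLE_INVENTORY))
    print("ePHI without owner:", ephi_without_owner(SAMPLE_INVENTORY))
    print("not in hardware inventory:", rogue_devices(SAMPLE_INVENTORY, SAMPLE_SCAN))
```

Note that srv-ehr-01 is named as the location of two entries yet has no hardware entry of its own, the kind of gap OCR describes when organizations cannot say where their ePHI lives.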