Why a Comprehensive IT Asset Inventory is Important in Risk Analysis

The Office for Civil Rights reveals many companies fail to comply with risk analysis, which is an important HIPAA Security Rule requirement. While some HIPAA-covered entities completely neglect this requirement, many fail to comply just because they did not perform a comprehensive organization-wide risk analysis.

Before performing an extensive risk analysis, an organization should know first how it obtains ePHI, how the ePHI is processed and stored, and what assets are used for ePHI access. Many organizations fail in risk analysis compliance because they do not understand where all their ePHI are located.

The Summer 2020 Cybersecurity Newsletter of OCR emphasized why having  an information technology (IT) asset inventory is important in the risk analysis process. What is an IT asset inventory? It is a listing of all the IT assets in the organization. This includes asset descriptions, names, serial numbers, and other details that distinguish the asset, like its location, model (operating system/program), and the person in-charge of the asset.

Though HIPAA Security rule does not require an IT asset inventory, it is a valuable tool for the conduct of an extensive, organization-wide risk analysis. It allows organizations to pinpoint the location of their ePHI, and easily comply with the HIPAA Security Rule.

Aside from the physical hardware (mobile devices, portable media, servers, workstations, peripherals, firewalls, and routers), an IT asset inventory should also include software assets, for instance, operating systems, email, administrative and financial records systems, anti-malware tools, databases, and EHR systems.

An IT asset inventory should also include IT solutions, namely backup software, administrative tools and virtual machine managers/hypervisors. The list should also include data assets with ePHI created, received, maintained, or transmitted by an organization.

Small healthcare companies can manually prepare and update an IT asset inventory. Big and more complex organizations can employ IT Asset Management (ITAM) solutions taking advantage of automation to discover and update assets so that none is left out.

An IT asset inventory should also include assets that can be employed to get access to ePHI, networks or storage devices. Even if IoT devices are not used for storing or accessing ePHI, people may use it to access a network or device to view ePHI.

IoT devices need regular updates or patching to ensure that intruders cannot exploit it to get access to the IT network of an organization and view ePHI. Cases of such incidents have actually been reported. 

Without an IT asset inventory, organizations may fail to recognize and mitigate ePHI  risks. A complete knowledge of the company’s IT assets will help ensure its compliance with regard to the performance of an accurate and detailed risk analysis.

An IT asset inventory also contributes to the creation of efficient policies and procedures covering the receipt and discharge of hardware and electronic media with ePHI. It can help easily identify unauthorized devices connected to the network or devices and software that need updates or security patches.

The NIST Cybersecurity Framework has resources that can help organizations make their IT asset inventory. Check out NIST’s guidance on IT asset management in its Cybersecurity Practice Guide  is available. Also, take a look at this tool that includes inventory functions that facilitate manual or bulk input of asset information.