HIPAA and Compliance News

OCR: IT Asset Inventory Can Improve HIPAA-Required Risk Analysis

In its summer newsletter, OCR outlines best practice IT asset inventory steps to help healthcare entities improve their risk analysis as required under the HIPAA Security Rule.


By Jessica Davis

The Office for Civil Rights recently shared a detailed list of IT asset inventory steps, which can help covered entities and their business associates better fulfill the HIPAA Security Rule requirement of performing a complete risk analysis of all electronic protected health information (ePHI).

Under HIPAA, covered entities and business associates are required to conduct a risk analysis of all potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI. However, multiple OCR investigations have revealed that organizations often fail to perform this valuable assessment, and many do not fully understand where their ePHI is located within the network.

This often leads to massive civil monetary penalties, such as those seen between OCR and the Texas Health and Human Services Commission for $1.3 million in 2019.

OCR’s summer newsletter provides organizations with best practice insights into improving risk analyses with a more thorough IT asset inventory. 

“Conducting a risk analysis... is not only a Security Rule requirement, but also is fundamental to identifying and implementing safeguards that comply with and carry out the Security Rule standards and implementation specifications,” officials wrote. 

“Although the Security Rule does not require it, creating and maintaining an up-to-date, IT asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance,” they added. 

Enterprise IT asset inventories take stock of all assets, complete with corresponding descriptions, such as the type of data, asset type, name, version, and the person accountable for maintaining the asset and its location.

As noted previously by CHIME, many entities struggle with maintaining real-time, comprehensive inventories for their networks. Those issues include routinely discovering devices or apps not previously known to be operating on the enterprise network. 

To OCR, the process can be improved by leveraging the Department of Health and Human Services’ Security Risk Assessment Tool, which includes inventory capabilities that account for manual entry or bulk loading of asset information for ePHI. 

It’s recommended that larger organizations implement a dedicated IT Asset Management (ITAM) tool, with automated discovery and update processes for asset inventory management. As noted previously, manual inventory processes only capture about 80 to 90 percent of all devices operating on the network. 

Organizations can also leverage NIST frameworks to assist with the inventory process. 

Overall, IT asset inventories should include hardware assets, including physical elements like electronic devices and media, mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.

Software assets should also be accounted for, which include those that run on enterprise electronic devices, such as anti-malware tools, operating systems, databases, email systems, administrative systems, financial records, and EHRs. 

“Though lesser known, there are other programs important to IT operations and security such as backup solutions, virtual machine managers/hypervisors, and other administrative tools that should be included in an organization’s inventory,” officials explained. 

“Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media,” they added. “How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.” 

A thorough inventory can help organizations identify potential risks to ePHI even when the inventoried assets don’t store or process patient data, because those assets could still carry vulnerabilities that allow unauthorized access to the enterprise network, and therefore to ePHI.

In many healthcare data breaches, the initial entry point was an email system, a server vulnerability, or even a virtual private network (VPN).

OCR reminded organizations that a complete and thorough risk analysis can reduce mitigation and remediation gaps across the enterprise, while improving the overall cyber posture and HIPAA compliance. 

“This has become more important as organizations’ networks and enterprises grow increasingly large and complex – especially, considering the proliferation and use of mobile devices and removable media by the workforce,” officials wrote.  

“By comparing its inventory of known IT assets against the results of network scanning discovery and mapping processes, an organization can identify unknown or ‘rogue’ devices or applications operating on its network,” they added. “Once identified, these previously unknown devices can be added to the inventory and the risks they may pose to ePHI identified, assessed, and mitigated.”
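
The comparison described in that last quote, sketched as an added example (not code from OCR, HHS, or the article): it reconciles an inventory export against discovery-scan output and reports unknown devices, inventoried assets the scan did not see, and records missing the descriptors listed earlier. The column names, matching on MAC address, and all sample records are assumptions constructed for illustration.

```python
"""Reconcile an IT asset inventory against network discovery results.

Added illustration: column names and every sample record are constructed.
"""
import csv
import io

# Constructed inventory export; columns follow the descriptors the article lists.
INVENTORY_CSV = """mac,name,asset_type,version,owner,location,holds_ephi
00:11:22:33:44:01,ehr-db-01,server,PostgreSQL 14,j.rivera,DC-1 rack 4,yes
00:11:22:33:44:02,fw-edge,firewall,9.1,,DC-1 rack 1,no
00:11:22:33:44:03,rad-ws-07,workstation,Windows 10,m.chen,Radiology,yes
"""

# Constructed discovery output: (MAC, IP) pairs observed on the network.
SCAN_RESULTS = [
    ("00-11-22-33-44-01", "10.0.1.10"),
    ("00:11:22:33:44:02", "10.0.1.1"),
    ("AA:BB:CC:DD:EE:FF", "10.0.3.77"),  # absent from the inventory
]

# Descriptors every inventory record is expected to carry.
REQUIRED = ("name", "asset_type", "version", "owner", "location")


def norm_mac(mac):
    """Normalize a MAC so differing tool formats compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory_csv, scan_results):
    """Return unknown devices, unseen assets, and incomplete records."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    inventory = {norm_mac(r["mac"]): r for r in rows}
    seen = {norm_mac(mac): ip for mac, ip in scan_results}
    missing = {r["name"]: [f for f in REQUIRED if not r[f].strip()]
               for r in inventory.values()}
    return {
        # On the network but not inventoried: candidates for risk assessment.
        "unknown": sorted((m, ip) for m, ip in seen.items() if m not in inventory),
        # Inventoried but not observed: retired, offline, or off-segment.
        "not_seen": sorted(r["name"] for m, r in inventory.items() if m not in seen),
        # Records lacking a required descriptor such as the accountable owner.
        "incomplete": {name: gaps for name, gaps in missing.items() if gaps},
    }


if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY_CSV, SCAN_RESULTS).items():
        print(finding, items)
```

MAC addresses can be randomized or spoofed, so a production reconciliation would normally match on more than one identifier.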