Last week, in its Cybersecurity Summer Newsletter, the Office of Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance.  OCR investigations often find that organizations “lack sufficient understanding” of where all of their ePHI is located, and while the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis, and in turn and implementing appropriate safeguards – which are HIPAA Security Rule requirements. Essentially, if an organization doesn’t know what IT assets it has or where its ePHI is, how can it effectively assess the risks associated with those assets and information and protect them?

The lack of an inventory, or an inventory lacking sufficient information, can lead to gaps in an organization’s recognition and mitigation of risks to the organization’s ePHI.  Having a complete understanding of one’s environment is key to minimizing these gaps and may help ensure that a risk analysis is accurate and thorough, as required by the Security Rule.

In general, an organization’s IT asset inventory list consists of “IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset.”

The OCR Newsletter suggests including the follow types of assets in an organization’s IT asset inventory list:

• Hardware assets that comprise physical elements, including electronic devices and media, which make up an organization’s networks and systems. This can include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.
• Software assets that are programs and applications which run on an organization’s electronic devices. Well-known software assets include anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems. Though lesser known, there are other programs important to IT operations and security such as backup solutions, virtual machine managers/hypervisors, and other administrative tools that should be included in an organization’s inventory.
• Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.

In addition, the OCR Newsletter recommends the inclusion of IT assets that don’t necessarily store or process ePHI, but that still may lead to a security incident, such as Internet of Things (IoT) or other smart devices.  For example, a recent study by Quocirca, a security research firm, found that approximately 60 % of businesses in in the U.S., U.K., France and Germany have suffered a IoT printer related data breach in 2019, with the average breach costing an organization approximately $400,000.

The OCR Newsletter also provides other cybersecurity-related and HIPAA compliance benefits an IT asset inventory list can provide, beyond the risk analysis. For example, HIPAA requires that covered entities and business associates “[i]mplement policies and procedures that govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility”, which will be more efficient if the organization has IT asset inventory list that has location/owner/assignment information in place.  Moreover, an IT asset inventory list can aid an organization in identifying and tracking devices to ensure timely updates, patches and password changes.

HIPAA compliance is no doubt a significant challenge for large and small covered healthcare providers, and other covered entities and business associates, and data breaches are almost inevitable. Preparation of a comprehensive IT asset inventory, while not required, can go a long way in both ensuring HIPAA compliance, and preventing a security incident.  Below are some additional basic compliance measures:

• Provide training and improve security awareness for workforce members when they begin working for the organization and periodically thereafter.
• Maintain written policies and procedures that address required administrative, physical, and technical safeguards required under the Security Rule.
• Maintain business associate agreements with all business associates.
• Document compliance efforts.
• Maintain and practice an incident response plan in the event of a data breach.