Before You Can Safeguard PHI, You Must Know Where It Is Located

HIPAA-covered entities and their business associates are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). While this may be straightforward for ePHI stored in an electronic medical record system, that is far from the only location where ePHI is created, received, maintained, or transmitted by a HIPAA-covered entity. HIPAA requires safeguards to be implemented to protect all ePHI. It is not possible to be 100% certain that you have safeguarded all ePHI if you do not know every device and software solution that is used to store ePHI or can be used to access ePHI.

In its Summer 2020 Cybersecurity Newsletter, distributed on August 25, 2020, OCR explained how creating an IT asset inventory is important in this regard and can help to ensure that no ePHI is left unprotected.

“Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT) asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance.”

An IT asset inventory is a comprehensive list of an organization’s IT assets. The inventory should contain information about the type of asset and information to allow the asset to be identified. It should include details of the operating system/application, to whom the device is entrusted, and where it is located. The inventory should include hardware such as all mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers. It should also include software assets such as anti-malware tools, operating systems, databases, email, administrative and financial records systems, electronic medical/health record systems, backup solutions, virtual machine managers/hypervisors, and other admin tools.

Sometimes forgotten, an IT inventory should also include data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. It is also important to include IoT devices in the inventory. From a HIPAA compliance perspective, these devices may not be used to store or process ePHI, but ePHI could potentially be accessed through the devices. If a vulnerability in the device is exploited by a hacker, for example, the confidentiality of ePHI could be compromised. As OCR points out, hackers have exploited vulnerabilities in VOIP phones, printers, and video decoders to gain access to corporate networks in the past.

An IT asset inventory is extremely useful when conducting a risk analysis as it helps to understand how ePHI is created, where it enters an organization, how ePHI flows through an organization, and how and where it leaves.

“The lack of an inventory, or an inventory lacking sufficient information, can lead to gaps in an organization’s recognition and mitigation of risks to the organization’s ePHI. Having a complete understanding of one’s environment is key to minimizing these gaps and may help ensure that a risk analysis is accurate and thorough, as required by the Security Rule.”

While the IT asset inventory is not a requirement of the HIPAA Security Rule, it is necessary to “implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility.”

Having a complete IT asset inventory also helps with cybersecurity, as it makes it easier to identify rogue devices connecting to the network that could pose a risk. It also helps with vulnerability management: if diligently maintained, the inventory can be used to identify and track devices that need to be updated and patched.
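As an added illustration (not code from the OCR newsletter or this article), the following Python sketch models an inventory record with the fields listed above (asset type, identifier, operating system/application, custodian, location) plus an ePHI flag, and shows the two checks the inventory enables: flagging devices seen on the network that are not recorded, and listing hardware overdue for patching with ePHI-handling assets first. All asset records, MAC addresses and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Dict, List, Set

@dataclass
class Asset:
    asset_id: str                        # identifier (tag, serial, or name)
    kind: str                            # "hardware", "software" or "data"
    platform: str                        # operating system or application
    custodian: str                       # to whom the asset is entrusted
    location: str                        # physical or logical location
    handles_ephi: bool                   # stores, processes, or can access ePHI
    mac: Optional[str] = None            # network identity, hardware only
    last_patched: Optional[date] = None  # None = never patched / unknown

# Constructed sample inventory covering hardware, an IoT-style printer and a data asset.
INVENTORY: List[Asset] = [
    Asset("WS-0101", "hardware", "Windows 10", "Dr. Lee", "Clinic A", True, "aa:bb:cc:00:00:01", date(2020, 7, 1)),
    Asset("SRV-EHR", "hardware", "Linux", "IT", "Datacenter", True, "aa:bb:cc:00:00:02", date(2020, 8, 20)),
    Asset("PRN-LOBBY", "hardware", "Printer firmware", "Facilities", "Lobby", False, "aa:bb:cc:00:00:03"),
    Asset("EHR-DB", "data", "PostgreSQL", "IT", "SRV-EHR", True),
]

# Constructed sample of MAC addresses observed on the network (e.g. from a DHCP log).
OBSERVED_MACS: Set[str] = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03", "de:ad:be:ef:00:99"}
AUDIT_DATE = date(2020, 8, 25)  # constructed date on which the checks are run

def rogue_devices(inventory: List[Asset], observed_macs: Set[str]) -> List[str]:
    """MAC addresses seen on the network but absent from the inventory."""
    known = {a.mac for a in inventory if a.mac}
    return sorted(observed_macs - known)

def patch_overdue(inventory: List[Asset], today: date, max_age_days: int = 30) -> List[str]:
    """Hardware never patched or not patched within max_age_days; ePHI assets listed first."""
    due = [a for a in inventory if a.kind == "hardware"
           and (a.last_patched is None or (today - a.last_patched).days > max_age_days)]
    due.sort(key=lambda a: (not a.handles_ephi, a.asset_id))
    return [a.asset_id for a in due]

def ephi_assets_by_location(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Where ePHI lives: location -> asset IDs, the view a risk analysis starts from."""
    out: Dict[str, List[str]] = {}
    for a in inventory:
        if a.handles_ephi:
            out.setdefault(a.location, []).append(a.asset_id)
    return out

if __name__ == "__main__":
    print("rogue:", rogue_devices(INVENTORY, OBSERVED_MACS))
    print("patch overdue:", patch_overdue(INVENTORY, AUDIT_DATE))
    print("ePHI by location:", ephi_assets_by_location(INVENTORY))
```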

NIST Special Publication 1800-5, IT Asset Management, explains the importance of creating an IT asset inventory and provides best practices and guidance for those responsible for tracking assets.