Share this article on:
The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization.
In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization.
In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the risk analysis process. An IT asset inventory is a detailed list of all IT assets in an organization, which should include a description of each asset, serial numbers, names, and other information that can be used to identify the asset, version (operating system/application), its location, and the person to whom the asset has been assigned and who is responsible for maintaining it.
“Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT) asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance,” explained OCR in the newsletter.
An IT asset inventory should not only include physical hardware such as mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers. It is also important to list software assets and applications that run on an organization’s hardware, such as anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems.
IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included, as should data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media.
“Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization.”
For smaller healthcare organizations, an IT asset inventory can be created and maintained manually, but for larger, more complex organizations, dedicated IT Asset Management (ITAM) solutions are more appropriate. These solutions include automated discovery and update processes for asset and inventory management and will help to ensure that no assets are missed.
When creating an IT asset inventory to aid the risk analysis, it is useful to include assets that are not used to create, receive, process, or transmit ePHI, but may be used to gain access to ePHI or to networks or devices that store ePHI. IoT devices may not store or be used to access ePHI, but they could be used to gain access to a network or device that would allow ePHI to be viewed.
“Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation, or other techniques to deny or impede an intruder’s lateral movement, can provide an intruder with a foothold into an organization’s IT network,” suggests OCR. “The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization’s network and potentially compromise ePHI.” There have been multiple incidents where hackers have exploited a vulnerability in one of these devices to penetrate an organization’s network and access sensitive data.
Organizations that do not have a comprehensive IT asset inventory could have gaps in recognition and mitigation of risks to ePHI. Only with a comprehensive understanding of the entire organization’s environment will it be possible to minimize those gaps and ensure that an accurate and thorough risk analysis is performed to ensure Security Rule compliance.
Maintaining an IT asset inventory may not be a Security Rule requirement but covered entities must create policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility. An IT asset inventory can also be used for this purpose. The IT asset inventory can also be compared with the results of network scanning and mapping processes to help identify unauthorized devices that have been connected to the network and used as part of vulnerability management to ensure that no devices, software, or other assets are missed when performing software updates and applying security patches.
The NIST Cybersecurity Framework can be leveraged to assist with the creation of an IT asset inventory. NIST has also produced guidance on IT asset management in its Cybersecurity Practice Guide, Special Publication 1800-5. The HHS Security Risk Assessment Tool can also help with IT asset management. It includes inventory capabilities that allow for manual entry or bulk loading of asset information with respect to ePHI.