Summer 2020 OCR Cybersecurity Newsletter—Making a List and Checking it Twice: HIPAA and IT Asset Inventories
Available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html
The Summer 2020 OCR Cybersecurity Newsletter highlights the benefits of information technology (IT) asset inventories as an element of HIPAA security rule compliance. According to the newsletter, these inventories can facilitate development of the comprehensive, enterprise-wide risk analysis required by the HIPAA security rule by helping organizations fully understand where electronic PHI may be stored within their environments. The newsletter explains that an IT asset inventory generally includes a comprehensive listing of an organization’s IT assets with corresponding descriptive information, such as the asset’s identification (e.g., vendor, asset type, and asset name/number), version, and assigned responsibility (e.g., person accountable for the asset). The inventory may include hardware assets (such as electronic devices and media, workstations, firewalls, and routers); software assets (such as operating systems, email, databases, record systems, and anti-malware tools); and data assets (such as the PHI created, received, maintained, and transmitted using hardware and software assets).
Noting that the HIPAA security rule requires tracking movement of hardware and electronic media into, out of, and within facilities, the newsletter describes how the IT asset inventory can improve an organization’s risk analysis through increased understanding of how electronic PHI is created and enters, flows through, and leaves the organization. The newsletter explains that it may also be beneficial for the inventory to include assets that do not store or process PHI since those assets may present a method for intrusion into IT systems. For example, smart devices that access the organization’s climate control systems can present serious risks to PHI—especially if the devices use unpatched software or have weak or unchanged default passwords and are installed in a network without firewalls, network segmentation, or other techniques to hinder an intruder’s lateral movement. Real-world examples are cited to illustrate that hackers, once inside a network, have been able to conduct reconnaissance and access other network devices in search of additional privileges and high-value data. A complete inventory can help organizations identify and track devices in need of software updates and patches to stay ahead of new software bugs and vulnerabilities.
EBIA Comment: OCR’s periodic newsletters often highlight compliance issues identified during recent investigations, and OCR observes in this edition that organizations frequently lack sufficient understanding of the location of PHI entrusted to their care. Interestingly, this newsletter follows a June 2020 settlement for over $1 million, in which OCR cited the covered entity’s failure to implement procedures to inventory and track the movement of network devices containing PHI (see our Checkpoint article). Cautious covered entities and business associates may wish to review their HIPAA policies and procedures in light of the information provided in the newsletter. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXX.C (“Physical Safeguards”). You may also be interested in our upcoming webinar “HIPAA Breaches: Preparation and Response” (live on 9/10/2020).
Contributing Editors: EBIA Staff.