Keeping track of your equipment, office furniture, and similar items for financial purposes is a routine part of business. It is tough to protect something if you do not know where it is, or that it even exists. That is why an inventory of the devices and software your office owns and uses, particularly those that access, transmit, or store protected health information (PHI), is such a powerful tool to include in your annual risk analysis. An inventory like this also keeps warranty information together in one place.
OCR’s Summer 2020 Cybersecurity Newsletter covered IT asset inventories in detail, and it lines up with OCR’s long-standing emphasis on both covered entities and business associates performing “accurate and thorough” risk analyses. Since the beginning of 2019, half of OCR’s enforcement actions have focused on failures to conduct a regular risk analysis. These penalties have been almost six times higher than those in other areas of OCR’s HIPAA enforcement, such as its Right of Access Initiative. The highest yet, issued last month, was $6.85 million. The breach that led to that investigation and settlement was caused by malware installed through a phishing email, and it went undetected for nine months. Over that time, more than 10 million records were exposed. This shows how important it is to actually check the systems and devices on your inventory list, so that problems like malware, theft, and breaches do not go unnoticed.
TMC helps its clients with their annual risk analyses. This includes developing an inventory of hardware and software, creating a list of business associates, and providing other tools that help identify every place ePHI might be accessed or stored so it can be added to the list. During a risk analysis, check with your IT support company to ensure any hardware or software purchased since your last risk analysis has been added to the inventory. If it is time to replace desktops, servers, or tablets, be sure the ePHI is properly removed before the old equipment leaves your control, and document the method used to remove it. Update your inventory to show when each item was replaced and how its ePHI was sanitized.
Do you know whether any employees’ personal devices have access to your systems? If they do, add those devices to your inventory, put a “Bring Your Own Device” policy in place, and enforce it. Unmanaged employee devices can create serious vulnerabilities for the security of PHI.
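The checks described above (new or unlisted devices, devices that should be present but are not, and replaced equipment with no recorded ePHI sanitization) can be run mechanically if the inventory is kept in a simple table. The following is an added example, not TMC’s own tool or anything from the OCR newsletter: it reconciles a constructed inventory CSV against a constructed list of MAC addresses observed on the network (the kind of list you would pull from DHCP leases or a switch MAC table). All asset IDs, device names, MAC addresses and the column layout are hypothetical.

```python
"""Reconcile an IT asset inventory against devices actually seen on the network.

Added example with constructed data; the CSV columns and sample devices are
assumptions for illustration, not a real client's inventory.
"""
import csv
import io

# Constructed sample inventory. 'status' is 'active' or 'replaced';
# 'sanitization_method' should be filled in whenever a device that held ePHI is replaced.
INVENTORY_CSV = """asset_id,device,mac,stores_ephi,status,sanitization_method
A-001,Front desk PC,aa:bb:cc:00:00:01,yes,active,
A-002,Exam room tablet,aa:bb:cc:00:00:02,yes,active,
A-003,Old server,aa:bb:cc:00:00:03,yes,replaced,
A-004,Billing laptop,aa:bb:cc:00:00:04,yes,replaced,Drive purged per NIST SP 800-88 on 2020-08-14
A-005,Waiting room TV,aa:bb:cc:00:00:05,no,active,
"""

# Constructed list of MAC addresses observed on the network during the review.
OBSERVED_MACS = {
    "AA:BB:CC:00:00:01",   # mixed case on purpose; normalised below
    "aa:bb:cc:00:00:05",
    "de:ad:be:ef:00:99",   # not on the inventory: unlisted device, possibly an employee's own
}


def load_inventory(text):
    """Parse the inventory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, observed_macs):
    """Compare the inventory with observed MACs and return three finding lists.

    unlisted:               seen on the network but absent from the inventory
    missing:                listed as active but not seen (possible theft, loss, or stale record)
    undocumented_disposal:  replaced equipment that held ePHI with no sanitization method recorded
    """
    observed = {m.lower() for m in observed_macs}
    listed = {row["mac"].lower() for row in inventory}
    findings = {
        "unlisted": sorted(observed - listed),
        "missing": [],
        "undocumented_disposal": [],
    }
    for row in inventory:
        mac = row["mac"].lower()
        if row["status"] == "active" and mac not in observed:
            findings["missing"].append(row["asset_id"])
        if (row["status"] == "replaced"
                and row["stores_ephi"] == "yes"
                and not row["sanitization_method"].strip()):
            findings["undocumented_disposal"].append(row["asset_id"])
    return findings


def report(findings):
    """Render the findings as the short checklist a reviewer would paste into the risk analysis."""
    lines = []
    for label, items in (("Unlisted devices on the network", findings["unlisted"]),
                         ("Active inventory items not seen", findings["missing"]),
                         ("Replaced ePHI devices lacking a sanitization record",
                          findings["undocumented_disposal"])):
        lines.append(f"{label}: {', '.join(items) if items else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(load_inventory(INVENTORY_CSV), OBSERVED_MACS)))
```

Run as written, the report flags the unknown `de:ad:be:ef:00:99` device for follow-up under the BYOD policy, notes that the exam room tablet (A-002) was not seen and should be located, and points out that the old server (A-003) was replaced without a recorded sanitization method, which is exactly the gap an OCR investigator would ask about.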
You can think of the inventory process as making sure there is a lock on every door and window of your house. A list of each door and window lets you check them off as you go so you do not forget one, and your risk of someone getting in goes down. Once you have the list, it is easy to update, more reliable than memory, and it helps you pinpoint problems faster down the road. You will know what needs to be protected, and your patients will thank you for it. You will thank yourself, too, if you ever find yourself hosting an OCR investigator.