When thinking about your information system asset inventory, it is easy to focus solely on the compliance elements. When doing so, many smaller healthcare organizations will opt not to keep an inventory, as it is not explicitly required in HIPAA. Although not specifically required in the HIPAA Security Rule, there are indicators in the Security Rule that an accurate and up-to-date information systems asset inventory will support several of the requirements within the Rule such as Risk Analysis, Risk Management, Information Systems Activity Review, Device and Media Management, and Audit Controls.
An information system asset inventory is more than just tracking your hardware. According to the HIPAA Security Rule Crosswalk to NIST, managing assets enables “the organization to achieve business purposes that are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.”
There are many benefits of creating and maintaining an accurate and up-to-date inventory. The three broad categories of benefit are: Risk Management, Business Operations, and Financial.
You can’t protect what you don’t know you have. Arguably one of the most important requirements of the HIPAA Security Rule is the Risk Analysis. Organizations that have to comply with HIPAA are required to identify reasonable threats and vulnerabilities to their electronic PHI. Having an information system asset inventory will give the organization a starting place for this process.
Conducting audits and reviewing your system activity is also drastically simplified when there is an inventory in place. The inventory serves as a checklist to ensure you have reviewed/audited all the systems in your organization where PHI is stored, accessed, transmitted, or created.
Healthcare entities are notoriously short-staffed and as such are constantly looking for ways to improve their productivity with their existing workforce. The irony is that the healthcare industry as a whole has a reliance on older and legacy systems, which are costly from a productivity standpoint (which translates into lost dollars). Having an information system asset inventory helps to identify technology gaps. Since we know that older systems that are not supported by the manufacturer are a major risk factor, having an inventory that reflects the age of a system can identify when that system should be replaced. This will not only help improve productivity, but will also reduce the risk of a technical breach to your organization.
Reducing risk and improving productivity will have a direct and positive impact on your organization. Understanding the percentage of your budget spent on technology is also important. The healthcare industry has historically not invested heavily in its IT infrastructure and supporting systems. The majority of the healthcare IT budget is spent on software such as EMR and telehealth. This can cause an increased cost to productivity, operations, and compliance, as not enough attention is being paid to the infrastructure itself. As detailed in Business Operations, an information systems asset inventory can give a broad picture that helps identify these gaps so you can allocate your organization’s budget appropriately.
More than just managing risk and operations, having a detailed list of your organization’s information systems (particularly hardware) can have an added tax benefit, as these systems can be depreciated over time. Unlike other assets in your organization, technology becomes less valuable over time.
Creating and managing an information system asset inventory is good for your business and ultimately for your patients. Start simple: create a spreadsheet to list all your hardware and software systems. Remember to include personal devices that are used within your network (so-called Bring Your Own Device). Consider including the cost and age of the information systems as well. As you continue this process, or if you are a larger healthcare entity, you may want to use a software system that can help you track these systems.
A healthy organization is one that manages its risks and creates a culture of security. Having an information system asset inventory list is an important step in the health of your organization!
If you have any questions, please don’t hesitate to reach out! Happy HIPAA trekking!