Should I Have an Information System Asset Inventory?
Although you aren’t required to have an information system asset inventory, having one will help you meet several requirements of the HIPAA Security Rule, including risk analysis and management, information systems activity review, device and media management, and audit controls. An asset inventory does more than just track your hardware. According to the HIPAA Security Rule Crosswalk to NIST, inventorying assets helps you achieve important business goals. A few business benefits include streamlined risk management, up-to-date business operations, and reduced financial cost.
HIPAA requires a risk analysis in which you identify threats and vulnerabilities that could compromise protected health information (PHI). An asset inventory will show you all areas you need to examine in your risk analysis. Furthermore, when you conduct audits or system activity reviews, you’ll know where to look. Essentially, the asset inventory serves as a checklist of all the systems where PHI is created, stored, accessed, or transmitted.
Healthcare organizations tend to rely on older and legacy systems that hamper productivity, resulting in lost dollars. Additionally, outdated systems that are no longer supported by the manufacturer are a major risk factor. An asset inventory helps you identify the age of your systems, so you know when to replace them. This improves productivity and reduces the risk of a system breach.
Historically, healthcare organizations haven’t invested heavily in their IT infrastructure and supporting systems. The majority of the IT budget is spent on software, such as electronic medical records and tele-health. However, a poor IT infrastructure can harm productivity, operations, and compliance. An asset inventory can help you find gaps and determine the funds your organization should allocate to infrastructure. Additionally, having a detailed list of your organizations information systems (particularly hardware) can have an added tax benefit as technology systems become less valuable over time.
Having an information system asset inventory is a good business practice. Start simple by creating a spreadsheet where you can list all your hardware and software systems. Remember to include personal devices that are used for business purposes. Also, consider including the cost and age of your systems. This will be a small but important step in managing risks and creating a culture of security at your organization.