Should I Have an Information System Asset Inventory?


Although you aren’t required to have an information system asset inventory, having one will help you meet several requirements of the HIPAA Security Rule, including risk analysis and management, information systems activity review, device and media management, and audit controls. An asset inventory does more than just track your hardware. According to the HIPAA Security Rule Crosswalk to NIST, inventorying assets helps you achieve important business goals. A few business benefits include streamlined risk management, up-to-date business operations, and reduced financial cost.

Risk Management

HIPAA requires a risk analysis in which you identify threats and vulnerabilities that could compromise protected health information (PHI). An asset inventory will show you all areas you need to examine in your risk analysis. Furthermore, when you conduct audits or system activity reviews, you’ll know where to look. Essentially, the asset inventory serves as a checklist of all the systems where PHI is created, stored, accessed, or transmitted.

Business Operations

Healthcare organizations tend to rely on older and legacy systems that hamper productivity, resulting in lost dollars. Additionally, outdated systems that are no longer supported by the manufacturer are a major risk factor. An asset inventory helps you identify the age of your systems, so you know when to replace them. This improves productivity and reduces the risk of a system breach.


Historically, healthcare organizations haven’t invested heavily in their IT infrastructure and supporting systems. The majority of the IT budget is spent on software, such as electronic medical records and telehealth. However, a poor IT infrastructure can harm productivity, operations, and compliance. An asset inventory can help you find gaps and determine the funds your organization should allocate to infrastructure. Additionally, having a detailed list of your organization’s information systems (particularly hardware) can have an added tax benefit as technology systems become less valuable over time.

Having an information system asset inventory is a good business practice. Start simple by creating a spreadsheet where you can list all your hardware and software systems. Remember to include personal devices that are used for business purposes. Also, consider including the cost and age of your systems. This will be a small but important step in managing risks and creating a culture of security at your organization.
