HIT Think

Why IT Asset Management is Core to Managing Information and Compliance Risks

Register now

As healthcare data breaches continue to dominate headlines, and the stakes for substantial fines and penalties increase, organizations are carefully re-examining their security and compliance posture. With more than 90 million healthcare records leaked in 2015 alone, safeguarding electronic protected health information (ePHI) is becoming a top priority for the industry. But is enough attention being given to managing and tracking the IT assets where ePHI is stored?

Industry regulations dictate that organizations must identify and record the location and movement of any media or hardware containing ePHI. Complying with these requirements means you have to understand what IT assets you own, what data is being stored on them and who has access to it. However, many healthcare organizations do not accurately know where or even how many assets they have, such as servers, laptops or mobile devices.

With increasing risks and regulation on security and privacy in healthcare, the role of IT asset management has been transformed from an optional activity into a mandatory business requirement.

A comprehensive IT asset management program provides the data needed to strategically and tactically manage IT assets from planning through acquisition, maintenance and disposal. Healthcare organizations can leverage IT asset management to reduce costs and improve operational efficiency. However, a well-managed lifecycle IT asset management program also can help identify and manage information risk.

This is particularly important because security laws, regulations and standards expect organizations to have an IT asset management program in place. Case in point:

* The HIPAA Security rule expects organizations to “maintain a record of the movements of hardware and electronic media and any person responsible therefore.”

* The Office for Civil Rights (OCR) has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule,” which states that, “an organization must identify where the e-PHI is stored, received, maintained or transmitted.”

* The HIPAA Audit Protocol expects OCR auditors to “inquire of management as to how the location and movement of media and hardware containing ePHI is tracked, and obtain and review policies and procedures and evaluate the content relative to the specified criteria regarding tracking the location of ePHI media and hardware.”

* The Payment Card Industry Data Security Standard (PCI DSS) has IT asset management requirements that include maintaining an inventory of system components that are in scope for PCI DSS, inventory logs of all media, and inventory of authorized wireless access points, including a documented business justification.

Most healthcare organizations have some level of IT asset management in place. However, what seems to be elusive for many is an enterprise-wide lifecycle IT asset management program that can effectively track, inventory and document where ePHI is stored, received, maintained and transmitted. Without knowing this information, it is nearly impossible to verify that your data is secure or that your fiduciary and governance responsibilities are being met.

From an asset management perspective, the key to complying with these requirements is being able to develop, monitor and enforce corporate governance, data security and provisioning policies surrounding the way your organization procures, maintains and retires IT assets. It’s imperative to track and manage IT assets throughout their lifecycles.

An effective IT asset management program typically includes the following:

* Strategy that links directly to the overall business objectives

* Policy, procedure and management processes

* Funding for asset management projects and skills training

* Asset inventory tools and solutions that integrate with purchasing/procurement and IT departments, as well as software distribution and change management

Mature programs leverage IT asset management data for ongoing decision support for each stage of the asset lifecycle. These programs use asset data as a method to develop an organizational discipline for reducing ongoing information risks, meeting compliance requirements, and facilitating technology implementations and change management.

If there is an improper deployment or upgrade of systems or applications resulting in an unplanned downtime, then a loss of availability – and ultimately revenue or unanticipated expenses – can occur. Without centralized data detailing what assets you have and the associated models, upgrades, and hardware and software versions, you can't foresee and avoid such unexpected issues.

Often, the success of deployed IT solutions hinges on an IT asset management system's ability to provide meaningful information and respond rapidly to changing requirements and capacities. For example, it's vital for healthcare organizations to know in advance when a server will reach its storage capacity. A proactive IT asset management system can provide alerts for that. Alternatively, organizations considering a major expansion should define the infrastructure requirements to support and facilitate that expansion. Without reliable IT asset management information, such efforts will likely be hampered.

Additionally, IT asset management can help address issues related to software piracy, noncompliance with software license agreements, copyright infringements and improper disposal of electronic equipment. Healthcare organizations that fail to comply with these requirements may face fines or penalties.

How can you ensure that there is adequate security protection in place throughout your organization if there isn’t an accurate IT asset inventory? You can’t. An enterprise-wide lifecycle IT asset management program is fundamental to manage your information risks more effectively and ensures compliance with regulations, standards, privacy concerns and intellectual property issues.

For reprint and licensing requests for this article, click here.