Show us your asset inventory
This is one of the questions you may be asked by the Office for Civil Rights (OCR) if you receive an audit letter from them. In a recent newsletter, the OCR highlighted the importance of maintaining an inventory of all of the connected devices and software programs on your network. Sadly, few companies comply with this requirement, and even fewer have the resources to keep it up to date and be able to report real-time changes.
The truth is, whether you’re a HIPAA Covered Entity, an independent company, or working from home, you should be aware of what’s running on your network, and what devices are connected to it. Many of us think we know this, but how many are keeping track? More importantly, if a new device joins your network, would you know it? The fact that few organizations or households have tools to alert them when a new device joins the network represents a critical security flaw, and it’s one everyone should be able to remedy.
For personal use, there are applications like Circle that can be used to monitor all network devices. With Circle, you can organize your attached devices by user, set permissions and restrictions (including time limits), and be alerted if a rogue device appears. If you’re working from home and sharing a family network, this should be considered essential software. You can read more about Circle here: https://meetcircle.com/
For corporate purposes, your firewall should be able to track devices and alert when new ones appear. A recommended organizational policy is not just to alert management when a new device appears, but to also require authorization to join.
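One way to implement the new-device alert described above, shown as an added example that is not from the original article or from any product it names: compare the devices a Linux host currently sees (output in the format of `ip neigh show`) against an approved inventory. The inventory CSV layout, the sample data, and all function names are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample: the approved asset inventory (hypothetical CSV layout).
INVENTORY_CSV = """mac,owner,description
aa:bb:cc:00:00:01,front-desk,Reception workstation
AA-BB-CC-00-00-02,dr-smith,Exam room laptop
aa:bb:cc:00:00:03,it,Network printer
"""

# Constructed sample: text in the format printed by `ip neigh show` on Linux.
NEIGH_OUTPUT = """192.168.1.10 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.11 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.57 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.60 dev eth0  FAILED
fe80::1 dev eth0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

def normalize_mac(mac):
    """Lower-case, colon-separated form so AA-BB... and aa:bb... compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_inventory(text):
    """Map normalized MAC -> inventory row."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def observed_devices(neigh_text):
    """Map MAC -> sorted IPs; FAILED/INCOMPLETE lines carry no lladdr and are skipped."""
    seen = {}
    for line in neigh_text.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        if m:
            seen.setdefault(normalize_mac(m.group(2)), set()).add(m.group(1))
    return {mac: sorted(ips) for mac, ips in seen.items()}

def audit(inventory, observed):
    """Return (unapproved devices on the network, inventoried devices not seen)."""
    unknown = {m: ips for m, ips in observed.items() if m not in inventory}
    missing = sorted(m for m in inventory if m not in observed)
    return unknown, missing

if __name__ == "__main__":
    unknown, missing = audit(load_inventory(INVENTORY_CSV), observed_devices(NEIGH_OUTPUT))
    for mac, ips in unknown.items():
        print(f"ALERT unapproved device {mac} at {', '.join(ips)}")
    print("Inventoried but not seen:", missing)
```

MAC addresses can be spoofed and many phones randomize them, so a match here is a hint rather than proof of identity; requiring authorization to join, as the policy above recommends, is the stronger control.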
On the software side, there are tools like Belarc Advisor that will inventory your software (and licensing keys) for free. You can learn more about Belarc here: https://www.belarc.com/products_belarc_advisor
Larger organizations can use a paid version of Belarc Advisor, a manual process, or more sophisticated discovery tools available through us and other IT and cybersecurity compliance companies.
It’s important to recognize that while this information is required by law for all HIPAA CEs, it should be considered mandatory for everyone with sensitive information on their computers. Keeping track of what’s running, and what’s on your network, is a basic security step that everyone should be taking, particularly when the cost to do so is nominal.
Don’t assume your HIPAA compliance company includes this as part of their program. Not all do. Whether you’re required by HIPAA or just interested in following cybersecurity best practices, we can help check this box for you.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.