As part of the practice of handling protected health information (PHI) during their regular duties, healthcare providers must take precautions to safeguard sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the fifth of which is healthcare asset management.
What is Healthcare Asset Management?
Healthcare asset management, as HIPAA views it, refers to tracking and maintaining any device that stores or accesses electronic protected health information (ePHI). Although not explicitly mandated by HIPAA law, asset management addresses several aspects required under HIPAA.
The HIPAA Security Rule requires organizations to maintain a record of the movements of hardware and electronic media and of the person responsible for them. Part of an effective asset management policy is taking an inventory of all devices that access ePHI and of everyone who uses each device.
Additionally, the HIPAA Security Rule requires an organization to identify where ePHI is stored, maintained, received, or transmitted. Healthcare asset management also addresses this.
In the event of a HIPAA audit, the Office for Civil Rights (OCR) will want to:
- Know how the location and movement of media and hardware containing ePHI are tracked
- Obtain and review policies and procedures
- Evaluate the content relative to the specified criteria regarding tracking the location of ePHI media and hardware
What is an Effective Asset Management Program?
Developing an effective healthcare asset management program allows an organization to track and maintain devices. An asset inventory list should be updated whenever a new device or employee is added to an organization. The inventory list should include the device name, the names of the employees who use the device, and the age of the device. Including the age of the device facilitates business operations because it ensures that outdated systems that no longer receive updates are promptly replaced.
For example, support for Microsoft Windows 7 ended in January 2020. However, a September 2022 report found that 10.7% of computers worldwide were still running Windows 7. Using an outdated operating system, such as Windows 7, puts patient data at risk. Since Microsoft no longer supports Windows 7 with updates, a data breach is highly likely when this system is used.
How Did a Stolen Laptop Lead to a $50,000 Fine?
In 2012, an Idaho hospice reported a breach involving fewer than 500 patients to the HHS OCR, as required by the HIPAA Breach Notification Rule. The breach occurred when thieves stole one of the computers used by employees working in the field.
The laptop was not encrypted, meaning the thieves could have accessed patient ePHI stored on the machine.
Following an investigation by OCR, the hospice was found to have violated several provisions of HIPAA law, including the Security Rule, resulting in a $50,000 civil monetary penalty for the company.
This was the first instance of a fine issued for a breach of fewer than 500 patients. The fine was not based on the number of patients whose data was exposed, but instead on the provisions of HIPAA that were violated.
Although the decision to encrypt devices is at the discretion of individual organizations, laptops that are removed from an organization’s physical site should always be encrypted. Had the organization had an effective asset management policy and program, the laptop would have been encrypted and there would have been no data breach, meaning no breach notification would have been necessary and no investigation would have resulted.
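The inventory and the checks described above (device name, users, device age, unsupported operating systems, a record of hardware movements and who is responsible, and encryption of devices that leave the site) can be expressed as a small audit script. The following is an added example, not the article's own tooling or a product of HHS or OCR. It assumes an organisation whose home site is named "Main site", a constructed three-device inventory, and a fixed audit date so the output is deterministic; the Windows 7 end-of-support date is the one the article cites, and the Windows 10 date is Microsoft's published one.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# End-of-support dates. Windows 7's is the date the article cites (January 2020);
# Windows 10's is Microsoft's published date. Any OS not listed here is treated
# as "unknown" and flagged for review rather than silently passed.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}
HOME_SITE = "Main site"  # assumed name of the organisation's physical site


@dataclass
class Movement:
    when: date
    to_location: str
    responsible: str  # person accountable for the hardware after the move


@dataclass
class Asset:
    asset_id: str
    device_name: str
    users: list[str]  # employees who use the device
    os_name: str
    purchase_date: date
    stores_ephi: bool
    encrypted: bool  # full-disk encryption enabled
    location: str = HOME_SITE
    movements: list[Movement] = field(default_factory=list)


def move_asset(asset: Asset, when: date, to_location: str, responsible: str) -> None:
    """Record a hardware movement and who is responsible for the device afterwards."""
    asset.movements.append(Movement(when, to_location, responsible))
    asset.location = to_location


def device_age_years(asset: Asset, today: date) -> int:
    """Whole years since purchase: the article's 'age of the device' field."""
    before_anniversary = (today.month, today.day) < (asset.purchase_date.month,
                                                     asset.purchase_date.day)
    return today.year - asset.purchase_date.year - before_anniversary


def check_asset(asset: Asset, today: date) -> list[str]:
    """Return policy findings for one asset; an empty list means it passes."""
    findings: list[str] = []
    eos = END_OF_SUPPORT.get(asset.os_name)
    if eos is None:
        findings.append(f"no end-of-support date known for {asset.os_name!r}")
    elif today >= eos:
        findings.append(f"{asset.os_name} unsupported since {eos.isoformat()}")
    if asset.stores_ephi and not asset.encrypted and asset.location != HOME_SITE:
        findings.append(f"unencrypted ePHI device is off site at {asset.location!r}")
    if not asset.users:
        findings.append("no responsible user recorded")
    if any(not m.responsible for m in asset.movements):
        findings.append("movement recorded without a responsible person")
    return findings


def audit(inventory: list[Asset], today: date) -> dict[str, list[str]]:
    """Map asset_id -> findings, listing only the assets that need action."""
    return {a.asset_id: f for a in inventory if (f := check_asset(a, today))}


AUDIT_DATE = date(2023, 1, 1)  # fixed so the sample run is deterministic


def sample_inventory() -> list[Asset]:
    """Constructed sample data, not taken from the article."""
    laptop = Asset("LT-0001", "Field laptop", ["J. Smith"], "Windows 7",
                   date(2011, 3, 1), stores_ephi=True, encrypted=False)
    move_asset(laptop, date(2022, 11, 2), "Patient home visits", "J. Smith")
    station = Asset("WS-0002", "Nurse station PC", ["Nursing staff"], "Windows 10",
                    date(2020, 6, 15), stores_ephi=True, encrypted=True)
    tablet = Asset("TB-0003", "Intake tablet", [], "VendorOS 2",
                   date(2019, 9, 30), stores_ephi=True, encrypted=True)
    return [laptop, station, tablet]


def run_sample_audit() -> dict[str, list[str]]:
    return audit(sample_inventory(), AUDIT_DATE)


if __name__ == "__main__":
    for asset_id, findings in run_sample_audit().items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
```

Run as a script, the sample flags the field laptop twice (Windows 7 out of support, unencrypted ePHI device off site) and the tablet twice (unknown end-of-support date, no responsible user), while the encrypted, supported nurse station passes. The movement log is what lets an organisation answer OCR's first audit question above: where the hardware is and who was responsible for moving it.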
HHS Cybersecurity Best Practices
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies