What is an Effective Asset Management Program?
Developing an effective healthcare asset management program allows an organization to track and maintain its devices. The asset inventory list should be updated whenever a new device or employee is added to the organization. The inventory should record the device name, the employee(s) who use the device, and the age of the device. Recording the age of the device supports business operations because it ensures that outdated systems that are no longer supported with updates are promptly replaced.
For example, support for Microsoft Windows 7 ended in January 2020. However, a September 2022 report found that 10.7% of computers worldwide were still running Windows 7. Using an outdated operating system such as Windows 7 puts patient data at risk: because Microsoft no longer supplies security updates for Windows 7, newly discovered vulnerabilities remain unpatched, and the likelihood of a data breach on such a system is high.
How Did a Stolen Laptop Lead to a $50,000 Fine?
In 2012 an Idaho hospice reported a breach involving fewer than 500 patients to the HHS Office for Civil Rights (OCR), as required by the HIPAA Breach Notification Rule. The breach occurred when thieves stole one of the laptops used by employees working in the field.
The laptop was not encrypted, meaning the thieves could have accessed patient ePHI stored on the machine.
Following an investigation by OCR, the hospice was found to have violated several provisions of HIPAA law, including the Security Rule, resulting in a $50,000 civil monetary penalty for the company.
This was the first instance of a fine issued for a breach of fewer than 500 patients. The fine was not based on the number of patients whose data was exposed, but instead on the provisions of HIPAA that were violated.
Although the decision to encrypt devices is at the discretion of individual organizations, laptops that are removed from an organization's physical site should always be encrypted. Had the organization had an effective asset management policy and program, the stolen laptop would have been known, encrypted, and accounted for, so there would have been no reportable data breach, no breach notification would have been necessary, and no investigation would have followed.
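The inventory fields described above (device name, assigned users, device age) and the two controls the article stresses (retiring devices on an operating system that is past end of support, and encrypting any laptop that leaves the site) can be turned into a simple audit over the inventory. The following is an added example, not code from the article or from any particular organization; the inventory records are constructed, and only the Windows 7 end-of-support date comes from the article text (the Windows 10 date and the five-year age threshold are assumptions).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Operating system -> end-of-support date (None would mean "still supported").
# Windows 7's January 2020 date is from the article; Windows 10 is an added assumption.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

@dataclass
class Asset:
    name: str          # device name recorded in the inventory
    users: list[str]   # employee(s) who use the device
    os: str            # operating system, used for the support check
    purchased: date    # purchase date, from which device age is derived
    leaves_site: bool  # True for field laptops that leave the premises
    encrypted: bool    # full-disk encryption enabled?

def audit(assets: list[Asset], today: date, max_age_years: int = 5) -> list[tuple[str, str]]:
    """Return (device name, finding) pairs for every control the inventory fails."""
    findings = []
    for a in assets:
        eos = END_OF_SUPPORT.get(a.os, "unknown")
        if eos == "unknown":
            # An OS we cannot place in the support table needs manual review.
            findings.append((a.name, "os-support-unknown"))
        elif eos is not None and eos <= today:
            findings.append((a.name, "os-unsupported"))
        if a.leaves_site and not a.encrypted:
            # The control the hospice case turned on: off-site laptops must be encrypted.
            findings.append((a.name, "unencrypted-offsite"))
        if (today - a.purchased).days > max_age_years * 365:
            findings.append((a.name, "over-age"))
    return findings

# Constructed sample inventory (no real devices or people).
INVENTORY = [
    Asset("LAP-001", ["A. Field"], "Windows 7", date(2015, 3, 10), True, False),
    Asset("WS-002", ["B. Desk"], "Windows 10", date(2020, 6, 1), False, True),
    Asset("LAP-003", ["C. Nurse"], "Windows 11", date(2022, 1, 15), True, True),
]

if __name__ == "__main__":
    for device, finding in audit(INVENTORY, date(2022, 9, 1)):
        print(f"{device}: {finding}")
```

Run as a scheduled job against the real inventory export, the findings list is what a compliance reviewer would want to see before a device is reported stolen rather than after.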
HHS Cybersecurity Best Practices
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies