The largest HIPAA settlement to date, $4.8 million paid by two affiliated organizations, NY Presbyterian and Columbia University, sheds light on HHS expectations for HIPAA compliance, at least for a large academic medical center with 24,000 employees.  The settlement arises from a 2010 data breach in which 6,800 patient records were exposed on the internet, according to a press release issued by HHS on May 7.

Through enforcement actions such as this one, HHS is clarifying to the community of HIPAA covered entities and business associates its expectations regarding HIPAA compliance.  The HIPAA Security regulations are by design “scalable,” such that each covered entity or business associate must determine, based on the size, sophistication and complexity of its organization, which measures are appropriate.  This ambiguity has caused many a hospital CIO consternation in designing a HIPAA compliance program.  This enforcement action can be read as a clarification of expectations for academic medical centers.  We will focus on one item from the resolution agreement: the IT asset inventory.

It is interesting to note that nowhere in the HIPAA regulations is there an explicit requirement for an IT asset inventory.  To some, this is evidence of a significant flaw in the regulations, since an asset inventory is fundamental to effective security: the SANS Top 20 Critical Security Controls list the inventory of devices as the first control to implement.  There is common sense involved here.  How can we protect something if we don’t even know what we are protecting or where it is?

Reviewing the resolution agreements (NY Presbyterian and Columbia University), HHS wants Presbyterian/Columbia to include this comprehensive inventory as part of its risk analysis process.  More specifically, the resolution agreement states that this process must “create a complete inventory of all electronic equipment, data systems and applications controlled, administered or owned by the covered entity, its workforce members and affiliated staff that store, transmit or receive ePHI.”

How does a large organization accomplish this?  Implementing this typically requires a combination of tools.

  1. First, for hardware and software inventory, numerous automated tools will discover and catalog hardware and software on the network.  Examples of commercially available tools which provide an inventory capability are Dell’s Asset Manager, WhatsUp Gold, Belarc’s BelManage, Spiceworks and many others.  Best practice is to physically tag equipment as it is put into service, record the tag in a database, and conduct periodic physical inventories to verify that each item’s location is still known.  Just as important is reconciling what the discovery tools find against that database: a device on the network with no tag is an unknown asset, and a tagged device that no longer appears on the network may have been lost or stolen.
  2. Some tools are specific to mobile devices, such as VMware’s AirWatch, BoxTone, SAP’s Afaria, Good Technology and others.  Inventory is just one of many management features these tools offer.  They can be particularly valuable for organizations that have BYOD (“bring your own device”) policies for smartphones, tablets and other equipment.
  3. Some shops that use backup tapes may benefit from a separate system for managing and labeling these assets.
  4. Finally, and very importantly, is the PHI application inventory, which we will cover more extensively in a subsequent post.
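The reconciliation step in item 1 above is where an inventory program earns its keep, so here is an added example of it in Python (not code from the original post, and not from any of the tools named above). It compares a tagged asset register against the export of an automated discovery scan and reports three things a HIPAA risk analysis would want to see: devices found on the network that nobody has tagged, registered devices that have gone missing, and, among those, the ones recorded as storing ePHI. The two CSV inputs are constructed sample data; the column names (`asset_tag`, `stores_ephi`, `first_seen`, and so on) are assumptions, not a real tool's export format, and would be mapped to whatever the organization's database and scanner actually produce.

```python
"""Reconcile a tagged asset register against a network discovery scan.

Added example, not from the original post. Both inputs are constructed
sample data and the column names are assumptions about the organization's
own register and scanner export formats.
"""
import csv
import io

# Constructed sample: the register maintained as equipment is tagged and
# put into service. 'stores_ephi' is an assumed flag set during intake.
ASSET_REGISTER = """\
asset_tag,hostname,mac,owner,location,stores_ephi
A-1001,ehr-db-01,00:1A:2B:3C:4D:01,IT Ops,DC-1 Rack 4,yes
A-1002,rad-ws-07,00:1a:2b:3c:4d:02,Radiology,Bldg B Rm 210,yes
A-1003,infusion-pump-12,00:1a:2b:3c:4d:03,Biomed,ICU Bay 3,yes
A-1004,print-srv-02,00:1a:2b:3c:4d:04,IT Ops,DC-1 Rack 2,no
"""

# Constructed sample: what an automated discovery tool saw on the network.
# The last row is a device with no hostname and no matching register entry.
DISCOVERY_SCAN = """\
hostname,mac,ip,first_seen
ehr-db-01,00:1a:2b:3c:4d:01,10.10.1.5,2014-05-01
rad-ws-07,00:1a:2b:3c:4d:02,10.10.5.33,2014-05-01
printsrv2,00:1a:2b:3c:4d:04,10.10.1.9,2014-05-01
,00:1a:2b:3c:4d:99,10.10.5.120,2014-05-06
"""


def load_by_mac(text):
    """Parse CSV text into {normalized_mac: row}. MAC is the join key
    because hostnames get changed when machines are re-imaged."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = row["mac"].strip().lower()
        if mac:
            rows[mac] = row
    return rows


def reconcile(register_text, scan_text):
    """Return the discrepancies between register and scan.

    unregistered: seen on the network, not in the register (unknown assets)
    missing:      in the register, not seen on the network
    missing_ephi: subset of missing flagged as storing ePHI (highest priority)
    renamed:      same MAC, different hostname (possible re-image or reassignment)
    """
    register = load_by_mac(register_text)
    scan = load_by_mac(scan_text)

    unregistered = sorted(set(scan) - set(register))
    missing = sorted(set(register) - set(scan))
    missing_ephi = [m for m in missing
                    if register[m]["stores_ephi"].strip().lower() == "yes"]
    renamed = sorted(
        m for m in set(register) & set(scan)
        if register[m]["hostname"].strip().lower()
        != scan[m]["hostname"].strip().lower()
    )
    return {
        "unregistered": unregistered,
        "missing": missing,
        "missing_ephi": missing_ephi,
        "renamed": renamed,
    }


def report(register_text, scan_text):
    """Render the reconciliation as lines an analyst can act on."""
    register = load_by_mac(register_text)
    scan = load_by_mac(scan_text)
    result = reconcile(register_text, scan_text)
    lines = []
    for mac in result["unregistered"]:
        row = scan[mac]
        lines.append(f"UNREGISTERED {mac} ip={row['ip']} "
                     f"host={row['hostname'] or '?'} first_seen={row['first_seen']}")
    for mac in result["missing"]:
        row = register[mac]
        tag = "MISSING-EPHI" if mac in result["missing_ephi"] else "MISSING"
        lines.append(f"{tag} {row['asset_tag']} {row['hostname']} "
                     f"last_known_location={row['location']} owner={row['owner']}")
    for mac in result["renamed"]:
        lines.append(f"RENAMED {register[mac]['asset_tag']} "
                     f"{register[mac]['hostname']} -> {scan[mac]['hostname']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ASSET_REGISTER, DISCOVERY_SCAN)))
```

Run on the sample data this flags the unknown device at 10.10.5.120, the infusion pump (an ePHI-storing biomedical device) that has dropped off the network, and the print server whose hostname no longer matches the register. The MAC join key is a deliberate choice: it survives re-imaging, which hostnames do not, though it will not survive a swapped network card, so the physical tag remains the authoritative identifier and this output is the work list for the periodic physical inventory, not a replacement for it.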

The inventory should include biomedical equipment and its applications.  This is very important, as biomedical equipment is increasingly connected to the main network, creating new risks and vulnerabilities, and it often falls outside the scope of the tools the IT department uses for servers and workstations.

The IT asset inventory is an invaluable management tool.  Had Presbyterian/CU implemented a rigorous process as outlined above, they might not be today’s poster child for HIPAA non-compliance.

While HHS expects the inventory to be a component of the risk analysis, this is not the way Eagle traditionally thinks of the inventory.  We view this as an ongoing process, and a difficult one.  Since HHS is the boss, we recommend that the risk analysis be considered incomplete unless an up-to-date inventory exists, whether it is part of the risk analysis or a separate process.
