Lifespan Health System, a nonprofit healthcare provider in Rhode Island, recently agreed to a $1.04 million settlement with the Office for Civil Rights (OCR). An unencrypted laptop was stolen from an employee’s car, potentially releasing the protected health information (PHI) of more than 20,000 patients. The laptop was never recovered.
During its investigation, OCR found that Lifespan did not encrypt some of its laptops even after the health system had determined that doing so was reasonable and appropriate. Among other HIPAA violations, Lifespan did not inventory and track devices containing PHI.
This comes as the Department of Health and Human Services (HHS) released a summer security newsletter emphasizing the importance of an IT asset inventory. Although this inventory is not required by HIPAA, it is a necessary first step in a risk assessment process.
“Compliance requirements are meaningless if you don’t know what you have to protect,” said Nathan Burke, chief marketing officer of Axonius Inc., a cybersecurity company based in New York City. “The only way we can secure a system is to know what we have first and once we know, we can segment and drill into the details.”
In the newsletter, OCR said it frequently finds that organizations do not know where all their PHI is located. When his organization analyzes a system, Burke said, they always find devices that are unmanaged, meaning they are not being tracked and patched by the organization’s IT staff even though they are linked to PHI in some way.
A simple inventory
Taking an inventory of a practice’s IT a decade ago was much simpler than it is now. Today, organizations need to take stock of a wider array of hardware, including mobile devices, voice over internet protocol (VoIP) phones, printers, firewalls, and routers. Software assets like anti-malware programs, email, and electronic medical records should also be included in an inventory. To get a full scope of their inventory, practices should understand the flow of PHI and any hardware or software used to store, maintain, create, or transmit that information. With many people working remotely, practices must take into account things like Google Home or Alexa devices if a staff member is using those.
“It requires the practice to be a bit of a sleuth and sit down and think hard about every piece of equipment that might brush up against PHI,” said Maggie Hales, chief executive officer of the ET&C Group, LLC, based in St. Louis, Missouri. “But it doesn’t require expensive outside consultants or a PhD in coding. It’s about having the right tools, asking the right questions and being thorough.”
A very basic IT asset inventory is simply a list that includes each device, where it is located, the operating system in use, and if it is being managed. That list is then used to identify gaps in the system. For instance, an inventory might turn up a computer with Windows 7, an operating system for which patches are no longer available. In Lifespan’s case, an IT inventory would have alerted them that staff had unencrypted laptops, leaving the devices vulnerable to a breach.
A good inventory can also help track PHI and allows a scan of the network to detect when unknown devices or applications are operating there.
Taking an IT inventory is an area of HIPAA where compliance is simpler if the practice is smaller. The Department of Health and Human Services has a Risk Assessment Tool that practices can use to manually enter or bulk load asset information. ET&C’s HIPAA E-Tool is also tailored for smaller practices wanting to do a lot of the work in house. For larger systems with hundreds or thousands of devices, it may be impossible to have staff perform this kind of task.
That’s where groups like Axonius come into the picture. Their platform integrates with an organization’s network and takes an inventory of everything connected to the internet. The platform then allows providers to use queries to find different programs and identify where gaps might be in a system. For instance, someone can type in Windows and the laptops would pop up, enabling staff to catch those that were not encrypted.
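As an added illustration that is not code from the article, Lifespan or Axonius, the following Python script runs the gap checks described above over a constructed inventory of the basic form the text lays out (device, location, operating system, managed or not), flagging unencrypted laptops, an operating system with no patches, and unmanaged devices, plus the "type in Windows and the laptops pop up" style lookup. The field names, the unsupported-OS set and the sample assets are assumptions made for this example.

```python
from dataclasses import dataclass

# Operating systems for which vendor patches are no longer available
# (assumed set for this example; a practice would maintain its own).
UNSUPPORTED_OS = {"Windows 7", "Windows XP"}


@dataclass
class Asset:
    name: str
    kind: str          # "laptop", "desktop", "server", "printer", "smart_tv", ...
    location: str
    os: str
    managed: bool      # tracked and patched by the practice's IT staff
    encrypted: bool    # full-disk encryption enabled
    touches_phi: bool  # stores, maintains, creates or transmits PHI


# Constructed sample inventory; names and values are made up for this example.
SAMPLE_INVENTORY = [
    Asset("LAPTOP-017", "laptop", "home office (remote)", "Windows 10", True, False, True),
    Asset("FRONTDESK-02", "desktop", "front desk", "Windows 7", True, True, True),
    Asset("CONF-TV", "smart_tv", "conference room", "vendor firmware", False, False, False),
    Asset("EHR-SRV-01", "server", "server closet", "Windows Server 2019", True, True, True),
]


def find_gaps(inventory):
    """Return (asset name, finding) pairs, with PHI-bearing assets listed first."""
    gaps = []
    for a in inventory:
        if a.kind == "laptop" and not a.encrypted:
            gaps.append((a.name, "unencrypted laptop", a.touches_phi))
        if a.os in UNSUPPORTED_OS:
            gaps.append((a.name, f"unsupported OS: {a.os}", a.touches_phi))
        if not a.managed:
            gaps.append((a.name, "not managed by IT", a.touches_phi))
    # Stable sort: findings on assets that touch PHI come first, original order otherwise.
    gaps.sort(key=lambda g: not g[2])
    return [(name, finding) for name, finding, _ in gaps]


def query(inventory, os_prefix):
    """Names of assets whose operating system starts with the given prefix, e.g. "Windows"."""
    return [a.name for a in inventory if a.os.startswith(os_prefix)]


if __name__ == "__main__":
    for name, finding in find_gaps(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```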
Burke said they consistently find gaps in their clients’ systems after performing an inventory. Even small things like a smart TV in the conference room that is not managed by the IT department can be vulnerable to a breach. “There are always a bunch of devices that groups think are under management but are not,” he said.
All IT assets in a practice should be managed, updated, and secured, Burke said. The inventory to enable this should be done at least quarterly, though Burke said that may not even be frequent enough to keep track.
“It will help them understand what they have but by the time they are done things are already obsolete because IT changes so much,” he said.