Having an asset management plan is essential to your healthcare business. Just as you would want a list of your household items for insurance coverage in the event of theft or loss, you need to know the details of your assets and be able to access them quickly, especially if an item goes missing or breaks. It is likely that your IT department oversees this part of your business since it will predominantly include technology devices. Additionally, you should be sure that your program addresses all of the requirements of the HIPAA Security Rule.
Creating an Effective Asset Management Program
The goal of the program is to maintain and track devices. The first step is to create an inventory list that is updated whenever an asset is:
- Broken or damaged
- Lost or stolen
- Transferred to a new employee or location
Each item should be listed with the device name (manufacturer and model), the employee(s) who use or have access to the device, the date of purchase, and details of the software installed on the device. This allows updates to be applied when available, or replacements to be made when the device contains a program that is no longer supported. This will reduce the risk of a breach in multiple ways. It is also important to track updates made to each device. Whether or not data was encrypted on a lost laptop is information you want to have easily at hand when the loss occurs. Additionally, if a developer no longer supports a program due to security risks, you would need to know which devices are using that program.
Policies & Procedures
Your organization should outline what happens when any one of the occurrences listed above takes place. For example, if an employee loses a device, what is the first thing that they should do? Provide employees with clear and concise steps on who to contact immediately. Being able to remotely wipe a device is critical if it has access to ePHI. The policies and procedures should be acknowledged by everyone on the team.
Contact HIPAA Secure Now to see how we offer solutions that can help your healthcare business. We work to identify any gaps in your HIPAA and cybersecurity programs, and then provide solutions to mitigate the risk of a breach.