Hard Drives Lost, Affecting Nearly 1 Million
Incident Raises Issues About Encryption, Inventory Tracking
The Centene incident shines a spotlight on the difficulties related to tracking IT inventory, says Tom Walsh, founder of security consulting firm tw-Security.
“While the HIPAA Security Rule has an implementation specification of ‘accountability’ under the standard of ‘device and media controls,’ maintaining an accurate inventory and tracking everywhere PHI is stored is easier said than done,” he says.
“An inventory of any IT assets, including data, is only accurate for a moment. Things are constantly changing. Maintaining an accurate inventory doesn’t scale well for large organizations. Rather than putting a lot of effort into an accurate inventory, efforts are better spent encrypting media containing confidential information.”
To improve the oversight of IT equipment and the appropriate level of security controls needed, “an inventory should identify high-risk devices where large amounts of PHI are stored or where the threat of theft and loss are greater than other devices,” Walsh notes. “For example, a laptop used to collect and store patient information during a medical procedure is at a higher risk than a virtualized workstation – functioning like a dumb terminal – that cannot store any information to the internal hard drive.”
A risk analysis along with an accurate inventory will help organizations to “channel limited security resources where they are needed most,” Walsh adds.