I.T. Risk Analysis Device Audit – Further Explained
I get a lot of questions about this audit. For that reason, I decided to include this article in the help center to hopefully clear the air on this questionnaire.
Personally, I find the wording of the Law itself confusing. There is all this talk about creating, receiving, maintaining, and transmitting ePHI. What does all this mean? Forget the jargon for a moment and think of it this way: if your device has the ability to ‘touch’ ePHI in any manner, it belongs on this list. If you back up to a cloud service, the terminal you use to access that backup is ‘touching’ ePHI. When you remote into a customer’s network to troubleshoot, your workstation is ‘touching’ the customer’s ePHI. When you log in to a chart on your E.H.R., your computer is ‘touching’ that ePHI. The same logic applies to laptops, tablets, phones, and any other device that can reach this data, not just the desktops in the office.
In the end, this audit is not asking much of you. You don’t need to hunt down serial numbers or tear modems from walls. You merely need to inventory the devices that have the ability to touch this ePHI. If the device you are listing is Debbie’s desktop, keep it simple and fill in ‘Debbie’s desktop’. On to column B: is the device mobile? Rather straightforward, and it matters because a mobile device can leave the building and is the one most likely to be lost or stolen. Column C: where is the device located? Again, keep it simple and fill in ‘Debbie’s Office’. Column D: how are you protecting it? Note whether encryption, anti-virus, malware protection, remote wipe, or a strong password is present on the terminal; if none of these apply, say so, because an honest blank is far more useful to you than a guess. Column E: Remediation. Please disregard this column. It is for our use on this end. If we need to create a remediation plan for you, this is where we will do so.
This ties back to the Seven Fundamental Elements of an Effective Compliance Plan, specifically “Conducting internal monitoring and auditing.”