If you have ever lost your wallet, I am pretty sure you did not worry about the actual wallet. I live about 45 miles away from Washington, D.C. and two miles from my house is a commuter train. I will never forget the first time I took that train into D.C. After boarding, I realized I did not have my wallet. The train was already on its way, so I was stuck.
That day, all I could think about were the contents of my wallet. My driver’s license, government ID, health ID, and credit cards. If that wallet ended up in the wrong hands, I could have a big mess to cleanup. Although I could cancel my credit cards, my heart was racing at the very thought of someone possibly using my license or health ID to steal my identity.
A computer hard drive is much like a wallet. If it gets lost or stolen, you will probably be more concerned about the contents than the actual hard drive. In 2014, it was reported that 68 percent of all healthcare data breaches since 2010 are due to device theft or loss…not hacking.
Security breaches associated with identity theft reported in the media are typically associated with sophisticated hacking programs. In reality, many security breaches come from computers and laptops that have been misplaced, lost, or stolen. Both the financial and healthcare sectors have been hit hard placing the identity of millions of people at risk.
To protect user identity, government agencies have focused on the financial and healthcare industries with security regulations. Organizations that do not meet security requirements can be fined and even prosecuted.
ITAM processes will help you comply with government security requirements
An important part of security regulations relate to the physical security of the device. The National Cybersecurity Center of Excellence (NCCoE) at the U.S. National Institute of Standards and Technology (NIST) is driven by the cybersecurity needs of American businesses. In an effort to address current security issues in the U.S. financial industry, the group worked with representatives from the private sector to address security problems and to provide solutions to these problems.
The organization created a document called IT ASSET MANAGEMENT: Securing Assets for the Financial Services Sector. The motivation for this document states that an effective ITAM system increases security by providing visibility into what assets are present and what they are doing.
The objective of this document states the following:
“To effectively manage, utilize and secure an asset, you first need to know the asset’s location and function. While many financial sector companies label physical assets with bar codes and track them with a database, this approach does not answer questions such as, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” The goal of this project is to provide answers to questions like these by tying existing data systems for physical assets, security systems and IT support into a comprehensive IT asset management (ITAM) system.”
It has become evident to most organizations that IT service management (ITSM) and ITAM solutions play an important role in an organization’s overall security solution. ITAM is not just about tracking a device, it is also about tracking the data on that device.
It is not acceptable for any organization holding private identity information to not know exactly WHERE private information is stored, WHO has access to that information, and WHEN that information is accessed.
To protect the data, it is important to track the location of the asset and maintain a list of who has access to the device. That list should also include physical access and it would not be far-fetched to even add a custodian or cleaning crew to an access list. Furthermore, it important to know if the device is moved, reallocated, serviced or disposed. ITAM solutions should also communicate with ITSM solutions so that change requests to configuration items are properly documented.
Before a device is secured, it has to be discovered and documented in a database. After security configuration, software, and encryption has been added to the device, the ITAM database needs to have the ability to track the device. Tracking the device would need to include processes that would notify the security team if a device goes missing.
The United States Department of Health & Human Services mandates a security standard called HIPAA.
“The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
The penalties for healthcare organizations are severe if they are found to be noncompliant with HIPPA requirements. A large component of these requirements addresses the physical devices that contain private patient data which are listed below in this HIPAA checklist:
164.310(a)(1) Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
164.310(c) Have you implemented physical safeguards for all workstations that access Electronic Protected Health Information (EPHI) to restrict access to authorized users?
164.310(d)(1) Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.
164.310(d)(2)(i) Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored?
164.310(d)(2)(ii) Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse?
164.310(d)(2)(iii) Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement?
164.310(d)(2)(iv) Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment?
I am aware of a hospital in Florida that makes the internal PC hard drive the primary IT asset that is tracked. They use the serial number to track the status of all hard drives for HIPAA compliance. They also have a locked room with spare hard drives. If a production hard drive fails, it is replaced and its status is changed to repair or dispose in the ITAM database. They also have a process to ensure those drives are properly disposed. As part of the disposal verification process, alerts are in place to notify security if the serial number of a disposed hard drive reappears on another device in the future.
There is no question that ITAM should play an important role in your overall security strategy. Does your organization protect data by properly managing physical IT assets? Take this self-assessment quiz to see how you are doing.
- Does your organization track the name of the person receiving, disposing, reassigning, or moving physical IT assets? YES/NO
- Does your organization have policies that limit physical access to IT assets containing sensitive company data? YES/NO
- Does your organization enforce policies to track the removal of hardware-containing sensitive data in and out of our facility? YES/NO
- Does your organization have policies to sanitize and dispose of end-of-life IT assets? YES/NO
- Does your organization have policies to VERIFY that IT assets have been properly disposed? YES/NO
- Does your organization sanitize and physically secure IT assets that are currently not in use? YES/NO
- Does your organization have policies in place to be alerted in a timely fashion if an IT device is stolen or lost? YES/NO
If you said no to any of these questions, it’s time to make ITAM a part of your security strategy.
-follow me on Twitter @marcelshaw