How HIPAA can lean in to SAM


SAM & HIPAA – How HIPAA can lean in


One topic that is dear to all our hearts (and the rest of our body!) is that of health, and the management of our health. Like any other aspect of life today, technology and data management can determine a positive or negative experience. Provision of accurate and timely data in the event of an emergency can literally mean the difference between life and death.

But away from the more extreme aspects of health management comes a requirement to treat patient data with Confidentiality, safeguarding its Integrity while also respecting its Availability. If this CIA approach is ringing bells with you, it is because it is the heartbeat of ISO 27001 – the ISO standard charged with creating and maintaining an Information Security Management System (ISMS).

Without wishing to labour the bodily analogy, everything is an entity, and every entity has a lifecycle. This lifecycle revolves around birth, maturity, use and eventual retirement or death. Patient records are no different. Once the lifecycle of a patient record has been clearly modelled, then we can start to think about:

Who: Should have access to the record?

What: Should that person be able to see?

What: Should that person be able to transmit/ disseminate?

What: Constitutes patient-data?

Where: Is the patient-data stored and secured?

When: Is the patient-data created/ modified/ backed-up/ transferred/ archived?

Why: Are we using the technology that is currently in place?

Software Asset Management is primarily focused on ensuring an organisation gains the maximum benefit from its software assets without exceeding the terms and conditions of any contract or licence that governs its deployment/ use. However, the checks and balances we apply to creating and maintaining an IT/ Software Asset Management System (see ISO 19770-1:2017 for details) can readily offer massive benefits to HIPAA and Information Security:

Named User Verification Process:

Access to patient data may well be aligned to a client access licence. I can guarantee a hospital will not pay someone one day after they have left to work at another institution – but can you say the same for your system access?

Scope Verification Process:

With the advent of mobile devices, and the need to have data as mobile as our staff, ensuring that non-hospital devices are not trafficking in HIPAA-related data is an ever-present challenge that needs addressing.

Create & Maintain a Supported Software Catalogue:

Software Asset Management looks to maintain a definitive list of software required to run an organisation, down to version, edition and release. Any software used in the storage, retrieval and manipulation of HIPAA patient-data needs to have adequate patching and version control applied to it, so that ransomware such as WannaCry doesn’t adversely impact patient care, or expose a hospital to HIPAA-based liabilities and suits.

Hardware Disposal Process:

Over time, hardware will be disposed of. Aside from ensuring that a robust purging of HIPAA-related data takes place, we also need to make sure that those devices are no longer granted access to core hospital/ patient systems and data. SAM’s concern here is that when devices are disposed of, the software on those devices gets recycled, so that we don’t re-buy software if/ when new hardware is purchased.

Joiners Movers and Leavers:

Rather like the Named User Verification Process, we want to make sure that IT access is in alignment with the HR lifecycle, so that as staff move through the hospital their access to HIPAA patient-data is commensurate with their job role – and most importantly, when their employment ends, so does their access to that hospital’s patient-data.

Increasingly, suspending someone’s AD account might block network access, but may not block software access.

Recovery of mobile devices is also of paramount importance at the end point of the HR lifecycle.
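The Named User Verification and Joiners/Movers/Leavers checks above can be reduced to a reconciliation between three sources: the HR roster, AD account state, and each application's own named-user list. The following is an added example (not code from the original post or from SAM Charter) over constructed sample data; it flags leavers whose AD account is still enabled, leavers who still hold application access even though their AD account is disabled (the gap described above), and application accounts that map to no HR record at all.

```python
"""Reconcile HR leavers against AD state and per-application named-user lists."""
from datetime import date

# Constructed sample data: an HR roster with employment end dates (None = still employed).
HR_ROSTER = [
    {"employee_id": "E100", "name": "A. Nurse", "end_date": None},
    {"employee_id": "E101", "name": "B. Registrar", "end_date": date(2023, 3, 31)},
    {"employee_id": "E102", "name": "C. Radiographer", "end_date": date(2023, 6, 30)},
]
# Constructed AD export: account name, HR employee id attribute, enabled flag.
AD_ACCOUNTS = [
    {"sam": "anurse", "employee_id": "E100", "enabled": True},
    {"sam": "bregistrar", "employee_id": "E101", "enabled": False},  # disabled in AD...
    {"sam": "cradio", "employee_id": "E102", "enabled": True},
]
# Constructed named-user lists exported from each application (user, employee id or None).
APP_USERS = {
    "EHR": [("anurse", "E100"), ("bregistrar", "E101"), ("cradio", "E102")],  # ...but still licensed here
    "PACS": [("cradio", "E102"), ("svc_pacs", None)],
}


def reconcile(hr, ad, apps, today):
    """Return sorted (finding, account, system) tuples for access that outlives HR status."""
    leavers = {r["employee_id"] for r in hr if r["end_date"] and r["end_date"] < today}
    known = {r["employee_id"] for r in hr}
    findings = []
    for acct in ad:
        if acct["employee_id"] in leavers and acct["enabled"]:
            findings.append(("AD_STILL_ENABLED", acct["sam"], "AD"))
    for app, users in apps.items():
        for user, emp in users:
            if emp in leavers:
                # Application access persists regardless of whether AD was suspended.
                findings.append(("LEAVER_HOLDS_APP_ACCESS", user, app))
            elif emp not in known:
                # Shared or service accounts with no HR owner need a named approver.
                findings.append(("UNMAPPED_APP_ACCOUNT", user, app))
    return sorted(findings)


def run_sample():
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(HR_ROSTER, AD_ACCOUNTS, APP_USERS, date(2023, 7, 15))


if __name__ == "__main__":
    for finding, account, system in run_sample():
        print(f"{finding:24} {account:12} {system}")
```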

Reporting Process:

Due to the sensitivity of the data in question, releasing the right data at the right time to the right people in the right manner is absolutely vital. Being able to demonstrate that this was how patient-data was/ is managed is critical not just to patient safety, but also to the livelihood of the hospital.


HIPAA (like SAM and Information Security) is a participation sport – it doesn’t matter what brand of sneakers you own, changing from one brand to another will not make you run faster! You have to train; you have to work to an ideal of what good HIPAA security looks like – SAM can help!

SAM Charter is able to discern how well/ badly you are managing your software, and by extension your patient-data.  If a refresh of where you stand in respect to SAM could improve your HIPAA management protocols, then email:
