SAM & HIPAA – How HIPAA can lean in….
SAM & HIPAA: An Introduction:
One topic that is dear to all our hearts (and the rest of our body!) is that of health, and the management of our health. Like any other aspect of life today, technology and data management can determine a positive or negative experience. Provision of accurate and timely data in the event of an emergency can literally mean the difference between life and death. So let’s dive deeper into how SAM & HIPAA could better hold hands together.
Away from the more extreme aspects of health management comes a requirement to treat patient data Confidentially, safeguarding its Integrity while also respecting its Availability. If this “CIA” approach rings a bell, it is because it is the heartbeat of ISO 27001, the ISO standard charged with creating and maintaining an Information Security Management System (ISMS).
SAM & HIPAA: A Breakdown:
Without wishing to labor the bodily analogy, everything is an entity, and every entity has a lifecycle. This lifecycle revolves around birth, maturity, use and eventual retirement or death. Patient records are no different. Once the lifecycle of a patient record has been clearly modelled, we can start to think about:
- Who: Should have access to the record?
- What: Should that person be able to see?
- What: Should that person be able to transmit/ disseminate?
- What: Constitutes patient-data?
- Where: Is the patient-data stored and secured?
- When: Is the patient-data created/ modified/ backed-up/ transferred/ archived?
- Why: Are we using the technology that is currently in place?
Software Asset Management is primarily focused on ensuring an organisation gains the maximum benefit from its software assets without exceeding the terms and conditions of any contract or licence that governs their deployment and use. However, the checks and balances we apply to creating and maintaining an IT/ Software Asset Management System (see ISO 19770-1:2017 for details) can readily offer massive benefits to HIPAA and Information Security:
Named User Verification Process:
Access to patient data may well be aligned to a client access licence. I can guarantee a hospital will not pay someone one day after they have left to work at another institution – but can you say the same for your system access?
Scope Verification Process:
With the advent of mobile devices, and the need to have data as mobile as our staff, ensuring that non-hospital devices are not trafficking in HIPAA-related data is an ever-present challenge that needs addressing.
Create & Maintain a Supported Software Catalogue:
SAM looks to maintain a definitive list of the software required to run an organisation, down to version, edition and release. Any software used in the storage, retrieval and manipulation of HIPAA patient-data needs to have adequate patching and version control applied to it, so that ransomware doesn’t adversely impact patient care or expose a hospital to HIPAA-based liabilities and suits.
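The catalogue check described above, reduced to code, is a reconciliation of discovered installations against an approved list. The following is an added example, not code from the original post or from SAM Charter; the catalogue, host names, product names and versions are all constructed for illustration, and the shape of the inventory records is an assumption about what a discovery tool might export.

```python
"""Audit a software inventory against a supported software catalogue.

Added example (not from the original post). All product names, hosts and
versions below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed catalogue: product -> (supported edition, minimum patched version).
CATALOGUE = {
    "EHRClient": ("Enterprise", "4.2.1"),
    "DICOMViewer": ("Standard", "7.0.3"),
    "PDFReader": ("Pro", "11.0"),
}

# Constructed inventory, one record per installation, as a SAM discovery
# tool might export it (record layout is an assumption).
INVENTORY = [
    {"host": "ward3-pc01", "product": "EHRClient", "edition": "Enterprise", "version": "4.2.1"},
    {"host": "ward3-pc02", "product": "EHRClient", "edition": "Enterprise", "version": "4.1.0"},
    {"host": "radiology-ws7", "product": "DICOMViewer", "edition": "Standard", "version": "7.0.3"},
    {"host": "radiology-ws7", "product": "ImageShareFree", "edition": "", "version": "2.3"},
    {"host": "admin-lt14", "product": "PDFReader", "edition": "Home", "version": "11.0"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    issue: str


def parse_version(version: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so tuples compare numerically.

    Non-digit characters in a component (build tags such as '3b') are
    stripped; a real inventory feed usually needs its own normalisation.
    """
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(inventory, catalogue):
    """Return one Finding per deviation from the supported catalogue.

    Three conditions are reported: software that is not in the catalogue at
    all (unsupported, therefore unpatched and unlicensed from SAM's point of
    view), a non-supported edition, and a version below the minimum patched
    level.
    """
    findings = []
    for item in inventory:
        entry = catalogue.get(item["product"])
        if entry is None:
            findings.append(Finding(item["host"], item["product"], "not in supported catalogue"))
            continue
        edition, min_version = entry
        if item["edition"] != edition:
            findings.append(Finding(item["host"], item["product"],
                                    f"edition {item['edition']!r} is not the supported {edition!r}"))
        if parse_version(item["version"]) < parse_version(min_version):
            findings.append(Finding(item["host"], item["product"],
                                    f"version {item['version']} below minimum {min_version}"))
    return findings


def report(inventory=INVENTORY, catalogue=CATALOGUE):
    """Print the findings in a form an IT/SAM owner can act on, and return them."""
    findings = audit(inventory, catalogue)
    for f in findings:
        print(f"{f.host:15} {f.product:15} {f.issue}")
    return findings


if __name__ == "__main__":
    report()
```

Run as a script it lists the three deviations in the sample data: the out-of-date EHR client on `ward3-pc02`, the uncatalogued image-sharing tool on the radiology workstation, and the wrong edition of the PDF reader. The same join, fed from a real discovery export and the real catalogue, is the evidence trail for "adequate patching and version control" on systems that touch patient data.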
Hardware Disposal Process:
Over time, hardware will be disposed of; aside from ensuring that a robust purging of HIPAA related data takes place, we also need to make sure that those devices are no longer granted access to core hospital/ patient systems and data. SAM’s concern here is that when devices are disposed of, the software on those devices gets recycled – so that we don’t re-buy software if/ when new hardware is purchased.
We want to make sure that IT access is in alignment with the HR lifecycle. As staff move through the hospital, their access to HIPAA patient-data should be commensurate with their job role. Most importantly, when their employment ends, so does their access to patient-data for that hospital.
Increasingly, suspending someone’s AD account might block network access, but may not block software access.
Recovery of mobile devices is also of paramount importance at the end point of the HR lifecycle.
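The three checks just described (leaver access revoked in the directory, leaver access revoked in each application even when the directory account is already disabled, and leaver devices recovered) plus the named-user verification from earlier are one joiner/mover/leaver reconciliation. The following is an added example, not code from the original post or from SAM Charter; the HR roster, account states, application user lists, role entitlements and device assignments are constructed sample data, and the idea that each application keeps its own user list is an assumption made to show the point about AD suspension not blocking software access.

```python
"""Reconcile HR lifecycle status against directory, application and device records.

Added example (not from the original post). Every record below is constructed.
"""

# Constructed HR roster: employee id -> job role and employment status.
HR_ROSTER = {
    "e1001": {"role": "nurse", "status": "active"},
    "e1002": {"role": "billing", "status": "terminated"},
    "e1003": {"role": "physician", "status": "active"},
    "e1004": {"role": "porter", "status": "terminated"},
}

# Constructed directory state: employee id -> account enabled?
AD_ACCOUNTS = {"e1001": True, "e1002": False, "e1003": True, "e1004": True}

# Constructed per-application user lists (assumption: each application keeps
# its own named-user list, so disabling the AD account does not touch it).
APP_ACCESS = {
    "EHR": {"e1001": "nurse", "e1002": "billing", "e1003": "physician", "x9999": "admin"},
    "PACS": {"e1003": "physician", "e1004": "porter"},
}

# Constructed role-to-application entitlements (the "mover" rule).
ROLE_ENTITLEMENTS = {
    "nurse": {"EHR"},
    "physician": {"EHR", "PACS"},
    "billing": {"EHR"},
    "porter": set(),
}

# Constructed mobile device assignments and the set of devices handed back.
DEVICE_ASSIGNMENTS = {"LT-0042": "e1002", "LT-0051": "e1003", "TAB-0007": "e1004"}
DEVICES_RETURNED = {"LT-0042"}


def reconcile(roster, ad_accounts, app_access, entitlements, devices, returned):
    """Return (subject, system, issue) tuples for every lifecycle mismatch.

    Leavers: directory account still enabled, or still listed in any
    application's user list. Active staff: application access their role is
    not entitled to. Devices: assigned to a leaver and not recovered.
    Orphans: application users with no HR record at all (named-user check).
    """
    findings = []
    for emp_id, rec in roster.items():
        if rec["status"] == "terminated":
            if ad_accounts.get(emp_id):
                findings.append((emp_id, "AD", "directory account still enabled after termination"))
            for app, users in app_access.items():
                if emp_id in users:
                    findings.append((emp_id, app, "application access survives termination"))
        else:
            allowed = entitlements.get(rec["role"], set())
            for app, users in app_access.items():
                if emp_id in users and app not in allowed:
                    findings.append((emp_id, app, f"access not entitled for role {rec['role']}"))
    for device, owner in devices.items():
        rec = roster.get(owner)
        if rec and rec["status"] == "terminated" and device not in returned:
            findings.append((owner, device, "device not recovered after termination"))
    for app, users in app_access.items():
        for user in users:
            if user not in roster:
                findings.append((user, app, "no matching HR record"))
    return findings


def report():
    """Print the reconciliation for the sample data and return the findings."""
    findings = reconcile(HR_ROSTER, AD_ACCOUNTS, APP_ACCESS,
                         ROLE_ENTITLEMENTS, DEVICE_ASSIGNMENTS, DEVICES_RETURNED)
    for subject, system, issue in findings:
        print(f"{subject:8} {system:10} {issue}")
    return findings


if __name__ == "__main__":
    report()
```

On the sample data the leaver `e1002` has a disabled directory account but is still a named user in the EHR, which is exactly the gap between "network access" and "software access"; `e1004` is still enabled in AD, still in PACS, and still holds an unrecovered tablet; and `x9999` has EHR access with no HR record behind it. Each line is a ticket for either the application owner or HR, and the same join run on a schedule is how "access ends when employment ends" becomes a verified fact rather than a policy statement.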
Releasing the right data at the right time to the right people in the right manner is absolutely vital. How patient-data is managed is critical not just to patient safety, but also to the livelihood of the hospital.
SAM & HIPAA: Conclusion:
HIPAA (Like SAM and Information Security) is a participation sport. It doesn’t matter what brand of sneakers you own, a brand change will not make you run faster. You have to work to an ideal of what good HIPAA security looks like – SAM can help!
SAM Charter is able to discern how well/ badly you are managing your software, and by extension your patient-data. If a refresh of where you stand in respect to SAM could improve your HIPAA management protocols, then email: [email protected]