Description:


Organizations maintain a record of the movement of hardware and electronic media, and of the individual responsible for each item, so that the physical location and handling of equipment, storage media, and devices that hold Protected Health Information (PHI) can be traced at any time. A complete record supports accountability, makes it possible to notice when an asset is missing or has been handled improperly, and provides the evidence needed to demonstrate compliance with regulatory requirements.


The record covers the whole lifecycle of hardware and electronic media: receipt, movement between locations, transfer between custodians, and disposal. Each entry records the asset's description, its unique identifier, the location, the date and time, and the individual responsible for the asset after the event. Entries kept this way make it possible to reconstruct who held a device containing sensitive information at any point, to detect gaps in custody that may indicate loss or theft, and to confirm that required steps (such as creating a retrievable, exact copy of ePHI before equipment is moved) were taken before the asset changed hands.
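As an added illustration (not part of this page's control text, and not a tool from any vendor named below), the following Python script models a custody register with the fields listed above and replays it to find the gaps an auditor would look for: a hand-over by someone who did not hold the asset, an ePHI-bearing device moved with no verified backup since its last move, activity recorded after disposal, and entries for an asset that was never registered. The event names, field names, asset ids, people and timestamps are assumptions constructed for the example.

```python
"""Chain-of-custody register for hardware and electronic media (example).

Each entry carries the fields the control requires (asset id, description,
location, timestamp, responsible individual) plus an event type.  The
validator replays the register per asset and returns audit findings.
The event vocabulary below is an assumption of this example, not a standard.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

REGISTER, MOVE, BACKUP, DISPOSE = "register", "move", "backup_verified", "dispose"


@dataclass
class Entry:
    asset_id: str
    description: str
    event: str
    timestamp: datetime
    location: str
    custodian: str                          # responsible individual after this event
    contains_ephi: bool = False             # only meaningful on REGISTER
    prior_custodian: Optional[str] = None   # who handed the asset over (MOVE only)


@dataclass
class AssetState:
    description: str
    contains_ephi: bool
    custodian: str
    location: str
    last_seen: datetime
    backed_up_since_move: bool = False      # retrievable exact copy taken since last move
    disposed: bool = False


def validate_register(entries: List[Entry]) -> List[str]:
    """Replay entries in the order recorded and return human-readable findings."""
    findings: List[str] = []
    assets: Dict[str, AssetState] = {}
    for e in entries:
        st = assets.get(e.asset_id)
        if e.event == REGISTER:
            if st is not None:
                findings.append(f"{e.asset_id}: registered twice")
                continue
            assets[e.asset_id] = AssetState(e.description, e.contains_ephi,
                                            e.custodian, e.location, e.timestamp)
            continue
        if st is None:
            findings.append(f"{e.asset_id}: {e.event} recorded for an unregistered asset")
            continue
        if e.timestamp < st.last_seen:
            findings.append(f"{e.asset_id}: {e.event} at {e.timestamp:%Y-%m-%d %H:%M} is out of order")
        if st.disposed:
            findings.append(f"{e.asset_id}: {e.event} recorded after disposal")
            continue
        st.last_seen = max(st.last_seen, e.timestamp)
        if e.event == BACKUP:
            st.backed_up_since_move = True
        elif e.event == MOVE:
            if e.prior_custodian != st.custodian:
                findings.append(f"{e.asset_id}: custody gap, {e.prior_custodian!r} handed over "
                                f"but {st.custodian!r} held it")
            if st.contains_ephi and not st.backed_up_since_move:
                findings.append(f"{e.asset_id}: ePHI device moved without a verified backup")
            st.custodian, st.location = e.custodian, e.location
            st.backed_up_since_move = False   # a new copy is needed before the next move
        elif e.event == DISPOSE:
            st.disposed = True
        else:
            findings.append(f"{e.asset_id}: unknown event {e.event!r}")
    return findings


def sample_register() -> List[Entry]:
    """Constructed sample data; ids, names, locations and times are made up."""
    def t(s: str) -> datetime:
        return datetime.fromisoformat(s)
    return [
        Entry("LT-0417", "Clinic laptop", REGISTER, t("2024-03-01T09:00"), "Clinic A", "a.nguyen", contains_ephi=True),
        Entry("LT-0417", "Clinic laptop", BACKUP, t("2024-03-04T17:30"), "Clinic A", "a.nguyen"),
        Entry("LT-0417", "Clinic laptop", MOVE, t("2024-03-05T08:15"), "Clinic B", "r.patel", prior_custodian="a.nguyen"),
        # Second move: no backup since the previous move, and the wrong hand-over name.
        Entry("LT-0417", "Clinic laptop", MOVE, t("2024-03-12T10:00"), "IT store", "it.ops", prior_custodian="a.nguyen"),
        Entry("LT-0417", "Clinic laptop", DISPOSE, t("2024-03-20T14:00"), "IT store", "it.ops"),
        # Movement logged after the asset was disposed of.
        Entry("LT-0417", "Clinic laptop", MOVE, t("2024-03-25T09:00"), "Clinic A", "a.nguyen", prior_custodian="it.ops"),
        # Media that was never entered into the register.
        Entry("HD-0099", "External drive", MOVE, t("2024-03-02T11:00"), "Clinic A", "a.nguyen", prior_custodian="unknown"),
    ]


if __name__ == "__main__":
    for finding in validate_register(sample_register()):
        print(finding)
```

The validator is deliberately strict about the backup check: the flag is cleared on every move, so a device that holds ePHI must have a verified copy recorded between any two movements. Organizations whose policy only requires a copy "when needed" would relax that condition, but the point of the example is that the requirement is something the register itself can be checked against rather than something left to memory.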


Priority: High


Category: Security and Risk Management


Services Associated with AWS:


AWS Identity and Access Management (IAM)

AWS Key Management Service (KMS)

AWS Security Hub

Services Associated with Azure:


Azure Identity and Access Management

Azure Active Directory (now Microsoft Entra ID)

Azure Security Center (now Microsoft Defender for Cloud)


Objective Evidence:


- Administrative: Documented policies and procedures for recording hardware and media movements

- Administrative: Supporting documentation demonstrating the proper handling and tracking of electronic media

- Technical: Records and logs of hardware and media movements

- Technical: Documentation of procedures for creating retrievable, exact copies of ePHI before equipment movement

- Technical: Documentation of physical safeguards implemented for workstations accessing ePHI


Possible Technology Considerations:


- Security Information and Event Management (SIEM) Systems

- Intrusion Detection and Prevention Systems (IDPS)

- Endpoint Protection Solutions

- Security Awareness Training Platforms


What needs to be answered:

Are there mechanisms in place to capture and document the movements of hardware and electronic media, including the responsible individuals?

Is there a documented procedure for creating retrievable, exact copies of ePHI before the movement of equipment?

Have physical safeguards been implemented for all workstations that access ePHI to restrict access to authorized users?

Are there policies and procedures specifying the proper functions, manner, and physical attributes of workstations accessing ePHI?

Are there policies and procedures for documenting repairs and modifications to the physical components of the facility that are related to security (for example, hardware, walls, doors, and locks)?

Are there procedures for controlling and validating a person's access to facilities based on their role or function?