Will Regulators Make Technology Asset Inventories Mandatory?

by Zachary Barlow

January 20, 2025

As data leaks and cyberattacks continue to create global disruptions, regulators are looking for ways to reduce cyber risks and protect sensitive data. To that end, the Department of Health and Human Services Office for Civil Rights (OCR) has recently put forward a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rules, including a mandatory technology asset inventory for those subject to HIPAA. Polsinelli covers what changes could be coming if the new Security Rule goes through, stating:

“Notably, according to an OCR Fact Sheet also released on December 27, the NPRM revisions to the Security Rule could require:

  • Developing and revising a technology asset inventory and network map at least every 12 months.
  • Mandatory analysis of a technology asset inventory and network map, as part of the Security Rule’s risk analysis requirement.
  • Analysis of the relative criticality of relevant electronic information systems and technology assets to determine their priority for restoration when an incident happens, as part of the Security Rule’s risk analysis requirement.”

Technology asset inventories help companies manage cybersecurity risks by mapping their technology assets and documenting data creation and retention policies. By understanding the lifecycle of their data, companies can better identify vulnerabilities in their systems and shore up their security before malicious actors strike. If the OCR rules go through, we may see technology asset inventories mandated in other sectors, particularly those that relate to national security and those dealing in sensitive information.