Risk: Lack of mechanisms that keep an inventory of hardware and electronic media
Explanation: An inventory of all types of hardware and electronic media needs to be tracked and maintained. With the advancement of technology, the use of portable devices is on the rise, so the movement of these devices needs to be tracked and accounted for. Without this kind of inventory, it is difficult to know when a device has been lost and thereby accessed by unauthorized persons, exposing ePHI to unintended persons.
Major Mitigation: Policies and procedures defining the mechanisms to be adopted for maintaining the inventory of hardware and electronic media. The policy must define that there must be a person who is accountable for this. For example, if a faulty hard disk is taken out to the service center, the necessary bookkeeping, along with the person accountable for it, must be logged.
Secondary Mitigation: The procedures can define the tools that are to be used to track and maintain the status of each of these media. Since there are many tools available in the market, they can be used to do this bookkeeping easily. The level and detail of bookkeeping needed depends on each organization's needs.
Success Criteria: An audit of the inventory logs or, if tools are used, the reports from these tools can provide the status. The risk assessment report can also give a clearer understanding of whether these types of risks are mitigated or not.