
Under the HIPAA Security Rule, any portable or electronic device that creates, receives, maintains, or transmits electronic protected health information (ePHI) must be considered in the organization’s safeguards. That includes more than servers and office computers. It may include laptops, tablets, smartphones, USB drives, copiers, scanners, diagnostic equipment, telehealth tools, remote access devices, cloud-connected applications, smart dictation tools, and other technologies that touch patient information.
Devices are frequently overlooked because they do not always look like “medical records systems.” A copier may store scanned documents. A smartphone may contain patient photos, secure messages, voicemail notifications, or screenshots. A USB drive may be used for “just one file” and then disappear into a desk drawer. A voice-enabled device may listen in an area where patient information is discussed. These are not small details. They are part of the environment the HIPAA Security Officer is expected to understand and manage.
Why this information is important
The SRA is supposed to identify where ePHI exists, how it moves, and what risks could affect its confidentiality, integrity, and availability. You cannot answer those questions accurately if you do not know which devices exist or how they connect. That is why equipment inventory and network mapping are so closely related to the SRA. The inventory tells you what you have. The network map or network matrix helps you understand how information moves.
A network map is usually a visual diagram showing systems, connections, vendors, remote access points, and data flow. A network matrix can be a table that lists each system or device, where it is located, what type of ePHI it may access, who supports it, how it connects, what safeguards are in place, and what risks still need to be addressed. For many smaller organizations, a matrix may be easier to maintain than a complex diagram. The important point is that the Security Officer should be able to explain the environment in a way that helps leadership make decisions.
HHS/OCR has also proposed HIPAA Security Rule updates that would make technology asset inventories and network maps more specific and formal. Because these changes are proposed and may change before becoming final, organizations should be careful with wording. But the direction is clear: regulators expect better visibility into systems, assets, and ePHI movement.
Frequently overlooked devices and why they matter
Memory sticks, USB flash drives, and removable media can create serious risk because they are small, easy to lose, and often used informally. If ePHI is stored or transferred on removable media, the organization should address encryption, inventory tracking, chain of custody, and secure disposal. Password protection alone may not be enough if the data itself is not properly protected. If a device is no longer needed, it should be securely destroyed or handled through a documented disposal process consistent with recognized security practices.
Cell phones and smartphones deserve special attention. Healthcare professionals use phones for telehealth, clinical documentation, secure messaging, scheduling, photographs, and communication with patients or other providers. Whether the phone is issued by the organization or personally owned under a Bring Your Own Device (BYOD) arrangement, the organization needs policies that address access controls, authentication, auto-lock, encryption, secure messaging, remote wipe, and what happens when an employee leaves. Standard SMS texting and consumer communication tools can create risk when they are used to transmit ePHI without appropriate safeguards and, where required, business associate arrangements.
Mobile Device Management (MDM) or Mobile Application Management (MAM) can help separate work information from personal information, enforce security settings, and allow remote wipe when a phone is lost or stolen. The practical problem is that many organizations allow phone use before deciding what is allowed, what is prohibited, and how the policy will be monitored. That gap becomes visible during an SRA.
Voice-activated devices and virtual assistants create a different kind of concern. Smart speakers, dictation tools, and voice assistants may process audio in the cloud. If they are used in a clinical or administrative area where ePHI may be discussed or recorded, the organization needs to understand the vendor relationship, data storage practices, whether a Business Associate Agreement is required and available, and how accidental disclosures will be prevented. In sensitive areas, devices should be disabled, muted, or removed unless they are specifically approved for compliant use.
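The network matrix described earlier (one row per system or device with its location, the ePHI it touches, who supports it, how it connects, which safeguards are in place, and what risk remains) lends itself to a simple gap check against the safeguards this section lists for removable media, phones, and voice-enabled devices. The script below is an added illustration, not code from this article, from Taino Consultants, or from EPI Compliance. The device categories, the rule table mapping each category to expected safeguards, and the sample assets are all constructed assumptions chosen to mirror the text; a real organization would substitute its own inventory and its own policy requirements.

```python
"""Minimal network matrix with gap checks (constructed example, not an official tool)."""
from dataclasses import dataclass, field

# Assumed rule table: safeguards expected per device category, drawn from the
# article's discussion of removable media, smartphones, and voice assistants.
REQUIRED_SAFEGUARDS = {
    "removable_media": {"encryption", "inventory_tracking", "chain_of_custody", "disposal_process"},
    "smartphone": {"authentication", "auto_lock", "encryption", "remote_wipe", "mdm_or_mam"},
    "voice_assistant": {"baa", "approved_for_use"},
    "copier": {"encryption", "disposal_process"},
    "server": {"encryption", "access_control"},
}


@dataclass
class Asset:
    """One row of the network matrix."""
    name: str
    category: str
    location: str
    ephi_types: set          # kinds of ePHI the device may touch; empty = out of scope
    owner: str               # who supports it; empty string means nobody recorded
    connection: str          # e.g. "lan", "wifi", "cellular", "cloud", "usb"
    safeguards: set = field(default_factory=set)
    open_risks: list = field(default_factory=list)


def find_gaps(assets):
    """Return (asset name, finding) pairs for every in-scope asset that falls short."""
    findings = []
    for a in assets:
        if not a.ephi_types:
            continue  # no ePHI recorded: nothing to check for this row
        if not a.owner:
            findings.append((a.name, "no owner/support contact recorded"))
        required = REQUIRED_SAFEGUARDS.get(a.category)
        if required is None:
            findings.append((a.name, f"unclassified category '{a.category}'"))
            continue
        required = set(required)
        if a.connection == "cloud":
            required.add("baa")  # cloud-processed ePHI: confirm a BAA exists
        for missing in sorted(required - a.safeguards):
            findings.append((a.name, f"missing safeguard: {missing}"))
    return findings


def summarize(findings):
    """Count findings per asset so leadership can see where attention is needed."""
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample inventory, not data from any real practice.
SAMPLE_ASSETS = [
    Asset("Front-desk copier", "copier", "Reception", {"scanned intake forms"},
          "IT vendor", "lan", {"encryption"}),
    Asset("Dr. A personal phone (BYOD)", "smartphone", "Mobile", {"secure messages", "photos"},
          "", "cellular", {"authentication", "auto_lock", "encryption"}),
    Asset("Exam room 2 smart speaker", "voice_assistant", "Exam room 2", {"spoken PHI"},
          "Office manager", "cloud", set()),
    Asset("Break-room USB drive", "removable_media", "Break room", {"exported report"},
          "Unknown staff", "usb", {"encryption"}),
    Asset("EHR server", "server", "Server closet", {"records"},
          "IT", "lan", {"encryption", "access_control"}),
    Asset("Ultrasound cart", "diagnostic", "Imaging", {"images"},
          "Biomed", "wifi", set()),
    Asset("Visitor kiosk", "kiosk", "Lobby", set(), "Facilities", "wifi", set()),
]

if __name__ == "__main__":
    for name, finding in find_gaps(SAMPLE_ASSETS):
        print(f"{name}: {finding}")
    print(summarize(find_gaps(SAMPLE_ASSETS)))
```

Run as-is, the script lists each gap per asset (the BYOD phone with no recorded owner and no MDM or remote wipe, the cloud-connected speaker with no BAA or approval, the USB drive with no tracking or disposal process, the cart whose category has not been classified yet) and reports nothing for the server that already meets its expected safeguards. Whether a finding is an actual risk still depends on the SRA; the matrix only makes the question visible.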
What is actually expected under this topic
The HIPAA Security Officer should help the organization build and maintain a current equipment inventory and a network map or matrix. This does not mean the Security Officer must personally configure every firewall or manage every device. It does mean the Security Officer should know who owns the inventory, how often it is updated, how new devices are approved, how lost or stolen devices are reported, how unsupported devices are retired, and how remote access is reviewed.
This is another area where people with good intentions can become stuck. A manager may say, “IT handles that.” IT may say, “We handle the network, but not clinical devices or personal phones.” The practice manager may say, “The doctors use their own phones.” Everyone may be trying to help, but if no one knows what needs to be listed, secured, monitored, and documented, the organization is still exposed.
EPI Compliance can help by giving the Security Officer and compliance team a structured place to maintain policies, forms, and recurring task reminders related to device management, access, security reminders, and documentation. It does not replace the SRA or technical support, but it helps keep the administrative side of the program from being forgotten after the assessment is finished.
If you are an executive manager, ask these questions
Manager Questions
☐ Do we have a current inventory of every device and system that may create, receive, maintain, or transmit ePHI?
☐ Does the inventory include smartphones, tablets, USB drives, copiers, scanners, diagnostic equipment, telehealth tools, and cloud-connected systems?
☐ Do we have a network map or network matrix showing how ePHI moves inside and outside the organization?
☐ Do we have a written BYOD policy for personal phones and tablets used for work?
☐ Are secure messaging, VoIP, remote access, MDM/MAM, encryption, and remote wipe addressed?
☐ How do we retire, destroy, or document disposal of devices that may contain ePHI?
☐ Has our HIPAA Security Officer been trained to understand this topic well enough to manage the process?
What you can do now
Start by making the invisible visible. Ask your team to list every device that may touch ePHI, including personal phones used for work, removable media, copiers, clinical equipment, and cloud-connected tools. Then have at least one team member complete the CHSO course and test so your organization has someone who understands how device inventory, network mapping, and the SRA fit together. After that, contact Taino Consultants to conduct the SRA from the beginning. The SRA will help identify your baseline, and that baseline becomes the starting point for a realistic security management roadmap.
Quick Checklist
☐ Create or update an inventory of all devices and systems that may touch ePHI.
☐ Include laptops, tablets, smartphones, USB drives, copiers, scanners, medical devices, telehealth tools, and cloud systems.
☐ Create a network map or network matrix showing connections, data flow, remote access, vendors, and safeguards.
☐ Review BYOD, secure messaging, VoIP, MDM/MAM, encryption, remote wipe, and device disposal policies.
☐ Have at least one team member complete the CHSO course and test.
☐ Use the SRA results as the baseline for device and network risk management.
“You cannot manage what you cannot see.”
If your organization has never looked closely at phones, USB drives, copiers, cloud tools, and network connections as part of the SRA, now is a practical time to begin. EPI Compliance can help organize the policies, forms, and reminders, while Taino Consultants can help you identify the baseline and turn visibility into action.
About Dr. Jose I. Delgado
Dr. Jose I. Delgado is the founder and CEO of Taino Consultants, a veteran-owned, 8(a) graduate healthcare IT consulting firm based in St. Augustine, Florida. With over 30 years of experience in healthcare compliance and government contracting, Dr. Delgado has helped organizations navigate HIPAA, MACRA/MIPS, and federal IT security requirements.
Need help with healthcare compliance?
Taino Consultants provides HIPAA compliance consulting, MACRA/MIPS compliance support, and healthcare IT modernization services for government and private healthcare organizations.