The Clearwater Compliance definition of an information asset is:

A business application, system or solution that creates, receives, maintains or transmits sensitive information, such as Protected Health Information (PHI), personally identifiable information (PII), payment card data, company proprietary business plans or financial data, etc., the confidentiality, integrity and availability of which must be safeguarded for the sake of overall business risk management.

Unlike traditional hard assets, like desktop computers, laptops, and servers, information assets in this context are not necessarily physical, individual, “things” that might bear an “asset tag”. Rather, they are software applications, integrated devices, and third party services used to access, create, transmit, maintain, or receive sensitive data of interest (e.g. PHI, PII, payment card data, billing/financial information, payroll information, etc.).


Frequently Asked Questions

Software applications are some of the most critical information assets you should include in your inventory. Software to be included in your Information Asset Inventory might include: electronic health record applications, clinical information applications, lab and/or medical specialty applications, medical billing/claims processing applications, email applications, company intranet websites, HR management applications, network file sharing applications, EDI applications, fax applications, payment processing applications, financial management/reporting applications, and any other software used to manage sensitive electronic information. It does not matter whether these applications were internally developed, purchased off-the-shelf, hosted by your organization, or hosted on a third party’s computer hardware (i.e. Platform-as-a-Service or Software-as-a-Service).
The number of information assets will vary based on your individual organization and the number of applications, systems, or solutions you have that create, receive, maintain or transmit sensitive information. No information assets that handle sensitive data should be excluded from your Risk Analysis.
If an application creates, receives, maintains, or transmits sensitive data, it does not matter whether the application was internally developed, purchased off-the-shelf, hosted by your organization, or hosted on a third party’s computer hardware (i.e. Platform-as-a-Service or Software-as-a-Service).

If the device creates, receives, maintains, or transmits sensitive data, you would list it as an information asset. Many medical devices fall under the category “Integrated Devices/Equipment.” Examples include blood gas analyzers, x-ray machines, and CAT, PET, and MRI scanners. Integrated devices are usually software/hardware configurations that are integrated to serve a specialized purpose. Examples of integrated devices/equipment that are not medical devices would include multi-function printers, fax machines, and closed-circuit TV recording equipment.

For a Risk Analysis, these types of assets should be classified by type of device rather than listing individual pieces of equipment.


Most often missed in thinking about risks to information assets are third party vendors engaged by your organization in some capacity that requires them to create, receive, maintain or transmit your sensitive information. Because of the access these third parties have to the organization’s sensitive information, it is vital that the risks posed to the confidentiality, integrity and availability of your sensitive information by that third party also be evaluated. Thus, they should also be included in your Information Asset Inventory. Examples include, but are not limited to: Platform-as-a-Service providers (often cloud-based), software suppliers (including Software-as-a-Service providers), hardware maintenance services, backup media management companies, HR/benefits services, payroll services, medical transcription services, medical coding processors, and all other hired consultants/contractors having regular access to your sensitive information.

Each third party should be thought of as a separate entry on your inventory.

We assume that every organization will have workstations. Do not include desktops or laptops in your inventory unless there are specialized classes for your organization, such as isolated workstations for areas such as imaging or pharmacy, or specialized images for home health, clinicians, administration, etc… These items should be listed or counted on your inventory as classes of workstations, not individual pieces of equipment.
Many modern Electronic Health Record systems provide many modules accessible via Role Based Access, such as Ambulatory Care, ICU System, LMS, Pharmacy, etc… There is no need to list each module of your EHR separately if the modules are all hosted on the same servers with the same authentication system.
If you think members of your organization are sharing sensitive data via email, your email system should be listed as an information asset, even if it is cloud based or a Software-as-a-Service.

Do not count VPN or Secure Access Appliances as an asset. These are networking methods.

Routers and switches should not be counted; they are covered by the networking questions in the IRM|Analysis™ software.

Do not count spreadsheets, Word documents or other MS Office files as assets. They will be addressed by the workstations or servers they reside on. It is not advisable to do risk analysis at the file level.
It is wise to include network file shares, shared directories, document repositories and products such as SharePoint if they store sensitive data.
1. Closed-Circuit TV system for security at any site that stores the recorded images of patients
2. Voice system that stores messages or recordings
3. Digital cameras / photography systems at any site used to take pictures of patients
4. Pagers that capture messages about patients
5. Diagnostic equipment (e.g. EKG, EEG, esophageal cameras, etc.) which stores patient data
6. Radiological modalities which store images
7. Lab equipment (e.g. blood analyzers, flow cytometers, etc.) which stores patient lab results
8. Monitoring or telemetry devices (e.g. vital sign monitors, Holter monitors, insulin pumps, etc.)
9. Automated medication or medical supply cabinets (e.g. Omnicell, Pyxis, Lynx Mobile, etc.)
10. Third-party vendors or consultants that do not provide “health care services”, such as transcriptionists, billing code review services, etc.
11. Third-party collection services to collect overdue patient bills
12. Third-party file-sharing services (e.g. DropBox, Google Drive, Microsoft OneDrive, etc.)
13. Third-party data backup services (e.g. CrashPlan, Carbonite, LiveVault, Mozy, etc.)
14. Other third-parties that access ePHI
15. Stand-alone servers or shared workstations at any site that store ePHI (e.g. act as network file shares)
16. Stand-alone fax machines that are used to transmit or receive documents with ePHI
17. Stand-alone copy machines that copy documents with ePHI
18. Stand-alone scanners that scan documents with ePHI
19. Multi-function printers that print documents with ePHI
20. External hard drives connected to your workstations (i.e. desktop PCs, laptop PCs, etc.)
21. CDs, DVDs or other external media made in response to a patient request for their medical records