STEP 2: Identify Resources for Compliance
Know what you have. And what you don’t.
You can't secure what you can't identify
Healthcare compliance isn’t about meeting checklists
Without a full inventory, risk assessments fall flat. Gap assessments miss critical blind spots. And remediation plans become guesses instead of strategy.
You can’t:
- Secure what you haven’t identified.
- Assign ownership to what’s invisible.
- Prove compliance without documentation.
Before you assign responsibilities, write policies, or remediate risks, you need to know the people, systems, assets, and controls already in place.
What to Inventory (and Why)
Here's what you need to documents to understand your current state and uncover gaps before they become liabilities:
Assets
What systems, tools, and infrastructure are in play?
- Laptops, servers, mobile devices
- SaaS platforms, development environments
- Cloud services (AWS, Azure)
Why It Matters
Organizations
How is your organization and decision-making structured?
- Are you part of a parent org?
- Do you managed multiple business units?
- Is decision-making centralized or siloed?
Why It Matters
Locations
Where does your company operate and store data?
- Physical offices
- Remote employees
- Cloud infrastructure / Co-located datacenters
Why It Matters
Users
Who are the personnel involved in your systems?
- Who has access?
- Who approves access?
- Who owns which responsibilities?
Why It Matters
Documentation
What policies and procedures already exist?
- InfoSec policies
- Security training logs
- 3rd Party Risk documentation
- Access control, onboarding & offboarding procedures
Why It Matters
Security Controls
What security safeguards are already in place?
- MFA, firewalls, encryption, logging
- Vendor reviews
- Risk assessments
- Physical badge access + logs, shredding policies
Why It Matters
Compliance Inventory Mistakes to Avoid
Relying on Static Lists
Spreadsheets and one-time exports age quickly. They miss changes in staff, tools, and structure.
Use a living inventory that updates regularly and reflects your current systems, people, and assets—not what you had six months ago.
Tracking People, Not Roles
Listing users without understanding what they do leaves big gaps in responsibility and risk mapping.
Map users to roles and responsibilities so you know who owns what—and where policies and controls apply.
Overlooking Hidden Assets
It’s easy to miss cloud services, mobile apps, and 'shadow IT' —especially those procured without IT involvement.
Take a comprehensive view of assets across departments, device types, and platforms, not just what’s centrally managed by IT.
Not Connecting Documentation
Policies, procedures, and system diagrams often live in folders, disconnected from controls or audit prep.
Link every document to a control, risk, or requirement so it actually supports your compliance narrative and audit readiness.
Start Your Risk Assessment
Now that you have the right people and platform in place, it’s time to uncover what could go wrong — before it does.
Kick off a foundational risk assessment to identify threats, assess their likelihood and impact, and document a plan that satisfies auditors and protects your organization.
