CybrIQ Forwardable artifact

HIPAA Security Rule §164.308(a)(1)(ii)(A) — Risk Analysis
A paste-ready methodology paragraph.

Drop this paragraph into the methodology section of your risk-analysis file. It describes a switch-derived, continuously refreshed inventory in language an HHS Office for Civil Rights investigator or a HITRUST assessor will accept. Edit the bracketed fields to match your environment.

Scope: HIPAA §164.308(a)(1)(ii)(A)
Approx. word count: 220
Last reviewed: 2026

The covered entity's asset inventory for the §164.308(a)(1)(ii)(A) Risk Analysis is produced by [Vendor name — e.g., CybrIQ], a device-identity platform deployed across the network infrastructure of [scope: e.g., the four hospital facilities and three ambulatory locations]. The platform consists of two software components: an External Scan Engine that polls the customer's managed switches using read-only access, and a main instance that performs device discovery and identity resolution against a 750-million-device reference database. The inventory is refreshed continuously rather than on an annual cycle; identity-change events are emitted with timestamps and switchport context.

The platform does not observe packet contents, does not require an agent on monitored devices, and does not transmit or process electronic protected health information. The information used to derive each device's identity is the set of signals the switch already records as a side effect of normal operation: link-negotiation pattern, MAC OUI, LLDP and CDP announcements, port-stats footprint, and VLAN/topology context.

The inventory is reconciled quarterly against the Clinical Engineering CMMS of record ([e.g., Nuvolo / TRIMEDX / Medigate CMMS]) and is exposed to the security team's SIEM ([e.g., Splunk]) and the risk register ([e.g., RSA Archer]) through standard syslog and REST egress channels. Identity-change events are logged with timestamps and switchport identifiers, satisfying the §164.312(b) Audit Controls requirement for "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

How to use this paragraph

  1. Edit the bracketed fields (vendor name, scope, CMMS, SIEM, GRC platform) to match your environment.
  2. Paste into the methodology section of your §164.308(a)(1)(ii)(A) risk-analysis document.
  3. Reference the date of the most recent inventory export underneath, plus a citation to your CMMS-reconciliation evidence file.
  4. If your assessor asks for additional detail about the collection mechanism, the technical reference is at cybriq.io/healthcare/what-it-does.