● For information security leaders in U.S. healthcare.
CybrIQ for healthcare · §164.308 risk analysis

The same sentence keeps appearing in OCR resolution agreements. You cannot risk-analyze assets you cannot name.

In December 2024 the Office for Civil Rights formally named its enforcement focus the Risk Analysis Initiative. Over the following twelve months it produced settlements against covered entities and business associates totaling well into eight figures. The cited deficiency is verbatim across the press releases: a failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information held by the covered entity. That word — accurate — is doing the work. An inventory that omits the biomedical VLAN, the contractor laptop on the guest network, or the imaging modality the vendor installed last quarter is, by definition, not accurate. That is the gap CybrIQ closes.

TL;DR: §164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis, and a risk analysis is only as accurate as the inventory of assets that hold or touch ePHI. CybrIQ identifies every device on the wire at Layer 1, continuously, and emits the result via syslog or REST in a form your existing risk register can ingest. We verify device identity. We do not assess configuration. No PHI is observed.
HIPAA Security Rule §164.308(a)(1)(ii)(A) — Risk Analysis (Required)

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

HIPAA Security Rule §164.308(a)(1)(ii)(B) — Risk Management (Required)

"Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a)."

Risk Management depends on Risk Analysis. Risk Analysis depends on inventory accuracy. The 2024–2025 OCR resolution agreements have been working that dependency tree from the bottom up.

Where the inventory typically fails.

Across the OCR resolution agreements published since the start of the Risk Analysis Initiative, the same six categories of missing assets recur. None of them are exotic. All of them are visible at Layer 1.

1. Biomedical devices on isolated VLANs that aren't actually isolated.

Infusion pumps, telemetry monitors, ventilators, and patient-controlled analgesia pumps. The intent is segmentation. The reality is a misconfigured switchport, a vendor laptop bridged across the boundary, or an exception a clinical engineering tech needed last March that nobody closed. The inventory in the GRC tool shows what was supposed to be there; the wire shows what is. CybrIQ reports the wire-level view, device by device with its switchport and VLAN, so the two can be reconciled instead of assumed to agree.

2. Imaging modalities the vendor installed without an asset ticket.

PACS workstations, ultrasound carts, mobile C-arms. The radiology vendor's service engineer adds them during a scheduled visit. The CMMS gets updated, sometimes. The IT asset database gets updated, less often. The HIPAA risk analysis gets updated, almost never. CybrIQ fingerprints these against a 750M+ device library that includes the major imaging-modality families.

3. Pharmacy automation and lab analyzers.

Carousels, sortation systems, automated dispensing cabinets, chemistry analyzers, hematology benches. Vendor-managed, vendor-instrumented, frequently with a remote-support tunnel back to the manufacturer. They sit inside the clinical network, often carry patient identifiers on their interface to the LIS or pharmacy system, and rarely appear on the IT inventory. The support tunnel is itself a boundary the risk analysis has to account for.

4. The contractor on the guest network who isn't on guest.

Construction supervisors, traveling reps, the radiology consultant, the third-party billing auditor. They are on the corporate VLAN because guest wifi did not reach the conference room. Their laptop is now in scope. The risk analysis is silent on it.

5. Building systems with quiet network access.

Pneumatic-tube controllers, HVAC, access control, nurse call. They live on the same physical infrastructure. Many of them are running operating systems whose support ended years ago. Joint Commission has been asking about them since 2023.

6. The acquired practice you brought on last quarter.

The asset list was a spreadsheet from a prior consultant. The switch closet had not been audited since 2019. The radiology workstation was on the same flat /24 as the front-desk PC. Within hours of CybrIQ getting read-only access to the acquired practice's switches, you have an identity-level inventory of every device on the new site in the same format your existing sites already feed. The M&A workstream gets its own page; see M&A integration.

How CybrIQ feeds the risk analysis, specifically.

We are one input to a HIPAA risk analysis, not a substitute for it. Here is what we produce, and what we leave to your team and your assessors.

What CybrIQ produces.

A continuous Layer 1 inventory of every device on the network: MAC, OUI, switchport, VLAN, IP (where observable), device family, manufacturer, model class, and a Device DNA™ confidence score. Changes are emitted as syslog events and exposed through a REST endpoint: new device, moved device, vanished device, and identity drift (a known MAC presenting a different fingerprint), each stamped with the time and the switchport at which it was observed, so the feed doubles as an audit trail for the inventory itself and gives the §164.312(b) Audit Controls review something concrete to point at. The confidence score is part of the record for a reason: a low score means the identity is a hypothesis, and it belongs in the register as an open item rather than a resolved asset. We update the inventory on the cycle your network changes, not the cycle your annual assessment runs.
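As an added example (not CybrIQ code; the record layout, the sample devices, the GRC list and the segmentation policy are all constructed for illustration and do not reflect CybrIQ's real syslog or REST schema), the following Python shows the two operations a risk register would perform on a feed like the one described above: diff two inventory snapshots into new, moved, vanished and identity-drift events, and reconcile the observed inventory against the GRC's declared asset list and the VLAN segmentation design. The sample data exercises the biomedical-VLAN failure mode from the list above: a contractor laptop that turns up on the biomedical VLAN, and a pump's MAC that suddenly fingerprints as a laptop. Field names follow the inventory fields listed in the paragraph above; hostnames, VLAN numbers and the 0.8 confidence threshold are assumptions.

```python
"""Reconcile a wire-observed device inventory against a declared (GRC) inventory
and diff two observation snapshots into new / moved / vanished / drift events.

Added example for this page, not CybrIQ code. The record layout, the sample
devices, the GRC list and the segmentation policy below are all constructed;
they do not reflect CybrIQ's real syslog or REST schema."""
from typing import Dict, List, Set

# One record per observed device; field names follow the inventory fields listed on the page.
SNAPSHOT_T0: List[dict] = [
    {"mac": "00:1a:2b:00:00:01", "switchport": "sw-icu-1/Gi1/0/7", "vlan": 210, "ip": "10.210.0.14",
     "family": "infusion_pump", "manufacturer": "PumpCo", "model_class": "IP-3000", "confidence": 0.97},
    {"mac": "00:1a:2b:00:00:02", "switchport": "sw-icu-1/Gi1/0/8", "vlan": 210, "ip": "10.210.0.15",
     "family": "telemetry_monitor", "manufacturer": "MonitorCo", "model_class": "TM-20", "confidence": 0.95},
    {"mac": "00:3c:4d:00:00:10", "switchport": "sw-rad-2/Gi1/0/3", "vlan": 220, "ip": "10.220.0.40",
     "family": "pacs_workstation", "manufacturer": "RadCo", "model_class": "PACS-WS", "confidence": 0.91},
    {"mac": "00:5e:6f:00:00:20", "switchport": "sw-conf-3/Gi1/0/12", "vlan": 10, "ip": "10.10.4.77",
     "family": "laptop", "manufacturer": "LaptopCo", "model_class": "Generic", "confidence": 0.62},
]
# Later snapshot (constructed): the PACS workstation is gone, telemetry changed port, the contractor
# laptop is now on the biomedical VLAN, an ultrasound cart appeared, and the pump's MAC fingerprints as a laptop.
SNAPSHOT_T1: List[dict] = [
    {"mac": "00:1a:2b:00:00:01", "switchport": "sw-icu-1/Gi1/0/7", "vlan": 210, "ip": "10.210.0.14",
     "family": "laptop", "manufacturer": "LaptopCo", "model_class": "Generic", "confidence": 0.55},
    {"mac": "00:1a:2b:00:00:02", "switchport": "sw-icu-1/Gi1/0/9", "vlan": 210, "ip": "10.210.0.15",
     "family": "telemetry_monitor", "manufacturer": "MonitorCo", "model_class": "TM-20", "confidence": 0.95},
    {"mac": "00:5e:6f:00:00:20", "switchport": "sw-icu-1/Gi1/0/11", "vlan": 210, "ip": "10.210.0.88",
     "family": "laptop", "manufacturer": "LaptopCo", "model_class": "Generic", "confidence": 0.62},
    {"mac": "00:7a:8b:00:00:30", "switchport": "sw-rad-2/Gi1/0/5", "vlan": 220, "ip": "10.220.0.52",
     "family": "ultrasound_cart", "manufacturer": "RadCo", "model_class": "US-500", "confidence": 0.88},
]
# What the GRC tool believes is on the network (assumed shape: MAC -> asset name and designed VLAN).
DECLARED: Dict[str, dict] = {
    "00:1a:2b:00:00:01": {"asset": "ICU infusion pump 7", "vlan": 210},
    "00:1a:2b:00:00:02": {"asset": "ICU telemetry 3", "vlan": 210},
    "00:3c:4d:00:00:10": {"asset": "Radiology PACS WS-1", "vlan": 220},
    "00:9c:0d:00:00:40": {"asset": "Pharmacy ADC bay 2", "vlan": 230},
}
# Segmentation design: which device families belong on which VLAN (assumed policy).
SEGMENTATION: Dict[int, Set[str]] = {
    210: {"infusion_pump", "telemetry_monitor", "ventilator", "pca_pump"},
    220: {"pacs_workstation", "ultrasound_cart", "mobile_c_arm"},
    230: {"dispensing_cabinet", "chemistry_analyzer"},
    10: {"workstation", "laptop", "printer"},
}
IDENTITY_FIELDS = ("family", "manufacturer", "model_class")


def _by_mac(snapshot: List[dict]) -> Dict[str, dict]:
    return {r["mac"]: r for r in snapshot}


def diff_snapshots(old: List[dict], new: List[dict]) -> List[dict]:
    """Turn two snapshots into the four change-event types, ordered for stable output."""
    o, n = _by_mac(old), _by_mac(new)
    events = []
    for mac in sorted(o.keys() - n.keys()):
        events.append({"event": "vanished", "mac": mac, "switchport": o[mac]["switchport"]})
    for mac in sorted(n.keys() - o.keys()):
        events.append({"event": "new", "mac": mac, "switchport": n[mac]["switchport"], "vlan": n[mac]["vlan"]})
    for mac in sorted(o.keys() & n.keys()):
        a, b = o[mac], n[mac]
        if (a["switchport"], a["vlan"]) != (b["switchport"], b["vlan"]):
            events.append({"event": "moved", "mac": mac,
                           "from": (a["switchport"], a["vlan"]), "to": (b["switchport"], b["vlan"])})
        changed = {f: (a[f], b[f]) for f in IDENTITY_FIELDS if a[f] != b[f]}
        if changed:  # same MAC, different fingerprint: a swapped or spoofing device, not a move
            events.append({"event": "identity_drift", "mac": mac, "switchport": b["switchport"], "changed": changed})
    return events


def reconcile(observed: List[dict], declared: Dict[str, dict], segmentation: Dict[int, Set[str]]) -> dict:
    """Compare the wire against the GRC list and the segmentation design."""
    seen = _by_mac(observed)
    violations = []
    for mac, r in sorted(seen.items()):
        if r["family"] not in segmentation.get(r["vlan"], set()):
            violations.append({"mac": mac, "family": r["family"], "vlan": r["vlan"], "switchport": r["switchport"]})
    return {
        "undocumented": sorted(seen.keys() - declared.keys()),       # on the wire, not in the register
        "declared_not_seen": sorted(declared.keys() - seen.keys()),  # in the register, not on the wire
        "vlan_violations": violations,                               # on the wire, on the wrong VLAN
    }


def low_confidence(observed: List[dict], threshold: float = 0.8) -> List[str]:
    """Identities below the threshold are hypotheses; keep them as open items in the register."""
    return sorted(r["mac"] for r in observed if r["confidence"] < threshold)


if __name__ == "__main__":
    for ev in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(ev)
    print(reconcile(SNAPSHOT_T1, DECLARED, SEGMENTATION))
    print("low confidence:", low_confidence(SNAPSHOT_T1))
```

Identity drift is kept separate from a move on purpose: a MAC that stays on its switchport but changes fingerprint is a swapped or spoofing device, which is a different finding from a device that was relocated. Low-confidence identities are returned separately so they land in the register as open items rather than as resolved assets.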

What CybrIQ does not produce.

A conclusion about whether a given device is appropriately controlled. A determination of whether your encryption posture meets §164.312(a)(2)(iv). A configuration audit. A penetration test. A threat-detection feed. The HIPAA risk analysis is your team's deliverable; CybrIQ provides the inventory input it has historically been hardest to keep accurate.

On PHI. CybrIQ does not observe packet payloads. We observe the link-layer signal set visible at the switchport (LLDP, CDP, BPDU, MAC and OUI, switch-derived port and VLAN metadata) and metadata about the device itself. ePHI does not flow through the platform. A Business Associate Agreement is available, and we sign one even though delivering the service does not require us to receive PHI.

What the auditor sees.

During a HIPAA risk analysis review or an OCR investigation, the question is rarely "do you have a list?" It is "how do you know your list is accurate?" CybrIQ's answer is the change feed. Every new identity, every drift, every removed device is logged with a timestamp and the switchport where it was observed, so the auditor sees a continuously refreshed source of truth rather than a spreadsheet last updated for the audit. That is the difference between a risk analysis the assessor signs off on and one a resolution agreement cites by name.

A clean recommendation for the assessor's file.

"The covered entity's asset inventory feeding the §164.308(a)(1)(ii)(A) risk analysis is produced by a continuously running Layer 1 identity platform with a documented change feed. Coverage was validated against the radiology and biomedical VLANs and against the most recently integrated acquired practice."

A live demo of the platform and a conversation about whether CybrIQ fits your risk-analysis cycle.

Bring the most recent OCR findings your peers have shared, the device categories your assessor flagged last cycle, and a Visio of one site. We work the conversation in your context.

Book a demo

30-day pilot, no fee. BAA available. Telemetry stays in the data residency you choose.