In the first post of this blog series we covered the basics of Information Governance. As promised, this second installment goes a little deeper and addresses an essential part of your Information Governance Policy – your Application Inventory.
What is an Application Inventory?
As one might expect, an Application Inventory lists all the software, hardware and websites in a healthcare system in which patient information may be entered, transferred, edited or stored. This list should include the departmental solutions that generate information across the organization as well as enterprise-wide applications. It should include systems currently in use and also past systems.
This simple definition does not reveal the levels of complexity one encounters when actually compiling an Application Inventory.
How to compile an Application Inventory
While the systems your staff use every day may be top of mind, when compiling an Application Inventory, you’ve also got to consider all the support systems, niche departmental applications and additional solutions that run behind the scenes.
To help you identify the scope of the applications in your organization, consider the following:
Managed vs. Unmanaged Environments: Managed environments are those information repositories that users work in all the time. They’re easy to identify and include in your Application Inventory. On the other hand, unmanaged environments run in the background, and could possibly include legacy applications that aren’t doing much more than sitting on a shelf (metaphorically speaking) in your IT stack. Both managed and unmanaged environments need to be included in your Application Inventory. As the saying goes, “out of sight, out of mind.” You may find a comprehensive list of unmanaged environments reveals opportunities for significant cost savings, as you may be paying fees for applications you don’t even use any more.
Approved vs. Unapproved Applications: Depending on your organization’s policies, you may find you’ve got a variety of unapproved applications that users have installed to help them complete tasks. Despite the moniker, “Shadow IT” activity isn’t sinister. It can be as innocent as when a physician downloads the application to support the scanner that was purchased for the office to his work-issued laptop. Because that application may store scans, it needs to be included in your Application Inventory. While it may not be possible to identify all the unapproved applications in use at your organization, a concerted effort should be made nonetheless. Doing so also presents an opportunity to improve user adoption of approved applications. After all, one way to reduce the number of unapproved applications is to offer approved applications that meet your users’ needs. Whether these devices contain data you need to keep may be determined later. For now, list everything considered inventory!
Centralized vs. Decentralized IT: Large health systems with multiple locations may either have centralized IT – one department managing all the organization’s hospitals and clinics – or decentralized IT in which each location manages its own applications. A decentralized IT department will certainly make creating an Application Inventory a little more difficult, but as with unapproved applications, identifying every application across an entire system may also reveal streamlining opportunities to reduce costs and your overall technology footprint.
Manual vs. Automated Inventory: You can maintain your Application Inventory manually (in an Excel spreadsheet, for example) or use an automated system. While an automated system won’t help you build the list, it will help you keep up with license renewals, support expirations and product updates.
What to include in an Application Inventory
As you’re creating your Application Inventory, you may wonder what information you need to include, other than the name of the solution. While you can never have too much information, don’t let perfection get in the way of progress. Here is a list of information to include about each of your applications. This is not an exhaustive list, by any means, but it should get you started:
Hardware and Software: Separate out hardware and software in your Application Inventory. For hardware, include the make, model and serial number, the Windows/Mac Edition as well as any other physical characteristics. If the hardware is being licensed by a vendor, make note of the license expiration dates and support fees. For software, include the vendor name, modules, version, database type, location and size, as well as the implementation date and annual cost. For both hardware and software make sure to note any stability issues or upcoming renewal dates. Having this will help you prioritize decisions about archiving or replacing systems.
The Type of Data: The data is the real star of the show here, so you need to know as much as you can about what data each application stores. Does the data contain protected health information (PHI)? Who are the stakeholders? Is it information you need to keep? For how long? Does it meet the needs of your end users? Does it meet your organization’s criteria for Release of Information, Research and Analytics, and Audit and Compliance?
Precursor and Successor Information: What is the “chain-of-custody” for the data stored in this application? Did it originate in a previous system? Does it pass to a different system? To illustrate the workflow, it may be helpful to create a diagram to show how the information travels as well as how users access the system and how the system sends information across the enterprise.
Legal Requirements: You’ll want to document any legal data storage considerations in your Application Inventory as well. Include the federal regulations, but also your state- and organization-specific policies and regulations. Learning that you’ve got data housed in an unstable, unsupported application that needs to be accessible to remain audit compliant will help you prioritize your team’s efforts.
An Application Inventory is critical to the ethical management of an organization’s information assets and provides a great deal of insight. From the Application Inventory, you’ll be able to identify data storage and legal compliance issues, as well as opportunities to save money and reduce your technology footprint by sunsetting or combining systems. As an advocate for the patients and the caregivers in your organization, this is an opportunity to use your extensive knowledge of the patient care workflow to point out inconsistencies, discover new workflows that could ease the burden on your providers, or develop processes that give end users easier access to the resources they need to do their jobs.
Up next in our final post in this series on Information Governance, we’ll look across state lines. In the meantime, please send me your questions on Information Governance or other data archiving challenges.