PHI and PII Tagging

CMDB supports tagging configuration items that store Protected Health Information (PHI) or Personally Identifiable Information (PII). These tags propagate to Defend for elevated alert priority and appear in compliance reports.

What PHI / PII Tags Do

When a CI is tagged with PHI or PII:

  • Defend escalates alert severity for threats detected on that asset — a ransomware alert on a PHI-tagged server is treated with higher urgency than the same alert on an untagged server
  • Compliance reports list all PHI/PII-tagged assets, enabling you to demonstrate to auditors exactly which assets handle sensitive data
  • Access controls ensure that only authorized team members can view or modify PHI-tagged CI details
  • Audit logging captures every access to PHI-tagged records for HIPAA and regulatory compliance

Applying PHI / PII Tags

  1. Open the CI's detail page
  2. In the Tags section, add PHI, PII, or both
  3. Click Save

Tags can also be applied during CI creation or via bulk tagging operations.

Bulk Tagging

  1. Navigate to Config Items
  2. Filter to the relevant company or CI type
  3. Select the CIs that store sensitive data
  4. Click Bulk Actions → Add Tags
  5. Enter PHI or PII
  6. Confirm

⚠️ HIPAA Compliance:

PHI tagging in CMDB is a documentation and alerting tool — it does not enforce data encryption on the tagged device itself. Ensure that devices storing PHI have appropriate encryption, access controls, and backup policies configured through RMM and Defend.

Compliance Reporting

To generate a compliance report of all PHI/PII assets:

  1. Navigate to Reports
  2. Run the Inventory Report
  3. Filter by tags containing PHI or PII
  4. The report shows all tagged CIs with their criticality, status, company, and last audit date

This report is useful for:

  • HIPAA audits — demonstrate which assets handle PHI and what security controls are in place
  • Insurance questionnaires — provide evidence of asset classification and monitoring
  • Client reviews — show clients exactly how their sensitive data is tracked and protected

Best Practices

  • Tag servers that host databases containing patient records, financial data, or personal information
  • Tag workstations that access PHI applications, even if they don't store data locally
  • Combine PHI tags with Critical criticality for maximum alert escalation in Defend
  • Review PHI-tagged assets when clients add new applications or change data handling practices
  • Document the rationale for PHI classification in the CI's description field
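
The practices above can be checked against the tagged inventory. The following is an added example, not part of the product or its documentation: it reviews a CSV export of the Inventory Report and lists PHI/PII-tagged CIs that are not set to Critical or have an empty description. The CSV export, its column names, and the `;` tag separator are assumptions, and the sample rows are constructed.

```python
import csv
import io

SENSITIVE_TAGS = {"PHI", "PII"}

# Constructed sample export; the column names and the ';' tag separator are
# assumptions, not the product's documented format.
SAMPLE_EXPORT = """name,company,tags,criticality,status,description
db-01,Acme Clinic,PHI;Production,Critical,Active,Hosts patient records database
ws-17,Acme Clinic,phi,Medium,Active,Front-desk workstation used for the EHR application
fs-02,Beta Dental,PII; Finance,High,Active,
app-03,Beta Dental,Production,Low,Active,Internal wiki
"""


def sensitive_tags(tag_field):
    """Return the PHI/PII tags in a tag field, matching whole tags only."""
    tags = {t.strip().upper() for t in tag_field.split(";")}
    return sorted(tags & SENSITIVE_TAGS)


def review_inventory(csv_text):
    """Return findings for PHI/PII-tagged CIs that miss a best practice."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tags = sensitive_tags(row.get("tags") or "")
        if not tags:
            continue  # untagged CIs are out of scope for this review
        issues = []
        if (row.get("criticality") or "").strip().lower() != "critical":
            issues.append("criticality is not Critical")
        if not (row.get("description") or "").strip():
            issues.append("no classification rationale in description")
        if issues:
            findings.append({"name": row["name"], "company": row["company"],
                             "tags": tags, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in review_inventory(SAMPLE_EXPORT):
        print(f"{f['company']} / {f['name']} [{','.join(f['tags'])}]: "
              + "; ".join(f["issues"]))
```

A finding here is a prompt for review rather than a violation: a PHI-tagged workstation may be intentionally left below Critical.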

Next Steps