Healthcare organizations and vendors are responsible for identifying and mitigating the risks unpatched software poses to ePHI as part of their HIPAA compliance, OCR advised in its June Cybersecurity Newsletter.

By Fred Donovan

As part of their risk analysis requirement under the HIPAA Security Rule, covered entities and business associates are required to implement measures to reduce risks and vulnerabilities found in their risk analysis.

This includes activities to mitigate risks from unpatched software. 

“Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate,” OCR explained.

“In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access).”

Identifying and mitigating the risks unpatched software poses to ePHI is important both to protect ePHI and to fulfill HIPAA requirements. Organizations should maintain an inventory of operating systems, applications, device firmware, and other software as part of their patch management process.

Unfortunately, many healthcare security professionals are lax in their patching programs. In fact, a majority of security professionals in the healthcare and pharmaceutical industries admitted that they have had a data breach because of an unpatched vulnerability for which a patch was available, according to a survey of nearly 3,000 security professionals by the Ponemon Institute on behalf of ServiceNow.

OCR noted that patches can be applied to software and firmware on all types of devices and that installing vendor-recommended patches is typically a routine process.

However, organizations should be aware that software patches can cause unintended problems because computer programs are often dependent on the functionality and output of other programs.

When changes are made to software, including the installation of a patch, programs dependent on the changed software may not perform as expected. This is a reason why patch management plays a crucial role in implementing these changes, OCR noted.

According to the National Institute of Standards and Technology (NIST), patch management is the “process of identifying, acquiring, installing and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware.”

NIST advised organizations to deploy enterprise patch management tools using a phased approach, reduce the risks associated with enterprise patch management tools through the application of standard security techniques, and balance security needs with needs for usability and availability.

Patch management ensures that patches are correctly applied so that problems are minimized. Each organization is different and has unique systems, challenges, and needs for this process.

OCR recommended that organizations take the following steps as part of an effective patch management program:

• Evaluate patches to determine if they apply to your software/systems

• Test patches on an isolated system to discover if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability

• Approve patches for deployment once they have been evaluated and tested

• Schedule patches to be installed on live or production systems once approved

• Test and audit systems to ensure that the software patches were applied correctly and that there are no unforeseen side effects
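The five steps above are a workflow with an order that matters: a patch should not reach production until it has been evaluated against the inventory, tested on an isolated system, and approved, and the job is not finished until a post-install audit confirms the patch took. The Python tracker below is an example added by the editor (it is not from OCR, NIST or the article) that enforces that order and also sorts out the case the newsletter raises earlier, where an affected asset runs obsolete or unsupported software and has to be handled with compensating controls rather than a patch. The asset names, product names, version numbers and the patch identifier are all constructed sample data, and version strings are assumed to be dotted integers.

```python
"""Patch-lifecycle tracker modelled on the five OCR-recommended steps.

Example code added by the editor; not from OCR, NIST or the article.
Every asset, product, version and patch id below is constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Stage(Enum):
    EVALUATED = 1   # step 1: patch applies to inventoried software/systems
    TESTED = 2      # step 2: tested on an isolated system without side effects
    APPROVED = 3    # step 3: approved for deployment
    SCHEDULED = 4   # step 4: scheduled for live/production systems
    VERIFIED = 5    # step 5: post-install audit confirmed the patch is in place


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.3' -> (2, 10, 3): compare numerically, not as strings ('2.9' > '2.10')."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Asset:
    name: str
    product: str
    version: str
    vendor_supported: bool = True   # False: obsolete build, no patch will be applied


@dataclass
class Patch:
    patch_id: str
    product: str
    fixed_version: str              # first version that contains the fix


@dataclass
class PatchRecord:
    patch: Patch
    stage: Optional[Stage] = None
    affected: List[str] = field(default_factory=list)    # will receive the patch
    compensate: List[str] = field(default_factory=list)  # need compensating controls


def evaluate(patch: Patch, inventory: List[Asset]) -> PatchRecord:
    """Step 1: find inventoried assets running a version below the fixed one."""
    rec = PatchRecord(patch=patch)
    for a in inventory:
        if a.product == patch.product and parse_version(a.version) < parse_version(patch.fixed_version):
            (rec.affected if a.vendor_supported else rec.compensate).append(a.name)
    if rec.affected:
        rec.stage = Stage.EVALUATED
    return rec


def _advance(rec: PatchRecord, required: Stage, new: Stage) -> PatchRecord:
    """Move to `new` only from `required`, so the step order cannot be skipped."""
    if rec.stage != required:
        raise ValueError(f"{rec.patch.patch_id}: cannot reach {new.name} from {rec.stage}")
    rec.stage = new
    return rec


def record_isolated_test(rec: PatchRecord, passed: bool) -> PatchRecord:
    """Step 2: a failed test (instability, broken dependent app) stops the workflow."""
    if not passed:
        raise ValueError(f"{rec.patch.patch_id}: isolated test failed; do not approve")
    return _advance(rec, Stage.EVALUATED, Stage.TESTED)


def approve(rec: PatchRecord) -> PatchRecord:
    """Step 3: approval is only reachable after evaluation and testing."""
    return _advance(rec, Stage.TESTED, Stage.APPROVED)


def schedule(rec: PatchRecord) -> PatchRecord:
    """Step 4: production scheduling requires prior approval."""
    return _advance(rec, Stage.APPROVED, Stage.SCHEDULED)


def verify(rec: PatchRecord, inventory: List[Asset]) -> List[str]:
    """Step 5: audit the refreshed inventory; returns assets still below the fixed version."""
    if rec.stage != Stage.SCHEDULED:
        raise ValueError(f"{rec.patch.patch_id}: nothing scheduled to verify")
    by_name = {a.name: a for a in inventory}
    leftovers = [n for n in rec.affected
                 if parse_version(by_name[n].version) < parse_version(rec.patch.fixed_version)]
    if not leftovers:
        rec.stage = Stage.VERIFIED
    return leftovers


# Constructed sample data (hypothetical product, versions and patch id).
SAMPLE_PATCH = Patch("CE-2018-07", "ClinicEHR", "2.10.3")


def sample_inventory() -> List[Asset]:
    return [
        Asset("ehr-app-01", "ClinicEHR", "2.9.4"),
        Asset("ehr-app-02", "ClinicEHR", "2.10.3"),                       # already fixed
        Asset("lab-gateway", "ClinicEHR", "2.8.0", vendor_supported=False),  # obsolete build
        Asset("imaging-ws", "ImageViewer", "5.1"),                         # different product
    ]


def demo() -> Tuple[str, List[str], List[str]]:
    """Walk one patch through all five steps; returns final stage, assets to compensate, leftovers."""
    inv = sample_inventory()
    rec = evaluate(SAMPLE_PATCH, inv)
    record_isolated_test(rec, passed=True)
    approve(rec)
    schedule(rec)
    inv[0].version = SAMPLE_PATCH.fixed_version   # simulate the production install
    leftovers = verify(rec, inv)
    return rec.stage.name, rec.compensate, leftovers


if __name__ == "__main__":
    print(demo())
```

In the sample run only `ehr-app-01` is patched: `ehr-app-02` already runs the fixed version, `imaging-ws` is a different product, and `lab-gateway` lands in the compensating-controls list because its build is no longer vendor supported. Calling `approve()` straight after `evaluate()` raises, which is the point of the tracker: the record itself refuses to let a patch skip the isolated test.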

“Due to the complexity of some systems, installing a patch or collection of patches can be a major undertaking,” OCR explained.

“System modifications that affect the security of ePHI may trigger an entity’s HIPAA obligation to conduct an evaluation to ensure that ePHI remains protected following environmental or operational changes,” the agency continued. “The purpose of this evaluation is to establish a process to review and maintain reasonable and appropriate security measures.”

The newsletter cautioned that installing patches can introduce changes to a system. For example, technicians may disable security features to access certain services, or unanticipated bugs or stability issues may result from a software update.

“An evaluation can help identify new vulnerabilities that may have resulted from these changes. Undiscovered bugs or vulnerabilities are unpleasant surprises that could be exploited and may lead to breaches of PHI,” OCR concluded.