OCR Warns of Security Vulnerabilities in Third Party Apps

The Office for Civil Rights has recently reminded covered entities and their business associates to be alert to risks that can be introduced by using third party software applications.

While covered entities and business associates may be aware that operating system patches need to be installed promptly, the same applies to every third party software application they run.

OCR cites recent research that indicates only one in five companies has performed verification on third party software and applications, even though a majority of companies use third party software. Many organizations fail to apply patches promptly and allow known vulnerabilities to remain unpatched.

Updates are frequently issued for third party applications such as Adobe Acrobat, Adobe Flash, and Oracle JRE. Many of the zero day vulnerabilities in these software applications are actively exploited by the time patches are released. A failure to update these applications promptly could place healthcare computer networks at risk of attack. All covered entities must therefore ensure that all third party software is covered in their patch management policies and procedures.

OCR advises all covered entities and business associates to thoroughly test all software prior to installation to ensure that corporate and HIPAA security standards are met. Tests should also be conducted to determine how vulnerable computer systems are to flaws in third party software applications, and action should be taken to mitigate those risks.

Comprehensive security testing should highlight vulnerabilities that could place ePHI at risk, but it is not a one-off item on a HIPAA compliance checklist. In addition to testing software prior to installation, regular checks should be conducted to detect vulnerabilities that may have been inadvertently introduced since.

Patch management policies must be developed to cover all computer systems and third party applications; however, simply applying a patch does not guarantee that a system is secure. Patches are released to address known vulnerabilities, but applying one can itself introduce new risks to data security. Healthcare IT departments must therefore assess each patch prior to deployment to determine whether it is likely to introduce new risks.

Covered entities are advised to work closely with their business associates and provide assistance to ensure that security assessments on third party software applications are performed. It is essential that a covered entity’s stringent data security standards are adopted by their business associates. Vulnerabilities in business associates’ systems could all too easily lead to a breach of ePHI.

OCR also points out that end user license agreements (EULAs) should be checked thoroughly. Software developers usually stipulate how their software must be used, and ignoring those restrictions can introduce risk. This could not only result in ePHI being compromised; it may also prevent covered entities from suing software developers for damages in the event of a data breach.

The United States Computer Emergency Readiness Team (US-CERT) issues updates on critical security vulnerabilities and provides information on the latest third party software patches as they are released. Covered entities should check the US-CERT website frequently to keep abreast of the latest threats and to find out about new software patches.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.