Patch and Update Computer Software or Face a HIPAA Sanction
In order to comply with Health Insurance Portability and Accountability Act regulations it is essential that all healthcare and health plan providers use appropriate safeguards to keep the personal and medical information of employees and patients private.
There are many potential security risks when maintaining a database of patient medical records, whether the data is stored on in-house servers, managed by external contractors or hosted in the cloud. The only way it is possible to be certain that all vulnerabilities are identified is to conduct a comprehensive risk assessment of all IT systems, including any hardware and software that touches the PHI.
Software quickly becomes outdated and needs to be regularly updated to maintain its functionality. As software engineers discover vulnerabilities, patches are developed and made available for download. It is essential that these patches and software updates are run on all terminals and mobiles running on the software to ensure the systems and data are unwittingly exposed to attack.
Applying software patches is as important as updating virus definitions of anti-virus software and failing to make a timely update can leave whole networks open to hackers and cybercriminals. Furthermore, while software patches are not specifically mentioned in the HIPAA Security Rule, a failure to keep software up to date is deemed to be a HIPAA violation and as Anchorage Community Mental Health Services recently discovered, Security Rule violations carry heavy financial penalties.
ACMHS runs five mental health facilities in Alaska and is a non-profit organization. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Had software patches been installed on the computers the malware would not have been unable to infect the PCs.
After ACMHS reported the breach the OCR conducted an investigation and determined that ACMHS had not done enough to protect the Protected Health Information of its patients. ACMHS has now agreed to a settlement and is required to pay the HHS $150,000 for the HIPAA violations.
The Security Rule does not specifically cover updates to software, applying patches or even installing firewalls; yet a failure to install a firewall or apply security updates to software is considered a violation. It is not possible to manage risk if vulnerabilities are not removed and security holes plugged. When patches are no longer being issued for software, it must be upgraded or changed. Using outdated software is also a HIPAA violation.
These are all issues which should be raised when a risk analysis is conducted and simply following the Security Rule to the letter will not ensure compliance. It would be impossible to keep legislation fully up to date with the pace that technology is advancing and is up to the organization in question to make sure that full due diligence is conducted and all potential risks assessed and addressed; not just those specifically mentioned in the Security Rule.
According to the resolution agreement between the OCR and ACMHS, “ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches,” according to the resolution agreement.
The only way to ensure HIPAA compliance and manage risk effectively is to apply software patches and updates as soon as they are made available, and where possible to set software to update automatically.
In the words OCR Director Jocelyn Samuel, “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis” He goes on to say “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”