[BreachExchange] Software Patching Integral to PHI Data Security, HIPAA Compliance

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 3 18:56:47 EDT 2018


https://healthitsecurity.com/news/software-patching-integral-to-phi-data-security-hipaa-compliance

Healthcare organizations and vendors are responsible for identifying and
mitigating the risks unpatched software poses to ePHI as part of their
HIPAA compliance, OCR advised in its June Cybersecurity Newsletter.

As part of their risk analysis requirement under the HIPAA Security Rule,
covered entities and business associates are required to implement measures
to reduce risks and vulnerabilities found in their risk analysis.

This includes activities to mitigate risks from unpatched software.

“Mitigation activities could include installing patches if patches are
available and patching is reasonable and appropriate,” OCR explained.

“In situations where patches are not available (e.g., obsolete or
unsupported software) or testing or other concerns weigh against patching
as a mitigation solution, entities should implement reasonable compensating
controls to reduce the risk of identified vulnerabilities to a reasonable
and appropriate level (e.g., restricting network access or disabling
network services to reduce vulnerabilities that could be exploited via
network access).”

Identifying and mitigating the risks unpatched software poses to ePHI is
important to ensure the protection of ePHI and fulfill HIPAA requirements.
Organizations should include an inventory of operating systems,
applications, device firmware, and other software as part of their patch
management process.

Unfortunately, many healthcare security professionals are lax in their
patching programs. In fact, a majority of security professionals in the
healthcare and pharmaceutical industries admitted that they have had a data
breach because of an unpatched vulnerability for which a patch was
available, according to a survey of nearly 3,000 security professionals by
the Ponemon Institute on behalf of ServiceNow.

OCR noted that patches can be applied to software and firmware on all types
of devices and that installing vendor-recommended patches is typically a
routine process.

However, organizations should be aware that software patches can cause
unintended problems because computer programs are often dependent on the
functionality and output of other programs.

When changes are made to software, including the installation of a patch,
programs dependent on the changed software may not perform as expected.
This is a reason why patch management plays a crucial role in implementing
these changes, OCR noted.

According to the National Institute of Standards and Technology (NIST),
patch management is the “process of identifying, acquiring, installing and
verifying patches for products and systems. Patches correct security and
functionality problems in software and firmware.”

NIST advised organizations to deploy enterprise patch management tools
using a phased approach, reduce the risks associated with enterprise patch
management tools through the application of standard security techniques,
and balance security needs with needs for usability and availability.

Patch management ensures that patches are correctly applied so that
problems are minimized. Each organization is different and has unique
systems, challenges, and needs for this process.

OCR recommended that organizations take the following steps as part of an
effective patch management program:

• Evaluate patches to determine if they apply to your software/systems

• Test patches on an isolated system to discover if there are any
unforeseen or unwanted side effects, such as applications not functioning
properly or system instability

• Approve patches for deployment once they have been evaluated and tested

• Schedule patches to be installed on live or production systems once
approved

• Test and audit systems to ensure that the software patches were applied
correctly and that there are no unforeseen side effects
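A small audit of the workflow the newsletter describes (evaluate whether an approved patch applies, check whether it is installed, and, where the software is obsolete and no patch exists, require a recorded compensating control), as an added example that is not from the article or OCR; the host names, products, versions and approved-patch list are constructed.

```python
"""Patch-status audit modelled on the OCR patch management steps (added example)."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    product: str
    version: str
    supported: bool = True                        # False: obsolete, no vendor patch exists
    controls: list = field(default_factory=list)  # compensating controls already applied


def version_tuple(v):
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit(assets, approved):
    """Classify each host: not-applicable, patched, missing-patch, compensated or uncontrolled."""
    findings = {}
    for a in assets:
        fixed = approved.get(a.product)
        if fixed is None:
            findings[a.host] = "not-applicable"          # step 1: patch does not apply here
        elif version_tuple(a.version) >= version_tuple(fixed):
            findings[a.host] = "patched"                 # step 5: verify the patch landed
        elif not a.supported:
            # No patch possible: OCR expects a compensating control to be in place instead
            findings[a.host] = "compensated" if a.controls else "uncontrolled"
        else:
            findings[a.host] = "missing-patch"           # patch approved but not yet installed
    return findings


# Constructed sample data: approved patches as product -> minimum fixed version
APPROVED = {"ehr-client": "4.2.1", "dicom-gateway": "2.9.0"}

INVENTORY = [  # constructed inventory of hosts and installed software
    Asset("ws-01", "ehr-client", "4.2.1"),
    Asset("ws-02", "ehr-client", "4.1.0"),
    Asset("lab-pc", "lis-viewer", "1.0.0"),
    Asset("gw-legacy", "dicom-gateway", "2.3.0", supported=False,
          controls=["network-segmented", "unused-services-disabled"]),
    Asset("gw-old", "dicom-gateway", "2.3.0", supported=False),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY, APPROVED).items():
        print(f"{host}: {status}")
```

Hosts reported as "uncontrolled" are the ones that have neither a patch nor a documented compensating control, which is the gap the newsletter says must be closed.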

“Due to the complexity of some systems, installing a patch or collection of
patches can be a major undertaking,” OCR explained.

“System modifications that affect the security of ePHI may trigger an
entity’s HIPAA obligation to conduct an evaluation to ensure that ePHI
remains protected following environmental or operational changes,” the
agency continued. “The purpose of this evaluation is to establish a process
to review and maintain reasonable and appropriate security measures.”

The newsletter cautioned that installing patches can introduce changes to a
system. For example, technicians may disable security features to access
certain services, or unanticipated bugs or stability issues may result from
a software update.

“An evaluation can help identify new vulnerabilities that may have resulted
from these changes. Undiscovered bugs or vulnerabilities are unpleasant
surprises that could be exploited and may lead to breaches of PHI,” OCR
concluded.