HIPAA Patch Management Requirements Highlighted by OCR

Computer software often contains coding errors that malicious actors could exploit to gain access to computers and healthcare systems.

Software, operating system, and firmware flaws are to be expected. No operating system, software application, or medical device is impenetrable. What is vital is that these flaws are identified promptly and mitigations are put in place to minimize the probability of the vulnerabilities being targeted.

Security researchers often identify flaws and potential exploits. The bugs are reported to vendors, who develop patches that fix the vulnerabilities before malicious actors can take advantage of them.

Sadly, it is not possible for software developers to test every patch completely, identify all potential interactions with other software and systems, and still release patches in a timely fashion.

Therefore, IT departments must test patches before they are deployed. IT teams must also make sure that patches are applied on all vulnerable systems and that no device goes unnoticed.

With so many IT systems and software applications in use and the frequency that patches are made available, patch management can be a major challenge for healthcare organizations.

The HHS’ Office for Civil Rights recently highlighted the importance of patching in its June 2018 cybersecurity newsletter. OCR explains the HIPAA patch management obligations and how patching vulnerable software is a crucial element of HIPAA compliance. OCR describes patch management as “the process of identifying, acquiring, installing and verifying patches for products and systems.”

“Security vulnerabilities may be present in many types of software including databases, electronic health records (EHRs), operating systems, email, applets such as Java and Adobe Flash, and device firmware,” according to the OCR. “Identifying and mitigating the risks unpatched software poses to ePHI is important to ensure the protection of ePHI and in fulfilling HIPAA requirements.”

Patch management is not explicitly mentioned in the HIPAA Security Rule, although the identification of vulnerabilities is included in the HIPAA administrative safeguards under the security management process standard.

Risks to the confidentiality, integrity, and availability of ePHI should be discovered through an organization’s risk analysis – 45 C.F.R. § 164.308(a)(1)(i)(A) – and subjected to HIPAA-compliant risk management processes – 45 C.F.R. § 164.308(a)(1)(i)(B).

Patch management is also covered by the security awareness and training standard – 45 C.F.R. § 164.308(a)(5)(ii)(B), protection from malicious software – and the evaluation standard – 45 C.F.R. § 164.308(a)(8).

To ensure that patches can be applied, IT teams must have a complete inventory of all systems, devices, operating systems, firmware, and software installed throughout the organization. Regular scans should also be carried out to identify unauthorized software – shadow IT – that has been installed.

The United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) supply up-to-date information on new vulnerabilities, mitigations, and patches. Covered entities should regularly check their websites and, ideally, sign up for alerts. Information on vulnerabilities and patches should also be obtained from software vendors and medical device manufacturers.

For a HIPAA-covered entity to ensure that HIPAA patch management requirements are satisfied and that risks to the confidentiality, integrity, and availability of ePHI are reduced to an acceptable level, robust patch management policies and procedures need to be developed and put in place.

OCR states that the patch management process should incorporate:

  • Evaluation: See whether patches apply to your software/systems.
  • Patch Testing: Test patches on an isolated system to deduce if there are any unforeseen or unwanted side effects, such as applications not working properly or system instability.
  • Approval: After testing, approve patches for deployment.
  • Deployment: Release patches on live or production systems.
  • Verification and Testing: Following deployment, continue to test and audit systems to make sure patches have been applied correctly and that there are no surprising side effects.
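The inventory requirement and the five OCR steps above can be turned into a small, auditable workflow. The following Python is an added example written for this page, not code from OCR or from the article's author; the hostnames, product names, version numbers and the patch identifier are constructed placeholders. It evaluates a vendor patch against an asset inventory, refuses to deploy a patch that has not been tested and approved, flags unapproved software found during a scan (shadow IT), and, in the verification step, reports hosts that are still on a vulnerable version or that were missing from the post-deployment scan, so that no device goes unnoticed.

```python
"""Patch-management workflow tracker (added example; constructed data)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple: '8.0.212' -> (8, 0, 212)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Patch:
    patch_id: str       # vendor advisory / patch id (placeholder in the sample data)
    product: str        # product the patch applies to
    fixed_version: str  # installed versions below this are vulnerable


class Stage(Enum):
    """The OCR steps, in the order they must be carried out."""
    EVALUATED = 1
    TESTED = 2
    APPROVED = 3
    DEPLOYED = 4
    VERIFIED = 5


@dataclass
class PatchRecord:
    patch: Patch
    targets: List[str]            # hosts found vulnerable during evaluation
    stage: Stage = Stage.EVALUATED

    def advance(self, new_stage: Stage) -> None:
        """Move exactly one step forward; skipping testing or approval is rejected."""
        if new_stage.value != self.stage.value + 1:
            raise ValueError(
                f"{self.patch.patch_id}: cannot go from {self.stage.name} to {new_stage.name}")
        self.stage = new_stage


# hostname -> {product: installed version}, as produced by an inventory scan
Inventory = Dict[str, Dict[str, str]]


def evaluate(inventory: Inventory, patch: Patch) -> List[str]:
    """Evaluation: which inventoried hosts run an affected version of the product?"""
    fixed = parse_version(patch.fixed_version)
    return sorted(host for host, software in inventory.items()
                  if patch.product in software
                  and parse_version(software[patch.product]) < fixed)


def find_unauthorized(inventory: Inventory, approved: Set[str]) -> Dict[str, List[str]]:
    """Shadow-IT check: software present on a host that is not on the approved list."""
    findings = {}
    for host, software in inventory.items():
        extra = sorted(p for p in software if p not in approved)
        if extra:
            findings[host] = extra
    return findings


def verify(inventory_after: Inventory, record: PatchRecord) -> List[str]:
    """Verification: re-scan the targets after deployment and return every host that
    is still vulnerable or that did not show up in the scan at all."""
    missing = [h for h in record.targets if h not in inventory_after]
    scanned = {h: inventory_after[h] for h in record.targets if h in inventory_after}
    return sorted(evaluate(scanned, record.patch) + missing)


def run_workflow(before: Inventory, after: Inventory, patch: Patch):
    """Carry one patch through all five steps; VERIFIED is reached only when nothing is outstanding."""
    record = PatchRecord(patch, evaluate(before, patch))
    record.advance(Stage.TESTED)    # result of the isolated test system goes here
    record.advance(Stage.APPROVED)
    record.advance(Stage.DEPLOYED)
    outstanding = verify(after, record)
    if not outstanding:
        record.advance(Stage.VERIFIED)
    return record, outstanding


def skipping_steps_is_rejected(patch: Patch) -> bool:
    """True if the tracker refuses to jump straight from EVALUATED to DEPLOYED."""
    try:
        PatchRecord(patch, []).advance(Stage.DEPLOYED)
    except ValueError:
        return True
    return False


# Constructed sample data: three hosts before deployment, two seen afterwards.
INVENTORY_BEFORE: Inventory = {
    "ehr-app-01": {"EHRServer": "4.9.1", "Java": "8.0.201"},
    "ehr-db-01": {"DBEngine": "12.3", "Java": "8.0.212"},
    "ws-radiology-07": {"DicomViewer": "2.1", "Java": "8.0.181", "TorrentClient": "1.0"},
}
INVENTORY_AFTER: Inventory = {
    "ehr-app-01": {"EHRServer": "4.9.1", "Java": "8.0.212"},
    "ehr-db-01": {"DBEngine": "12.3", "Java": "8.0.212"},
    # ws-radiology-07 was offline during the re-scan: it must be reported, not forgotten
}
APPROVED_PRODUCTS = {"EHRServer", "DBEngine", "Java", "DicomViewer"}
JAVA_PATCH = Patch("VENDOR-PATCH-PLACEHOLDER", "Java", "8.0.212")

if __name__ == "__main__":
    print("shadow IT:", find_unauthorized(INVENTORY_BEFORE, APPROVED_PRODUCTS))
    rec, left = run_workflow(INVENTORY_BEFORE, INVENTORY_AFTER, JAVA_PATCH)
    print("stage:", rec.stage.name, "outstanding:", left)
```

The point of the `Stage` ordering is that the record itself, not a reviewer's memory, enforces that testing and approval happen before deployment; and `verify` treats a host that was on the target list but absent from the follow-up scan as unresolved, which is the case that most often lets a vulnerable device slip through.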


About Thomas Brown
Thomas Brown worked as a reporter for several years at ComplianceHome. Thomas is a seasoned journalist with several years’ experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.