Health and Human Services (HHS) Office for Civil Rights has made October 2017, National Cybersecurity Awareness Month (NCSAM). As such, they are asking organizations to go back to the basics in applying HIPAA privacy and security principles. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce. Last week we looked at some basic tips in applying password management strategies. In this week’s second installment of a four-part series on cybersecurity tips by HIPAAtrek, we will examine the importance of updating and patching your information systems and applications.
Patch Management: Patch management is the process that helps acquire, test, and install multiple patches (code changes which are fixes) on existing applications and software in your information systems. This is a process that is accomplished by your system’s administrator or HIPAA security officer. You may have been notified that a specific application will be down for a few hours or overnight. This is most likely the result of testing for vulnerabilities, after which, patches are applied to “plug up” the vulnerabilities that were found. Patch management is a basic concept of HIPAA security and must be accomplished on a periodic basis to keep your e-PHI secured. Oftentimes, software patches are provided by the major providers such as Microsoft and other vendors, to update the software. In addition, a system administrator can purchase a Patch Management Software Program that schedules testing and patching periodically.
To bring this basic concept of patching closer to home, let’s examine the recent privacy breach at the Equifax Credit monitoring company where financial information of 145.5 million individuals was exposed. Under testimony to a Congressional panel, CEO Richard Smith explained how the breach occurred. In March 2017, the Department of Homeland Security notified Equifax of the requirement to patch a vulnerability in their Apache Struts software. Apache Struts is used by Equifax as an online portal for customers to dispute errors on their credit reports. According to Mr. Smith, the Equifax security team was to notify the technical team responsible for finding the vulnerability and applying the patch. But the human error here is that the patch was never applied. In addition, subsequent technical scans just didn’t work, and so the vulnerability that they were warned about by DHS was never found. As a result, the hackers accessed the data on May 13, 2017. The public was not notified until Sept 7, 2017. Needless to say, this nightmare scenario should not occur at your organization. Take a moment to discuss patch management with your HIPAA security officer.
Patch management is a basic security principle which can be managed by scheduling periodic scanning of your information systems as well as checking with vendors that provide your applications you use to manage your e-PHI which could include your EMR/EHR. In addition to patch management, HHS has provided a short list of tips to discuss with your staff during NCSAM and others as you see are appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf. Let me also recommend you contact our Lead Account Executive, Theresa Zemcuznikov at firstname.lastname@example.org who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking!