OCR Cybersecurity Newsletter: Guidance on Software Vulnerabilities and Patching (June 2018)
Available at https://www.hhs.gov/sites/default/files/june-2018-newsletter-software-patches.pdf
In its June 2018 cybersecurity newsletter, HHS’s Office for Civil Rights (OCR) highlights the importance of keeping computer software up-to-date and installing the latest patches to address security vulnerabilities that threaten electronic protected health information (ePHI). OCR notes that patches, which fix bugs in software code that negatively affect how the software works, also play an essential role in addressing security vulnerabilities that can create risks to the confidentiality, integrity, and availability of data. OCR explains that the risk analysis required by the HIPAA security rule should identify vulnerabilities associated with unpatched software. According to OCR, vulnerabilities may be present in many types of software, including databases, operating systems, email, applets (small applications that each perform one specific task), and device firmware, all of which should be inventoried as part of the risk analysis. Covered entities and business associates must also implement a risk management process to mitigate security risks and vulnerabilities in software. Mitigation activities could include installing patches where available. When patches are not available (e.g., where a software developer no longer supports a particular product), mitigation may require reasonable compensating controls, such as restricting network access or disabling network services. (Failure to adopt a mitigation plan can lead to penalties; see our Checkpoint article.) OCR acknowledges that identifying software vulnerabilities is not easy and suggests resources, including vulnerability scans and bulletins from the United States Computer Emergency Readiness Team (US-CERT) (see our Checkpoint article), to help detect vulnerabilities.
OCR further notes that installing patches is typically a routine process, but organizations should be prepared for potential disruption because a patch may adversely affect the performance of other programs that depend on the patched software. OCR also lists five common steps for an effective patch management program: evaluation; testing for side effects; approval; deployment; and verification and effectiveness testing. Because a patch changes the operating environment, its installation also may trigger an entity’s HIPAA obligation to conduct periodic evaluations of the continued effectiveness of its security safeguards.
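As an added illustration of the inventory, evaluation, deployment and verification steps summarized above (example code written for this summary, not code from OCR’s newsletter or from any named product), the Python below matches a software inventory against vulnerability bulletins, records for each affected item whether a patch can be installed or a compensating control is needed because the product is unsupported or unpatched, and re-runs the assessment after patching to confirm what remains. All product names, version numbers and bulletin identifiers are constructed for the example, and versions are assumed to be plain dotted integers.

```python
"""Constructed patch-management example: inventory vs. bulletins, mitigation
decision, and post-deployment verification. All data below is made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    version: str
    vendor_supported: bool  # False once the developer no longer supports the product


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    product: str
    affected_before: str      # versions strictly below this are vulnerable
    fixed_in: Optional[str]   # None when the vendor has shipped no patch


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.3' -> (10, 0, 3). Numeric comparison avoids the string-compare
    mistake where '10.0.10' < '10.0.9'. Assumes dotted integer versions only."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, bulletin: Bulletin) -> bool:
    return (asset.name == bulletin.product
            and parse_version(asset.version) < parse_version(bulletin.affected_before))


def disposition(asset: Asset, bulletin: Bulletin) -> str:
    """Mitigation decision: install the patch when one exists and the product is
    still supported; otherwise fall back to compensating controls."""
    if bulletin.fixed_in is not None and asset.vendor_supported:
        return f"patch available: upgrade to {bulletin.fixed_in}"
    return ("no patch: apply compensating controls "
            "(restrict network access, disable unneeded network services)")


def assess(inventory: List[Asset], bulletins: List[Bulletin]) -> Dict[Tuple[str, str], str]:
    """Evaluation step: one finding per (asset, bulletin) pair that applies."""
    findings = {}
    for asset in inventory:
        for b in bulletins:
            if is_affected(asset, b):
                findings[(asset.name, b.bulletin_id)] = disposition(asset, b)
    return findings


def apply_patches(inventory: List[Asset], bulletins: List[Bulletin]) -> List[Asset]:
    """Deployment step (modelled): supported assets move to the highest fixed_in
    among the bulletins that affect them; unsupported or unpatched ones stay."""
    updated = []
    for asset in inventory:
        target = parse_version(asset.version)
        target_text = asset.version
        for b in bulletins:
            if is_affected(asset, b) and b.fixed_in and asset.vendor_supported:
                if parse_version(b.fixed_in) > target:
                    target, target_text = parse_version(b.fixed_in), b.fixed_in
        updated.append(Asset(asset.name, target_text, asset.vendor_supported))
    return updated


def verify_after_patching(inventory: List[Asset], bulletins: List[Bulletin]) -> Dict[Tuple[str, str], str]:
    """Verification step: re-assess the patched inventory; anything left needs a
    documented compensating control rather than silently dropping off the list."""
    return assess(apply_patches(inventory, bulletins), bulletins)


# Constructed sample data (not real products or advisories).
INVENTORY = [
    Asset("dbserver", "10.0.3", True),
    Asset("mailgw", "2.4.1", True),
    Asset("legacy-imaging-fw", "1.2.0", False),   # device firmware, vendor dropped it
    Asset("webapplet", "3.1.0", True),
]
BULLETINS = [
    Bulletin("B-2018-001", "dbserver", "10.0.5", "10.0.5"),
    Bulletin("B-2018-002", "legacy-imaging-fw", "1.3.0", None),   # no fix exists
    Bulletin("B-2018-003", "webapplet", "3.0.0", "3.0.0"),        # already above range
    Bulletin("B-2018-004", "mailgw", "2.5.0", "2.5.0"),
]

if __name__ == "__main__":
    for key, action in sorted(assess(INVENTORY, BULLETINS).items()):
        print(f"{key[0]} / {key[1]}: {action}")
    print("remaining after patching:", sorted(verify_after_patching(INVENTORY, BULLETINS)))
```

The point of the last function is the verification step: after deployment the assessment is run again, and the only finding that should survive is the unsupported firmware, which is exactly the item that needs a written compensating-control decision in the risk management record.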
EBIA Comment: OCR’s monthly cybersecurity newsletters rarely break new ground, but they do provide helpful reminders for covered entities and business associates. They may also suggest significant issues that OCR has recently investigated or observed in compliance reviews, which may turn into enforcement priorities. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXX.B (“Core Security Requirements: Administrative Safeguards”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 1/17/18).
Contributing Editors: EBIA Staff.