OCR has reminded healthcare organizations of the importance of patch management for HIPAA compliance. Patches correct errors in software code that could be exploited by malicious actors to access computer network systems, placing the confidentiality, integrity, and availability of ePHI at risk.
No software, operating system or medical device is impervious to attack, and it is certain that vulnerabilities will be identified at some point in the lifespan of the product. When updates and patches are issued to correct those vulnerabilities, it is important that they are applied promptly to prevent hackers from gaining access to healthcare networks.
Vulnerabilities are often discovered by security researchers, who report the bugs to manufacturers so that they can develop patches to fix the problems before malicious actors exploit them. However, while these patches are tested by the vendor, it is not possible to identify all potential interactions with third-party software. Consequently, part of the patch management process requires IT teams to test patches before they are applied. Patch management is a big challenge for healthcare organizations’ IT departments. With many different IT systems and software applications, it can be difficult to keep on top of patching, especially considering the frequency at which patches are released.
In the June 2018 cybersecurity newsletter of the HHS’ Office for Civil Rights, OCR explained that patching vulnerable software promptly is a requirement for HIPAA compliance. OCR defines the patch management process as identifying, acquiring, installing and verifying patches for products and systems.
While the HIPAA Security Rule does not specifically mention patch management, it is covered by the security management process standard of the HIPAA administrative safeguards.
Healthcare organizations are required to conduct risk analyses to identify vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(i)(A). Any identified flaws must be subjected to a HIPAA-compliant risk management process – 45 C.F.R. § 164.308(a)(1)(i)(B). Patch management is also a requirement of 45 C.F.R. § 164.308(a)(5)(ii)(B), protection from malicious software, as well as 45 C.F.R. § 164.308(a)(8) – the evaluation standard.
HIPAA covered entities should have a complete inventory of all systems, firmware, software and operating systems. Without a complete list it will not be possible to tell which patches should be applied. It is important to check regularly for new software updates and patches so that they can be applied promptly. The United States Computer Emergency Readiness Team (US-CERT <https://www.us-cert.gov/>) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT <https://ics-cert.us-cert.gov/>) are good sources of information; their websites should be visited regularly, and IT teams should sign up for alerts about the latest vulnerabilities and mitigations.
OCR suggested a HIPAA-compliant patch management process should include the following elements:
- Evaluation: Find out whether patches are applicable to your software/systems.
- Patch Testing: Test the patch on one isolated system first to see whether it causes problems such as system instability or other software malfunctioning.
- Approval: When tests are successful, approve the patches for application.
- Deployment: Apply the patches on live or production systems.
- Verification and Testing: Test and audit systems after deployment to see whether the patches were applied correctly, and monitor for problems. Ensure that patches have been applied to all devices and software and that nothing has been missed.
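As an added illustration (not code from OCR, HHS or the original article) of how the inventory requirement and the evaluation, approval and verification steps above fit together, the following script reconciles a system inventory against patch approval status and a deployment log. The asset names, product names, patch identifiers and versions are constructed sample data, and the reconciliation is a hypothetical design, not a prescribed tool.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str        # version the host currently reports

@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    fixed_version: str  # first version that contains the fix
    approved: bool      # passed isolated testing and was approved for production

def version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))  # numeric, so 4.10 > 4.9

def reconcile(inventory, patches, applied: Set[Tuple[str, str]]) -> Dict[str, list]:
    """Cross-check inventory, approval state and the deployment log. Reports approved
    patches still missing on vulnerable hosts, hosts logged as patched that still
    report a vulnerable version, and patches deployed before they were approved."""
    report = {"missing": [], "failed_verification": [], "unapproved_deployment": []}
    for patch in patches:
        for asset in inventory:
            if asset.product != patch.product:
                continue  # evaluation step: the patch does not apply to this product
            vulnerable = version_key(asset.version) < version_key(patch.fixed_version)
            logged = (asset.host, patch.patch_id) in applied
            if logged and not patch.approved:
                report["unapproved_deployment"].append((asset.host, patch.patch_id))
            if logged and vulnerable:  # deployment log says done, the host disagrees
                report["failed_verification"].append((asset.host, patch.patch_id))
            elif vulnerable and patch.approved and not logged:
                report["missing"].append((asset.host, patch.patch_id))
    return report

# Constructed sample data, not taken from any real environment.
INVENTORY = [Asset("ws-01", "EHR-Client", "4.2.0"), Asset("ws-02", "EHR-Client", "4.2.1"),
             Asset("ws-03", "EHR-Client", "4.2.0"), Asset("img-01", "Imaging-Viewer", "2.0.4"),
             Asset("srv-01", "Imaging-Viewer", "2.0.5")]
PATCHES = [Patch("PATCH-EHR-2018-06", "EHR-Client", "4.2.1", approved=True),
           Patch("PATCH-IMG-2018-06", "Imaging-Viewer", "2.0.5", approved=False)]
APPLIED = {("ws-02", "PATCH-EHR-2018-06"), ("ws-03", "PATCH-EHR-2018-06"),
           ("srv-01", "PATCH-IMG-2018-06")}

if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, PATCHES, APPLIED).items():
        print(f"{finding}: {items or 'none'}")
```

A host that the deployment log marks as patched but that still reports the old version is the case the verification step exists to catch; the script lists it separately from hosts that were simply never patched.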