But the HIPAA Security Rule doesn’t explicitly say anything about patches and updates!?!?
Technology is a requirement for business and is deeply embedded in modern healthcare. Although no specifics for patch management is available in the HIPAA Security Rule, healthcare providers who fall victim to threats like phishing, malware, ransomware or other cyber criminals may be subject to significant fines if they do not have a documented patch management program in place. Most of the software that powers the technology used in healthcare contains “bugs” that can negatively affect how the software works and create risks to the confidentiality, integrity and availability of the data. These “bugs” are regularly fixed with updates and patches by the manufacturers, but it’s generally the users responsibility to test, approve and install these updates and patches. While the HIPAA Security Rule doesn’t explicitly detail a patch management process, failing to follow best practices like having an effective patch management program in place to ensure that systems are kept up to date is considered a violation and can result in significant fines.
The Cyber Tech Cafe MyIT Silver program is a simple, cost effective solution that can help healthcare providers better understand their environment and comply with the HIPAA requirements. In addition to simply installing updates, the MyIT Silver program includes active monitoring of the endpoints, up-to-date inventory of hardware and software, montly testing of backups and a monthly report highlighting any findings. Additional information on our MyIT programs including the MyIT Silver program is available on our website or, if you’d like to reach out to us directly, all of our contact information is available here.
- OCR Draws attention to Patch Management – https://www.hipaajournal.com/hipaa-patch-management-requirements/
- OCR Guidance on Sofware Vulnerabilities and Patching – https://www.hhs.gov/sites/default/files/june-2018-newsletter-software-patches.pdf
- Anchorage Community Mental Health Services fined $150,000 – https://www.hipaajournal.com/patch-update-computer-software-face-hipaa-sanction/