HIPAA Sanctions Possible Unless Software Patches and Updates Are Applied
To be deemed compliant with Health Insurance Portability and Accountability Act (HIPAA) regulations, it is vital that all healthcare providers and health plans use proper safeguards to keep the personal and medical information of employees and patients secure.
There are many possible security risks when managing a database of patient medical records, whether the data is held on in-house servers, managed by external contractors or hosted in the cloud. The only way to be certain that all weaknesses are identified is to conduct a thorough risk assessment of all IT systems, including any hardware and software that comes into contact with PHI.
Software becomes outdated over time and needs to be regularly updated to maintain its functionality. As software engineers spot weaknesses, patches are developed and made available to install. It is vital that these patches and software updates are applied on all terminals and mobile devices using the software, to make sure the systems and data are not unwittingly exposed to being hacked.
Applying software patches is as crucial as updating the virus definitions of anti-virus software, and failing to make a timely update can leave entire networks open to hackers. Also, while software patches are not specifically referred to in the HIPAA Security Rule, a failure to keep software up to date has been found to be a HIPAA breach and, as Anchorage Community Mental Health Services (ACMHS) recently discovered, Security Rule violations carry hefty fines.
ACMHS is a non-profit group that runs five mental health facilities in Alaska. In 2012 it experienced a security breach that exposed the data of 2,700 individuals due to a malware infection. Had software patches been downloaded on the computers, the malware would not have been able to infect the PCs.
After ACMHS reported the breach, the Office for Civil Rights (OCR) ran an investigation and determined that ACMHS had not done enough to safeguard the Protected Health Information of its patients. ACMHS has now agreed to a settlement and is required to pay the HHS $150,000 for the HIPAA breaches.
The Security Rule does not specifically mention updating software, applying patches or even installing firewalls; yet a failure to install a firewall or apply security updates to software is considered a violation. It is not possible to manage risk if flaws are not removed and security holes plugged. When patches are no longer being released for software, it must be upgraded or replaced. Using outdated software is also a HIPAA breach.
These are all problems that should be raised when a risk analysis is conducted, and simply following the Security Rule to the letter will not ensure compliance. It would be impossible to keep legislation fully up to date with the pace at which technology is advancing, and it is up to the organization in question to make sure that full due diligence is conducted and all possible risks are assessed and addressed, not just those specifically referred to in the Security Rule.
The resolution agreement between the OCR and ACMHS says: “ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”
The only way to guarantee HIPAA compliance and manage risk effectively is to apply software patches and updates as soon as they are made publicly available and, where possible, to set software to update automatically.
OCR Director Jocelyn Samuels stated: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.” Samuels went on to say: “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”