The most recent installment of the Office for Civil Rights (OCR) cybersecurity newsletter focused on software vulnerabilities and patching.

The newsletter began with a little background on what software is and the fact that much of the software we use contains “bugs.”  Some of these bugs are security vulnerabilities that an attacker can exploit to gain access to sensitive information such as protected health information (PHI).  Most software vendors issue patches to fix known bugs.  As more vulnerabilities are discovered, more patches are issued, and it is the responsibility of the user, or the IT provider, to make sure those patches are actually installed.

Two well-known examples are the Spectre and Meltdown vulnerabilities, discovered in 2017 and publicly disclosed in January 2018.  These bugs are flaws in the design of the processors themselves and were present in nearly all processors made in the preceding ten years, so they could not simply be fixed inside one application; instead, processor and operating system vendors released microcode updates and OS patches to mitigate them, as vendors do for most identified bugs.

The OCR reminded covered entities and business associates that, for HIPAA compliance, they need to identify and mitigate vulnerabilities that could affect PHI.  Additionally, the OCR reminded health care organizations that they must conduct a risk assessment and then implement safeguards that reduce the risk of PHI exposure to a reasonable and appropriate level.

Mitigation usually means installing the patches that vendors make available, ideally after testing them outside production.  If no patch is available, or there is a concern that a patch may break a system that depends on the software, the organization should identify compensating controls to apply until a patch can be installed.  This might include restricting network access to the vulnerable system or disabling the affected network service.
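As an added example (not from the OCR newsletter or from HIPAAgps), the following Python script shows the check the newsletter is asking for: compare the software versions installed on each host against vendor advisories, and for each host decide whether a patch should be installed or, when the vendor has no fix yet, which compensating control applies.  The version comparison is numeric, field by field, because plain string comparison would wrongly rank version 2.4.9 above 2.4.41 and report a vulnerable host as patched.  The product names, versions, host names and advisories are constructed for illustration and do not refer to real products or CVEs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.4.41' into a tuple of ints.

    Each dot-separated field is read up to its first non-digit character, so
    '41-p1' becomes 41 (an assumption about the version scheme used in the
    constructed data below; real products may need a vendor-specific parser).
    """
    fields = []
    for field in version.split("."):
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break
            digits += ch
        fields.append(int(digits) if digits else 0)
    return tuple(fields)


def version_lt(installed: str, fixed: str) -> bool:
    """True if installed < fixed, comparing numerically field by field.

    Shorter tuples are padded with zeros so that '2.4' equals '2.4.0'.
    Plain string comparison would get this wrong: '2.4.9' > '2.4.41' as text.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass
class Advisory:
    product: str
    fixed_in: Optional[str]        # None: the vendor has not shipped a fix yet
    compensating_control: str      # what to do while the host is unpatched


# Constructed advisories for hypothetical products; not real CVEs or vendors.
ADVISORIES = [
    Advisory("webserver", "2.4.41",
             "restrict the service to the internal network until upgraded"),
    Advisory("imaging-gateway", None,
             "disable the unauthenticated network listener and firewall its port"),
]

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("lab-srv-01", "webserver", "2.4.9"),      # older than the fix, needs patch
    ("lab-srv-02", "webserver", "2.4.41"),     # already at the fixed version
    ("lab-srv-03", "webserver", "2.4.41.2"),   # vendor build newer than the fix
    ("imaging-01", "imaging-gateway", "5.2"),  # no fix exists, needs a control
]


def assess(inventory, advisories) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, status, action) for every host an advisory covers.

    status is one of:
      'patched'          installed version is at or above the fixed version
      'patch_available'  a fix exists and should be installed
      'no_patch'         no fix exists; apply the compensating control
    """
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)

    findings = []
    for host, product, installed in inventory:
        for adv in by_product.get(product, []):
            if adv.fixed_in is None:
                findings.append((host, product, "no_patch", adv.compensating_control))
            elif version_lt(installed, adv.fixed_in):
                action = f"upgrade to {adv.fixed_in}; until then: {adv.compensating_control}"
                findings.append((host, product, "patch_available", action))
            else:
                findings.append((host, product, "patched", "none"))
    return findings


def open_items(findings):
    """Only the findings that still require action (input to a risk register)."""
    return [f for f in findings if f[2] != "patched"]


if __name__ == "__main__":
    for host, product, status, action in assess(INVENTORY, ADVISORIES):
        print(f"{host:12} {product:16} {status:16} {action}")
```

The output of `open_items` is the list a risk assessment needs: each unpatched host with the action that closes the gap, either the upgrade or the compensating control.  In a real deployment the inventory would come from an asset or endpoint management tool and the advisories from the vendor or US-CERT feeds, but the decision logic is the same.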

Many health care organizations may not know where to find information about such vulnerabilities.  The OCR recommends using the United States Computer Emergency Readiness Team (US-CERT), which “collects and publishes information on cybersecurity threats for stakeholders in government and industry,” to learn about newly published vulnerabilities and the patches that address them.  Another option is to engage a firm that conducts vulnerability scans and penetration tests.

For more information from the newsletter, click here.  If you need more information on how to stay HIPAA compliant, join HIPAAgps and use the risk assessment to start identifying vulnerabilities.