Find out what types of system and network vulnerabilities cause problems for health care organizations and their HIPAA compliance.

Some system vulnerabilities, such as outdated operating systems and software, can lead to HIPAA breaches. A couple of recent examples of breaches involving outdated systems are the WannaCry and Locky attacks that have been hitting hospitals still running Windows XP and Vista. XP reached its end of life on April 8, 2014 and Vista on April 11, 2017, meaning updates are no longer provided for these operating systems. Microsoft made an exception to the end-of-life dates and provided some updates after the WannaCry ransomware attack, but that was after the fact. The affected health care organizations likely could have protected themselves from the ransomware attacks if they had been using more recent operating systems.

Similar to the issues with outdated systems, systems with missing patches are particularly vulnerable to malicious actors. Many exploits of missing patches can result in improper system-level access. If a workstation doesn't have all of its patches, a hacker could gain access to that workstation. That might provide access to the EHR software on that workstation, which constitutes a breach. If any files with protected health information (PHI) are saved on the computer, the hacker could gain access to them as well, which is also a breach.

These two examples are exactly why a vulnerability scan should be conducted. These scans identify possible vulnerabilities on each device. Then, the person who manages your IT infrastructure can work to address those vulnerabilities.

What are some other technical HIPAA compliance issues?

There are some network vulnerabilities that might not be found during a vulnerability scan but can be found during a penetration test. One example occurs when file permissions are not managed well, allowing a hacker, or even an employee without special permissions, to gain access to files that he or she shouldn't. These might be files containing ePHI that only an administrator should be able to access.
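One way to check for the file-permission problem described above before a tester finds it is a simple audit of the directory where ePHI is stored. The script below is an added example, not code from the original article or from HIPAAgps; it assumes a POSIX filesystem, builds a constructed sample tree, and reports every regular file whose mode bits grant group or world access.

```python
# Added example, not from the original article: audit a directory tree for
# files whose mode bits let group members or everyone read/write them.
# Assumes a POSIX filesystem; the sample tree built in demo() is constructed.
import os
import stat
import tempfile

# Mode bit -> finding label; anything beyond owner-only access is reported.
EXPOSURES = [
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IRGRP, "group-readable"),
    (stat.S_IWGRP, "group-writable"),
]

def over_permissive(mode: int) -> list[str]:
    """Return the labels of every exposure bit set in a permission mode."""
    return [label for bit, label in EXPOSURES if mode & bit]

def audit_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map each over-permissive regular file to its findings."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue                   # skip symlinks, sockets, etc.
            reasons = over_permissive(stat.S_IMODE(st.st_mode))
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree: one protected file, two exposed ones."""
    root = tempfile.mkdtemp(prefix="phi_audit_")
    os.makedirs(os.path.join(root, "records"))
    samples = {
        "records/patient_001.txt": 0o600,  # owner only: not reported
        "records/patient_002.txt": 0o644,  # group and world can read
        "export.csv": 0o666,               # anyone can read and write
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return audit_tree(root)
```

Run `audit_tree()` against the real ePHI directory instead of `demo()`; the output is a list of files whose permissions should be tightened to owner-only or to the group that actually needs access.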

Another example is default credentials on a device. Some storage systems ship with a default username and password. When the device is set up, that default username and password may never be removed. A scan of the device won't pick that up, but manual testing will. By using the default username and password, anyone could gain access to that storage device, including any ePHI it holds.

These are all reasons to remain proactive when protecting your patients’ information. Join HIPAAgps to learn more about what you can do to determine if you have taken the proper steps to protect your patients and your organization. If you want a third-party check on your systems or networks, check out our partners at MainNerve.