OCR releases guidance on software vulnerabilities and patching

July 13, 2018
Medicare Web

OCR’s June cybersecurity report focuses on software bugs and patches designed to fix them. Software bugs can make your computer systems vulnerable and put electronic personal health information (ePHI) at risk.

Most covered entities and business associates rely on software to manage ePHI, and they are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI. This includes evaluating software vulnerabilities, assessing potential risks, and implementing solutions to keep risk at a reasonable minimum.

According to the OCR report, “In late 2017, researchers discovered a widespread vulnerability in computer processors that were sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allowed malware to bypass data access controls and potentially access sensitive data. The security flaw was present in nearly all processors produced in the last 10 years and affected millions of devices. After the discovery of these defects, vendors scrambled to release patches that addressed this problem.”

Software patches are often available for software and firmware on phones, computers, servers, and other devices, but they aren’t always the best fix. Some patches may decrease device performance or even introduce new vulnerabilities, especially given that computer programs are often interconnected. This is why patch management plays an important role in maintaining HIPAA Security Rule compliance.

The OCR report suggests five steps for effective patch management:

  • Evaluation of patches to determine if they apply

  • Patch testing on an isolated system

  • Approval for deployment after testing

  • Deployment or installation of the patch on live systems

  • Verification and testing to ensure correct installation and no unforeseen side effects

The report warns that depending on the patch, “system modifications that affect the security of ePHI may trigger an entity’s HIPAA obligation to conduct an evaluation to ensure that ePHI remains protected following environmental or operational changes.” Evaluations are a necessary part of the vigilance required to ensure the security of ePHI.

For more on staying up-to-date on potential cybersecurity threats, see the United States Computer Emergency Readiness Team bulletin.

Related Topics: 
HIPAA