A new bulletin states that a lack of Patch Management protocols constitutes a HIPAA violation

The Office of Civil Rights (OCR) recently opened an investigation into Anchorage Community Mental Health Services (ACMHS) following a breach of patient data affecting 2,743 patient records. The breach resulted from a malware infection and triggered a full audit of the health system’s privacy practices. The bulletin that was released by HHS can be found here, on the HHS website.

The Breach Resulted from a Lack of a Patch Management Protocol

OCR Director Jocelyn Samuels released a statement that shines light on the “Windows XP Debate”, and should put the matter to rest – having XP on your network is not HIPAA compliant. Her quote: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” Her quote encompasses more than just the Operating System, however – it alludes to having a Patch Management protocol for all of your software, and ensuring that each piece of software is currently being supported by the vendor.

What Software Needs to be Included in a Patch Management Protocol?

Aside from the obvious answer of your Operating System, Practice Management Software & Imaging Software, there are a few other programs to keep your eyes on for Patch Management. Vulnerabilities in Java, Flash, Reader, Silverlight and browsers are often cited as sources of malware. Many employees and dentists are commonly greeted with pop-ups stating that one of these programs has an update, but avoid installing the update for fear of damaging the PC’s operating system, or due to the time it takes to install the update – especially if a reboot is required.

CryptoWall 2.0, Malvertising, Adobe Flash, and You.

A new version of CryptoWall was just released which installs itself from banner ads on trustworthy sites. Here, malware designers posing as advertisers are beginning to buy advertising blocks on reputable sites, serving ads that exploit unpatched Flash or Java vulnerabilities. Yahoo, AOL, and Match.com are some examples of legitimate sites which have fallen victim to these “malvertisements”, which exploited a specific vulnerability in older versions of Adobe Flash. It is estimated that over 3 million internet users per day have been potentially exposed to malicious banner ads on reputable sites.

Following a Patch Management Schedule is Doable

If your practice has only a few PCs, then you may want to devote the labor hours to keep these programs updated. Use this sample Patch Management protocol to document the update schedule for each piece of software on each of your workstations. We recommend going through this process at least once a month. While some programs can be set to auto-update, some simply cannot – Java, for example, requires user interaction unless third-party patching software is used to silently update these programs. Part of your Security Plan should include launching each program, selecting the “check for update” option and following the prompts.

Patch Management Can be Automated

Depending on how many PCs you have in your practice, you might want to consider an automated, off-hours approach to Patch Management. By automating the process for Windows and all third-party software such as Adobe Flash, Java, etc., you can “set it and forget it.” With third-party software updaters, you can keep everything up to date and receive periodic (e.g. weekly) reports on what has been updated, and what is pending. A more aggressive measure which provides the best protection is to set Patch Management into an automated daily maintenance plan which takes place off-hours. The value in automated patch management is largest in practices with more than 4 or 5 PCs.
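The documented per-workstation schedule from the manual protocol above and the "updated vs. pending" report from the automated approach boil down to the same three checks: is each program at the vendor's current version, is it still supported by the vendor, and was it checked within the monthly window. The following script is an added illustration of that report, not code from dmi Networking or any updater product; the inventory rows, program versions and check dates are constructed sample data.

```python
from datetime import date

# Constructed sample inventory, one row per (workstation, program), carrying the
# fields the sample protocol asks you to document. Version strings and dates are
# made up, apart from Windows XP's vendor end of support (2014-04-08).
# Fields: workstation, program, installed, vendor-current, end-of-support, last checked
INVENTORY = [
    ("FRONT-DESK-1", "Windows",      "XP SP3", "XP SP3",  "2014-04-08", "2014-12-01"),
    ("FRONT-DESK-1", "Java",         "7.0.67", "7.0.71",  None,         "2014-10-20"),
    ("OP-ROOM-2",    "Adobe Flash",  "15.0.0", "15.0.0",  None,         "2014-12-10"),
    ("OP-ROOM-2",    "Adobe Reader", "11.0.9", "11.0.10", None,         "2014-09-01"),
]
CHECK_INTERVAL_DAYS = 30  # the protocol recommends working the list at least monthly

def patch_report(inventory, today_iso):
    """Produce the three findings the protocol cares about: pending updates,
    software the vendor no longer supports, and checks that are overdue."""
    today = date.fromisoformat(today_iso)
    pending, unsupported, overdue = [], [], []
    for ws, prog, installed, current, eos, checked in inventory:
        if installed != current:
            pending.append((ws, prog, installed, current))
        if eos is not None and date.fromisoformat(eos) <= today:
            unsupported.append((ws, prog, eos))
        age = (today - date.fromisoformat(checked)).days
        if age > CHECK_INTERVAL_DAYS:
            overdue.append((ws, prog, age))
    return {"pending": pending, "unsupported": unsupported, "overdue": overdue}

def is_compliant(report):
    """The workstation set passes only when every finding list is empty."""
    return not any(report.values())

if __name__ == "__main__":
    rep = patch_report(INVENTORY, "2014-12-15")
    for section, rows in rep.items():
        print(f"{section} ({len(rows)}):")
        for row in rows:
            print("   ", *row)
    print("compliant:", is_compliant(rep))
```

Run against the sample data, the report flags Java and Reader as pending, the XP workstation as unsupported, and two programs whose last check is older than the monthly window.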

Speak with an IT Professional

If the above information still leaves you with questions, contact dmi Networking for the low-down on Patch Management and how it can affect your practice.

OCR: Patch Management is Necessary for HIPAA Compliance