BreachExchange mailing list archives

Why Vulnerable Healthcare Software Must Be Patched


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Dec 2014 18:51:08 -0700

http://healthitsecurity.com/2014/12/09/why-vulnerable-healthcare-software-must-be-patched/

Healthcare software programs need to be kept current, especially as
technology continues to evolve and facilities are working to implement
tools such as new EHR programs or communication options. A weak point in
the system could lead to a data breach, which could compromise patients’
protected health information (PHI).

This is essentially what happened to Anchorage Community Mental Health
Services (ACMHS), which recently settled alleged HIPAA violations with the
Department of Health and Human Services (HHS), Office for Civil Rights
(OCR).

ACMHS will pay $150,000 and adopt a corrective action plan to correct
deficiencies in its HIPAA compliance program, according to an OCR bulletin.
The agency was notified on March 2, 2012 that ACMHS discovered a breach of
unsecured electronic protected health information (e-PHI) affecting 2,743
individuals. The breach was due to malware compromising the ACMHS
healthcare software system.

An OCR investigation found that ACMHS had adopted sample Security Rule
policies and procedures in 2005. However, those policies were not followed,
according to OCR. The investigation also concluded that the incident
resulted from ACMHS failing to identify and address basic risks, including
failing to regularly apply available patches to its IT resources and
continuing to run outdated, unsupported software.

“Successful HIPAA compliance requires a common sense approach to assessing
and addressing the risks to ePHI on a regular basis,” OCR Director Jocelyn
Samuels said in a statement. “This includes reviewing systems for unpatched
vulnerabilities and unsupported software that can leave patient information
susceptible to malware and other risks.”

Along with the $150,000 settlement payment, ACMHS must also take part in a
corrective action plan. This will require the health organization to report
the state of its compliance to OCR for two years. ACMHS was also released
from certain actions, according to the HHS resolution agreement.

“In consideration of and conditioned upon ACMHS’ performance of its
obligations under this Agreement, HHS releases ACMHS from any actions it
has or may have against ACMHS under the Privacy, Security, and Breach
Notification Rules arising out of or related to the Covered Conduct
specified in paragraph I.2. of this Agreement. HHS does not release ACMHS
from, nor waive any rights, obligations, or causes of action other than
those arising out of or related to the Covered Conduct and referred to in
this paragraph.”

As the ACMHS case shows, healthcare software issues that lead to data
breaches can affect a facility for a long time. Covered entities must
notify the individuals potentially affected no later than 60 days after
the breach is discovered. However, the aftermath and recovery process
typically takes far longer than those two months.

Moreover, small and large facilities can suffer if their software programs
are not up-to-date. The Department of Veterans Affairs (VA) recently failed
its 16th consecutive annual cybersecurity audit. However, auditors did tell
VA leaders that noticeable progress had been made from the year before.

Adhering to federal regulations concerning healthcare software security is
crucial for organizations of all sizes. Patients will feel better knowing
that their data is secure, and facilities can feel confident in their
ability to remain compliant and avoid potentially hefty fines.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
