BreachExchange mailing list archives
Why Vulnerable Healthcare Software Must Be Patched
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Dec 2014 18:51:08 -0700
http://healthitsecurity.com/2014/12/09/why-vulnerable-healthcare-software-must-be-patched/

Healthcare software programs need to be kept current, especially as technology continues to evolve and facilities are working to implement tools such as new EHR programs or communication options. A weak point in the system could lead to a data breach, which could compromise patients’ protected health information (PHI).

This is essentially what happened to Anchorage Community Mental Health Services (ACMHS), which recently settled alleged HIPAA violations with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, according to an OCR bulletin.

The agency was notified on March 2, 2012 that ACMHS discovered a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals. The breach was due to malware compromising the ACMHS healthcare software system.

An OCR investigation found that ACMHS had adopted sample Security Rule policies and procedures in 2005. However, those policies were not followed, according to OCR. The investigation also led to the conclusion that the incident was due to ACMHS not identifying and addressing basic risks. This included a failure to regularly update its IT resources with available patches and running outdated, unsupported software.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” OCR Director Jocelyn Samuels said in a statement. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

Along with the $150,000 settlement payment, ACMHS must also take part in a corrective action plan. This will require the health organization to report the state of its compliance to OCR for two years.
ACMHS was also released from certain actions, according to the HHS resolution agreement:

"In consideration of and conditioned upon ACMHS’ performance of its obligations under this Agreement, HHS releases ACMHS from any actions it has or may have against ACMHS under the Privacy, Security, and Breach Notification Rules arising out of or related to the Covered Conduct specified in paragraph I.2. of this Agreement. HHS does not release ACMHS from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph."

As the ACMHS case shows, healthcare software issues that lead to data breaches can affect a facility for some time. Covered entities must provide individual notifications to those potentially affected no later than 60 days. However, the aftermath and recovery process typically takes longer than those two months.

Moreover, small and large facilities can suffer if their software programs are not up-to-date. The Department of Veterans Affairs (VA) recently failed its 16th consecutive annual cybersecurity audit. However, auditors did tell VA leaders that noticeable progress had been made from the year before.

Adhering to federal regulations concerning healthcare software security is crucial for organizations of all sizes. Patients will feel better knowing that their data is secure, and facilities can feel confident in their ability to remain compliant and avoid potentially hefty fines.