OCR Draws Attention to HIPAA Patch Management Requirements

July 5, 2018

Healthcare organizations have been reminded of the HIPAA patch management requirements that ensure the integrity, confidentiality, and availability of ePHI is protected.
Patch Management: A Major Task for Healthcare Organizations
Computer software often contains coding errors that could potentially be exploited by malicious actors to gain access to computers and healthcare systems.
Software, operating system, and firmware vulnerabilities are to be expected. No operating system, software application, or medical device is invulnerable. What matters is that those vulnerabilities are identified quickly and mitigations are put in place to reduce the likelihood of the vulnerabilities being exploited.
Security researchers regularly identify flaws and potential exploits. The bugs are reported to manufacturers, and patches are developed to fix the vulnerabilities before malicious actors can take advantage of them.
Unfortunately, it is not possible for software developers to test every patch thoroughly and identify all possible interactions with other software and systems while still releasing patches in a timely manner.
For that reason, IT departments should test patches before they are applied. IT teams should also ensure that patches are applied to all vulnerable systems and that no device is overlooked.
With so many IT systems and software applications in use, and the frequency with which patches are issued, patch management can be a major challenge for healthcare organizations.
Identifying Vulnerabilities and Potential Mitigations
To ensure patches can be applied, IT teams must have a complete inventory of all systems, devices, operating systems, firmware, and software installed throughout the organization. Regular scans must also be conducted to identify unauthorized software – shadow IT – that has been installed.
The United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provide the latest information on new vulnerabilities, mitigations, and patches. Covered entities should regularly check their websites and, ideally, sign up for alerts. Information on vulnerabilities and patches should also be obtained from software vendors and medical device manufacturers.
The Patch Management Process
In order for a HIPAA-covered entity to ensure that HIPAA patch management requirements are satisfied and that risks to the confidentiality, integrity, and availability of ePHI are reduced to an acceptable level, robust patch management policies and procedures should be developed and implemented.
OCR recommends that the patch management process should include:
• Evaluation: Determine whether patches apply to your software/systems.
• Patch Testing: Test patches on an isolated system to determine whether there are any unexpected or unwanted side effects, such as applications not functioning correctly or system instability.
• Approval: Once tested, approve patches for deployment.
• Deployment: Install patches on live or production systems.
• Verification and Testing: After deployment, continue to test and audit systems to ensure patches have been applied properly and that there are no unexpected side effects.
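The following script is an added illustration of the two mechanics the article relies on: matching a vendor advisory against a complete asset inventory (the evaluation step, which is only as good as the inventory behind it) and forcing each patch through the evaluate, test, approve, deploy and verify stages in order, with verification re-running the same check so that a device whose update never actually applied is surfaced rather than assumed patched. It is not code from OCR, HIPAA Journal or NIST; every host name, product, version and advisory identifier in it is constructed sample data, and the stage ordering is a simple hypothetical model of the five-step process above.

```python
"""Patch-management workflow sketch: evaluate, test, approve, deploy, verify.

Hosts, products, versions and advisory ids below are constructed sample data
(hypothetical), not real systems or real vendor advisories.
"""
import copy
from dataclasses import dataclass
from enum import Enum


def parse_version(v: str) -> tuple:
    """Turn '4.2.10' into (4, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Constructed asset inventory. Anything holding ePHI, including medical-device
# firmware, has to be listed here or it can never be evaluated for a patch.
INVENTORY = [
    {"host": "ehr-app-01", "product": "ExampleEHR", "version": "4.2.1"},
    {"host": "ehr-app-02", "product": "ExampleEHR", "version": "4.2.3"},
    {"host": "infusion-pump-07", "product": "ExamplePumpFW", "version": "1.9.0"},
    {"host": "billing-db-01", "product": "ExampleDB", "version": "12.1.0"},
]

# Constructed vendor advisories (hypothetical ids): affected product and first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "ExampleEHR", "fixed_in": "4.2.3"},
    {"id": "ADV-EXAMPLE-002", "product": "ExamplePumpFW", "fixed_in": "2.0.0"},
]


def evaluate(inventory, advisories):
    """Evaluation: which inventoried hosts run an affected product below the fixed version?"""
    affected = []
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        for asset in inventory:
            if asset["product"] == adv["product"] and parse_version(asset["version"]) < fixed:
                affected.append((asset["host"], adv["id"]))
    return affected


class Stage(Enum):
    EVALUATED = 1
    TESTED = 2
    APPROVED = 3
    DEPLOYED = 4
    VERIFIED = 5


@dataclass
class PatchTicket:
    host: str
    advisory_id: str
    stage: Stage = Stage.EVALUATED

    def advance(self, next_stage: Stage) -> "PatchTicket":
        """Move exactly one stage forward. Skipping a stage (deploying an untested
        patch, or deploying without approval) is rejected rather than recorded."""
        if next_stage.value != self.stage.value + 1:
            raise ValueError(
                f"{self.host}/{self.advisory_id}: cannot go from {self.stage.name} to {next_stage.name}"
            )
        self.stage = next_stage
        return self


def verify(inventory, advisories, tickets):
    """Verification: re-run evaluation against the post-deployment inventory and
    return every ticket marked deployed whose host is still below the fixed version."""
    still_affected = set(evaluate(inventory, advisories))
    return sorted(
        (t.host, t.advisory_id)
        for t in tickets
        if t.stage is Stage.DEPLOYED and (t.host, t.advisory_id) in still_affected
    )


def run_cycle():
    """Walk one patch cycle end to end; returns the hosts verification flags as unpatched."""
    inventory = copy.deepcopy(INVENTORY)
    tickets = [PatchTicket(h, a) for h, a in evaluate(inventory, ADVISORIES)]
    for t in tickets:
        t.advance(Stage.TESTED).advance(Stage.APPROVED).advance(Stage.DEPLOYED)
    # Constructed deployment outcome: the EHR update applied, but the pump firmware
    # push never took effect, so that asset's version is unchanged in the rescan.
    for asset in inventory:
        if asset["host"] == "ehr-app-01":
            asset["version"] = "4.2.3"
    leftovers = verify(inventory, ADVISORIES, tickets)
    for t in tickets:
        if (t.host, t.advisory_id) not in leftovers:
            t.advance(Stage.VERIFIED)
    return leftovers


if __name__ == "__main__":
    print("Affected before patching:", evaluate(INVENTORY, ADVISORIES))
    print("Still affected after deployment:", run_cycle())
```

The point of `verify` re-using `evaluate` rather than trusting the ticket state is the one the article makes under "Verification and Testing": a deployment record says a patch was pushed, only a fresh scan of the device says it was applied. In a real environment the inventory would come from an asset database or scanner export and the advisories from the vendor and US-CERT/ICS-CERT feeds the article names.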
NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies (Revision 3), is an excellent resource covering best practices for patch management.