HIPAA Sanction Possible if Computer Software is Not Updated

by Ryan Coyne | Dec 12, 2014

In order to adhere to Health Insurance Portability and Accountability Act regulations, it is vitally important that all healthcare providers and health plans use appropriate security measures to keep the personal and medical information of employees and patients safe.

There are many possible security risks when maintaining a database of patient medical records, whether the data is stored on internal on-site servers, managed by external contractors or hosted in the cloud. The only way to be certain that all weaknesses are identified is to conduct a comprehensive risk assessment of all IT systems, including any hardware and software that touches the PHI.

Software quickly becomes outdated and needs to be regularly updated to maintain its operational capability. As software engineers discover weaknesses, patches are developed and made available for download. It is essential that these patches and software updates are applied on all workstations and mobile devices using the software, to ensure the systems and data are not unwittingly exposed to attack.

Applying software patches is as important as updating the virus definitions of anti-virus software, and failing to make a timely update can expose whole networks to hackers and cybercriminals. Additionally, while software patches are not specifically referred to in the HIPAA Security Rule, a failure to keep software up to date is deemed to be a HIPAA violation, and as Anchorage Community Mental Health Services recently found, Security Rule violations carry heavy financial penalties.

ACMHS is a non-profit organization that runs five mental health centers in Alaska. In 2012 it suffered a security violation that exposed the data of 2,700 individuals as a result of a malware infection. Had software patches been installed on the computers, the malware would have been unable to attack the PCs.

After ACMHS reported the breach, the OCR completed an investigation and determined that ACMHS had not done enough to protect the Protected Health Information of its patients. ACMHS has now agreed to a settlement and will pay the HHS $150,000 for the HIPAA violations.

The Security Rule does not specifically refer to software updates, applying patches or even installing firewalls; yet a failure to install a firewall or apply security updates to software is defined as a violation. It is not possible to manage risk if weaknesses are not removed and security holes are not plugged. When patches are no longer being released for a piece of software, it must be upgraded or replaced. Using outdated, unsupported software is also a HIPAA breach.

These are all issues which should be identified when a risk analysis is conducted, and simply following the Security Rule to the letter will not ensure compliance. It would be impossible to keep legislation fully up to date with the pace at which technology is advancing, so it is up to each organization to make sure that full due diligence is conducted and all potential risks are assessed and addressed, not just those specifically referred to in the Security Rule.

As per the resolution agreement between the OCR and ACMHS, “ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches”.

The only way to ensure HIPAA compliance and control risk effectively is to apply software patches and updates as soon as they are made available, and where possible to install software to update automatically.

OCR Director Jocelyn Samuels stated, “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.” Samuels added, “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise, and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance, to help organizations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
