Sophisticated cyber-criminals are constantly probing for vulnerabilities that can be exploited to access healthcare IT systems and steal valuable protected health information (PHI). Technology professionals entrusted to safeguard patient data must be constantly vigilant and proactive in their efforts to identify and eliminate these threats before they’re exploited.
It’s no secret that regularly applying system updates and patches is one of the most important and effective ways to plug security holes and safeguard your data. Yet stories are told every day about major healthcare system breaches resulting from well-known software or hardware vulnerabilities.
More often than not, the cause is a failure to develop, implement, and follow a rigorous maintenance plan. It’s well known among IT professionals that applying system upgrades can be a hassle. Some may even believe it’s more trouble than it’s worth. It requires working late nights to avoid disrupting critical systems during peak patient hours. Upgrades can negatively impact the stability of your infrastructure, resulting in many hours of troubleshooting and rework.
The alternative is much worse, especially in the healthcare industry.
In 2014, Anchorage Community Mental Health Services (ACMHS) was hit with a $150,000 fine from the U.S. Dept. of Health and Human Services (HHS) after it was found that a significant breach of patient data was the result of ACMHS’s internal failures to adequately maintain security. Nearly 3,000 patients had their data accessed illegally via a malware breach because, as the HHS investigation concluded, ACMHS failed to patch their systems and continued to run outdated and unsupported software for a seven-year period from 2005 to 2012. In addition to the $150,000 payment, ACMHS will also be required to implement a corrective action plan (CAP) and provide regular reports to the HHS on the progression and status of its compliance program.
It seems obvious that security patches should be applied as soon as they are released, but they frequently aren’t. Employees are busy, and perhaps there are other IT priorities that steal focus away from routine maintenance. Proper planning and documentation are key. Instead of reacting to patches as they come in and relying on software vendors to be responsible for sending notification of patch availability, it is wise to make patching a regular part of the IT schedule and budget. Being proactive reduces the risk that a critical patch or update is missed.
Of course, patches are sometimes faulty. In 2014, the year ACMHS was fined for violating HIPAA protocols, Microsoft customers endured numerous patching problems. Again, being proactive and staying on top of updates can help the IT team to more quickly identify and resolve problems that may occur with a botched or incomplete patch.
The solution to safeguarding your systems – and the valuable health information contained within – is a documented plan that details all impacted software and applications and includes a patching plan. It might be wise to start with a risk assessment from a trusted third-party information security services provider. They can quickly ascertain which software and applications require the most effort to maintain.
Following the assessment, the information security services provider can also be of assistance in creating a comprehensive plan for security updates. They can even take on the work of applying the patches and work with software vendors and developers to understand when they plan to offer routine patches. Four steps a managed data services provider can help take for a successful patching plan are:
Bottom line, receiving and acting on patch notifications is a continuous responsibility. You can’t count on hackers ever taking a day off. If an emergency patch is made available on Christmas Day, someone must be available to implement it in order to protect the organization—and most importantly, patient data.