Under the HIPAA security rule, HIPAA covered entities (CEs) and business associates (BAs) are required to protect their electronic personal health information (ePHI), which typically involves identifying and mitigating software vulnerabilities that could put (ePHI) at risk. It also includes conducting a risk analysis, and implementing actions that will reduce these risks.
Mitigation activities may include installing patches if patches are available and appropriate. Patch management is the process of “identifying, acquiring, installing and verifying patches for products and systems.” When patching is not suitable, entities should implement additional controls to reduce risk. (For example- restricting network access or disabling network services to reduce vulnerabilities that could be exploited via the network.)
Each organization is unique and has different systems, challenges, and needs. However, the identification and mitigation of risks associated with unpatched software is essential to ensure the protection of ePHI.
The Office of Civil Rights (OCR) recommends that organizations take the following steps as part of an effective patch management program:
- Evaluation– conduct a thorough evaluation of patches to determine if they apply to your software.
- Patch Testing– When possible, test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning correctly or system instability.
- Approval– Once patches have been evaluated and tested, approve them for deployment.
- Verification and Testing– After deploying the patches, continue to test and audit systems to ensure that the patches were applied correctly and that there are no unforeseen side effects
Installing a patch or patches can often be a significant undertaking, especially when dealing with complex systems. Today’s threat landscape changes rapidly and organizations must be vigilant to ensure that patches are correctly and safely applied so that risk is minimized.