HIT Infrastructure Security: Keeping Up With Patches
Sophisticated cyber-criminals are constantly probing for vulnerabilities that can be exploited to access healthcare IT systems and steal valuable protected health information (PHI). Technology professionals entrusted to safeguard patient data must be constantly vigilant and proactive in their efforts to identify and eliminate these threats before they’re exploited.
It’s no secret that regularly applying system updates and patches is one of the most important and effective ways to plug security holes and safeguard your data. Yet, stories are told every day about major healthcare system breaches resulting from well known software or hardware vulnerabilities.
How does this happen?
More times than not, it’s a failure to develop, implement, and follow a rigorous maintenance plan. It’s well known among IT professionals that applying system upgrades can be a hassle. Some may even believe its more trouble than its worth. It requires working late nights to avoid disrupting critical systems during peak patient hours. Upgrades can negatively impact the stability of your infrastructure resulting in many hours of troubleshooting and rework.
The alternative is much worse, especially in the healthcare industry.
In 2014, Anchorage Community Mental Health Services (ACMHS) was hit with a $150,000 fine from the U.S. Dept. of Health and Human Services (HHS) after it was found that a significant breach of patient data was the result of ACMHS’s internal failures to adequately maintain security. Nearly 3,000 patients had their data accessed illegally via a malware breach because, as the HHS investigation concluded, ACMHS failed to patch their systems and continued to run outdated and unsupported software for a seven-year period from 2005 to 2012. In addition to the $150,000 payment, ACMHS will also be required to implement a corrective action plan (CAP) and provide regular reports to the HHS on the progression and status of its compliance program.
It seems obvious that security patches should be applied as soon as they are released, but they frequently aren’t. Employees are busy and perhaps there are other IT priorities that steal focus away from routine maintenance. Proper planning and documentation is key. Instead of reacting to patches as they come in and relying on software vendors to be responsible for sending notification of patch availability, it is wise to make patching a regular part of the IT schedule and budget. Being proactive reduces the risk that a critical patch or update is missed.
Of course, patches are sometimes faulty. In 2014, the year ACMHS was fined for violating HIPAA protocols, Microsoft customers endured numerous patching problems. Again, being proactive and staying on top of updates can help the IT team to more quickly identify and resolve problems that may occur with a botched or incomplete patch.
Bring in reinforcements
The solution to safeguarding your systems – and the valuable health information contained within – is a documented plan that details all impacted software and applications and includes a patching plan. It might be wise to start with a risk assessment from a trusted third-party information security services provider. They can quickly ascertain which software and applications require the most effort to maintain.
Following the assessment, the information security services provider can also be of assistance in creating a comprehensive plan for security updates. They can even take on the work of applying the patches and work with software vendors and developers to understand when they plan to offer routine patches. Four steps a managed data services provider can help take for a successful patching plan are:
- Test the Patch
Before any patch goes live, it should be tested to make sure it will work properly within all impacted applications and operating systems. Using the same application or database code in testing allows you to reveal any problems or potential failures before they can negatively affect working systems.
- Make the patch accessible and simple to implement
Patches should be designed to be implemented in as few steps as possible. Complicated instructions only serve to reinforce the perception among users that these patches are a bother, as opposed to a critical necessity.
- Monitor the status of the patch
Once the patch is made available it is critical to monitor it for problems. Unexpected bugs or complications can result in additional vulnerabilities. Work isn’t done when the patch goes live, monitoring is necessary to make sure it is working toward its intended purpose and that there aren’t unforeseen issues keeping it from being successfully downloaded and installed.
- Monitor user compliance in implementing the patch
Finally, additional monitoring is necessary to make sure that users are indeed downloading the patch. Anything but a high install rate may be an indicator of technical issues, or it may simply point out the need for additional outreach to users. Users may require additional education regarding the critical importance of these patches and the security risks associated with ignoring them.
Bottom line, receiving and acting on patch notifications is a continuous responsibility. You can’t count on hackers ever taking a day off. If an emergency patch is made available on Christmas Day, someone must be available to implement it in order to protect the organization—and most importantly, patient data.