MDS Alert

Published on Tue Sep 04, 2018 PDF

Cybersecurity is everyone’s responsibility; make sure your facility’s practices and protocols engender a culture committed to maintaining the integrity of your IT system updates.

When you delete or bypass software updates, even on individual computers, you run the risk of being open for a cyberattack. Hackers scan for vulnerabilities day and night, and healthcare entities remain a favorite target.

Managing bugs, glitches, and patches is crucial and keeps intruders out — safeguarding your residents, your facility, and your reputation.

Context: In January, HHS issued a report to all covered entities (CEs) about malware issues caused by Spectre and Meltdown, concerning “how computer chips handle data that have the potential to expose sensitive information, such as protected health information (PHI), being processed on the chip,” says the agency release. The “design flaws” nicknamed Spectre and Meltdown were “present in nearly all processors produced in the last 10 years and affected millions of devices,” follows up the HHS Office of Civil Rights (OCR) June 2018 Cybersecurity Newsletter on the topic.

Read the HHS release here: https://content.govdelivery.com/attachments/USDHSCIKR/2018/01/17/file_attachments/944452/HCCIC-2018-001a-SpectreMeltdown.pdf.

One problem: Sometimes installing software updates isn’t enough protection, in and of itself, or negatively impacts other aspects of use. This was the case with patches for vulnerabilities due to Spectre and Meltdown. “Vendors scrambled to release patches that addressed this problem,” OCR notes. “However, testing indicated that a side effect of the patches” was a “decreased performance in certain computer uses.”

These types of cybersecurity scenarios lead to the loss of data and promote the HIPAA Security Rule mandate for thorough risk analyses of systems and devices. Because as this case reveals, “testing and understanding the impact of patches can be critical to mitigating the risks patches are designed to address while avoiding or minimizing risks that patches may introduce,” warns OCR.

Reduce Vulnerability Through Stringent Protocols

Malware attacks happen, but that doesn’t mean they’re inevitable. Challenges do arise when risk assessments occur, and the necessary changes are easy on paper but hard to implement in real time. And though it can be a pain for CEs and their business associates (BAs) to stop the daily grind and turn over technical processes to allow for software updates on hardware and devices, that health IT management is essential to protect ePHI.

“Cyber criminals prey upon the lax security practices, most breaches and attacks are preventable through a higher prioritization of operational security, including patch management and aggressive training programs,” observes Kurt J. Long, founder and CEO of Fair Warning Inc. in Clearwater, Florida.

Mechanics: Network and technical security oversight lead to breaches — it’s just that simple. But you can protect your practice with health information technology (HIT) protocols. “Apply vendor recommendation patches aggressively, and watch for vendor updates vigilantly,” suggests Long. “Not only should your IT team remain on top of such updates, but also, they should be driving a security-centric culture through your organization.”

Long maintains that it should be a team effort and all staff must understand security compliance. “All team members should understand the importance of installing security updates and maintaining proper security protocols,” he adds. “When everyone is on board, you can now plan and prevent for future attacks.”

Incorporate These Tips into Facility Policy and Practice

Every organization is different; therefore, you can’t expect one HIT solution to fit across all healthcare landscapes. Patch arrangements and rules for bigger facilities with a huge staff and multiple locations are going to be a lot different than the protocols for tiny, independent facilities. But if each individual computer user is ultimately responsible for installing updates, and even a single staff member is lax, your facility could be vulnerable.

“Each type of program will have its own unique set of vulnerabilities and challenges for patching,” advises OCR. “But, the identification and mitigation of risks associated with unpatched software is important to ensure the protection of ePHI.”

When putting together your patch management guide, consider implementing five “common steps,” the Cybersecurity Newsletter stresses. The OCR’s tips include:

1. “Evaluation:  Evaluate patches to determine if they apply to your software/systems.
2. “Patch testing: When possible, test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
3. “Approval: Once patches have been evaluated and tested, approve them for deployment.
4. “Deployment: Following approval, patches can be scheduled to be installed on live or production systems.
5. “Verification and Testing: After deploying the patches, continue to test and audit systems to ensure that the patches were applied correctly and that there are no unforeseen side effects.”

Ignoring Cybersecurity Constitutes Real, Multifaceted Threat

Shirking on software maintenance can lead you into trouble with hackers — and with the OCR should a breach occur.

“Even small healthcare companies get hacked,” warned Thomas Lewis, CISSP, CISA, QSA, CEO of information security for LBMC Information Security, in a blog posting. And if a hacking incident leads to a HIPAA breach, the size of your organization won’t protect you from a government audit and potential sanctions, Lewis warns. The OCR will investigate organizations of any size when they suffer a data breach.