OCR Issues Guidance on Software Vulnerabilities and Patching

Written by: Anthony E. Stewart, Esq.

Last month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) provided guidance regarding software vulnerabilities and patching. In simple terms, a software vulnerability is a weakness, design or implementation error that can lead to an unexpected and undesirable event, compromising the security of a system. After a vulnerability is discovered, a patch is typically released to fix the vulnerability.

HIPAA requires covered entities and business associates to protect their electronic protected health information (ePHI), which includes identifying and mitigating software vulnerabilities. Undiscovered or unpatched vulnerabilities can often be exploited and may lead to a breach of ePHI or other confidential material.

Identifying Software Vulnerabilities

Every covered entity and business associate is required under HIPAA to conduct a risk analysis – an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization. This includes identifying and mitigating risks and vulnerabilities that unpatched software poses to an organization’s ePHI. The OCR admits that this is no easy task and recommends that organizations routinely review security bulletins issued by the United States Computer Emergency Readiness Team (US-CERT) to help identify vulnerabilities. Additionally, OCR recommends performing periodic vulnerability scans to test systems and networks for known vulnerabilities, which should include identifying outdated or unsupported software.

Patching Software

After a vulnerability is identified, a patch should be applied, as appropriate, following an organization’s security management process. Typically, this is a routine process; however, organizations should be prepared for the unexpected, because installing patches can introduce a variety of changes to a system. The OCR recommends implementing a patch management policy as part of the organization’s security management program, and identifies the following typical steps in effective patch management:

  • Evaluation: Evaluate patches to determine if they apply to your software/systems.
  • Patch Testing: When possible, test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
  • Approval: Once patches have been evaluated and tested, approve them for deployment.
  • Deployment: Following approval, patches can be scheduled to be installed on live or production systems.
  • Verification and Testing: After deploying the patches, continue to test and audit systems to ensure that the patches were applied correctly and that there are no unforeseen side effects.
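The two technical points above, identifying outdated or unsupported software during a vulnerability scan and verifying after deployment that patches actually landed, can be illustrated with a small inventory check. The following is an added example written for this post; it is not code from OCR, US-CERT, or any scanning product. The package names, versions, end-of-support dates and inventory lines are all constructed for illustration, and the baseline table stands in for whatever source of "minimum patched version" data an organization maintains.

```python
"""Added example (not from the OCR guidance or this post): flag inventory
entries that are below a known patched version or past vendor end-of-support,
then re-run the same check after deployment as the verification step.
All package names, versions, hosts and dates are constructed placeholders."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    reason: str  # "outdated", "unsupported" or "unknown"


def parse_version(text):
    """Turn a dotted numeric version into an int tuple so that 2.4.10 > 2.4.7.
    Plain string comparison would get that wrong ("2.4.10" < "2.4.7").
    Only numeric dotted versions are supported; anything else raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


# Constructed baseline: the lowest version that carries the current security
# fixes, and the vendor's end-of-support date, per product.
BASELINE = {
    "examplelib":  {"min_patched": "2.4.7",  "supported_until": date(2030, 1, 1)},
    "webfrontend": {"min_patched": "10.0.3", "supported_until": date(2030, 1, 1)},
    "legacyagent": {"min_patched": "1.9.0",  "supported_until": date(2019, 6, 30)},
}

# Constructed inventory as a scanner or agent might report it: host, package, version.
INVENTORY_BEFORE = """\
ehr-app-01 examplelib 2.4.7
ehr-app-01 webfrontend 10.0.1
ehr-db-02 examplelib 2.3.9
ehr-db-02 legacyagent 1.9.2
"""

# Constructed post-deployment inventory: two packages patched, one left as-is.
INVENTORY_AFTER = """\
ehr-app-01 examplelib 2.4.7
ehr-app-01 webfrontend 10.0.3
ehr-db-02 examplelib 2.4.10
ehr-db-02 legacyagent 1.9.2
"""


def parse_inventory(text):
    """Parse whitespace-separated 'host package version' lines; skip blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, package, version = line.split()
        rows.append((host, package, version))
    return rows


def check_inventory(text, baseline=BASELINE, today=date(2024, 1, 1)):
    """Return one Finding per inventory entry that needs attention.
    An unsupported product is reported as such even if its version looks current,
    because no further security fixes will be published for it."""
    findings = []
    for host, package, version in parse_inventory(text):
        rule = baseline.get(package)
        if rule is None:
            # No baseline data: the evaluation step has to decide what applies.
            findings.append(Finding(host, package, version, "unknown"))
        elif today > rule["supported_until"]:
            findings.append(Finding(host, package, version, "unsupported"))
        elif parse_version(version) < parse_version(rule["min_patched"]):
            findings.append(Finding(host, package, version, "outdated"))
    return findings


def verify_after_deployment(before_text, after_text, **kw):
    """Verification step: re-run the check on the post-deployment inventory.
    Returns (unresolved, regressions): findings that were already open before
    deployment, and findings that are new since deployment."""
    open_before = {(f.host, f.package) for f in check_inventory(before_text, **kw)}
    after = check_inventory(after_text, **kw)
    unresolved = [f for f in after if (f.host, f.package) in open_before]
    regressions = [f for f in after if (f.host, f.package) not in open_before]
    return unresolved, regressions


if __name__ == "__main__":
    for f in check_inventory(INVENTORY_BEFORE):
        print(f"before: {f.host} {f.package} {f.installed} -> {f.reason}")
    unresolved, regressions = verify_after_deployment(INVENTORY_BEFORE, INVENTORY_AFTER)
    for f in unresolved:
        print(f"still open: {f.host} {f.package} {f.installed} -> {f.reason}")
    print(f"regressions: {len(regressions)}")
```

Run as written, the pre-deployment check reports three findings (one outdated package on each host plus the end-of-life agent), and the verification pass shows the two version upgrades resolved while the unsupported agent remains open, which is exactly the case a patch cannot fix and a risk analysis has to record separately. The numeric version comparison matters for the `2.4.10` entry: a naive string comparison would still report it as below `2.4.7`.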
