How the Cost of Unpatched Software Figures Into HIPAA and Industry Compliance 

January 2

We’ve talked quite a bit about the end of life for Windows XP and the importance of upgrading to a newer OS. It’s nothing against XP. It’s about the instability and security exposure that build up once a system stops receiving security updates and patches: every newly disclosed flaw stays open, and attackers know it. As one organization in the healthcare arena has learned, the cost of unpatched software can run rather steep.

Non-profit organization Anchorage Community Mental Health Services (ACMHS) was recently hit with a $150,000 settlement payment by the Office for Civil Rights (OCR), the branch of the Department of Health and Human Services that enforces HIPAA. According to reports, the penalty stems from the Alaskan nonprofit’s failure to apply software patches, which left a known vulnerability open and resulted in a malware infection that exposed the electronic protected health information of more than 2,700 individuals. ACMHS is the first healthcare organization to be penalized specifically over unpatched software, and it is widely expected to be the first of several in the field.

HIPAA Upping the Ante on Data Protection

Passed in 1996, the Health Insurance Portability and Accountability Act, or HIPAA, is a federal law that sets standards for protecting the security and privacy of protected health information (PHI). The law is enforced by the OCR. Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals (and HHS) when unsecured PHI is breached, without unreasonable delay and in no case later than 60 days after the breach is discovered. The OCR also enforces the Privacy Rule and the Security Rule that implement the act.

What’s interesting about the ACMHS fine is that HIPAA never uses the words “patch management” or says anything about keeping software current with security updates. What the Security Rule does require is that covered entities conduct a risk analysis, implement safeguards that reduce identified risks to a reasonable and appropriate level, and refrain from using or disclosing PHI in improper ways. That is the hook OCR uses: the law does not name patching, but it is hard to argue that running software with publicly known, unpatched vulnerabilities meets the “reasonable and appropriate” bar. Failing to address those vulnerabilities leaves an organization without the secure infrastructure it needs to adequately safeguard patient data, and, as ACMHS found out, without a defensible position when OCR comes asking.

The Truth about Windows XP, End of Life, and Patch Problems

An apparent hard drive failure recently took out my relatively new computer running Windows 8, so I’m temporarily back on my old machine. Despite being a little slower, I can say that XP still works just fine. “Works fine” is not the same as “safe,” though, and that is one of the main points driven home in “The Importance of Managing Unpatched Software.” The article’s author, Kevin Beaver, notes that an unpatched OS like XP is not necessarily attacked head-on; the more common route is indirect, through the vulnerable applications running on top of it. Exploit one out-of-date browser plugin, PDF reader, or Java runtime, he points out, and an attacker has a foothold on the entire system.

Beaver said that our systems can run forever if we take a diligent approach to testing third-party applications for security vulnerabilities. One caveat worth stating plainly: for an operating system that has passed end of life there is nothing left to apply. Microsoft stopped issuing security updates for XP in April 2014, so any new OS-level flaw stays open no matter how carefully the applications on top of it are maintained. With that in mind, his editorial aligns with the message that comes out of the ACMHS breach and the HIPAA settlement that followed. Whether it pertains to the operating system or to the software that runs in the OS environment, it’s critical to apply patches and security updates as soon as they’re available. A few minutes of an IT administrator’s time can save the organization thousands of dollars in penalties and a great deal of peace of mind.

If there’s one takeaway that ties the moral of this story together, it’s this: when it comes to meeting industry compliance, it pays not only to go beyond the minimum requirements of the established rules and regulations, but also to apply common sense in assessing and addressing security risks. So if it’s possible to harden your software with patches, bandages, and tape (so to speak), do it!

Photo Credit: Purple Slog via Flickr