Unpatched Software Leads To Regulatory Action, Fines

We have written at length on this blog about the health care sector's poor security hygiene, its reliance on embedded systems and the regulatory changes it faces. However, a recent decision by the Department of Health and Human Services' Office for Civil Rights opens up an entirely new line of discussion about how the HIPAA Security Rule is interpreted and enforced.

As reported by Data Breach Today, Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. The HHS investigation found that ACMHS had failed to apply available software patches, and that this failure contributed to a 2012 malware-related breach affecting more than 2,700 individuals.

This is one of the first cases in which a fine has been issued on the basis of unpatched software vulnerabilities. Many people assume that the HIPAA rules provide guidance on vulnerability scanning, patch management, intrusion monitoring and other common information security practices. They do not: the Security Rule is written in terms of risk analysis and risk management rather than specific technical controls, so none of these practices is spelled out today.

Hospital environments are a hodgepodge of embedded systems, off-the-shelf IT equipment and proprietary applications. It is common to find HIPAA "compliant" organizations running legacy Windows operating systems and productivity tools as old as Office 2003, software that no longer receives security patches at all. That this fine is one of the first to specifically call out this deficiency is what makes it a landmark case.
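As an added illustration that is not part of the original post, the following Python script shows the kind of inventory check that surfaces exactly the problem described above. It takes an asset export, flags products that are past their vendor's end-of-support date, products with no lifecycle data (treated as unknown rather than safe), hosts with no recorded patch history, and hosts whose last patch is older than a threshold. The hostnames and inventory records are constructed for the example; the end-of-support dates are assumptions taken from Microsoft's published lifecycle dates, and the 30-day threshold is an arbitrary policy value.

```python
from datetime import date

# Constructed sample inventory (hostnames and records invented for this example).
# The shape mirrors a typical export from an asset or patch-management tool.
INVENTORY = [
    {"host": "rad-ws-01", "os": "Windows XP",
     "apps": ["Office 2003"], "last_patched": "2014-10-01"},
    {"host": "ehr-app-02", "os": "Windows Server 2008 R2",
     "apps": ["Office 2010"], "last_patched": "2014-11-20"},
    {"host": "lab-ws-07", "os": "Windows 7",
     "apps": ["Office 2010"], "last_patched": "2014-06-15"},
    {"host": "infusion-gw", "os": "Windows Embedded Standard 2009",
     "apps": [], "last_patched": None},
]

# Assumed end-of-extended-support dates (from Microsoft lifecycle data).
# Anything not in this table is deliberately reported as unknown, not as safe.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Office 2003": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
    "Office 2010": date(2020, 10, 13),
}


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as '2014-12-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def assess_host(record, as_of, max_patch_age_days=30):
    """Return a list of findings for one host as of the given review date."""
    as_of = _as_date(as_of)
    findings = []
    for product in [record["os"], *record["apps"]]:
        eos = END_OF_SUPPORT.get(product)
        if eos is None:
            findings.append(f"{product}: no lifecycle data; confirm support status")
        elif eos <= as_of:
            findings.append(f"{product}: unsupported since {eos.isoformat()}, "
                            "no further security patches")
    last = record["last_patched"]
    if last is None:
        findings.append("no patch history recorded")
    else:
        age = (as_of - date.fromisoformat(last)).days
        if age > max_patch_age_days:
            findings.append(f"last patched {age} days ago "
                            f"(threshold {max_patch_age_days})")
    return findings


def assess_inventory(inventory, as_of, max_patch_age_days=30):
    """Map each hostname to its findings; a host with an empty list is clean."""
    return {r["host"]: assess_host(r, as_of, max_patch_age_days) for r in inventory}


def hosts_needing_action(results):
    """Hostnames with at least one finding, sorted for a stable report."""
    return sorted(host for host, findings in results.items() if findings)


if __name__ == "__main__":
    results = assess_inventory(INVENTORY, "2014-12-15")  # review date for the example
    for host in hosts_needing_action(results):
        print(host)
        for finding in results[host]:
            print(f"  - {finding}")
```

The point of the unknown-product branch is that a lifecycle table is never complete in a hospital estate full of embedded and vendor-locked systems; a device whose support status nobody can state is a finding in its own right, and treating it as clean is how an investigator ends up describing your environment for you.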

Care providers must take immediate action to improve their security programs beyond what the letter of HIPAA requires. This recalls the early days of the payment card industry standards, when fines were issued and disputed on the basis of inconsistent interpretations of the guidance. Those fines hurt some organizations quite badly, but the silver lining is the more mature PCI DSS 3.0 standard we see today.

Today the focal point is unpatched systems and unpatched software, but what about the next investigation? Next month a sanction could just as easily be issued for insufficient access controls or unreviewed logs; you get the idea. How does the CIO of a health care organization figure out where to start?

It all comes back to focusing on security rather than compliance. For example, some organizations have made significant progress by applying the SANS Top 20 Critical Controls (now maintained as the CIS Critical Security Controls) on top of the HIPAA rule set. If you have not read the Top 20 Critical Controls, they are worth the time. They are a good place to start, but keep in mind that they still require interpretation, and there are other issues to address, such as enterprise security management and resource planning.

Ultimately, every organization is unique and will have to come up with a plan that makes the most sense for it. It is common to find security programs that are already well down the road on a plan and have stalled because of budgetary constraints or organizational challenges. Dunbar consultants can help by providing an objective view and introducing strategies to get measurable changes implemented as effectively as possible.