Keeping up with never-ending software updates can be cumbersome, but there are programs that can help, and keep you HIPAA compliant at the same time.
In previous articles in this series, we have explored the need to understand cybersecurity, especially as it relates to HIPAA rules and regulations. While many of these involve areas familiar to dentists such as disaster recovery and antimalware software, a number are less well-known but just as critical. One is something called patch management.
You won’t find the words “patch management” in the HIPAA Security Rule, but given recent action by the U.S. government agency that enforces HIPAA, the expectation is clearly there. NIST (the National Institute of Standards and Technology) guidance is mandatory only for federal agencies, but many of us in the IT world treat its recommendations as the de facto standard. NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, is the gold standard here.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with a community behavioral health organization in December 2014 over potential HIPAA violations that came to light during OCR’s investigation of a breach of electronic protected health information (ePHI), a breach the organization itself had reported to HHS in March 2012.
The press release announcing the settlement included a quote from OCR Director Jocelyn Samuels who stated, “Successful HIPAA compliance requires a common-sense approach to assessing and addressing the risks to ePHI on a regular basis … this includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
The basic premise of patch management is that a dental office typically runs a multitude of software programs: the Windows operating system, a web browser, Adobe products such as its PDF reader, Microsoft Office, and numerous others. Unfortunately, these products tend to ship with security holes, and as new ones are discovered, the vendor releases updates, or “patches,” to close them. This is a constant battle between software developers and the people looking for holes to exploit; patches are often released on a weekly basis. It becomes a high-stakes game of Whack-A-Mole.
While some products (like Windows) can be set to download and install updates automatically, others cannot. And even for those that can, it’s often not prudent to install untested patches right away. I often suggest waiting a week or two to ensure that the bugs have been worked out.
This is where the concept of patch management comes in. Sure, you could pay your IT company to log on to each and every computer every week to search for and apply patches to every program on it, but that is an expensive undertaking. Instead, there is a whole class of software, usually sold by IT providers as a managed service (the tools themselves are often called remote monitoring and management, or RMM, software), that automates this process for you.
While the software installs updates on the schedule you dictate, it can also handle many other functions that are not necessarily HIPAA requirements. For example, many include alerting: they can notify you and/or your IT company of a problem such as a corrupted or failing hard drive, repeated incorrect password entries, a virus detection, and so on. These programs can also defragment hard drives, clean out temporary internet files, and perform other maintenance-type functions.
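To make the policy concrete, here is a small added example that is not code from this article or from any particular managed-services product. It evaluates a constructed software inventory against the two things OCR called out, unpatched vulnerabilities and unsupported software, and treats the “wait a week or two” idea above as a grace period with a hard deadline. Hostnames, product names, version numbers and patch release dates are made up for illustration; the only real date is Windows XP’s end of support, April 8, 2014.

```python
"""Patch-compliance check over a constructed software inventory.

Policy modelled (hypothetical, chosen for illustration):
  * a newly released patch may "bake" for a grace period before it is
    required, modelled on the one-to-two-week wait suggested in the text;
  * a patch older than the grace period that is still missing makes the
    host/product pair "overdue";
  * software past its vendor end-of-support date is "unsupported" no matter
    what is installed, because no further patches will ever come.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str
    end_of_support: Optional[date] = None  # None: vendor still supports it


@dataclass(frozen=True)
class Patch:
    product: str
    version: str    # first version that contains the fix
    released: date


def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions so that '11.0.08' < '11.0.10'.
    Assumes purely numeric components; real vendor strings can be messier."""
    return tuple(int(part) for part in version.split("."))


def latest_patches(patches: Iterable[Patch]) -> Dict[str, Patch]:
    """Keep only the newest patch per product: the version a fully patched
    machine should be running."""
    newest: Dict[str, Patch] = {}
    for patch in patches:
        current = newest.get(patch.product)
        if current is None or version_key(patch.version) > version_key(current.version):
            newest[patch.product] = patch
    return newest


def classify(item: Installed, newest: Optional[Patch], today: date, grace_days: int) -> str:
    """Return one of: unsupported, ok, pending, overdue."""
    if item.end_of_support is not None and item.end_of_support < today:
        return "unsupported"          # patch state is irrelevant; nothing is coming
    if newest is None or version_key(item.version) >= version_key(newest.version):
        return "ok"
    age_days = (today - newest.released).days
    return "pending" if age_days <= grace_days else "overdue"


def evaluate(inventory: Iterable[Installed], patches: Iterable[Patch],
             today: date, grace_days: int = 14) -> Dict[Tuple[str, str], str]:
    """Map (host, product) to its compliance status."""
    newest = latest_patches(patches)
    return {(item.host, item.product): classify(item, newest.get(item.product), today, grace_days)
            for item in inventory}


def non_compliant(statuses: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    """The pairs an alert should be raised for; 'pending' is deliberately not one of them."""
    return sorted(key for key, status in statuses.items() if status in ("overdue", "unsupported"))


# Constructed sample data: hostnames, products, versions and patch dates are
# made up. The Windows XP end-of-support date (8 April 2014) is the real one.
TODAY = date(2015, 3, 10)

INVENTORY = [
    Installed("FRONTDESK-1", "PDF Reader", "11.0.10"),
    Installed("FRONTDESK-1", "Windows XP", "5.1", end_of_support=date(2014, 4, 8)),
    Installed("OPERATORY-2", "PDF Reader", "11.0.08"),
    Installed("OPERATORY-2", "Java", "8.0.31"),
]

PATCHES = [
    Patch("PDF Reader", "11.0.09", date(2014, 10, 14)),
    Patch("PDF Reader", "11.0.10", date(2014, 12, 9)),   # 91 days old: past the grace period
    Patch("Java", "8.0.40", date(2015, 3, 3)),            # 7 days old: still baking
]

if __name__ == "__main__":
    statuses = evaluate(INVENTORY, PATCHES, TODAY)
    for (host, product), status in sorted(statuses.items()):
        print(f"{host:14} {product:12} {status}")
    print("non-compliant:", non_compliant(statuses))
```

The grace period is itself a window of exposure, so the check treats it as a deadline rather than an open-ended delay: once a patch is older than the grace period, any host still on the old version is reported as overdue, and end-of-life software is reported regardless of patch state because no fix will ever arrive for it. A real RMM tool replaces the constructed lists with data collected from each workstation and feeds the non-compliant pairs into the same alerting channel it uses for failing drives and virus detections.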
Many IT companies, including mine, offer patch management services. Dentists should take the time to evaluate their options and decide on the best way to keep their patient data safe and secure.