For most small practices, the HIPAA compliance requirements can seem very confusing. Sometimes they may not even make sense. One of these is the requirement that all software used by both Covered Entities and Business Associates be supported by the manufacturer and kept up to date. If the software is working, why do we need to update it? Why can’t an entity still use Windows XP when it’s working just fine?
In this week’s case study, we find a practice that didn’t keep their software up to date and it cost them $150,000.
Anchorage Community Mental Health Services (ACMHS), a five-facility mental health organization, suffered a malware attack in 2012. They reported it to HHS in March of that year stating that the breach had affected 2,743 patients.
HHS investigated the breach and found that ACMHS had failed to follow HIPAA compliance requirements to protect PHI, and that this failure led to the breach.
You can read the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) bulletin here.
The main takeaway from the bulletin is summed up in this statement:
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
OCR Director Jocelyn Samuels
This means that OCR found that ACMHS had not followed through on their obligations to protect patient data because they were using software that was no longer supported and they didn’t patch their software with updates. This led to the malware attack that, in turn, allowed the breach.
What was the result?
ACMHS was fined $150,000 for the breach. In addition, they were required to implement a practice-wide corrective action plan and to keep OCR updated on their compliance program.
A $150,000 fine for not updating your software. It would have been far cheaper to pay the software vendor for the newest software than to pay the fine.
Why does unsupported software violate HIPAA compliance requirements?
Software is becoming more and more complex with each new release. As we add new functions and services into software, it increases the complexity. This includes all software, from our operating systems, like Microsoft Windows, to electronic medical records. The complexity also increases the number of bugs and potential vulnerabilities in the software. Windows 7, one of Microsoft’s most popular operating systems ever, has had over 1000 bugs patched since its initial release.
Over time, vendors release patches to address individual bugs, or new versions to address a lot of them at once. These patches, once installed, close the hole so that the vulnerability can no longer be used by an attacker. However, when entities don’t apply these patches, malware can use the open hole to attack and infect networks, even networks that run anti-malware software.
Also, when a vendor stops supporting software due to its age, they won’t be releasing any new security updates for it. For this reason, HIPAA compliance requirements state that entities must use supported software to remain in compliance.
A good example of this is the approaching end of support for Windows 7. On January 14, 2020, all support for Windows 7 will stop. Any Windows 7 machines on your network at that time will be a HIPAA violation.
0-day vulnerabilities are a real challenge for practices and vendors
The worst offenders are called 0-day vulnerabilities. These are newly found vulnerabilities in software for which attackers quickly develop methods of exploitation. Because vendors haven’t had time to release a patch, there is a window of time that allows attackers to take advantage of the hole and compromise systems. When those systems contain PHI, the results are devastating.
The WannaCry ransomware that was released in 2017 is a good example of this in action.
HHS OCR released a newsletter in June of 2018 that addressed this issue concerning software holes. You can read that here: https://www.hhs.gov
What can you do for your practice?
Patch management is a tedious process. Some patches work as expected while others cause new issues on the computers they are installed on. Even Microsoft has these issues.
However, this can’t be a reason not to install necessary patches for your practice. It is imperative that patches be installed to close security vulnerabilities.
In addition, install any new updates from your EMR vendors or other software that your practice uses.
When a program that your practice uses is no longer supported, you will need to either upgrade to the newest version or stop using it. Otherwise, you will have a HIPAA violation. As in the case of ACMHS, it can be an expensive violation as well.
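As an added example (not from the original post, HHS or OCR), here is a small Python check a practice could run over its own asset inventory to flag exactly the two failures the OCR bulletin names: operating systems past their vendor end-of-support date, and machines whose last patch is older than a written policy threshold. The inventory rows, hostnames and the 30-day threshold are constructed for illustration; the Windows 7 end-of-support date is the one cited above, and the Windows XP date is Microsoft’s published one.

```python
from datetime import date

# Vendor end-of-support dates. Windows 7's date is the one the post cites;
# Windows XP's is Microsoft's published date. Any other product must be
# added from the vendor's lifecycle page before this check is trusted for it.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Policy assumption (constructed): a machine that has not received a patch in
# this many days is flagged. Set it to what your written patch policy states.
MAX_PATCH_AGE_DAYS = 30

# Constructed sample inventory, not real hosts: (hostname, OS, last patch date).
INVENTORY = [
    ("frontdesk-01", "Windows 10", date(2020, 1, 20)),
    ("billing-02", "Windows 7", date(2019, 12, 1)),
    ("emr-server", "Windows Server 2016", date(2019, 11, 1)),
    ("lab-xp", "Windows XP", date(2014, 1, 2)),
]


def assess(inventory, today_iso, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return (hostname, finding) pairs, one per compliance gap found.

    A host can produce two findings: an unsupported OS and stale patching.
    Supported hosts with recent patches produce nothing.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, os_name, last_patch in inventory:
        eos = END_OF_SUPPORT.get(os_name)
        if eos is not None and today >= eos:
            findings.append((host, f"unsupported OS: {os_name} (support ended {eos})"))
        age_days = (today - last_patch).days
        if age_days > max_patch_age_days:
            findings.append((host, f"stale patching: last patch {age_days} days ago"))
    return findings


if __name__ == "__main__":
    # Run the check as of a date after the Windows 7 end-of-support date.
    for host, finding in assess(INVENTORY, "2020-02-01"):
        print(f"{host}: {finding}")
```

Running it as of 2020-02-01 flags billing-02 and lab-xp for unsupported operating systems and billing-02, emr-server and lab-xp for stale patching; the same inventory assessed on 2020-01-10 no longer reports Windows 7 as unsupported, which is the only difference the end-of-support date makes.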
ACMHS didn’t update the software that they used in their practice with patches from the vendor. In addition, they were using software that was no longer supported by vendors. This led to a malware infection that impacted 2,743 patients. HHS OCR investigated and found the failures in ACMHS’ HIPAA policies and procedures and issued a fine of $150,000 and a two-year corrective action program for the practice.
Patch management and the use of current, supported software are both covered under HIPAA compliance requirements.