Blog Post

New OCR Guidelines on Software Vulnerabilities and Patching

Computer processors sold in the past 10 years are
vulnerable to malware.

The Department of Health and Human Services Office for Civil Rights (OCR) recently issued a cybersecurity report that focuses on software bugs and patches. Software bugs are mistakes in a software code that can negatively impact how the software operates. These bugs can create computer system vulnerabilities and put electronic protected health information (ePHI) at risk. Patches are fixes to the software bugs that correct the software operation. They can be applied to software and firmware on all types of devices, such as phones, computers, servers and routers. Covered entities (CE) and business associates (BA) generally rely on software to manage their ePHI. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, CEs and BAs must use appropriate technical safeguards to ensure the security of their ePHI. To do so, CEs and BAs should evaluate software vulnerabilities, assess potential risks, and implement reasonable solutions.

In its report, OCR revealed that in late 2017, researchers discovered a widespread vulnerability in nearly all of the computer processors that were sold over the past decade, affecting millions of devices. These vulnerabilities allowed malware to bypass data access controls and potentially access sensitive data, and are known as Spectre and Meltdown. Once these defects were discovered, vendors quickly released patches to fix the problem. Although installing vendor recommended patches is a routine process, it is not always the best solution. Patches can create new issues, such as decreased performance in some devices.  They may also introduce new vulnerabilities in interconnected systems. As such, patch management should play a significant part in maintaining compliance with the HIPAA Security Rule.

The OCR report suggests the following five steps for effective patch management:

  • Evaluate patches to determine if they apply to the software or system in use;
  • Conduct patch testing on an isolated system to determine if there are unforeseen or unwanted side effects;
  • Approve deployment of patches after conducting the evaluation and testing;
  • Deploy or install the patches on live or production systems following approval; and
  • Test systems after deploying the patches to verify that patches were applied correctly and no unforeseen side effects exist.

The OCR report warns that depending on the patch, an entity’s HIPAA obligations may be triggered. System modifications that affect the security of ePHI may trigger an entity’s obligation to evaluate whether the ePHI remains protected following an environmental or operational change.

Subscribe to blog