Under the HIPAA Security Rule, covered entities (CEs) and business associates (BAs) are required to protect electronic protected health information (ePHI). In practice this means identifying and mitigating software vulnerabilities that could put ePHI at risk: conducting a risk analysis and implementing measures that reduce the identified risks to a reasonable and appropriate level.
Mitigation activities may include installing patches where a patch is available and appropriate. Patch management is, in the NIST SP 800-40 definition, the process of “identifying, acquiring, installing and verifying patches for products and systems.” When patching is not suitable (for example, a vendor has issued no fix, or the patch would break a validated medical device or legacy application), entities should implement compensating controls that reduce the risk instead, such as restricting network access to the affected system or disabling unneeded network services so that the vulnerability cannot be reached and exploited over the network.
Each organization is unique and has different systems, challenges, and needs. However, the identification and mitigation of risks associated with unpatched software is essential to ensure the protection of ePHI.
The Office for Civil Rights (OCR) recommends that organizations take the following steps as part of an effective patch management program:
Installing patches can be a significant undertaking, especially on complex or interdependent systems. Today’s threat landscape changes rapidly, and organizations must remain vigilant to ensure that patches are tested, applied correctly and safely, and verified afterwards, so that the risk to ePHI is minimized rather than merely shifted.