Vulnerability Management – $150,000 Fine Issued for Unpatched Software
Anchorage Community Mental Health Services (ACMHS) failed to implement software patches, resulting in a breach that affected approximately 2,700 patients. The vulnerability in their system could have been addressed by software patches sent by the vendor; however, ACMHS did not update its systems. ACMHS lacked vulnerability management, which would have identified its areas of risk before an incident occurred.
The OCR stated in the resolution agreement, “ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”
What is Vulnerability Management?
Vulnerability management is the process of managing network security by identifying possible risks in an organization’s network, and addressing those risks with remediation efforts.
Vulnerability management consists of the following:
- Checking for vulnerabilities: there are several ways in which an organization can check its systems for possible vulnerabilities. Organizations can use an automated tool such as a vulnerability scanner; however, to conduct a thorough check organizations should implement regular:
  - Network scanning: identifies active devices on a network to determine the ‘health’ of devices connected to the network. This ensures that all devices are using current software, reducing the risk of a malicious breach.
  - Firewall logging: a real-time log that shows all of the devices that have been active on a network, including devices that were denied access to the network. This allows organizations to determine if unauthorized users have accessed or tried to access their network.
  - Penetration testing: also referred to as ethical hacking, penetration testing is when an organization hires someone to hack into its network to assess vulnerabilities. This process allows organizations to determine where their security is lacking so they may remedy the issue.
- Identifying vulnerabilities: once organizations have checked for vulnerabilities, they must assess the results to determine gaps in security that could be exploited by a hacker.
- Verifying vulnerabilities: determines if the identified gaps can realistically be exploited. Additionally, identified vulnerabilities must be categorized to determine the level of risk they pose to the organization.
- Mitigating vulnerabilities: limits the likelihood of vulnerabilities being exploited. Vulnerabilities must be addressed with patches, but in some cases a patch will not be available. Organizations may have to take affected systems offline until a patch is available. The OCR advised in its June cybersecurity newsletter, “In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access).”
- Patching vulnerabilities: vulnerabilities must be fixed through the use of patches. Organizations can contact vendors for patches that address vulnerabilities in software or hardware.
The Office for Civil Rights (OCR) recommends that organizations implement a patch management program:
- Evaluate patches to determine if they apply to your software/systems
- Test patches on an isolated system to discover if there are any unforeseen or unwanted side effects
- Approve patches for deployment once they have been evaluated and tested
- Schedule patches to be installed on live or production systems once approved
- Test and audit systems to ensure that the software patches were applied correctly
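The last step, auditing that patches were actually applied, and the OCR guidance above on compensating controls when no patch exists, can be expressed as a small inventory check. The following is an added example, not code from the original post or from OCR; the advisories, hosts, product names and versions are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.10.0' -> (4, 10, 0): compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    software: str
    fixed_in: Optional[str]  # None: vendor ships no patch (obsolete/unsupported)

@dataclass
class Host:
    name: str
    installed: Dict[str, str]  # software -> installed version

def classify(installed: str, advisory: Advisory) -> str:
    """Map one host/advisory pair to the action the OCR guidance calls for."""
    if advisory.fixed_in is None:
        # No patch exists: compensating control (restrict network access, disable service)
        return "compensating_control"
    if parse_version(installed) >= parse_version(advisory.fixed_in):
        return "patched"
    return "needs_patch"

def audit(hosts: List[Host], advisories: List[Advisory]) -> list:
    findings = []  # one finding per (host, affected software) pair in the inventory
    for h in hosts:
        for a in advisories:
            v = h.installed.get(a.software)
            if v is not None:
                findings.append((h.name, a.software, v, classify(v, a)))
    return findings

def hosts_needing_action(findings) -> List[str]:
    return sorted({host for host, _, _, status in findings if status != "patched"})
# Constructed sample inventory and advisories (hypothetical, not from the page).
ADVISORIES = [Advisory("ehr-portal", "4.3.0"),
              Advisory("legacy-fax-gateway", None),  # unsupported product
              Advisory("openssh", "9.6")]
HOSTS = [Host("ws-01", {"ehr-portal": "4.2.10", "openssh": "9.6"}),
         Host("ws-02", {"ehr-portal": "4.10.0", "openssh": "9.7"}),
         Host("fax-01", {"legacy-fax-gateway": "2.1"})]

if __name__ == "__main__":
    for f in audit(HOSTS, ADVISORIES):
        print("%-7s %-20s %-7s %s" % f)
    print("hosts needing action:", hosts_needing_action(audit(HOSTS, ADVISORIES)))
```

Note that "4.10.0" on ws-02 counts as patched only because versions are compared numerically; a string comparison would report it as older than "4.3.0" and produce a false finding.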
Implementing a vulnerability management system allows organizations to address security gaps before they result in a breach. With the increase in cyberattacks in the past few years, healthcare organizations must be vigilant in their efforts to safeguard PHI.
This is Part VIII of the XI-part blog series. You can also read Parts I to VII below:
Behavioral health practices handle protected health information (PHI) regularly, and as such must take precautions to safeguard this sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the eighth of which is vulnerability management. (Each of these XI HIPAA-outlined practices will be examined in its own article, labeled Part I-XI for your convenience.)
- Phishing Emails and Why Encryption Software is Warranted
- Using Clinical Email (Part II): Secured Email Protection Systems
- Securing your Network (Part III): Endpoint Protection Systems
- Limiting PHI Exposure (Part IV): Access Management
- Data Protection (Part V): Data Loss Prevention
- HIPAA Asset Management (Part VI)
- Network Management (Part VII)