Kusserow on Compliance: OCR releases new guidelines on software vulnerabilities and patching

The HHS Office for Civil Rights (OCR) recently released a report focuses on software bugs and patches designed to reduce the vulnerability of computer systems that put electronic personal health information (ePHI) at risk. The OCR noted that last year researchers discovered a widespread vulnerability in computer processors that were sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allow “malware” to bypass data access controls and potentially access sensitive data. This security flaw has been present in nearly all processors produced in the last 10 years and affects millions of devices. Upon discovery of these defects, vendors scrambled to release patches that addressed this problem. Managing patches plays an important role in maintaining HIPAA Security Rule compliance and without them vulnerabilities will not be fixed. The health care sector relies on software to manage ePHI and organizations are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI, including the evaluation of software vulnerabilities, the assessment of potential risks, and the implementation of solutions to keep risk at a reasonable minimum. The OCR suggested the following for effective patch management:

  • Evaluate patches to determine if they apply to your software/systems.
  • Test patches on an isolated system for any unwanted side effects.
  • Once patches have been evaluated and tested, approve them for
  • Deploy patch installation on live systems.
  • Test and verify to ensure correct patch installation and no unforeseen side effects

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.