Imagine the following: based on the crimes around your home, you are very concerned about your safety and install the latest alarm system for your home. The system recognizes you, arms itself automatically when you leave home, and disarms when you enter. The system also provides you with cameras so you can see anyone at the door or inside your home regardless of where you are. There is even a function where the system contacts your local police or fire department using voice
However, the system is not isolated and has several vulnerabilities that the system itself cannot fix, such as:
The good news is that most system developers continue to update their systems on an ongoing basis, so that if a flaw is identified they work out a solution and release it to their customers via what is known as “system patches”. The bad news is that you may not find out about them until it is too late, after an incident that could have been prevented has occurred.
Let’s bring the same scenario to the healthcare arena. For the most part, everyone has some kind of antivirus software within their system. For the most part, they think this is enough to protect their system and the information within it. For the most part, they are mistaken in their logic.
We at Taino Consultants have antimalware that is updated weekly, we also have anti-ransomware, and we have our system monitored externally, yet a couple of days back I decided to check one of the computers and found over 1,000 unauthorized programs within one computer alone. The point being that we, all of us, are under attack on an ongoing basis. Software developers know this and try to keep up by developing and releasing patches to their systems so you remain protected. They also advise customers when a software version will no longer be supported so customers can migrate to the latest version with the corresponding upgrades. Yet many times these security messages get lost or are not taken seriously.
Under HIPAA Security, the Federal Government has issued guidelines regarding the importance of software patches. In the case against the Alaska Department of Health and Human Services (ADHSS), the agency was cited for HIPAA violations, which included not having “implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.” This particular case was settled for $1.7 million plus implementation of a corrective action plan and the implementation of a monitor to report back to the Department of Health and Human Services with updates on their compliance actions.
Definitely, system patches are part of our daily lives and an item we must not overlook. Do not underestimate the threat of running outdated systems, and consider adding to your budget a subcontractor to monitor and maintain your system operations, as this will be an investment in your organization’s future and a cost of doing business.