OCR: Step Up Patching of Third-Party Apps
Cyber Awareness Notice Focuses on Risks, Mitigation Steps
Federal regulators are intensifying the spotlight on security risks posed to healthcare organizations and business associates by vulnerabilities in third-party applications.
"Recently, it has been reported that third-party application software security vulnerabilities are on the rise," notes a cyber awareness bulletin issued on June 7 by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA. "Many covered entities and business associates may think their computers and devices that utilize operating systems are secure because the covered entities and business associates are deploying operating-system updates, but many systems are still at risk from third-party software."
Most organizations use third-party applications, but fewer than 20 percent have performed security verifications on this software, OCR says. "In companies that install their operating system patches, a fair amount have third-party software that remains unpatched," OCR notes.
The OCR bulletin highlights a critical issue, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"Sometimes, third-party software providers are focused strictly on functionality, and not necessarily the security of their software. It can be helpful for healthcare organizations to question software vendors on how they ensure the security of their software, including whether their software has been assessed by a third party to identify potential security weaknesses."
Many organizations, especially smaller ones, fall short in their software patching practices, some security and privacy experts note.
"Smaller [organizations] do not have the expertise or resources to continually monitor and update the complex web of software and applications that support the information systems and medical devices in their organizations," notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "Often, the small organizations handling healthcare information do not have access to information security service providers either because of cost or resistance to prioritizing the safeguarding of health information."
Other factors also contribute to the challenge of applying software patches and updates in busy healthcare settings, says Keith Fricke, principal consultant at tw-Security.
"Patching requires time to test for compatibility with the clinical and business applications running in their environment," he says. "Because CEs generally operate around the clock, finding windows to schedule downtime required to apply some patches may be challenging. Also, some vendors have longer lead times on when patching is permitted, based on FDA safety requirements."
When a Software Vendor Is Also a BA
Sometimes third-party software vendors are considered business associates, and thus they're directly liable for HIPAA compliance.
"There are many examples of where a third-party software vendor is a business associate of a covered entity ... because they create, transmit or maintain protected health information," Holtzman notes.
"One example would be the MRI vendor who has access to patient data stored on the device when performing maintenance or repair," he says. Another example is "the developer of a mobile personal health record smartphone app deployed on behalf of a health plan that offers users in its network the ability to request, download and store health plan records and check the status of claims and coverage decisions."
Greene notes that healthcare entities also need to carefully monitor software vendors that host protected health information or need to access PHI during troubleshooting. "The [covered entity's] business associate agreement with the vendor would not necessarily cover the security of their software," he warns.
Another often neglected area of concern for unpatched vulnerabilities is medical devices, Holtzman says.
"Medical device vendors often incorporate third-party off-the-shelf software in their design. The end-user may not be familiar with the third-party software requirements or where to obtain the information to monitor and address developer patches and updates," he notes.
Steps to Take
Healthcare entities and business associates can take several measures to improve security involving third-party software, experts say.
"Whether you are a covered entity or business associate, the first step in addressing the security risks associated with operating system and third-party software vulnerabilities is to conduct a thorough inventory of applications and software that are operating on information systems and medical devices," Holtzman says. "Then develop a rigorous process to monitor notifications from vendors and developers of new threats and vulnerabilities and take steps to install and update the software and applications with patches developed by the vendor."
Compensating controls can also play a big part in reducing risks related to software vulnerabilities, Fricke notes. "Endpoint technologies, advanced malware protection solutions and next generation firewall technology may be able to detect and prevent some attacks against vulnerable systems until patches are either available or can be installed," he says.
In its bulletin, OCR offers suggestions to help covered entities and business associates better address the security vulnerabilities lurking in their third-party applications, including:
- Test software prior to installation to determine, for example, how vulnerable a system may be to flaws in applications and whether data and resources are protected from potential intruders;
- Install software patches or updated versions in a timely manner;
- Review software license agreements for risks that can make electronic PHI vulnerable.
"Data can be compromised if covered entities and business associates ignore the language in a software license agreement, as such behavior can expose a computer and its connected networks and systems to security risks," OCR notes.
Healthcare organizations should ask prospective business associates about their software development life cycle practices, especially their secure coding practices, Fricke stresses. "If infrastructure and staff necessary to test and deploy security patches are challenging, consider investing in some of the preventive, protective and detective technologies as compensating controls. These can provide bigger windows of time in managing risk until systems can be patched."
And OCR warns organizations to watch for other red flags.
"During installation of software, if your firewall generates a prompt asking whether you want to allow certain inbound or outbound connections, proceed with caution," OCR notes. "Verify that the software requires changes to your firewall settings for normal operation and that you are comfortable with this operation."
OCR did not immediately respond to an Information Security Media Group inquiry about the type and frequency of breaches being reported involving unpatched third-party software apps.
The agency, however, has taken HIPAA enforcement action in at least one breach investigation case involving unpatched software.
In December 2014, OCR issued a resolution agreement, which included a $150,000 financial settlement and corrective action plan, to Anchorage Community Mental Health Services after a malware-related breach affecting 2,743 individuals.
OCR said the security incident "was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software."