As of September 23, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) had added 225 additional vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, bringing the total to 834. These are software and operating system vulnerabilities that attackers have already used in real-world attacks; CISA lists a flaw only when it has evidence of active exploitation and a clear remediation action exists.
Patching healthcare cybersecurity vulnerabilities as soon as they are discovered is critical to maintaining the security and integrity of any network. But one type of vulnerability is notoriously hard to correct permanently.
HIPAA and Healthcare Cybersecurity Vulnerability
Under CISA's Binding Operational Directive 22-01, all Federal Civilian Executive Branch agencies must scan for each cataloged vulnerability and patch or mitigate it by the due date CISA assigns to the entry (originally two weeks for most newly added flaws). Some cataloged flaws were already fixed by earlier patches, so a system that is kept current needs no further work. Others affect products that have passed their end-of-life, for which no patch will ever ship; the only remediation is to isolate or retire the product.
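The scan-and-remediate routine described above is easy to automate against the KEV feed. The following is an added example, not code from the page or from CISA: it parses KEV-style JSON, matches entries to a local asset inventory, and reports each unpatched (host, CVE) pair with its status relative to the due date. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) follow the public feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the entries, CVE placeholders, hosts and the `end_of_life` flag are all constructed for illustration. It also covers the two cases the text mentions: entries already addressed by an earlier patch are skipped, and end-of-life products are flagged for isolation or decommissioning instead of a patch that does not exist.

```python
import json
from datetime import date

# Constructed KEV-style feed: placeholder CVE IDs, not real catalog rows.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleEHR",
         "vulnerabilityName": "ExampleEHR authentication bypass (placeholder)",
         "dateAdded": "2022-09-08", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-09-29", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "LegacyImaging",
         "vulnerabilityName": "LegacyImaging remote code execution (placeholder)",
         "dateAdded": "2022-09-01", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-09-15", "notes": ""},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "NotDeployedHere",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-09-20",
         "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-10-11", "notes": ""},
    ],
})

# Constructed asset inventory (hypothetical hosts): which products run where,
# which CVEs are already patched, and which products are past vendor end-of-life.
INVENTORY = [
    {"host": "ehr-app-01", "vendor": "ExampleVendor", "product": "ExampleEHR",
     "patched": {"CVE-0000-0001"}, "end_of_life": False},
    {"host": "ehr-app-02", "vendor": "examplevendor", "product": "exampleehr",
     "patched": set(), "end_of_life": False},
    {"host": "pacs-legacy", "vendor": "ExampleVendor", "product": "LegacyImaging",
     "patched": set(), "end_of_life": True},
]


def parse_kev(feed_json):
    """Index KEV entries by lower-cased (vendor, product), with dates parsed."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append({
            "cve": entry["cveID"],
            "added": date.fromisoformat(entry["dateAdded"]),
            "due": date.fromisoformat(entry["dueDate"]),
            "action": entry["requiredAction"],
        })
    return index


def triage(feed_json, inventory, today, warn_days=7):
    """Return every (host, CVE) pair that still needs work, most urgent first.

    `today` may be a date or an ISO string. Assets already patched for a CVE are
    skipped; end-of-life assets get an isolate/decommission action instead of the
    vendor's patch instruction, since no patch will arrive for them.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    index = parse_kev(feed_json)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for vuln in index.get(key, []):
            if vuln["cve"] in asset["patched"]:
                continue  # already addressed by an earlier patch
            days_left = (vuln["due"] - today).days
            if days_left < 0:
                status = "overdue"
            elif days_left <= warn_days:
                status = "due_soon"
            else:
                status = "open"
            action = ("isolate or decommission: product is end-of-life, no vendor patch"
                      if asset["end_of_life"] else vuln["action"])
            findings.append({"host": asset["host"], "cve": vuln["cve"],
                             "status": status, "days_left": days_left, "action": action})
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, "2022-09-23"):
        print(f"{f['status']:9} {f['host']:12} {f['cve']}  due in {f['days_left']:>3}d  -> {f['action']}")
```

Run against the real feed by replacing `KEV_SAMPLE` with the downloaded JSON and `INVENTORY` with an export from your asset management or vulnerability scanner; the vendor/product matching is deliberately case-insensitive because inventory tools rarely spell vendor names the way the catalog does.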
The list of operating systems and systems affected by vulnerabilities reads like a list of the most prominent technology names in the world, proving that no company is immune from software flaws.
The HIPAA Security Rule does not name patching explicitly, but its risk analysis and risk management standards require covered entities and business associates to identify and reduce known risks to electronic PHI, and an unpatched, actively exploited flaw is exactly such a risk. Patch management is therefore part of any effective plan for healthcare organizations and their vendors to achieve and maintain HIPAA compliance.
Failure to patch known vulnerabilities can lead to the unauthorized exposure of patients' protected health information (PHI). Leaving known, exploitable flaws unaddressed can also be cited as a failure to meet the Security Rule's risk management standard.
What is the Hardest Healthcare Cybersecurity Vulnerability to Patch?
Correcting most healthcare cybersecurity vulnerabilities is straightforward. But the vulnerabilities that pose the greatest threat to HIPAA compliance and to PHI are usually located on the chair side of the keyboard.
Most healthcare data breaches trace back to human error or misconduct rather than to software flaws. These failures take many forms, including:
- Improperly accessing patient records
- Failing to have and follow effective policies and procedures related to PHI
- Losing mobile devices and computers containing unencrypted data
- Responding to phishing emails, text messages, or other social-engineering attacks
- Ignoring industry-standard access protections such as multi-factor authentication and zero-trust principles
When these failures result in HIPAA violations, they expose companies and individuals to potential fines as well as civil and criminal actions.
Patching the Toughest Healthcare Cybersecurity Vulnerability
The best strategy for preventing human failures mirrors the one for software failures: detect, correct, and verify. A security awareness and training program is a HIPAA Security Rule requirement; the rule sets no fixed frequency, but annual training with periodic reminders is the common practice for demonstrating compliance.
Phishing attacks, for example, are the entry point for many cyberattacks and data breaches, so any credible cybersecurity training must cover phishing awareness.
The next step is to detect how well employees apply that training by following up with simulated phishing emails, text messages, and phone calls. Beyond measuring, the simulations keep the threat in employees' minds. The data from those tests then identify high-risk employees, such as repeat clickers and anyone who submits credentials, who are enrolled in mandatory, interactive awareness training. Finally, verify: later simulations should show those employees reporting the message rather than acting on it. This corrective action should be written into the organization's HIPAA policies and procedures.
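The detect-and-correct loop above turns on how simulation results are scored. The following is an added example, not code from the page or from any phishing-simulation product: it aggregates per-recipient outcomes across campaigns, flags employees for mandatory training under a stated rule, and computes the report rate that training should drive up. The result rows, employee names, outcome labels and the flagging thresholds are all constructed assumptions for this illustration; real platforms export similar events under their own column names.

```python
from collections import defaultdict

# Constructed export: one row per employee per simulated phish, as
# (employee, campaign, outcome). Outcomes used here (an assumption of this example):
#   "reported"  - used the report-phish button
#   "ignored"   - did nothing
#   "clicked"   - followed the link
#   "submitted" - entered credentials on the landing page
RESULTS = [
    ("alice", "2022-Q1", "reported"),
    ("alice", "2022-Q2", "ignored"),
    ("alice", "2022-Q3", "reported"),
    ("bob",   "2022-Q1", "clicked"),
    ("bob",   "2022-Q2", "clicked"),
    ("bob",   "2022-Q3", "ignored"),
    ("carol", "2022-Q1", "ignored"),
    ("carol", "2022-Q2", "submitted"),
    ("carol", "2022-Q3", "reported"),
    ("dave",  "2022-Q3", "clicked"),   # new hire, only one campaign so far
]

# Risk weight per outcome; credential submission is weighted far above a bare click.
OUTCOME_WEIGHT = {"reported": 0, "ignored": 0, "clicked": 1, "submitted": 3}


def summarize(results):
    """Per-employee counts of campaigns, clicks, credential submissions, reports, and risk score."""
    stats = defaultdict(lambda: {"campaigns": 0, "clicked": 0, "submitted": 0,
                                 "reported": 0, "score": 0})
    for user, _campaign, outcome in results:
        s = stats[user]
        s["campaigns"] += 1
        s["score"] += OUTCOME_WEIGHT[outcome]
        if outcome in ("clicked", "submitted"):
            s["clicked"] += 1          # a submission implies a click
        if outcome == "submitted":
            s["submitted"] += 1
        if outcome == "reported":
            s["reported"] += 1
    return dict(stats)


def high_risk(results, repeat_clicks=2):
    """Employees who should get mandatory, interactive follow-up training.

    Rule (an assumption of this example, not a HIPAA requirement): any credential
    submission, or clicking in `repeat_clicks` or more campaigns, flags the employee.
    A single click from someone with little history is recorded but not flagged.
    """
    flagged = {}
    for user, s in summarize(results).items():
        if s["submitted"] > 0:
            flagged[user] = "submitted credentials to a simulated phish"
        elif s["clicked"] >= repeat_clicks:
            flagged[user] = f"clicked in {s['clicked']} of {s['campaigns']} campaigns"
    return flagged


def report_rate(results):
    """Share of simulated phishes that were reported: the metric training should push up."""
    total = len(results)
    reported = sum(1 for _, _, outcome in results if outcome == "reported")
    return reported / total if total else 0.0


if __name__ == "__main__":
    for user, reason in sorted(high_risk(RESULTS).items()):
        print(f"{user}: mandatory training ({reason})")
    print(f"overall report rate: {report_rate(RESULTS):.0%}")
```

Re-running `summarize` on the campaigns after the mandatory training, and comparing the flagged employees' click and report counts with their earlier ones, is the verify step of the loop; the report rate is the number worth trending on a dashboard, because an employee who reports a phish protects everyone who received the same message.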
Addressing healthcare cybersecurity vulnerabilities, whether caused by software or by people, must be continuous. Cybercriminals create new attack vectors and modify old ones every day. Today, "eternal vigilance is the price of liberty" and of securing PHI.