What is a Security Patch?

What is the Importance of a Security Patch?

Failure to timely implement a security patch may place the confidentiality, integrity, and availability of covered entity’s electronic protected health information (ePHI) at risk. The Office for Civil Rights (OCR) of the Department of Health and Human Services (the Department that enforces HIPAA) has issued reminders to healthcare providers of the importance of patch management to achieve HIPAA compliance.

Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.

What is a Patch Management Process?

A patch management process consists of identifying, acquiring, installing, and verifying patches for products and systems. 

OCR has stated that a HIPAA compliant patch management process for a networked organization should include the following elements:

• Evaluation. Evaluation consists of determining whether a given patch is applicable to a covered entity’s software and systems.
• Patch Testing. Patch testing should consist of testing the patch on one isolated system first, to see if the patch causes problems such as software malfunctions or system instability. 
• Approval. Approval consists of approving a specific patch for application, after relevant tests have proven successful.
• Deployment. Deployment consists of actually applying the patches on live systems. 
• Verification and Testing. Verification consists of testing and auditing systems after deployment to see if the patches were applied correctly, and that there were no unforeseen side effects. 

What are the Benefits of Keeping Security Patches Up to Date?

Keeping security patches up to date allows you to:

• Reduce Exposure to Cyberattacks. In many instances, security patches are available before a hacker can exploit a system vulnerability.  
• Protect Your Data. Hackers have the ability to use personal data from one system to gain access to a different one. If, for example, a hacker gains access to a user ID/password from someone who uses these same credentials to access multiple systems, the hacker can gain access to these multiple systems.
• Protect Data of Patients. Covered entities and business associates must take steps to safeguard ePHI. Security patch installation plays an important role in the safeguarding process.
• Protect Other Network Users. Worms are a type of malware that remain active on one computer as they infect other computers. Security patches play an important role in stopping the spread of computer worms to other networked devices.

When Is Patch Installation Required Under the HIPAA Security Rule?

The HIPAA Security Rule requires entities to perform risk analysis and risk management. 

The scope of the risk analysis and risk management processes encompasses the potential risks and vulnerabilities to all ePHI that an organization creates, receives, maintains, or transmits. This includes identifying and mitigating risks and vulnerabilities that unpatched software poses to an organization’s ePHI.

Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate. In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access)

Security patches play an important role in an organization’s cybersecurity strategy. Patches ensure that devices and user data have the most up-to-date protection against current cyberattacks. Whether one is securing a single device, or an array of computer systems for a large organization, one needs to have a plan in place for patch management.