You won’t find the words “Patch Management” in the HIPAA Security Rule, but given recent action taken by the US government agency that enforces HIPAA compliance, it’s there. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with a community behavioral health organization in December 2014 concerning potential HIPAA violations that surfaced as a result of the OCR’s investigation of a breach of electronic protected health information (ePHI), which the organization had reported to HHS in March 2012.
The press release announcing the settlement included a quote from OCR Director Jocelyn Samuels who stated, “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis … this includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Per the settlement agreement, the community behavioral health organization failed to complete the required formal security risk analysis of ePHI, failed to implement security policies and procedures, and failed to implement technical security measures—specifically, to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic, and that information technology resources were both supported and regularly updated with available patches. While firewalls and patch management are not specifically mentioned in the HIPAA Security Rule, you’ll find them implied by several implementation specifications.
First, OCR Director Samuels’ mention of “…a common sense approach to assessing and addressing the risks to ePHI on a regular basis…” is a reference to the Risk Analysis implementation specification under the Security Management Process standard which establishes the requirement to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Reading between the lines, the OCR considers unsupported or unpatched software to be a reasonably anticipated risk.
Second, under the HIPAA Security Awareness and Training standard, there is an addressable implementation specification entitled “Protection from Malicious Software,” which requires “procedures for guarding against, detecting, and reporting malicious software.” Guarding against malicious software could reasonably be interpreted to include the use of firewalls, antivirus software, and patch management. Other safeguards might include the use of intrusion detection and prevention software, web content filtering, and even requiring users to acknowledge their obligation to refrain from downloading, installing, and running unauthorized software.
For more information on patch management, see the NIST Special Publication 800-40, Revision 3, Guide to Enterprise Patch Management Technologies.