BAS Blog

OCR Guidance on Software Vulnerabilities and Patching

Written by BAS | Jul 26, 2018 12:00:00 PM

In a recent newsletter, the Office for Civil Rights of the U.S. Department of Health and Human Services provided guidance on software vulnerabilities and patching.

Software is the set of instructions that runs computers and other electronic devices. Software often contains “bugs,” which are coding mistakes that affect how the software works. According to OCR, some of these bugs may introduce security vulnerabilities that could allow hackers access to a user’s computer network. Covered entities under HIPAA rely on software for processing and handling PHI.

When covered entities perform their risk assessment, they should identify and mitigate the risks and vulnerabilities that unpatched software may pose to an organization’s electronic protected health information. The mitigation activity should include installing patches where reasonable and appropriate.

For the full newsletter on patching software vulnerabilities, click here.