Software is your healthcare clinic’s biggest vulnerability.
If you’re like most modern healthcare offices, you’re using multiple Electronic Health Record (EHR) platforms and software applications for your day-to-day operations:
- You might manage active schedules and patient accounts on one EHR platform while using an older legacy system for record storage;
- You might use third-party communication platforms such as Skype to speak with other team members;
- You may use internet browsing clients like Firefox or Chrome to look up information;
- And within these browsers, you might have active applets such as Adobe Flash or Java running in the background.
Of course, most of us can’t do without these tools anymore. The inherent problem with these digital tools isn’t that we use them; it’s how we use and maintain them.
Unpatched Software Is Dangerous
Any office with EHRs and other web-based software applications needs to make cybersecurity a priority. Unfortunately, many healthcare clinics don’t understand the myriad ways their organizations are exposed to risk through these tools. One of the easiest ways to improve cybersecurity in this regard is to get acquainted with software patching alongside learning why outdated software is an IT threat to businesses.
What Is Patching?
Patching refers to the process of regularly updating software with the latest versions offered by the software developer. Depending on the size and complexity of the platform, these updates may be offered every few months or every few years.
These updates are necessary because, unfortunately, software development is an inexact science. Software bugs can exist in any program, even one that has been carefully tested before release. These bugs disrupt the way the software functions and often create security loopholes that malicious users can exploit.
In fact, the Department of Health and Human Services Office for Civil Rights (OCR) recently released a warning about this very issue, noting that under HIPAA, healthcare offices are responsible for protecting their electronic health information from misuse. Patching is a crucial aspect of this, because outdated software is an IT threat to businesses, and correcting newly identified security issues is one of the key benefits of software patches.
The Risks of Unpatched Software
Failing to patch software is just one misstep in a long list of necessary cybersecurity protocols, but it’s one of the easiest things for busy clinicians to overlook.
- Data Theft and Malware Attacks: Healthcare offices are at greater risk than most from lax cybersecurity practices, partly because health clinics store ePHI (electronic protected health information). Research indicates that healthcare organizations are among the top targets of dangerous ransomware attacks that seize control of a clinic’s system and attempt to extort users into paying a fee. Unpatched software creates vulnerabilities that hackers can use to launch these types of attacks.
- HIPAA Violations: Of course, any data breach or loss of ePHI results in HIPAA violations, a risk that all clinicians know well. Reports suggest that in 2017 alone, nearly 175 million patient records were affected by data breaches, the bulk of which came from hacking/IT incidents levied against a company’s server. And while the average cost of these HIPAA violations varies with the size and type of breach, it’s never pretty.
- Legal Fees: Depending on whether the loss of ePHI is considered negligent or not, healthcare organizations may be subject to legal fees or lawsuits as a result of their error. Remember the Anthem data breach back in 2015? The company ended up paying a total of $115 million to settle its outstanding legal fees, the biggest settlement for any data breach in history. And while Anthem’s breach was unprecedented in scale, smaller clinics are exposed to the same risk.
- Loss of Patient Trust: Perhaps most damaging of all is the loss of patient trust that accompanies data breaches. Consumers take their privacy seriously, and the security of their personal health information even more so. A large-scale data breach can be disastrous for small healthcare clinics that rely on long-term patient relationships, personal connections, and word-of-mouth referrals.
Software Patching Best Practices
So, how do healthcare workers protect their offices from these vulnerabilities? Following the guidance in the OCR newsletter mentioned above, clinics should implement patches using the following process:
- Evaluation: Evaluate each patch to determine if it applies to your software or system.
- Patch Testing: If possible, test patches on isolated systems to make sure they don’t produce any unforeseen or unwanted side effects, such as application disruption or instability.
- Approval: After evaluation and testing, have IT personnel approve each patch for integration.
- Deployment: Schedule approved patches for installation on live (production) systems.
- Verification: After deployment, continue testing and auditing the system to ensure that the patch was applied correctly.
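The five-stage process above can be enforced rather than just documented. The following is an added example (not from the OCR newsletter or this article) that tracks a patch through evaluation, testing, approval, deployment and verification, refusing any step whose predecessor has not been completed; the product names, version numbers and inventory are constructed, hypothetical values.

```python
"""Gate each patch through the five stages in order; constructed sample data."""
from dataclasses import dataclass

# Constructed inventory: hypothetical product -> installed version.
INVENTORY = {"ehr-scheduler": "4.2.1", "legacy-records": "1.9.0", "browser": "88.0.1"}

ORDER = ["received", "evaluated", "tested", "approved", "deployed", "verified"]

@dataclass
class Patch:
    product: str
    affected_below: str   # installed versions lower than this are affected
    fixed_version: str    # version the vendor ships the fix in
    stage: str = "received"

def version(v):
    return tuple(int(x) for x in v.split("."))

def advance(patch, new_stage):
    """A stage may only follow the stage immediately before it in ORDER."""
    if ORDER.index(new_stage) != ORDER.index(patch.stage) + 1:
        raise ValueError(f"{patch.product}: cannot go from {patch.stage} to {new_stage}")
    patch.stage = new_stage

def evaluate(patch, inventory):
    """Evaluation: the patch applies only if we run the product at an affected version."""
    installed = inventory.get(patch.product)
    if installed is None or version(installed) >= version(patch.affected_below):
        patch.stage = "not-applicable"
        return False
    advance(patch, "evaluated")
    return True

def record_test(patch, passed):
    """Patch testing on an isolated system; a failed test leaves the patch where it is."""
    if passed:
        advance(patch, "tested")
    return passed

def approve(patch, approver):
    """Approval: a named IT person signs off before production is touched."""
    if not approver:
        raise ValueError("approval needs a named approver")
    advance(patch, "approved")

def deploy(patch, inventory):
    """Deployment: refused unless the patch is approved; simulates the install."""
    advance(patch, "deployed")
    inventory[patch.product] = patch.fixed_version

def verify(patch, inventory):
    """Verification: production must now run the fixed version."""
    ok = version(inventory.get(patch.product, "0")) >= version(patch.fixed_version)
    if ok:
        advance(patch, "verified")
    return ok

def run_workflow(patch, inventory, test_passed=True, approver="it-lead"):
    """Drive one patch through all stages; returns the stage it ended in."""
    if not evaluate(patch, inventory) or not record_test(patch, test_passed):
        return patch.stage
    approve(patch, approver)
    deploy(patch, inventory)
    verify(patch, inventory)
    return patch.stage
```

A real clinic would feed the inventory from its asset list and the patch records from vendor advisories; the gating logic stays the same.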
Your clinic has enough to deal with—unpatched software shouldn’t be part of it. Keep these tips in mind to ensure your software isn’t exposing your clinic to undue risk.