Federal Regulators Put Spotlight on Software Risks.

Federal regulators are intensifying the spotlight on security risks posed to healthcare organizations and business associates by vulnerabilities in third-party applications.

On June 7 the HHS OCR stated, “Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Many covered entities and business associates may think their computers and devices that utilize operating systems are secure because the covered entities and business associates are deploying operating-system updates, but many systems are still at risk from third-party software.”

While almost every organization uses third-party applications, less than 20 percent have performed verifications on this software, according to the OCR.

Many third-party software providers are focused strictly on functionality, and not necessarily the security of their software. Healthcare organizations should question software vendors on how they ensure the security of their software, including independent assessments to identify potential security weaknesses.

This is especially important for smaller providers that don’t have the resources to continually monitor and update a complex web of software and applications that support their information systems and medical devices.

Software Vendors May Be a BA

In some cases third-party software vendors are considered business associates, and thus are directly liable for HIPAA compliance. If a third-party software vendor is creating, transmitting or maintaining protected health information, then it is considered a business associate of a covered entity. Vigilance is still important, because a business associate agreement with the vendor would not necessarily cover the security of the vendor's software.

Steps to Take

Healthcare entities and business associates can take several measures to improve security involving third-party software.

  • Conduct a thorough inventory of applications and software that are operating on information systems and medical devices.
  • Monitor notifications from vendors and developers of new threats and vulnerabilities and take steps to install and update the software and applications with patches developed by the vendor.
  • Look for endpoint technologies, such as advanced malware protection solutions and next-generation firewall technology, that may be able to detect and prevent some attacks against vulnerable systems until patches are available or can be installed.

In its bulletin, OCR offers suggestions for better addressing the security vulnerabilities lurking in their third-party applications, including:

  • Test software prior to installation to determine, for example, how vulnerable a system may be to flaws in applications and whether data and resources are protected from potential intruders.
  • Install software patches or updated versions in a timely manner.
  • Review software license agreements for risks that can make electronic PHI vulnerable.

Data can be compromised if covered entities and business associates ignore the language in a software license agreement, as such behavior can expose a computer and its connected networks and systems to security risks.

If you have any questions about the security of your IT systems, give ITPAC a call today.