Now you realize that the person logging in at 3 am
probably was not Mary, and that her account has most
likely been compromised, and now you have a data
breach on your hands.
So the sooner your systems can identify and stop this
type of behavior, the better for all concerned.
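The kind of check that would have caught "Mary's" 3 am login is straightforward to express over an authentication log. The following is an added example, not code from the original article or from any EMR/PM vendor: the log format (one line per authentication event), the user names, the IP addresses and the 07:00-19:59 business-hours window are all constructed assumptions, so adapt them to the audit logs your EMR/PM system or directory service actually produces.

```python
"""Detect logins that look like the 3 am "Mary" scenario: a successful login
outside the user's normal hours, from a source the user has never used.

Added example, not from the original article. The log format, user names,
IP addresses and business-hours window below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, in chronological order.
SAMPLE_LOG = """\
2024-03-04T08:55:12 user=mary result=success src=10.0.2.15
2024-03-04T09:02:41 user=jsmith result=success src=10.0.2.22
2024-03-04T17:31:09 user=mary result=success src=10.0.2.15
2024-03-05T03:04:18 user=mary result=success src=203.0.113.77
2024-03-05T03:05:02 user=mary result=failure src=203.0.113.77
2024-03-05T08:47:55 user=mary result=success src=10.0.2.15
2024-03-05T23:10:44 user=oncall result=success src=10.0.2.40
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time (assumed policy)


def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def successful_logins(log_text):
    return [r for r in map(parse_line, log_text.splitlines())
            if r["result"] == "success"]


def off_hours_logins(log_text, expected_offhours=frozenset()):
    """Successful logins outside BUSINESS_HOURS, ignoring accounts that are
    expected to work at night (on-call staff, batch service accounts)."""
    return [r for r in successful_logins(log_text)
            if r["user"] not in expected_offhours
            and r["ts"].hour not in BUSINESS_HOURS]


def new_source_logins(log_text):
    """Successful logins from a source IP the user has not used before in
    this log. Alone this is noisy (laptops move); combined with the
    off-hours signal it is much stronger."""
    seen = defaultdict(set)
    hits = []
    for r in successful_logins(log_text):
        if seen[r["user"]] and r["src"] not in seen[r["user"]]:
            hits.append(r)
        seen[r["user"]].add(r["src"])
    return hits


def suspicious_logins(log_text, expected_offhours=frozenset()):
    """Events where both signals fire; act on these first (terminate the
    session, reset the password, open an investigation)."""
    off = {(r["ts"], r["user"])
           for r in off_hours_logins(log_text, expected_offhours)}
    return [r for r in new_source_logins(log_text)
            if (r["ts"], r["user"]) in off]


if __name__ == "__main__":
    for r in suspicious_logins(SAMPLE_LOG, expected_offhours={"oncall"}):
        print(f"ALERT {r['ts'].isoformat()} user={r['user']} src={r['src']}")
```

Run against the constructed log, only Mary's 03:04 login from 203.0.113.77 trips both signals; the on-call account's 23:10 login is exempted by policy rather than silently dropped, so the exemption list is itself something to review periodically. In production the "seen sources" baseline should come from weeks of history, not from the same log window you are scanning.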
Issue #7: Patching of Software
The use of unpatched or unsupported software on
systems which access ePHI could introduce additional
risk. In addition to operating systems, EMR/PM
systems, and office productivity applications, software
which should be monitored for patches and vendor
end-of-life include:
- Router and firewall firmware
- Anti-virus and anti-malware software
- Multimedia and runtime environments (e.g.,
Adobe Flash, Java, etc.)
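Monitoring that list for missing patches and vendor end-of-life is easier to sustain when it is a script run against an asset inventory rather than a spreadsheet. The following is an added example, not from the original article or any OCR guidance: the product names, minimum versions, host names and inventory rows are constructed for illustration (the Flash end-of-life date is the real one, 31 December 2020; the rest are made up), and real deployments would pull both the policy and the inventory from the patch-management or asset tool in use.

```python
"""Audit a software inventory against minimum patched versions and vendor
end-of-life dates.

Added example, not from the original article. POLICY and INVENTORY are
constructed for illustration; only the Flash EOL date is real.
"""
import re
from datetime import date


def parse_version(s):
    """Turn '7.0.3' or '1.8.0_202' into a tuple of ints so that versions
    compare numerically rather than as strings ('9' < '10')."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


# Constructed policy: product -> (minimum acceptable version, EOL date or None)
POLICY = {
    "router-firmware": ("4.2.1", None),
    "antivirus-engine": ("12.5.0", None),
    "java-runtime": ("1.8.0_292", None),
    "flash-player": ("32.0.0.465", date(2020, 12, 31)),
    "emr-client": ("9.3.7", None),
}

# Constructed inventory as an asset tool might export it: (host, product, version)
INVENTORY = [
    ("ws-frontdesk-01", "emr-client", "9.3.7"),
    ("ws-frontdesk-01", "java-runtime", "1.8.0_202"),
    ("ws-frontdesk-01", "flash-player", "32.0.0.465"),
    ("ws-frontdesk-01", "pdf-viewer", "11.0.2"),
    ("fw-edge-01", "router-firmware", "4.1.9"),
    ("srv-av-01", "antivirus-engine", "12.5.2"),
]


def audit(inventory, policy, today):
    """Return (host, product, reason) for every item that is unsupported,
    behind the minimum version, or not covered by the policy at all."""
    findings = []
    for host, product, version in inventory:
        if product not in policy:
            # Unknown software on an ePHI system is a finding in itself.
            findings.append((host, product, "no policy entry; cannot assess"))
            continue
        min_version, eol = policy[product]
        if eol is not None and today > eol:
            # Unsupported software stays flagged even if fully patched:
            # no further fixes will ever ship for it.
            findings.append((host, product, f"unsupported: vendor EOL {eol}"))
        elif parse_version(version) < parse_version(min_version):
            findings.append((host, product, f"outdated: {version} < {min_version}"))
    return findings


def hosts_with_findings(findings):
    return sorted({host for host, _, _ in findings})


if __name__ == "__main__":
    for host, product, reason in audit(INVENTORY, POLICY, date.today()):
        print(f"{host:18} {product:18} {reason}")
```

Two practical caveats: numeric-tuple comparison works for most vendors but not for every scheme (date-stamped firmware builds, letters in hotfix names), so check each product's convention before trusting the comparison; and an "end-of-life" entry should fire regardless of version, because an unsupported product that is fully patched today will still be exposed by the next disclosed vulnerability.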
This is the first time we have seen OCR call out this
data security practice, but it is not at all surprising in
light of WannaCry: the patch for the Windows SMB
vulnerability it exploited had been released roughly two
months before the outbreak, yet a surprisingly high
number of organizations still succumbed.
Victims included hundreds of healthcare providers in the
British National Health Service (NHS), whose operations
were seriously disrupted, putting patients at risk. The
notorious Equifax breach that same year was not
WannaCry, but it followed the same pattern: attackers
exploited a web application framework vulnerability for
which a fix had been available for about two months.
The fact is that a large share of breaches trace back to
software components that were known to be vulnerable,
and patchable, for months before they were exploited.
So this is a very sensible recommendation.
Issue #8: Insider Threat
See 45 C.F.R. §164.308(a)(3). Organizations must
“[i]mplement policies and procedures to ensure that all
members of its workforce have appropriate access to
electronic protected health information … and to