The Importance of Patches and Upgrades for Healthcare Data Security

Think back to the last time you got an alert on your phone or laptop, informing you that you needed to update your software or apply a patch. Most of us choose “Remind me later.” More and more, that’s becoming a dangerous choice. And, when it comes to patches and upgrades for healthcare software, the choice to ignore, postpone, or even procrastinate, can be quite costly and dangerous.

Quick Links

• What are Software Patches and Upgrades?
• The Impact of Software on Healthcare Data Security
• Recent Healthcare Data Security Incidents Related to Software
• How to Ensure Healthcare Data Security

What are Software Patches and Upgrades?

Let’s go back to the alerts on our phones or computers and the not-so-subtle reminder that our  operating system or application needs an update, upgrade, or patch. Often, these updates aren’t urgent, though in some cases they are. But what changes are they really making? Software patches and upgrades are essential components of maintaining the functionality, security, and performance of software systems, including healthcare systems. 

Software patches are small updates or fixes released by software vendors to address specific issues, vulnerabilities, or bugs in their software. Typically, software patches are designed to improve software reliability, fix security vulnerabilities, and resolve any identified problems or glitches. Cloud softwares connected to the internet usually patch themselves automatically.

Software upgrades or updates often involve installing a new version of the software that typically includes new features, improvements, and sometimes a complete overhaul of the system. Unlike patches which are typically designed to resolve issues quickly, upgrades aim to enhance capabilities, introduce new functionalities, and keep the software up-to-date with evolving technological standards. In short, they’ve typically spent more time in development and may include substantial changes to functionality and performance.

The Impact of Software on Healthcare Data Security

It’ll come as no surprise to anyone who’s regularly reading the news that threats to healthcare data, EHRs, and ePHI are at an all-time high. And, one of the biggest vulnerabilities is a failure to properly update, upgrade, or patch applications. Further, it’s a threat big enough that the FBI has recently warned healthcare organizations of the risks related to unpatched and outdated medical devices.

In fact, it’s estimated that nearly 60% of breaches can be linked back to unpatched vulnerabilities. For example, the often cited MOVEit hack was directly related to an unpatched vulnerability and that one incident exposed nearly 8.5 million records.

More specifically, unpatched or updated software can result in:

1. Weaknesses or gaps in software/application security, essentially leaving an open door for attackers to access your computer and data.
2. Phishing scams are constantly looking for an entry into your system to steal your data and they often exploit vulnerabilities left by poor patch management.
3. Lost data and data theft as hackers access systems and data is leaked through unpatched software. 
4. Compliance violations and audit failures may stem from unpatched or out-of-date software.

Cybercriminals are constantly launching new and improved attacks on software hoping to exploit vulnerabilities. Patches are critical because they often include the latest fixes to protect against potential cyber threats and unauthorized access to sensitive patient information. But, as noted, they do more than that, including helping to maintain the stability of healthcare applications while also ensuring that the software adheres to industry standards.

And, when it comes to updates and upgrades, they often bring new features and capabilities that not only improve efficiency, workflow, and user experience, but they also ensure the software remains compatible with the latest hardware, operating systems, and other integrated tools.

While improved functionality user experience of your software may be your main focus here, seamless integrations and operations between applications are also vital for security. In fact, the software supply chain, and failure to keep integrations performing at peak, can also create vulnerabilities resulting in supply chain attacks. Supply chain attacks can leave healthcare organizations, especially smaller ones without dedicated IT teams, vulnerable as hackers leverage third-party vendors to access vulnerable systems.

Recent Healthcare Data Security Incidents Related to Software

So how big a problem is it really? While we obviously can’t cover every single breach, as some don’t make the news, there’s still no shortage of bigger healthcare data breaches related to software vulnerabilities. Unfortunately, due to the nature of data breach reporting, many of the exact causes of a breach or hacking event are not disclosed.

However, it’s important to note that a vast majority of attacks and breaches are occurring at the network or server level, suggesting that bad actors found ways to access these secure areas. While unpatched software from firewalls to applications aren’t the only potentially vulnerable access point, it is, as noted above, one of the most prevalent access points. In fact, a 2022 report from Health and Human Services identified unpatched vulnerabilities as a “major infection vector for both ransomware and data breaches impacting the healthcare sector.”

Because many organizations in the healthcare space utilize or rely on some of the same software or third party vendors, it’s easy to understand how failing to patch widely used software can have a huge impact across many healthcare providers.

For example, the aforementioned MOVEit hack, related to unpatched applications, resulted in significant impacts to a wide variety of healthcare organizations. More specifically, Delta Dental of California was also hit as part of the MOVEit hack, exposing nearly 7 million individuals. Similarly, Welltok has nearly 8.5 million individuals exposed and Arietis Health (an RCM third party) saw nearly 2 million individuals exposed. Nuance Communications and others were also impacted by this same attack. 

And, it’s important to mention, these are, in most cases, wholly preventable attacks with a patch management strategy in place as well as general IT security priorities and protocols. 

How to Ensure Healthcare Data Security

Given concerns about healthcare data security, every healthcare organization must be implementing a comprehensive security policy and plan as it relates to healthcare data. Part of that comprehensive plan includes regular software maintenance. Thankfully, there are additional steps your practice or organization can take to ensure software security.

1. Create a patch management plan with a regular schedule for applying software patches and updates. 
2. Assign a team, or at least more than one person, to monitor for and apply security patches in particular.
3. Task these individuals with staying informed about software release schedules and managing vendor communication to understand the impact of patches and upgrades on your healthcare system.
4. Prior to implementation of any new software or updates, conduct thorough testing to ensure that patches and upgrades do not adversely affect critical healthcare processes.
5. Keep detailed records of all software updates applied, including patch notes and upgrade documentation. In part, this can provide peace of mind because you know you have the latest security updates. But also, should you need to backtrack or provide documentation in the event of an incident, you’ll be able to provide the audit trail you need.
6. Consider moving to cloud-based software and data storage, which performs most patches and upgrades automatically and takes the burden of manual application and tracking off your staff.

By staying vigilant and proactive in applying patches and upgrades, healthcare providers can contribute to a more secure, stable, and feature-rich healthcare IT environment. Further, enacting a stringent patch management plan, you can reduce the risks your practice is facing and, ultimately, avoid preventable security attacks.

If you need assistance ensuring your security not only meets HIPAA requirements, finding the right resources and tools can not only improve your security stance overall, but ensure the security of your tech stack as well. For many smaller practices, this means dedicating internal resources to IT demands and needs. However, many practices simply don’t have those resources available and so managed IT services for healthcare may be a great option.

If you’d like to talk to someone about the security options available for you and your healthcare office, get in touch with the team at iCoreConnect. Our experts are ready to discuss security options and assistance available to you through our HIPAA compliance platform and managed services.