Let’s go back to the alerts on our phones or computers and the not-so-subtle reminder that our operating system or application needs an update, upgrade, or patch. Often, these updates aren’t urgent, though in some cases they are. But what changes are they really making? Software patches and upgrades are essential components of maintaining the functionality, security, and performance of software systems, including healthcare systems.
Software patches are small updates or fixes released by software vendors to address specific issues, vulnerabilities, or bugs in their software. Typically, software patches are designed to improve software reliability, fix security vulnerabilities, and resolve any identified problems or glitches. Cloud software connected to the internet usually patches itself automatically.
Software upgrades or updates often involve installing a new version of the software that typically includes new features, improvements, and sometimes a complete overhaul of the system. Unlike patches, which are typically designed to resolve issues quickly, upgrades aim to enhance capabilities, introduce new functionalities, and keep the software up-to-date with evolving technological standards. In short, they’ve typically spent more time in development and may include substantial changes to functionality and performance.
It’ll come as no surprise to anyone who’s regularly reading the news that threats to healthcare data, EHRs, and ePHI are at an all-time high. And, one of the biggest vulnerabilities is a failure to properly update, upgrade, or patch applications. Further, it’s a threat big enough that the FBI has recently warned healthcare organizations of the risks related to unpatched and outdated medical devices.
In fact, it’s estimated that nearly 60% of breaches can be linked back to unpatched vulnerabilities. For example, the often-cited MOVEit hack was directly related to an unpatched vulnerability, and that one incident exposed nearly 8.5 million records.
More specifically, unpatched or outdated software can result in:
Cybercriminals are constantly launching new and improved attacks on software hoping to exploit vulnerabilities. Patches are critical because they often include the latest fixes to protect against potential cyber threats and unauthorized access to sensitive patient information. But, as noted, they do more than that, including helping to maintain the stability of healthcare applications while also ensuring that the software adheres to industry standards.
And, when it comes to updates and upgrades, they often bring new features and capabilities that not only improve efficiency, workflow, and user experience, but they also ensure the software remains compatible with the latest hardware, operating systems, and other integrated tools.
While improved functionality and user experience of your software may be your main focus here, seamless integrations and operations between applications are also vital for security. In fact, the software supply chain, and failure to keep integrations performing at peak, can also create vulnerabilities resulting in supply chain attacks. Supply chain attacks can leave healthcare organizations, especially smaller ones without dedicated IT teams, vulnerable as hackers leverage third-party vendors to access vulnerable systems.
So how big a problem is it really? While we obviously can’t cover every single breach, as some don’t make the news, there’s still no shortage of bigger healthcare data breaches related to software vulnerabilities. Unfortunately, due to the nature of data breach reporting, many of the exact causes of a breach or hacking event are not disclosed.
However, it’s important to note that a vast majority of attacks and breaches are occurring at the network or server level, suggesting that bad actors found ways to access these secure areas. While unpatched software, from firewalls to applications, isn’t the only potentially vulnerable access point, it is, as noted above, one of the most prevalent access points. In fact, a 2022 report from Health and Human Services identified unpatched vulnerabilities as a “major infection vector for both ransomware and data breaches impacting the healthcare sector.”
Because many organizations in the healthcare space utilize or rely on some of the same software or third-party vendors, it’s easy to understand how failing to patch widely used software can have a huge impact across many healthcare providers.
For example, the aforementioned MOVEit hack, related to unpatched applications, resulted in significant impacts to a wide variety of healthcare organizations. More specifically, Delta Dental of California was also hit as part of the MOVEit hack, exposing nearly 7 million individuals. Similarly, Welltok had nearly 8.5 million individuals exposed and Arietis Health (an RCM third party) saw nearly 2 million individuals exposed. Nuance Communications and others were also impacted by this same attack.
And, it’s important to mention, these are, in most cases, wholly preventable attacks with a patch management strategy in place as well as general IT security priorities and protocols.
Given concerns about healthcare data security, every healthcare organization must be implementing a comprehensive security policy and plan as it relates to healthcare data. Part of that comprehensive plan includes regular software maintenance. Thankfully, there are additional steps your practice or organization can take to ensure software security.
If you need assistance ensuring your security meets HIPAA requirements, finding the right resources and tools can not only improve your security stance overall but also ensure the security of your tech stack. For many smaller practices, this means dedicating internal resources to IT demands and needs. However, many practices simply don’t have those resources available, and so managed IT services for healthcare may be a great option.
If you’d like to talk to someone about the security options available for you and your healthcare office, get in touch with the team at iCoreConnect. Our experts are ready to discuss security options and assistance available to you through our HIPAA compliance platform and managed services.