Are You Patching Security Holes Weekly?

Patch management—identifying known vulnerabilities in information systems and fixing them with specific “patches” from vendors—is an obvious component of a healthcare information security strategy. But is patch management a regularly scheduled component of the strategy?


But is patch management a regularly scheduled component of the strategy? Healthcare organizations should use scanning tools to run vulnerability scans of information systems weekly to identify new areas of security weakness, such as an unauthorized program reading PDF files, says Rob Juncker, vice president of engineering at Shavlik, a vendor of patch management, software license control management and secure mobile email products.

“Patch Tuesday,” the second Tuesday of each month, is a good time to do the scans, because that is when Microsoft and a number of other vendors publish their security advisories along with the patches that fix them. Most products don’t automatically apply a patch; it generally takes a technician to do the work unless the network is using automated patch management software, Juncker says. Either way, Tuesday is a good day to make sure vulnerabilities are identified and fixed.

Chief information officers and chief information security officers are well aware that protected health information has become a valuable commodity to criminal enterprises, Juncker says. But what many may not understand is the rate at which PHI is being stolen. “What we see is that it is happening a lot faster than a gradual shift we’ve seen in the past.”

Once a network is compromised, it’s tough to get the bad stuff off it. The challenge is tougher in healthcare than many other industries, according to Juncker. Companies elsewhere have clusters of machines holding simpler data, such as financial data, in one area. But healthcare has more networks holding more diverse and complex data, with the networks more spread out and with special rules (HIPAA) on how to handle the data.

Healthcare organizations also may have ancillary information systems in various locations that the IT department doesn’t know about. Maybe an acquired rural provider brought in an old system, or a fax machine or some other small device broke in a hospital unit and the staff simply replaced it without telling IT.

With the HHS Office for Civil Rights having handed down more than 20 large fines accompanied by corrective action plans to healthcare organizations, and with a new HIPAA compliance audit program coming, the industry also faces more data protection enforcement activity than some other industries.

Vulnerabilities are everywhere. Juncker recalls a breach of protected health information last year in which a hacker got into the network through an opening in the facilities management information system. “You need software to identify and isolate systems, or get them on a patch management schedule. You have to look at everything that could be compromised, not just what you manage.”
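The two checks described above, comparing what the weekly scan finds against vendor advisories and hunting for systems on the wire that IT does not manage, can be reconciled in one small script. The following is an added example, not code from the article or from any Shavlik product. The host inventory, the advisory identifiers (ADV-EXAMPLE-…), the package names and the nmap grepable-output lines are all constructed for illustration; the only real convention relied on is the `Host: <ip> (<name>)  Status: Up` line format that `nmap -sn -oG` produces.

```python
"""Weekly scan reconciliation (constructed example, not from the article).

Two questions a patch manager wants answered every week:
  1. Which managed hosts run a package version below a vendor's fixed version?
  2. Which hosts answered a discovery sweep but are absent from the inventory?
"""
import re

# Constructed inventory of hosts IT believes it manages: ip -> hostname + installed versions.
INVENTORY = {
    "10.0.1.10": {"hostname": "lab-ws01", "packages": {"pdfreader": "9.4.0", "officeapp": "16.0.1"}},
    "10.0.1.11": {"hostname": "lab-ws02", "packages": {"pdfreader": "9.5.2", "officeapp": "16.0.1"}},
    "10.0.1.20": {"hostname": "bms-ctrl", "packages": {"facilities-mgmt": "3.1.0"}},
}

# Constructed advisories with hypothetical identifiers. A host is affected when its
# installed version of the package is lower than "fixed_in".
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "pdfreader", "fixed_in": "9.5.0"},
    {"id": "ADV-EXAMPLE-002", "package": "facilities-mgmt", "fixed_in": "3.2.0"},
]

# Constructed output of a ping sweep in nmap's grepable format (nmap -sn -oG -).
DISCOVERY_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 10.0.1.0/24
Host: 10.0.1.10 (lab-ws01.example.local)\tStatus: Up
Host: 10.0.1.11 (lab-ws02.example.local)\tStatus: Up
Host: 10.0.1.20 ()\tStatus: Up
Host: 10.0.1.37 ()\tStatus: Up
Host: 10.0.1.38 (fax-unit4.example.local)\tStatus: Up
# Nmap done -- 256 IP addresses (5 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up")


def parse_version(version: str) -> tuple:
    """Turn '9.5.2' into (9, 5, 2) so versions compare numerically, not as strings.
    Only the numeric components are used; a suffix such as '-beta' is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def missing_patches(inventory: dict, advisories: list) -> dict:
    """Return {ip: [advisory ids]} for managed hosts still below a fixed version."""
    findings = {}
    for ip, host in inventory.items():
        for adv in advisories:
            installed = host["packages"].get(adv["package"])
            if installed is None:
                continue  # package not present on this host, advisory does not apply
            if parse_version(installed) < parse_version(adv["fixed_in"]):
                findings.setdefault(ip, []).append(adv["id"])
    return findings


def parse_live_hosts(grepable_output: str) -> dict:
    """Extract {ip: reverse-dns name} for every host the sweep reported as Up."""
    live = {}
    for line in grepable_output.splitlines():
        match = HOST_RE.match(line)
        if match:
            live[match.group(1)] = match.group(2)
    return live


def unmanaged_hosts(inventory: dict, live: dict) -> dict:
    """Hosts that are up on the network but have no inventory record: the
    acquired-site server or replaced fax unit nobody told IT about."""
    return {ip: name for ip, name in live.items() if ip not in inventory}


def weekly_report(inventory: dict, advisories: list, discovery_output: str) -> dict:
    """Bundle both checks into the report a weekly job would emit."""
    live = parse_live_hosts(discovery_output)
    return {
        "needs_patch": missing_patches(inventory, advisories),
        "unmanaged": unmanaged_hosts(inventory, live),
        "hosts_up": len(live),
    }


if __name__ == "__main__":
    report = weekly_report(INVENTORY, ADVISORIES, DISCOVERY_OUTPUT)
    for ip, advisories in report["needs_patch"].items():
        print(f"PATCH   {ip} ({INVENTORY[ip]['hostname']}): {', '.join(advisories)}")
    for ip, name in report["unmanaged"].items():
        print(f"UNKNOWN {ip} ({name or 'no reverse DNS'}): not in inventory, isolate or enroll")
```

Running it lists the workstation still on the old PDF reader and the facilities-management controller as needing patches, and flags two live addresses (one with no reverse DNS at all) that the inventory has no record of. In practice the inventory comes from the patch management or CMDB system and the discovery lines from a scheduled sweep; the point of the comparison is that an unknown host gets either enrolled into the patch schedule or isolated, rather than quietly staying outside both.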
