OCR: Step Up Patching of Third-Party Apps; Cyber Awareness Notice Focuses on Risks, Mitigation Steps
… Other factors also contribute to the challenge of applying software patches and updates in busy healthcare settings, says Keith Fricke, principal consultant at tw-Security.
“Patching requires time to test for compatibility with the clinical and business applications running in their environment,” he says. “Because CEs generally operate around the clock, finding windows to schedule downtime required to apply some patches may be challenging. Also, some vendors have longer lead times on when patching is permitted, based on FDA safety requirements.”
Compensating controls can also play a big part in reducing risks related to software vulnerabilities, Fricke notes. “Endpoint technologies, advanced malware protection solutions and next generation firewall technology may be able to detect and prevent some attacks against vulnerable systems until patches are either available or can be installed,” he says.
“Data can be compromised if covered entities and business associates ignore the language in a software license agreement, as such behavior can expose a computer and its connected networks and systems to security risks,” OCR notes.
Healthcare organizations should ask prospective business associates about their software development life cycle practices, especially related to secure coding practices, Fricke stresses. “If infrastructure and staff necessary to test and deploy security patches are challenging, consider investing in some of the preventive, protective and detective technologies as compensating controls. These can provide bigger windows of time in managing risk until systems can be patched.”