ALERT: Fined for Unpatched Software
Anchorage Community Mental Health Services (ACMHS) was recently hit with a $150,000 fine for failing to apply software patches.
ADMHS is a five-facility, non-for-profit organization providing behavioral healthcare services to children, adults, and families.
This HIPAA settlement in the Alaska case marks the 1st time The Department of Health and Human Services’ Office for Civil Rights has levied a penalty tied to unpatched software, which is not specifically addressed in the HIPAA Security Rule. The OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of the mental health provider’s information technology resources.
OCR’s investigation revealed that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these were not followed. The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating software with available patches and running outdated, unsupported software, OCR says.
“ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches,” says the OCR resolution agreement with ACMHS.
In addition, OCR says that contributing to the incident was ACMHS’ failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.
OCR Director Jocelyn Samuels states:
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilites and unsupported software that can leave patient information susceptible to malware and other risks.”
Independent HIPAA and healthcare attorney Susan A. Miller states:
“This is a wake up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].”
“The lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately,” Miller adds. “That includes operating systems, electronic health records, practice management – and any electronic tool containing PHI.”
Our personalized Monthly Service Plans make sure your patches are up-to-date, and your system is safe and secure!
Call us for a Network Security Analysis!
We Make I.T. Work!