Software updates and HIPAA

HHS/OCR has made it clear, through the recently assessed $150,000 fine, that a Breach due to the failure to maintain software via updates and patches will be dealt with harshly. Just ask Anchorage Community Mental Health Services after its AVOIDABLE malware Breach of 2,700 records.

While updates and patches are not statutory requirements, they have long been an HHS/OCR audit checklist (and common sense) item. It is Best Practice to update and install patches as soon as they are released – keeping in mind that by the time the patch/update has been created, the “culprit” has already been around for a while.

COMMENT: I strongly recommend against updates and patches at any frequency other than as they are issued. While there may be a small savings relative to IT, the Risk/Reward quotient absolutely pushed us to get patches and updates done ASAP. Note that HHS/OCR’s position is similar to the FTC’s position relative to other consumer information.