HIPAA Security – System Patches

As of January 12, 2016, Microsoft stopped support and security updates for Internet Explorer 8, 9 and 10. In other words, anyone using any of these versions after the specified date is compromising the security of their systems. From the standpoint of HIPAA Security, the failure to patch, update or migrate to an updated system may be interpreted as a violation of §164.308(a)(1)(i), which specifies that covered entities are required to “implement policies and procedures to prevent, detect, contain, and correct security violations.”

This may not be an easy task to complete, as most covered entities and business associates currently use a significant number of applications on every device. Each application may easily have patches released monthly, or even more frequently, which need to be uploaded and executed in these systems. Even worse, based on my own personal experience, the installation of a patch may cause a system incompatibility which could cause errors or, in some cases, crashes of the system. As a result, Information Technology (IT) professionals may lag behind in the installation of these critical patches, either because of the enormity of the task or because they want to see if the patches are safe to install.

The worst part of this particular situation is that there is already precedent where a Covered Entity paid $150,000 in a settlement due to a breach caused by a malware infection. Had software patches been installed on the computers, the malware would have been unable to infect the PCs. In short, do not underestimate the importance of updating your systems.