OCR warns of security vulnerabilities in third-party apps

Third-party software applications can expose healthcare organizations to security vulnerabilities even when those organizations keep their operating systems up to date, according to an email alert from the Health and Human Services Department's Office for Civil Rights.

Such applications, Adobe Acrobat for example, run on operating systems that receive frequent updates; but an operating system update does not patch the third-party software running on it, OCR warns. Each application needs its own updates from its vendor.

OCR also says that weaknesses outside the software itself, such as misconfigured servers, incorrect file settings and other flaws in the surrounding environment, can expose third-party applications to attack even when the application code is sound.

Some steps organizations should take to keep such tools secure, according to OCR, include:

  • Define security criteria for third-party applications before installing new software, and test candidate applications against those criteria for flaws or weaknesses.
  • Work with business associates to test their applications for security issues both before and after installation.
  • Install patches and updates for applications regularly. "The majority of software developers disclose their security flaws to the public; however, attackers exploit these known vulnerabilities if HIPAA Covered Entities and Business Associates do not fix the security flaws in a timely manner," OCR notes.
  • Carefully review a third party's software license agreement, which should highlight possible risks; that information should not be ignored, OCR warns.

Healthcare organizations face about one cyberattack per month and are still struggling to find effective strategies to keep systems secure, according to research from the Ponemon Institute.

OCR itself has been upping the ante in issuing guidance on, and warnings about, both security risks and the need to protect patient data while making it available to patients.