OCR warns about dangers of security vulnerabilities in third-party apps

Third-party software applications can put healthcare organizations at risk for security vulnerabilities, even if entities deploy operating system updates, according to an email alert from the Health and Human Services Department's Office for Civil Rights.

Such applications, like Adobe Acrobat, run on operating systems that receive frequent updates, but an updated operating system does not mean the third-party software has been updated too, OCR warns.

OCR also says vulnerabilities that stem from misconfigured servers, incorrect file settings and other flaws may impact third-party applications, even though those issues don't come from the software itself.

Some steps organizations should take to keep such tools secure, according to OCR, include:

  • Create criteria for third-party applications before installing new software and test against the criteria set to see if there are flaws or weaknesses in the applications.
  • Work with business associates to test those entities' applications for security issues before installation and after the applications have been installed.
  • Regularly install patches and updates to applications. "The majority of software developers disclose their security flaws to the public; however, attackers exploit these known vulnerabilities if HIPAA Covered Entities and Business Associates do not fix the security flaws in a timely manner," OCR notes.
  • Carefully review a third party's software license agreement, which should highlight possible risks; this information should not be ignored, OCR warns.

Healthcare organizations face about one cyberattack per month and are still struggling to find effective strategies to keep systems secure, according to research from the Ponemon Institute.

OCR itself has been upping the ante when it comes to issuing guidance on, and warning about, both security risks and the need to protect and free patient data.
