OCR warns about dangers of security vulnerabilities in third-party apps


Third-party software applications can put healthcare organizations at risk for security vulnerabilities, even if entities deploy operating system updates, according to an email alert from the Health and Human Services Department's Office for Civil Rights.

Such applications, like Adobe Acrobat, run on operating systems that receive frequent updates, but an updated operating system does not mean the third-party software is updated too, OCR warns.

OCR also says vulnerabilities that stem from misconfigured servers, incorrect file settings and other flaws may impact third-party applications, even though those issues don't come from the software itself.


Some steps organizations should take to keep such tools secure, according to OCR, include:

  • Create criteria for third-party applications before installing new software, and test the applications against those criteria to see if they have flaws or weaknesses.
  • Work with business associates to test those entities' applications for security issues before installation and after the applications have been installed.
  • Regularly install patches and updates to applications. "The majority of software developers disclose their security flaws to the public; however, attackers exploit these known vulnerabilities if HIPAA Covered Entities and Business Associates do not fix the security flaws in a timely manner," OCR notes.
  • Carefully review a third party's software license agreement, which should highlight possible risks; this information should not be ignored, OCR warns.

Healthcare organizations face about one cyberattack per month and are still struggling to find effective strategies to keep systems secure, according to research from the Ponemon Institute.

OCR itself has been upping the ante when it comes to issuing guidance on, and warning about, both security risks and the need to protect and free patient data.
