The United States Office for Civil Rights (OCR) has issued a warning about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security risks of third-party application software. Many practices pay attention only to their main computer operating system and applications, but neglect giving attention to third-party application software on their computers such as PDF readers, JAVA, other browsers and helpful utilities, etc. The complete OCR guidance is as follows.
What’s in Your Third-Party Application Software?
Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Third-party application software is designed to work within operating systems and to assist users in executing tasks on computers and other devices. For example, Microsoft Windows 7 is an operating system that controls the way computers work and how other programs function, but Acrobat Adobe is a third-party application that is utilized by computer users to create, modify, and read PDF files. Many HIPAA Covered Entities and Business Associates may think their computers and devices that utilize operating systems are secure because the Covered Entities and Business Associates are deploying operating-system updates, but many systems are still at risk from third-party software.
According to a recent study, a majority of companies use third-party applications or software, but less than 1 in 5 companies have performed verification on that third-party software. Also, it was reported in companies that install their operating-system patches, a fair amount have third-party software that remains unpatched.
Furthermore, third-party software may have numerous security vulnerabilities that do not stem from the applications themselves. Misconfigured servers, improper files settings, and outdated software versions may contribute to third-party software security vulnerabilities.
Covered Entities and Business Associates Should Consider:
Testing Software Prior to Installation
HIPAA Covered Entities and Business Associates should define the criteria they are willing to accept for safe third-party applications, including open source and public domain applications. Applications should meet the corporate standards set by the entities and also satisfy compliance requirements, and entities should test against these criteria.
The purpose of conducting security testing on software is to reveal flaws in its security mechanisms and find the vulnerabilities or weaknesses of software applications. For example, conducting testing may find out how vulnerable a system may be to flaws in applications and determine whether data and resources are protected from potential intruders.
HIPAA Covered Entities and Business Associates should work with their Business Associate vendors to test their applications for security vulnerabilities prior to installation, and on a regular basis after the software has been installed.
Installing Software Patches or Updated Versions
Software patches repair “bugs” in applications and software programs. Patches are updates that fix a particular problem or vulnerability within a program. HIPAA Covered Entities and Business Associates should be installing patches or updating the software versions promptly and on a continuous basis. The majority of software developers disclose their security flaws to the public; however, attackers exploit these known vulnerabilities if HIPAA Covered Entities and Business Associates do not fix the security flaws in a timely manner.
Though applying patches is essential to ensure the security of information systems, patches should be assessed prior to deployment to determine the risk they pose to the HIPAA Covered Entity’s information systems.
Reviewing Software License Agreements
A software license agreement [also known as end user license agreement (EULA)] highlights the risks that can make electronic protected health information (ePHI) vulnerable. Data can be compromised if HIPAA Covered Entities and Business Associates ignore the language in a software license agreement, as such behavior can expose a computer and its connected networks and systems to security risks.
Software license agreements are legal binding agreements that can have restrictions on how the software can be used; the agreements can require entities to agree to certain conditions when using the software, and can also limit their ability to sue for damages.
To protect information systems and networks from security and privacy problems related to EULAs, the United States Computer Emergency Readiness Team (US-CERT) recommends that entities:
- Review the Software EULA – Before installing any software, take the time to read its EULA.
- Beware of Firewall Prompts When Installing Software – During installation, if your firewall generates a prompt asking whether you want to allow certain inbound or outbound connections, proceed with caution. Verify that the software requires changes to your firewall settings for normal operation and that you are comfortable with this operation.
- Consider the Software Publisher – If you are not familiar with the company or organization that published the software, review the software EULA with added scrutiny.