This content is part of the Essential Guide: HIPAA compliance, patient data security top provider concerns

Track legacy software for patient data security, HIPAA compliance

The HIPAA omnibus rule has thrown the spotlight on securing patient data. Track legacy software patches closely to maintain HIPAA compliance.

Patient data security and HIPAA compliance have been, and will continue to be, at the top of every healthcare IT executive's agenda, especially with the omnibus rule's enforcement period commencing Sept. 23, 2013. With constant changes and additions to health IT infrastructure and systems, coupled with the specter of increasing threats, CIOs and CISOs must continually evaluate how best to monitor and protect patient data.

One facet of data security getting a lot of attention these days is how to deal with end-of-life cycles for commonly used PC products that no longer receive vendor security updates and patches. Specifically, Windows XP and Office 2003 will no longer be supported or receive security updates as of April 8, 2014.

While most hospitals have already upgraded or are in the process of replacing all their Windows XP machines, it's important to note that many other products used within a hospital facility also need to be kept on the latest stable updates, fixes or firmware. Workstations, applications, routers, hypervisors and medical devices that don't run on the latest versions of Windows still need their own security updates, and each has its own vendor, release cadence and support lifecycle.


Keeping workstations patched with updates from Microsoft and other third-party vendors covers the most visible part of the attack surface, but it does not by itself ensure patient data security. IT staffers should also maintain an inventory database (or a dedicated asset-management application) that tracks every other device and application that could pose a security risk: product, installed version or firmware level, vendor support status, and whether the system handles electronic protected health information.

These records serve mostly as a point of reference to be reviewed periodically. When a vendor sends notice of a security update or fix, look up the affected product in the inventory and compare the installed version against the version that contains the fix; that comparison tells you which actions and upgrades are necessary to maintain HIPAA compliance, and on which systems.

Like most products and devices used within hospitals, legacy systems are likely to carry vulnerabilities. Not every vulnerability will be exploited, but to safeguard electronic health records you must know and manage the risks of every product in use. Where a system cannot be patched or replaced right away, for example a medical device awaiting vendor-validated firmware, document the gap and apply compensating controls such as network isolation until it can be brought up to date.

Close tracking of versions and updates shows that many vendors release security patches frequently, while others remain question marks. Knowing where your risks lie can inform future system upgrades and other purchasing decisions based on minimizing data security risk.

About the author:
Reda Chouffani is vice president of development with Biz Technology Solutions Inc., which provides software design, development and deployment services for the healthcare industry.
