$150K Fine for Unpatched Software: Don’t Let This Happen to YOUR Healthcare Organization

It’s not every day where you see a $150,000 US fine slapped onto a non-profit organization because of software not being patched. Truth is, they were two years overdue on their updates. This isn’t something to take lightly, it affects 2,700 individuals.

History

Anchorage Community Mental Health Services (ACMHS) failed to take basic risk assessment and, in March, 2012, was infected with malware. This malware compromised the systems of mental health providers, specifically their information technology resources. This could have been prevented if they followed a policy they adopted in 2005. Affecting that big of a population calls for action, that of which they did not take. Now, the ACMHS is being fined for a large sum because they did not take action.

What Prevention Methods Should They Have Taken

It is actually a simple fix, abide by policy and update your systems. Susan A. Miller, an independent HIPAA and healthcare attorney, stated “This is a wake-up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].” She goes on to state “the lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately.”

About Managing Risk

If managing all risks were simple, we wouldn’t have policies in place to abide by. Miller makes a great point by noting all patches should be applied and that technology security should be looked at regularly. Networks and servers also have security issues that need to take looked at. Some can happen because of employees.

Along with the fine, ACMHS is also advised to train all employees on proper security procedures and practices, within the facility. This isn’t the first case, other problems have come across major health institutions in the past.

What You Can Take from This

Monitoring your network is always a priority, but it doesn’t mean you have the time to manage it. Managing a network is the same as managing a business; keeping up to date, employees notified, on top of threats and analyzing data. Here are some actions you can take:

• Update all software – operating systems and programs can all have dangerous holes that need patching.
• Update firmware – software, but for your computer’s hardware, there is more than one way to get through a system.
• Backup all your information – security threats don’t always give you access to your data, having it in a safe place helps.
• Create an employee policy – employees bring electronics to work that can compromise your system.
• Get an IT support company on your side – focus on your company so you don’t have to worry about client information being stolen or viewed.

Don’t know where to go? Go with someone that has experience with healthcare organizations. Give us a call at (919) 424-2000 or email us at info@cspinc.com. Raleigh IT Support Company and IT Services Provider | CSP Inc., keeping disasters at bay while keeping your information safe.