Security patching matters

There have been a lot of headlines lately about Windows 7 end of life and Windows 10 security patches. Let’s discuss why supported software and security patching matters for all software, not just Windows. Then, we can talk about why it matters under HIPAA.


In this episode:

Why Security Patching Matters – Ep 239

The HIPAA Boot Camp

2020 Spring Session Dates

March 24, 25, 26

Tucker, GA

2020 Fall Session Dates Coming Soon

For info go to TheHIPAABootCamp.com

Registration Form


Share Help Me With HIPAA with one person this week!

Thanks to our donors!

Your support is appreciated!

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Why Security Patching Matters

Patching means more than most people think.  That includes folks who understand tech and those who don’t.

What does patching really mean to non-technical people?

If a problem is found in software, a patch is issued to fix it.  Sometimes the problem is a simple one, but many other times the fix addresses something that impacts the security of the application.  It is literally just a patch to cover up a hole in the software.

What does HIPAA say about patching?

Way back in 2014 I wrote about how HIPAA applied when security patches for XP stopped, and why that mattered.  Here we are again with the same questions as Windows 7 reaches end of life.  Here is the first HIPAA statement that is pertinent:

164.306(a)(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

This is another part you must address also.

164.308(a)(5)(i)(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

That makes it pretty easy to frame the argument: can you reasonably anticipate threats due to the lack of security patches?  Maybe you can find another way to address those threats.  Just remember, here is what the law says you can consider when figuring that part out.

164.306(b)(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

Clearly, you have some HIPAA-specific issues to address if you are purposely using an operating system that you know will no longer receive security updates.  It is important to also realize this goes for more than just operating systems; it goes for all kinds of applications you have on your network.

What do we mean when we talk about patching?

Windows 7 will no longer have security updates released by Microsoft.  Ironically, the other major issue this week related to Windows 10, not Windows 7.  If it had involved Windows 7 it would likely have been patched.  But, what if another one is found in 6 months?

The Windows 10 issue is so scary the NSA notified Microsoft about it and made a big deal about their transparency.  That is another story.  What is important here is that this one is so scary they urge us all to install the patch ASAP.  It is unfortunate, but we will likely see this used by the bad kind of hackers sooner rather than later.

I do not recall HHS ever sending out an alert to patch systems, but they did just that over this one.  Is that an indication of how bad this is, or is it a change in what is required to get patching done more urgently?  Probably a little of the second, but most likely it is because this one is severe.

Here is a list of articles we have been tracking related to specific patches.

https://www.healthcareinfosecurity.com/patching-windows-so-urgent-in-healthcare-sector-a-13615

https://www.secureworldexpo.com/industry-news/recovering-from-vpn-compromise-hardening-vpn

https://thehackernews.com/2019/11/vnc-remote-software-hacking.html

https://it.slashdot.org/story/19/10/08/2016251/d-link-home-routers-open-to-remote-takeover-will-remain-unpatched

What kind of patching should be happening

There is a recent blog article from Microsoft titled Patching as a social responsibility that announced they are partnering with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE).  The plan is to help make it “easier for organizations to plan, implement, and improve an enterprise patch management strategy”.  This was prompted after watching the WannaCry attack race around the world due to a patch that had not been installed.

One of the interesting points in the article hit the nail on the head about an issue we hear about often in the patching discussions we have with tech staff.  As part of the program they held a series of meetings where they actually asked organizations why they weren’t patching quickly enough to prevent the attack.  Here is what they said they heard:

While the discussions mostly went in expected directions, we were surprised at how many challenges organizations had on processes and standards, including:

  • “What sort of testing should we actually be doing for patch testing?”
  • “How fast should I be patching my systems?”

This articulated need for good reference processes was further validated by observing that a common practice for “testing” a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum.

Interesting, that point about checking a forum to see if someone else has had a problem before loading the patch themselves.  The issue is how long you wait.  The patches that prevented WannaCry had been out for three months.  Their next point was what they think needs to be resolved.

Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think.

Patching should be happening on a regular basis for all of the applications that run on your network.  That includes firmware on devices as well as operating systems and business applications.  Adobe updates frequently.  Oracle had a large number of patches come out last week, but it was overshadowed by the Windows issues.

Patches need to be loaded for all software.  There have been recent announcements about issues in VPN server software that need patching.  Many folks don’t even know what VPN software they are using. https://www.bankinfosecurity.com/unpatched-vpn-servers-targeted-by-nation-state-attackers-a-13202

How to manage patching with the IT team in your organization

We discussed this in an episode last fall: you need to understand how the IT folks are managing patches. 7 Questions To Ask IT – Ep 218

Understand what the patching policies are for your IT team.  This is when you need to compare your own policies and procedures to what your IT folks are really doing.  If you don’t already know how they handle patching, this is a good time to find out.  You have to understand how they will be handling the immediate issues.

A plan for who is in charge of reviewing the patches and making sure they are loaded for all of your systems, firewalls, routers, medical devices, etc. is essential.  Don’t make assumptions, because it is clear there will be a continuing parade of these issues.

While you are discussing devices you also have to address all of the applications you allow on your systems.  When we ask for a software inventory and suggest you keep a list of what your systems should have on them, this is exactly why you need to know these things.

After that meeting you should have a documented plan for managing patches that includes who, what, and when.

Priorities must be set, and if you are assuming IT is handling it, are you sure their priorities match yours? https://www.bankinfosecurity.com/how-to-prioritize-vulnerability-patching-a-13200

I am not saying you have to understand the details of these things but you need to understand what is happening concerning patching. These are as many business decisions as technical ones.
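As an added example (not part of the episode or its show notes), here is a small Python review of a constructed asset inventory that puts the who, what and when of the plan in one place: it flags anything whose vendor support has ended, since no patch will ever arrive for it, and anything still supported that has gone past the patch window your own policy sets for its criticality. The asset names, owners, dates and window lengths are all made-up assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Maximum days a supported item may go unpatched, by how critical it is to
# ePHI. Constructed policy values for this example, not a HIPAA requirement.
PATCH_WINDOW_DAYS = {"high": 14, "medium": 30, "low": 90}

@dataclass
class Asset:
    name: str
    owner: str                      # the "who" in the documented plan
    software: str                   # the "what"
    end_of_support: Optional[date]  # None: the vendor still ships patches
    last_patched: date              # the "when"
    criticality: str                # "high", "medium" or "low"

def review(assets: List[Asset], today: date) -> List[Tuple[str, str, Asset]]:
    """Return (flag, reason, asset) findings, most urgent first. UNSUPPORTED
    outranks OVERDUE: no patch will ever fix an out-of-support item, so it
    needs replacement or a compensating control, not a faster patch cycle."""
    findings = []
    for a in assets:
        if a.end_of_support is not None and a.end_of_support <= today:
            findings.append(("UNSUPPORTED", f"{a.software} left support on {a.end_of_support}", a))
            continue  # patch age is meaningless for something that gets no patches
        age = (today - a.last_patched).days
        limit = PATCH_WINDOW_DAYS[a.criticality]
        if age > limit:
            findings.append(("OVERDUE", f"last patched {age} days ago, window is {limit}", a))
    flag_rank = {"UNSUPPORTED": 0, "OVERDUE": 1}
    crit_rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (flag_rank[f[0]], crit_rank[f[2].criticality]))
    return findings

# Constructed inventory. Only the Windows 7 end-of-support date (14 January
# 2020) is real; every other name and date is made up for the example.
REVIEW_DATE = date(2020, 1, 24)
INVENTORY = [
    Asset("front-desk-pc", "Internal IT", "Windows 7", date(2020, 1, 14), date(2020, 1, 14), "high"),
    Asset("edge-firewall", "Network vendor", "Firewall firmware", None, date(2019, 9, 1), "high"),
    Asset("vpn-gateway", "Network vendor", "VPN server software", None, date(2020, 1, 15), "high"),
    Asset("imaging-station", "Clinical ops", "Imaging device software", None, date(2019, 11, 20), "medium"),
    Asset("lobby-printer", "Facilities", "Printer firmware", None, date(2019, 12, 1), "low"),
]

if __name__ == "__main__":
    for flag, reason, a in review(INVENTORY, REVIEW_DATE):
        print(f"{flag:<11} {a.name:<16} owner={a.owner:<15} {reason}")
```

Swap in your real inventory and policy windows and the output becomes the agenda for the meeting with IT: the top line is whatever needs a replacement or compensating control, and everything below it needs a patch with an owner's name next to it.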

Oh, and ask your vendors if they are doing this exercise themselves. https://threatpost.com/cisco-dcnm-flaw-exploit/151949/

That is a lot of information, yes.  But, make sure you share it with anyone that can help get these things done properly to protect your information.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.