We all know that patching is something we should do. Some of us even consider it something we must do. But I don’t think any of us consider how much it could cost us if we didn’t, so take heed of the following object lesson. Anchorage Community Mental Health Services (ACMHS) was fined US $150,000 after a data breach resulted in attackers gaining access to the Personally Identifiable Information (PII) of over 2,700 individuals. In investigating the breach, the Department of Health and Human Services’ Office for Civil Rights (OCR) found that missing software patches directly contributed to the breach, and used HIPAA to invoke a sanction and fine.
ACMHS experienced a compromise of their systems stemming from a malware incident in March of 2012. In June 2012, the OCR opened an investigation after receiving notification of the incident and resulting data leakage. In the course of the investigation, it was determined that while ACMHS had adopted a set of standards for HIPAA compliance as early as 2005, they were not following these standards. Jocelyn Samuels, the director of OCR, was quoted as saying: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
ACMHS will have to revise their policies and procedures, provide training to all personnel on HIPAA requirements and safe data handling, and conduct annual risk assessments with documentation of the issues uncovered and the remedial actions taken.
This is not the first time OCR has imposed fines on healthcare providers. New York Presbyterian Hospital and Columbia University were together fined almost $5 million for storing PII in an unencrypted format, and Parkview Health System was fined $800,000 over the improper disposal of paper records belonging to thousands of patients. However, this is the first time a company was fined for an incident that resulted from something so easily avoidable. Failing to apply patches left a vulnerability that malware exploited, and that exploitation resulted in the data breach. Given the cost of living in Alaska, $150K would probably have paid for a patch management application and a full-time employee to run it for several years.
It’s important to note that the OCR bulletin does not state what was unpatched. Whether it was an operating system, an office suite, or a third-party application, a patch management solution able to update both operating systems and applications would have been key: it could have prevented this breach and would certainly have helped ACMHS avoid such a large fine. Whether your company is covered by HIPAA, PCI DSS or other compliance regulations, this should be a wake-up call for patch management. If the US government can fine companies for not patching, it won’t be long before consumers can sue businesses for the same thing when their PII is lost as a result.
You can read more about the incident, the investigation, the findings, and the fine at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/acmhsbulletin.pdf. And you can read more about GFI LanGuard at http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard to learn about how GFI LanGuard can solve your patch management challenges.