Patching computer systems in support of §164.308(a)(5)(ii)(B), and of a healthy security program generally, continues to challenge the healthcare community. Two major obstacles are the failure to recognize all risk parameters (i.e., risk involves more than probability alone) and the concern that a software update may disrupt critical patient operations. These two hurdles are why we continue to advocate a team approach to a HIPAA Security program. When we trust one person or one department to make decisions that affect an entire hospital or clinic group, for example, we inadvertently limit the perspective required to make sound business decisions.
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency recently issued an alert about a critical vulnerability in Microsoft systems, tracked as CVE-2020-0796. A patch for this vulnerability was released a few days after Microsoft disclosed critical weaknesses in Server Message Block 3.1.1 (SMBv3) affecting all Windows 10 platforms and Windows Server versions 1903 and 1909. More importantly, DHS reports that attackers are exploiting vulnerable systems using publicly available proof-of-concept code.
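For a team deciding how urgently to act on an alert like this, the first question is which hosts are in the affected population and which are already covered. The following PowerShell check is an added example, not part of the original post or of any DHS or Microsoft guidance as published here; it reads the Windows release ID, Microsoft's documented interim workaround for this CVE (the SMBv3 `DisableCompression` registry value), and the presence of the fix, whose KB number is left as a placeholder to be filled in from the vendor advisory.

```powershell
# Added example: classify one Windows host against the CVE-2020-0796 alert.
# Run in an elevated PowerShell session on the host being assessed.

$ver       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$releaseId = $ver.ReleaseId        # e.g. '1903' or '1909'
$build     = $ver.CurrentBuild

# Affected population named in the alert: Windows 10 / Windows Server 1903 and 1909
$inScope = $releaseId -in @('1903', '1909')

# Microsoft's interim workaround: DisableCompression = 1 turns off SMBv3 compression
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$disableCompression = (Get-ItemProperty -Path $params -Name DisableCompression `
                         -ErrorAction SilentlyContinue).DisableCompression
$workaroundApplied = ($disableCompression -eq 1)

# Placeholder: substitute the KB number of the fix from the vendor advisory
$fixKb   = 'KB<FIX-FROM-ADVISORY>'
$patched = [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)

# One row per host; collect these across the fleet to drive the patch schedule
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ReleaseId           = $releaseId
    Build               = $build
    InAffectedRelease   = $inScope
    CompressionDisabled = $workaroundApplied
    FixInstalled        = $patched
    Assessment          = if (-not $inScope)        { 'Not in affected release set' }
                          elseif ($patched)          { 'Patched' }
                          elseif ($workaroundApplied){ 'Workaround only - schedule the patch' }
                          else                       { 'EXPOSED - prioritise the patch' }
}
```

The workaround reduces exposure but is not a substitute for the patch; a host reporting "Workaround only" still belongs on the patch schedule.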
The DHS note above is presented to demonstrate that timely patching matters, and that criminals really do exist and really do want to steal information. As we say at almost every speaking event, "...imagine that someone gets up every morning, drinks their coffee and heads into work; just like you. Except this person's job is to hack your information services for profit." YES, this is a real job. Hacking isn't done in the basement anymore; while there are probably some teens out there doing it, infiltrating your systems is now a profession, and any information services person who doesn't recognize this should not be in charge of patching computer systems.
Stay (HIPAA) safe,