The HIPAA Requirements on Patch Management

Healthcare providers are reminded by OCR to follow the HIPAA patch management requirements, which protect the privacy, integrity, and availability of ePHI. Flaws in application code can be exploited by attackers to gain access to networked computer systems.

Since software programs, operating systems and healthcare devices are never 100% perfect, it is likely that vulnerabilities will be found in them. What matters is to discover those weaknesses quickly and to act promptly to reduce the chance that attackers will exploit them.

Part of what security researchers do is discover vulnerabilities. They submit bug reports to device manufacturers so that patches can be created to correct the flaws and stop malicious actors from taking advantage of them. Developers cannot, however, test every patch exhaustively enough to catch every potential problem. Consequently, patches are not always available on time.

Testing patches before applying them therefore falls to IT departments. All vulnerable systems and devices should then be fixed with the patches. Patch management is a major task for healthcare companies' IT departments: with many IT systems and software packages, it can seem impossible to keep everything up to date given the continuous release of patches.

In June 2018, the HHS OCR cybersecurity newsletter discussed the need for patching, the requirements of HIPAA patch management and the necessity of patching vulnerable software for HIPAA compliance. OCR described patch management as the process of identifying, obtaining, installing and validating patches for products and devices.

Software programs, device firmware, email systems, operating systems, and applets such as Java and Adobe Flash are all at risk of security vulnerabilities. It is vital to identify the flaws and patch them right away, or ePHI could be compromised, potentially resulting in a HIPAA violation. The HIPAA Security Rule does not specifically mention patch management. However, finding vulnerabilities is subject to the security management process standard of the HIPAA administrative safeguards.

Healthcare providers have to perform risk analyses, including identifying vulnerabilities, in order to maintain the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(i)(A) – and must follow HIPAA-compliant risk management processes – 45 C.F.R. § 164.308(a)(1)(i)(B). Patch management is also required under the security awareness and training standard, specifically the protection from malicious software specification – 45 C.F.R. § 164.308(a)(5)(ii)(B) – and under the evaluation standard – 45 C.F.R. § 164.308(a)(8).

The first step in discovering vulnerabilities and managing patches is to take an extensive inventory of all existing systems, including the software, firmware and operating systems in use across the entire organization. Regular scans should be run to detect unauthorized software or shadow IT that has been installed.

Information on the latest identified vulnerabilities and on preventive action steps or patches can be found on the websites of the United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Covered entities are advised to check these websites often or to subscribe to their alerts. Medical device manufacturers and software vendors likewise publish essential information on vulnerabilities and fixes.

OCR recommended a Patch Management Process comprising the following steps to make sure covered entities are able to comply with the HIPAA patch management requirements:

  1. Evaluation: Determine whether the patches apply to the software and systems in your organization.
  2. Patch Testing: Apply the patch on one isolated system first to check for negative effects, such as application failures or instability.
  3. Approval: If the test succeeds, approve the patches for application.
  4. Deployment: Implement the patches on live or production devices.
  5. Verification and Testing: Once deployment is done, check and review the systems to confirm that the patches were applied correctly and that the systems encounter no unexpected problems.
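The inventory-and-scan step and the five-step process above can be modelled as a small workflow that refuses to skip a stage. The following is an added example written for this page; it is not code from OCR or from NIST SP 800-40. Asset names, installed versions, the approved-software list and the advisory ID `ADV-0001` are all constructed sample data, and the "vulnerable below version X" rule stands in for whatever a real vendor advisory states.

```python
"""Added example: inventory scan plus the five-step patch workflow.
All assets, versions and the advisory are constructed sample data."""
from dataclasses import dataclass, field

# Workflow stages in the order OCR lists them; a record may only advance one at a time.
STEPS = ["evaluation", "testing", "approval", "deployment", "verification"]


@dataclass
class Asset:
    name: str
    software: dict  # product -> installed version string, e.g. {"imaging-viewer": "2.3.0"}


@dataclass
class Advisory:
    advisory_id: str        # constructed placeholder, not a real advisory
    product: str
    vulnerable_below: str   # versions lower than this are affected
    patched_version: str    # version that closes the flaw


@dataclass
class PatchRecord:
    advisory: Advisory
    affected: list = field(default_factory=list)   # names of assets needing the patch
    completed: list = field(default_factory=list)  # stages finished so far, in order
    pilot: str = ""                                # system the patch was trialled on


def version_tuple(v):
    """Compare dotted versions numerically rather than as strings ("2.10" > "2.9")."""
    return tuple(int(p) for p in v.split("."))


def find_unauthorized(assets, approved_products):
    """Inventory scan: report installed products that are not on the approved list."""
    approved = set(approved_products)
    return {a.name: sorted(set(a.software) - approved)
            for a in assets if set(a.software) - approved}


def evaluate(assets, advisory):
    """Step 1: which inventoried assets run an affected version of the product?"""
    rec = PatchRecord(advisory)
    for a in assets:
        v = a.software.get(advisory.product)
        if v is not None and version_tuple(v) < version_tuple(advisory.vulnerable_below):
            rec.affected.append(a.name)
    rec.completed.append("evaluation")
    return rec


def advance(rec, step, **ctx):
    """Steps 2-4: move to the next stage; refuses to skip a stage or deploy an untested patch."""
    if len(rec.completed) >= len(STEPS):
        raise ValueError("workflow already complete")
    expected = STEPS[len(rec.completed)]
    if step != expected:
        raise ValueError(f"cannot run {step}: next required step is {expected}")
    if step == "testing":
        if ctx["pilot"] not in rec.affected:
            raise ValueError("pilot must be one of the affected assets")
        if not ctx["pilot_stable"]:
            raise ValueError("pilot showed regressions; patch must not be approved")
        rec.pilot = ctx["pilot"]
    if step == "deployment":
        for a in ctx["assets"]:
            if a.name in rec.affected:
                a.software[rec.advisory.product] = rec.advisory.patched_version
    rec.completed.append(step)
    return rec


def verify(rec, assets):
    """Step 5: re-read the inventory and list affected assets still below the patched version."""
    if not rec.completed or rec.completed[-1] != "deployment":
        raise ValueError("verification only runs after deployment")
    by_name = {a.name: a for a in assets}
    target = version_tuple(rec.advisory.patched_version)
    still = [n for n in rec.affected
             if version_tuple(by_name[n].software[rec.advisory.product]) < target]
    if not still:
        rec.completed.append("verification")
    return still


def run_example():
    """Walk constructed sample assets through the whole process and return the outcomes."""
    approved = ["imaging-viewer", "lab-portal"]
    assets = [
        Asset("ws-01", {"imaging-viewer": "2.3.0"}),
        Asset("ws-02", {"imaging-viewer": "2.4.1", "lab-portal": "1.0.0"}),
        Asset("ws-03", {"imaging-viewer": "2.2.9", "screen-recorder": "5.0"}),  # shadow IT
    ]
    advisory = Advisory("ADV-0001", "imaging-viewer", vulnerable_below="2.4.0", patched_version="2.4.0")

    unauthorized = find_unauthorized(assets, approved)
    rec = evaluate(assets, advisory)
    try:                                   # attempting to deploy before testing is refused
        advance(rec, "deployment", assets=assets)
        skip_refused = False
    except ValueError:
        skip_refused = True
    advance(rec, "testing", pilot="ws-01", pilot_stable=True)
    advance(rec, "approval")
    advance(rec, "deployment", assets=assets)
    remaining = verify(rec, assets)
    return {"unauthorized": unauthorized, "affected": rec.affected,
            "skip_refused": skip_refused, "remaining": remaining, "completed": rec.completed}


if __name__ == "__main__":
    print(run_example())
```

The point of the ordering check in `advance` is that deployment cannot happen before a pilot test and an approval have been recorded, which is exactly the control the OCR sequence is meant to provide; `verify` re-reads the inventory rather than trusting the deployment step, so a system that silently failed to update shows up in the returned list.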

Resource on Patch Management: NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies (Revision 3)

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations.