Last week it was reported that federal regulators have issued a sanction against an Alaskan mental health service provider, due to, of all things, not being up-to-date on software patches. Fined $150,000 by HIPAA, Anchorage Community Mental Health Services failed to apply available software patches and was subsequently infected with malware that led to personal information being absconded from 2,700 individuals.
The HIPAA fine against the Alaskan health provider is just the first for the health industry, but more and more, companies are being held financially responsible for security breaches. And, it's foreseen that more fines will be lobbied in the near future.
This is truly an unexpected angle for software patching where a litter of bad vendor patches could result in a fine due to lost data and regulatory oversight.
In the report, Susan A. Miller, a HIPAA and healthcare attorney says…
The lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately. That includes operating systems, electronic health records, practice management - and any electronic tool containing PHI.
This comes on the heels of a year of patching woes for most Microsoft customers. Many customers have altered their patching policies so that critical updates are delayed by weeks and sometimes months because Microsoft hasn't been able to deliver an error-free month. So, what happens when a company delays a critical update because of fear of botched updates? Should IT deploy anyway and expect to just deal with the fallout of lost revenue due to downtime and crashing applications? Is Microsoft at all to blame? And, who should be responsible for paying the fine if an attack was successful due to a patch that didn't work? There have been several instances this year where a critical, zero-day patch was flawed, had to be recalled, fixed, and rereleased.
Its one thing to be flat-out irresponsible with security like the recent Sony hack and other reported cases like Target, but quite another entirely to get caught waiting for a workable patch. In the case of the Alaskan health provider, the organization was negligent, but let's hope it doesn't set a precedent where it's difficult to determine who is really at fault. This is a slippery slope, particularly if Microsoft can't figure out how to fix its QA processes.