Paramount Software Solutions Inc

In Health Care, Patch Management is More Important Than Ever

A report from and Protenus found the U.S. health care industry, on average, experienced one data breach per day in 2016. Such incidents compromised approximately 27.3 million patient records.

Unfortunately, these statistics aren’t surprising given how quickly care providers have implemented electronic health record systems to comply with the Affordable Care Act. EHR adoption rates rose 74.4 percent between 2008 and 2015, according to the Office of the National Coordinator for Health Information Technology. Along the way, vulnerabilities likely fell through the cracks. To address those bugs, care providers and others need to institute strong patch management processes, especially given the value EHRs present to hackers.

“Sysadmins can’t patch software if developers don’t create patches in the first place.”

EHR System Vulnerabilities Difficult to Report

Security researchers, system administrators and other IT professionals are invaluable resources for software companies because they alert developers to bugs that may have slipped past QA during testing. Some vulnerabilities may not even be bugs – just functions that indirectly allow hackers to access sensitive data.

However, if no vulnerability reporting mechanisms are in place, it’s difficult for those using the software to inform developers of pressing issues. According to Joshua Mandel, health IT ecosystem lead at Verily, this is a common problem among EHR vendors.

In an article for SMART Health IT, Mandel wrote that he tried to inform HL7 of a vulnerability he found in a piece of code written by the international health standards organization. Many health IT product developers incorporated this code into their products. When he reached out to HL7, he struggled to find any developers who might have worked on the code.

Mandel then tried reaching out to the EHR vendors by:

  • Sending emails to vendor security addresses or other vendor-supplied addresses (info@, sales@, etc.).
  • Using vendor-specified security vulnerability reporting programs.

Unfortunately, less than 10 percent of the vendors he contacted got in touch with him regarding the vulnerability. Two of the vendors replied that their systems didn’t have the bug, while one “simply confirmed” that they received his email.

The issues Mandel encountered present a huge challenge to sysadmins: They can’t patch software if the developers don’t create patches in the first place.

Implementing Patch Management Processes in Health Care

Most health care organizations are actually well positioned to apply DevOps practices to their patch management policies. This is because many IT teams acquire developer-esque knowledge of the EHR systems they manage. Some hospitals even have developers specializing in particular EHR solutions, enabling those institutions to customize the technology.

For example, Healthcare IT News found 60 percent of hospital executives said they plan to launch internal EHR interoperability development projects. Another 55 percent said those development projects will focus on improving EHR workflow. This indicates quite a few hospitals have established developer resources.

But how could DevOps fit into a patch management process? Here’s how it could work:

  • Developers build EHR functions.
  • Quality assurance tests the functions.
  • Sysadmins apply those changes to the EHR.
  • End-users and IT then report bugs to developers, who create the patches. 
  • QA tests those patches.
  • Sysadmins implement the patches. 

This system could actually address the vulnerability reporting deficiencies Mandel noted. Of course, the process has its challenges, one of them being that some vulnerabilities may exist in the source code. For some institutions, this may not be a problem if the EHR vendors grant license holders access to the code. At the same time, this may require a level of expertise in-house developers may not possess, which obligates care providers to fund developer training.

In addition, there’s no guarantee vendors will take an open source-esque approach to EHR development. After all, these are proprietary systems we’re talking about.

One encouraging factor is that EHR vendors have the incentive to improve their security vulnerability reporting programs. As attacks against care providers increase, companies will face pressure to institute more robust communication with end-users.
