Have you updated your software today?

By Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup

October is Cybersecurity Awareness Month, and the Electronic Health Record Association (EHRA) will use this opportunity to share helpful reminders of cybersecurity fundamentals throughout the month. 

The 2020 HIMSS Cybersecurity Survey provides a look into cybersecurity issues facing US healthcare organizations. Based upon the feedback from 168 US-based healthcare cybersecurity professionals, “Relatively few healthcare organizations are conducting end-to-end security risk assessments. Sensitive information is exposed and such systems are vulnerable to attack.”

A simple yet important precaution to reduce cybersecurity risks is ensuring software updates and patches are applied in a timely manner. Though they are easy to ignore, most software updates or patches are important, as they address a vulnerability or security flaw in the endpoint of computer systems or medical devices. 

Healthcare organizations have been increasingly targeted with ransomware and other cyberattacks since the beginning of the COVID-19 pandemic. This has shown hackers’ ability to endanger healthcare organizations’ operations as well as patient lives. 

In mid-December 2020, Accellion, a technology company specializing in secure file sharing and collaboration, was made aware of a zero-day vulnerability – a software security flaw for which a patch is not in place – in its legacy File Transfer Application (FTA) software. Since then , more than a dozen healthcare organizations have been impacted by the FTA vulnerability, compromising data for more than a million patients and triggering multiple lawsuits. Having the patch applied to their systems in a timely manner could have averted the majority of these cyberattacks. 

The FDA’s newly appointed acting director of medical device cybersecurity at the Center for Devices and Radiological Health, Kevin Fu, has named outdated software as one of the greatest cyber risks facing healthcare organizations. Fu indicates that the FDA “seeks to require that devices have the capability to be updated and patched in a timely manner.”

Of system vulnerabilities that lead to cyberattacks, experts predict that 99% are known in advance of an attack. A consistent and effective process to manage patch updates is critical to preventing successful attacks. A Ponemon study of 600 healthcare IT professionals found that “exploitation of old security vulnerabilities was the most widely cited cause for security incidents.” 

What can you do?

  • Ensure all systems, devices, and software you and your organization use have the latest updates and patches applied.
  • If you don’t have a security team, consult with a security and privacy professional to assess your cybersecurity risks and create an action plan for your organization.
Leave a comment

Share your thoughts on this topic!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Categories

  • Follow EHRA on Twitter

  • Enter your email address to follow this blog and receive notifications of new posts by email.

    Join 183 other subscribers
  • Contact Us

    Kasey Nicholoff
    staff @ ehra.org

    Amanda Patanow
    Communications and Media
    ehracomms @ npccs.com
%d bloggers like this: