OCR warns about dangers of security vulnerabilities in third-party apps
Third-party software applications can put healthcare organizations at risk for security vulnerabilities, even if entities deploy operating system updates, according to an email alert from the Health and Human Services Department's Office for Civil Rights.
We continue to see customers overlook the vulnerabilities in third-party applications such as:
- The EHR vendor's chosen "web server service"
- The various versions of Java required by dated applications
- Adobe Reader and Adobe Acrobat
- Versions of VPN software required to connect to third-party applications
- and much more
Some steps organizations should take to keep such tools secure, according to OCR, include:
- Create criteria for third-party applications before installing new software, and test each application against those criteria to see if it has flaws or weaknesses.
- Work with business associates to test those entities' applications for security issues before installation and after the applications have been installed.
- Regularly install patches and updates to applications. "The majority of software developers disclose their security flaws to the public; however, attackers exploit these known vulnerabilities if HIPAA Covered Entities and Business Associates do not fix the security flaws in a timely manner," OCR notes.
- Carefully review a third party's software license agreement, which should highlight possible risks; this information should not be ignored, OCR warns.
For more information, read the article from FierceHealthIT: http://www.fiercehealthit.com/story/ocr-warns-about-dangers-security-vulnerabilities-third-party-apps/2016-06-09