The HIPAA fine against the Alaskan health provider is just the first for the health industry, but more and more, companies are being held financially responsible for security breaches. And it is expected that more fines will be levied in the near future.
This is truly an unexpected angle on software patching, where a string of bad vendor patches could result in a fine because of lost data and regulatory oversight.
In the report, Susan A. Miller, a HIPAA and healthcare attorney says…
The lesson here is that when a software patch or update is sent by a vendor, it should be applied immediately. That includes operating systems, electronic health records, practice management – and any electronic tool containing PHI.
This comes on the heels of a year of patching woes for most Microsoft customers. Many customers have altered their patching policies so that critical updates are delayed by weeks and sometimes months because Microsoft hasn’t been able to deliver an error-free month. So, what happens when a company delays a critical update because of fear of botched updates? Should IT deploy anyway and expect to just deal with the fallout of lost revenue due to downtime and crashing applications? Is Microsoft at all to blame? And, who should be responsible for paying the fine if an attack was successful due to a patch that didn’t work? There have been several instances this year where a critical, zero-day patch was flawed, had to be recalled, fixed, and rereleased.
It’s one thing to be flat-out irresponsible with security, as in the recent Sony hack and other reported cases like Target, but quite another to get caught waiting for a workable patch. In the case of the Alaskan health provider, the organization was negligent, but let’s hope it doesn’t set a precedent where it’s difficult to determine who is really at fault. This is a slippery slope, particularly if Microsoft can’t figure out how to fix its QA processes.