Why software patch management is critical in the dental practice

In previous articles in this series, we have explored many of the HIPAA rules and regulations that affect dental practices. While many of these involve areas familiar to dentists, such as data backup and antivirus software, a number are less well-known, but just as critical. One of these is something called patch management.

You won’t find the words “Patch Management” in the HIPAA Security Rule, but given recent action taken by the US government agency that enforces HIPAA compliance, it’s there. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) settled with a community behavioral health organization in December 2014 concerning potential HIPAA violations which surfaced as a result of the OCR’s investigation of a breach of electronic protected health information (ePHI) that was reported to HHS by the organization in March 2012.

The press release announcing the settlement included a quote from OCR Director Jocelyn Samuels, who stated, “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

The basic premise of patch management is that dental offices are usually running a multitude of software programs. This includes your Windows operating system, your browser, Adobe products like the PDF viewer, Office and numerous other systems. Unfortunately, these products tend to ship with security holes, and as new holes are discovered, the vendor provides updates or "patches" to fix them. This is a constant battle between the software developers and the people who look for security holes to exploit; many times, patches are released on a weekly basis!

While some products, like Windows, can be set to install and update their software automatically, others cannot. And even for the ones that can, it's often not prudent to install untested patches right away; I often suggest waiting a week or two to ensure that the bugs have been worked out.

This is where the concept of patch management comes in. Sure, you could pay your IT company to log on to each and every computer on a weekly basis to search for and apply patches to every software system on the computer, but this will be a very expensive undertaking. Instead, there is a whole class of software called Managed Services that can automate this process for you.

While the software will install and update software on the schedule you dictate, it can also handle many other functions that are not necessarily HIPAA requirements. For example, many of them include alerting: they can send an alert to you and/or your IT company if there's a problem, such as a corrupted hard drive, an incorrect password entry, a virus, etc. These software programs can also do things like defragment the hard drives, clean out temporary internet files and perform other maintenance functions.

Many IT companies, including mine, offer patch management services. Dentists should take the time to evaluate their options and decide on the best way to keep their patient data safe and secure.