HIPAA-compliant, Antivirus-protected Computers Can Still Get Infected

June 4, 2013

Even following the HIPAA Security Rule, which requires protecting computer systems with anti-virus and anti-spam, computers can still get infected. Why is that?

As I have stated many times before in this space, the HIPAA Security Rule is a good thing. It requires medical practices and clinics to adopt many processes that are considered IT and business best practices. One of those practices is contained in Standard 164.308(a)(5)(ii)(B): PROTECTION FROM MALICIOUS SOFTWARE: (The Covered Entity must implement) "Procedures for guarding against, detecting, and reporting malicious software."

Like most HIPAA Security specifications, this is not very specific. It does not define malicious software nor give precise preventative requirements. It leaves it up to the covered entity to understand, interpret, and appropriately comply.

Most industry experts would consider the following procedures as a minimum solution set to satisfy both the spirit and intent of the above standard:

1. Frequently update all operating systems with the latest updates and security patches (weekly).
2. Implement business-class anti-malware protection across all systems and components - primarily anti-virus and anti-spam. Run updates and scans very frequently (daily).
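One way to check a single Windows workstation against these two procedures, as an added example that is not part of the original post: it applies the post's own thresholds (patches within a week, anti-malware signatures and scans within a day) and assumes a Windows 8 / Server 2012 or later host where the built-in Defender cmdlets are available; the threshold variables and the messages are this example's choices.

```powershell
# Added example (not from the original post): audit one host against the two
# minimum procedures, using the post's thresholds (patches weekly, AV daily).
# Assumes the built-in Defender cmdlets (Get-MpComputerStatus) are present.
$PatchMaxAgeDays = 7
$AvMaxAgeDays    = 1
$findings = @()

# Procedure 1: when was the most recent OS update installed?
# Get-HotFix records InstalledOn for most entries; undated entries are skipped.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch) {
    $findings += "No installed updates with a recorded date were found."
} elseif (((Get-Date) - $lastPatch.InstalledOn).TotalDays -gt $PatchMaxAgeDays) {
    $findings += "Last update ($($lastPatch.HotFixID)) installed $($lastPatch.InstalledOn.ToShortDateString()); older than $PatchMaxAgeDays days."
}

# Procedure 2: is anti-malware on, with fresh signatures and a recent scan?
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "Real-time anti-malware protection is disabled."
    }
    if ($mp.AntivirusSignatureAge -gt $AvMaxAgeDays) {
        $findings += "Anti-virus signatures are $($mp.AntivirusSignatureAge) days old; limit is $AvMaxAgeDays."
    }
    $lastScan = @($mp.QuickScanEndTime, $mp.FullScanEndTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $lastScan -or ((Get-Date) - $lastScan).TotalDays -gt $AvMaxAgeDays) {
        $findings += "No anti-malware scan completed within the last $AvMaxAgeDays day(s)."
    }
} catch {
    # Another AV product, or an older Windows without these cmdlets: flag it for IT to verify by hand.
    $findings += "Could not query anti-malware status: $($_.Exception.Message)"
}

# A non-empty findings list is what to hand to IT for remediation and to keep
# as evidence of the "detecting and reporting" part of 164.308(a)(5)(ii)(B).
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): patching and anti-malware checks passed."
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell session on each workstation, or push it through your management tooling and collect the output centrally.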

Let’s examine the thought process behind these two procedures, and hopefully it will help you and your medical practice avoid some of the pitfalls:

Software and Operating System Updates and Patches:
The Early Bird Gets the Worm (Or in this case, possibly avoids the virus)

All major operating systems such as Windows and Linux undergo constant revisions. Some of those revisions are to add new requested features and fix previously discovered "bugs," but many of those revisions are to plug "holes" discovered by outside hackers.

Hackers know that many people do not update their software routinely, so they study software patches as they are released and build attacks against the holes those patches fix, targeting systems that have not yet applied them. Another common threat is the "zero-day exploit": an attack that takes advantage of a security hole before the software developers have had a chance to create a patch for it.

Hackers are licking their chops for April 2014, when Windows XP, which is still running on hundreds of millions of PCs, will no longer get software and security patches (See my "Death watch for Windows XP" blog).

All operating systems should be frequently patched and updated. And lest you think that Linux and Unix-based operating systems, such as Apple's, are immune to hackers, think again. They have done a good job of creating the illusion of safety, but hackers have found them too, and they must be kept updated.

Malware Protection: You Frequently Get What You Pay for

There are many options for practices and clinics regarding anti-spam and anti-virus measures. There are services delivered over the Web, there are software programs that actually are installed on local workstations, and there are appliances that sit on the network and promise to keep out all the bad guys. Many purchased systems come with free or trial versions of various software programs pre-installed. The problem with most of these solutions is that they don’t provide an integrated, system-wide approach.

Some of these are free, and some of them cost a great deal of money. Some of the free ones are not only ineffective, they are threats unto themselves. A popup may appear that informs users there is a problem and tricks them into installing what is supposedly anti-malware software. In reality it is frequently malicious software itself, and as a result many anti-virus and anti-spam packages advertised as "freeware" actually end up infecting systems.

And a few years ago, the authorities shut down a company that actually tricked users into paying for malware. That’s adding insult to injury – not only was the software not as advertised, the scammers had pulled in over $4 million in fees before being shut down.

The best solutions are those that are configured to deliver solutions over the entire system, not on individual devices. Integrated cloud services or network appliances are best, but they need to be healthcare-specific. And very few free-ware or share-ware systems are effective.

Even with Anti-Virus Protections, Your Computer Systems Can Still Get Sick

As I write this, I am suffering from some kind of early-summer flu. I am reasonably healthy, I take vitamins, and I avoid sick people. And I actually had a flu shot earlier this season. So why did I get sick? Just like with anti-virus on computer systems, you can take all the precautions and still end up with a cold or flu. There are always new strains of bacteria, new viruses, and sometimes in spite of best efforts you can still end up with an illness.

Even the best anti-malware systems are not totally foolproof. There are always new threats. And some infections can actually be enabled by users, who may inadvertently defeat anti-malware systems by downloading a harmless-looking file attachment or clicking on a popup that manages to get past an anti-virus system.

Most cold and flu episodes are annoying but not life-threatening, and the symptoms pass in a few days. Similarly, in the computer world there have not been any known HIPAA breaches involving viruses. However, the symptoms can severely impact operations, and they are difficult to eradicate.

The best advice is to invest in business-class anti-malware systems, keep them updated and monitored by professional IT people, and educate users on proper behaviors to reduce risk and impact.