It shocks many in the healthcare industry to learn that they can be fined for “not knowing” they are out of compliance. According to HIPAA fine ranges, this named violation category carries a maximum of $1.5 million per inspection. Category fines per violation range from $100 to $50,000, and numerous violations can rack up, one for each non-compliant finding.
This shock can be avoided by knowing the rules. According to the HITECH Act portion of HIPAA compliance, Standard §164.308(a)(1)(i) implies a need to implement procedures to prevent security incidents, including software updates and patch management, as part of security management processes. Similarly, Risk Management section §164.308(a)(1)(ii)(B) explains how software updates are not optional and should be implemented if possible.
The implications of non-compliance can be financially painful. For example, Metro Community Provider Network was fined $400,000 in 2017 for lack of security management around patient healthcare information. To avoid this, IT management needs to ensure that all versions of system software are supported by their manufacturers to address security threats.
Since “not knowing” won’t be an accepted excuse, laboratories must keep their systems up to date like any other healthcare facility. This means applying all Windows Server and SQL patches and upgrades. If one is running on unsupported software, security won’t be possible. Also, not applying Windows updates makes it very challenging to keep most apps working correctly.
We talked last month about “sunsetted” software. Much of it is still in use. We’ve seen it. These sunsetted versions contribute directly to non-compliance and can lead to the nasty fines some facilities have paid. We can help with a quick consultation and let you know how compliant you are. After we talk, you’ll be “in the know.”