“Don’t Expose Your ePHI by Using Vulnerable Third-Party Applications”

Safe and Sound By Elizabeth R. Gebarski

Covered entities (CEs) and business associates (BAs) beware—third-party application software security vulnerabilities are on the rise, according to the Health & Human Services (HHS) Office for Civil Rights in Action. In June 2016, the HHS Office for Civil Rights in Action published a newsletter reminding HIPAA CEs and BAs about the risks inherent in third-party application software and describing how CEs and BAs can secure their systems to mitigate vulnerabilities.

What is third-party application software?
Third-party application software is a program created by a company other than the operating system developer. If you have a Macintosh computer, a couple of examples would be Adobe Acrobat and Norton AntiVirus software.

What is wrong with using third-party application software?
It is not that it is wrong to use third-party application software, but it is inadvisable to use this software without understanding, vetting and correcting it. A survey in the Study of Software Related Cybersecurity Risk in Public Companies found that about 80% of US and UK companies use commercial software, but fewer than 20% of these companies performed formal verification of the third-party application software.

What does HHS advise?
The HHS Office for Civil Rights in Action provides some advice on how companies can manage the risk in utilizing third-party applications:

  • Know how to safely use the application. When a CE or BA begins using a third-party application, a software license agreement (or end user license agreement (EULA)) is entered into between the CE or BA and the third-party application company. The EULA should disclose which actions can expose ePHI to vulnerabilities. CEs and BAs should make sure they understand how to use the software properly so that ePHI stays secure.
  • Test the applications for vulnerabilities. As mentioned, only 1 in 5 companies that used commercial software performed formal verification of the software. Testing is necessary, as it will reveal the security flaws.
  • Repair the flaws. Once the company knows the flaws, it can repair or “patch” those flaws. HHS recommends that CEs and BAs install patches and update software promptly and on a continuous basis, while taking into account the risk the patches may pose to the CE’s information systems.

Failing to take these steps can cost big bucks and cause big headaches. Just recall the Medical Informatics Engineering, Inc. (MIE) breach. MIE, a software company, created NoMoreClipboard, a third-party application, for use in CE medical record operating systems. On May 26, 2015, MIE discovered that the system had been breached. By August 2015, the NoMoreClipboard breach had affected 3.9 million individuals. Heeding the advice of the HHS Office for Civil Rights in Action could save these headaches in the future.