I run into way too many organizations, particularly in health care, that are tied to custom software that requires Internet Explorer 8 (or worse, earlier), Java 1.6, or Windows XP (eek). More often than not, in-house developed and custom software doesn't support DEP (data execution prevention) or ASLR (address space layout randomization). And don't even think about EMET...
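Whether a given binary opted into DEP and ASLR is recorded in its PE header, so the gap described above can be measured rather than argued about. The following is an added example, not code from the original post: it parses the COFF and optional headers of a PE image, reads the DllCharacteristics flags (NX_COMPAT for DEP, DYNAMIC_BASE for ASLR, plus HIGH_ENTROPY_VA and GUARD_CF), and also checks the RELOCS_STRIPPED file characteristic, since a DYNAMIC_BASE binary with its relocations stripped cannot actually be rebased. The sample images are constructed in-line so the script runs offline; `build_pe` and the function names are this example's own.

```python
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification
DYNAMIC_BASE = 0x0040      # opts in to ASLR
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high entropy
NX_COMPAT = 0x0100         # opts in to DEP
GUARD_CF = 0x4000          # Control Flow Guard
# IMAGE_FILE_* characteristic from the COFF header
RELOCS_STRIPPED = 0x0001   # no relocations: image cannot be rebased, so ASLR is moot


def pe_mitigations(data: bytes) -> Dict[str, bool]:
    """Return which exploit mitigations a PE image has opted into."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dllchars & NX_COMPAT),
        # DYNAMIC_BASE is only meaningful if the loader can actually relocate the image
        "aslr": bool(dllchars & DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & GUARD_CF),
        "relocs_stripped": relocs_stripped,
    }


def missing_mitigations(data: bytes) -> List[str]:
    """Names of the baseline mitigations (DEP, ASLR) the image lacks."""
    m = pe_mitigations(data)
    return [name for name in ("dep", "aslr") if not m[name]]


def build_pe(characteristics: int, dllchars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image for testing (constructed sample, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Three constructed images: a legacy 32-bit build with nothing enabled, a modern
# 64-bit build with everything enabled, and a build that asks for ASLR but stripped relocations.
LEGACY = build_pe(0x0102, 0)
MODERN = build_pe(0x0022, NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF, pe32plus=True)
STRIPPED = build_pe(0x0103, NX_COMPAT | DYNAMIC_BASE)

if __name__ == "__main__":
    import sys
    targets = [open(p, "rb").read() for p in sys.argv[1:]] or [LEGACY, MODERN, STRIPPED]
    for img in targets:
        print(pe_mitigations(img), "missing:", missing_mitigations(img))
```

Run it with one or more paths to real executables to audit a legacy application's install directory; with no arguments it reports on the three constructed headers. Treat a missing NX_COMPAT or DYNAMIC_BASE as a finding for the risk assessment, since the process will run without those protections unless system-wide opt-in (or EMET-style enforcement) is applied.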
When performing security assessments with Rendition Infosec, I get to hear all kinds of excuses about how much it will cost to upgrade legacy systems. Organizations often simply sign off on the risk instead. I've actually had IT managers explain to me that while they know their security is bad, nobody ever gets fined for not upgrading their systems. Well, now that day has come and I for one am thrilled. I hope that this is the first of many such fines from HHS.
The enforcement letter spells out the actions that must be taken to comply with the HHS settlement. These actions can be broadly broken down into the following:
- Updated Policies and Procedures
- Training (for anyone who touches e-PHI)
- Annual Risk Assessments
- Annual Reports Attesting the State of Security
The last one sounds easy enough, but one of the requirements is specified as:
"An attestation signed by an owner or officer of ACMHS attesting that all information system resources are currently supported and updated with available patches."

This sounds innocent enough, but can your organization really make such an attestation? There are no exceptions to this provision in the enforcement letter, no easy out. Think of all the outdated switches and routers likely in portions of any large business, not to mention embedded systems and the like. They are running fine, but are they supported? Is everything really running all of the latest patches? That seems doubtful and is unlike any organization I've ever seen. While I applaud HHS for this enforcement, I think they may have set up an unattainable standard. It will be interesting to see how this and other enforcements from HHS play out.