HIPAA Security Compliance 101 - Lesson 5

Are you Following the Best Practices for Malware?


What is Malware?

Malware = Malicious Software

It includes spyware, viruses, trojan horses, keyloggers, rootkits, and ransomware.

What does the law say?

The Security Rule requires that covered entities and business associates take steps to protect HIPAA regulated systems from malicious software.

Is this something OCR enforces?

Yes – In one particular case, OCR specifically cited “not regularly updating their IT resources with available patches and running outdated, unsupported software” as the reason it levied a $150,000 fine.

Malware Protection “Best Practices”:

1. Keep your system and application software up-to-date

  • Use a currently supported release for all systems and applications. Do NOT use outdated, unsupported software
  • Regularly review and install security updates and patches (e.g., weekly or monthly)
  • Apply updates to every device and application that stores, transmits, or accesses PHI (workstations, servers, smartphones, network equipment, firewalls, etc.)

2. Use Virus / Malware Protection wherever it is available

  • HIPAA does not mandate a particular technology
  • Numerous options are available including Symantec, McAfee, Kaspersky, Microsoft, AVG, etc.
  • Consult with IT and online reviews
  • Make sure it scans your inbound email, a frequent source of malware

3. Keep your Virus / Malware protection software up-to-date.

  • New viruses and forms of malware are constantly being released, so update your Virus / Malware protection (both the product and its detection signatures) on a regular basis (e.g., weekly).

4. Restrict user access based on their job role (another Security Rule provision).

  • Malware generally runs with the privileges of the user who launched it, so limiting what a user can update limits the impact of any malware they introduce
  • Where possible, avoid giving regular users update access to server storage areas
  • Likewise, avoid giving regular users access to backup copies

5. Educate your users on best practices to avoid malware infections through email or web browsing

See https://dmctechgroup.com/dmcblog/best-practices/ for an example.