What is the globally accepted percentage for OS patch compliance with Healthcare Industry as per HIPAA?
IT Manager in Healthcare and Biotech, 2 months ago
Technically per HIPAA it’s 100% depending on your environment and the severity of the vulnerability it is patching. It’s not an if you patch, but how quickly you patch based on your security and vulnerability protocols.
IT Manager, 2 months ago
It’s not going to be the accepted percentage, but your patch management program in place. 100% of patching (while desirable) may not mean you’re 100% protected. You need a plan that allows for you to review patches, test them for compatibility and ensure they do not create additional security concerns, and then deploy them so as to not affect the security and availability of the data. I’d refer to NIST publications. 800-40 rev 4 is a good place to start.
Engineering Manager in IT Services, 2 months ago
HIPAA doesn't specify an exact percentage for OS patch compliance. Instead, it focuses on the requirement to have a risk-based approach to managing security and implementing safeguards like patch management. This means healthcare organizations should aim for a level of compliance that adequately protects patient data, considering factors like the type of data handled, the organization's size, and the potential risks involved.
In order for a HIPAA-covered entity to ensure HIPAA patch management requirements are satisfied and vulnerabilities to the confidentiality, integrity, and availability of ePHI are reduced to an acceptable level, robust patch management policies and procedures need to be developed and implemented.
It suggests the patch management process should include:
Evaluation: Determine whether patches apply to your software/systems.
Patch Testing: Test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
Approval: Following testing, approve patches for deployment.
Deployment: Deploy patches on live or production systems.
Verification and Testing: After deployment, continue to test and audit systems to ensure patches have been applied correctly and that there are no unforeseen side effects.
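As an added example (not from any reply in this thread), a small Python compliance calculation that ties together the first reply's point (what matters is how quickly a patch is applied relative to its severity) and the verification step in the last reply: it scores a constructed inventory against hypothetical per-severity deadlines, which HIPAA itself does not set, and reports the percentage alongside the overdue items so the audit step has something concrete to act on.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical remediation windows (days after a patch's release), by severity.
# HIPAA gives no such numbers; an organisation sets them in its own risk analysis.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: date             # vendor release date
    installed: Optional[date]  # None = not yet applied on this host

def deadline(rec: PatchRecord) -> date:
    return rec.released + timedelta(days=SLA_DAYS[rec.severity])

def is_compliant(rec: PatchRecord, today: date) -> bool:
    """Compliant if applied within its window, or not yet applied but still inside it."""
    if rec.installed is not None:
        return rec.installed <= deadline(rec)
    return today <= deadline(rec)

def compliance_report(records, today: date) -> dict:
    """Overall percentage plus the overdue items, grouped by severity for triage."""
    total = len(records)
    ok = sum(is_compliant(r, today) for r in records)
    overdue = {}
    for r in records:
        if not is_compliant(r, today):
            overdue.setdefault(r.severity, []).append((r.host, r.patch_id))
    return {"total": total, "compliant": ok,
            "percent": round(100 * ok / total, 1) if total else 100.0,
            "overdue": overdue}

# Constructed sample inventory: hostnames and patch identifiers are placeholders.
TODAY = date(2024, 6, 1)
SAMPLE = [
    PatchRecord("srv-ehr-01", "KB-EXAMPLE-001", "critical", date(2024, 5, 20), date(2024, 5, 24)),
    PatchRecord("srv-ehr-02", "KB-EXAMPLE-001", "critical", date(2024, 5, 20), None),
    PatchRecord("ws-nurse-07", "KB-EXAMPLE-002", "high", date(2024, 5, 10), None),
    PatchRecord("ws-nurse-08", "KB-EXAMPLE-003", "low", date(2024, 1, 15), None),
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE, TODAY))
```

Note that a host still inside its window counts as compliant, so the percentage reflects timeliness against the risk-based deadlines rather than raw "patched vs. unpatched".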