How to handle security patches like a pro
Data security in a medical practice is a shared responsibility, but is there a better way to manage data risk in a busy practice? Here are some simple tips to make security fixes and patches a more seamless process for your practice and staff.
What is a security patch?
A software ‘patch’ or ‘fix’ is a set of changes to a software program designed to fix or improve it.
Usually when a security flaw is discovered within software, the technology provider will release a security ‘patch’ to fix and update the software.
This security patch helps ensure attackers or malicious programs cannot exploit the vulnerability in the software.
These patches, also called ‘bug fixes,’ can also include updates to software designed to improve overall usability and performance.
Why is security patching important in a healthcare setting?
The health industry is one of the most targeted industries in relation to cyber attacks. This is because health organisations may not always have the appropriate defences in place to protect against potential threats, and importantly, health data is extremely valuable to attackers.
It’s one of the reasons the RACGP Security Guide lists security patching as one of its recommended action points within its medical practice computer security checklist.
How can medical practices protect against software vulnerabilities?
The easiest and fastest way is to continually update your software. If software is kept up to date, it is less likely to be vulnerable to exploitation or attack.
Running the latest software will also have additional benefits to a practice, such as:
- Performance improvements, and faster running of your software
- Availability of new product features
- Making upgrading to new releases of software easier
- Making it easier and potentially less costly for IT teams to support
Fostering a culture of security and risk management
Making security patches a painless process starts with a ‘culture’ of security leadership, which the RACGP Security Guide stresses is critical in any medical practice that’s serious about risk management.
Adopting a security ‘culture’ and leadership encourages more people within the practice to take responsibility for data security. Proactive measures include offering education and training, sharing helpful resources, and making available practical policies that direct staff to better understand and manage security risks.
The RACGP also recommends:
- Regular risk analysis: Conducting regular security ‘health and hygiene’ reviews of computer and IT systems, identifying any gaps in security and developing strategies to mitigate risk.
- Identifying a designated data security authority: Allocating one person with the authority to ensure that the relevant security processes are documented and followed.
- Drafting and reviewing data management plans and processes: Especially to clarify data backup and disaster recovery protocols and procedures.
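One way to make the ‘regular risk analysis’ above concrete is a scripted patch-hygiene review that the designated data security authority can run on each practice workstation and keep on file. The script below is an added example, not code from the article, the RACGP or MedicalDirector; it assumes a Windows workstation, local administrator rights, the Windows Update Agent COM API being available, and a hypothetical practice policy that no outstanding update may be older than 30 days (the MaxPatchAgeDays parameter).

```powershell
# Added example (not from the original article): patch-hygiene review for one
# Windows practice workstation. Assumes local admin rights and the Windows Update
# Agent COM API. The 30-day threshold is an assumed practice policy, not a standard.
param(
    [int]$MaxPatchAgeDays = 30
)

# 1. When was this machine last patched? Newest installed hotfix first.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastPatch) {
    Write-Output "Last update installed: $($lastPatch.HotFixID) on $($lastPatch.InstalledOn)"
} else {
    Write-Warning "No installed hotfixes reported; check Windows Update history manually."
}

# 2. Ask the Windows Update Agent what is still outstanding (not installed, not hidden).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$findings = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title     = $u.Title
        Severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Published = $u.LastDeploymentChangeTime
        AgeDays   = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    }
}

# 3. Flag the gaps: anything Microsoft rates Critical or Important, or anything
#    that has been outstanding longer than the practice's policy allows.
$gaps = @($findings | Where-Object {
    $_.Severity -in 'Critical', 'Important' -or $_.AgeDays -gt $MaxPatchAgeDays
})

if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) update(s) breach the patch policy on $env:COMPUTERNAME"
    $gaps | Sort-Object AgeDays -Descending |
        Format-Table Severity, KB, AgeDays, Title -AutoSize
} else {
    Write-Output "No outstanding updates breach the $MaxPatchAgeDays-day policy."
}

# 4. Keep a dated record so the review is documented, as the RACGP recommends.
$csvName = "patch-review-{0}-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date)
$findings | Export-Csv -NoTypeInformation -Path $csvName
```

Run it from an elevated PowerShell prompt on each workstation (or push it through your existing management tooling) and file the CSV with the review notes; a machine that reports no outstanding updates but a last-install date months in the past is itself a finding worth investigating.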
What are some additional resources that can help?
At a local level, the Australian Cyber Security Centre offers some helpful information about security patches and risk mitigation, including:
- A handy guide on assessing security risk and applying patches.
- A list of the ‘essential eight’ risk mitigation strategies and why patches form part of this wider security strategy.
The Australian Federal Government also has a range of resources and information on cyber security available in the Information and Services section of their website.
The Security Colony is also an Australian website with some useful material on cyber security, including a range of free and paid content.
At an international level, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publish a joint standard, ‘ISO 27001’. This standard specifies a management system intended to bring information security under tighter management control.
The International Systems Audit and Control Association (ISACA) is an international professional association focused on IT governance and offers a range of events and educational tools on its website. For world-class security education and tools, you can also visit (ISC)², a global not-for-profit cyber security organisation.
For MedicalDirector customers interested in enhancing their data security processes and systems, visit our online help or support pages, or contact your dedicated Client Manager today.