Kentucky REC News

HHS Guidance on Software Vulnerabilities and Patching

Software is the underlying set of instructions that runs computers and other electronic devices. Most software that we use contains “bugs” – mistakes in the code that negatively affect how the software works. Some of these bugs introduce security vulnerabilities that, if exploited, could give an attacker unauthorized access to a user’s computer or an organization’s network. Patches are fixes for these bugs that correct how the software operates, including closing security vulnerabilities. Patches play an essential role in the software life cycle, because vulnerabilities that put the confidentiality, integrity, and availability of data at risk are discovered in software regularly. Without patches, such vulnerabilities could not be fixed.

In late 2017, researchers discovered widespread vulnerabilities in computer processors that had been sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allowed malicious code running on a device to bypass the processor’s memory access controls and potentially read sensitive data belonging to other programs or the operating system. The flaws were present in most processors produced in the preceding 10 years and affected millions of devices. After the discovery, vendors scrambled to release patches that addressed the problem. However, testing indicated that a side effect of some of these patches was decreased performance for certain workloads. Testing and understanding the impact of patches is critical to mitigating the risks the patches are designed to address while avoiding or minimizing the risks that the patches themselves may introduce. HHS published a newsletter discussing such risks in the context of the Spectre and Meltdown vulnerabilities and patches.

Many HIPAA covered entities (CEs) and business associates (BAs) are highly dependent on software for processing and handling electronic protected health information (ePHI). Under the HIPAA Security Rule, CEs and BAs are required to protect their ePHI, which includes identifying and mitigating vulnerabilities in the computer programs and systems that could affect the security of ePHI. Identifying software vulnerabilities and mitigating the associated risks are important activities for CEs and BAs to conduct as part of their security management process and technical evaluations.

Identifying Software Vulnerabilities

CEs and BAs are required to conduct a risk analysis – an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they hold. Following a risk analysis, CEs and BAs must implement measures that reduce these risks and vulnerabilities to a reasonable and appropriate level. The scope of the risk analysis and risk management processes encompasses all ePHI that an organization creates, receives, maintains, or transmits, and so includes the risks that un-patched software poses to that ePHI. Mitigation could mean installing patches where patches are available and patching is reasonable and appropriate. Where patches are not available (e.g., obsolete or unsupported software), or where testing or other concerns weigh against patching, entities should implement reasonable compensating controls that reduce the risk of the identified vulnerabilities to a reasonable and appropriate level – for example, restricting network access to the affected system or disabling network services so that a vulnerability cannot be exploited over the network.

Security vulnerabilities may be present in many types of software, including databases, electronic health records (EHRs), operating systems, email, browser plug-ins and runtimes such as Java and Adobe Flash, and device firmware. Each type of program has its own set of vulnerabilities and its own challenges for patching, but identifying and mitigating the risks that un-patched software poses to ePHI is important both to protect ePHI and to fulfill HIPAA requirements. Recording operating systems, applications, device firmware and other software, along with the versions currently in use, in the organization’s inventory makes it possible to determine which systems and applications belong in the patch management process and which ones an advisory actually affects.

Identifying risks and vulnerabilities in software is no easy task. Today’s threat landscape changes rapidly and organizations must be vigilant. One helpful source is the United States Computer Emergency Readiness Team (US-CERT), which collects and publishes information on cybersecurity threats for stakeholders in government and industry. OCR’s February 2017 cybersecurity newsletter included information on using US-CERT bulletins to help identify vulnerabilities. In addition to following publications, there are a variety of tools that can help CEs and BAs keep their software updated with the latest patches. Vulnerability scanners are software tools that test systems and networks for known vulnerabilities, including outdated or unsupported software; they report only what they can see, so their results should be reconciled against the inventory rather than treated as the inventory. Once threat and vulnerability data is public, malicious actors specifically seek out systems on which the vulnerability remains un-patched. The window between disclosure and exploitation is short, which is why timely implementation of patches is an important part of the risk management process.
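The three outcomes the guidance above describes for each inventory entry (no known vulnerability for the installed version; a patch exists and should be tested and deployed; no patch exists and compensating controls are required, with ePHI systems reachable over the network handled first) can be applied mechanically once the inventory records product and version. The Python below is an added example, not code from HHS, OCR or the newsletter. The inventory rows, the advisory list, the product names, the host names and both record schemas are constructed for illustration; in practice the advisory data would come from the vendor, from US-CERT bulletins, or from a vulnerability scanner export.

```python
"""Triage a software inventory against vendor/US-CERT style advisories.

Added example with constructed data; no real product, version or advisory is referenced.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import re


@dataclass(frozen=True)
class Asset:
    """One row of the organization's software inventory (assumed schema)."""
    host: str
    product: str
    version: str
    handles_ephi: bool     # does the system create, receive, maintain or transmit ePHI?
    network_exposed: bool  # is the software reachable from other hosts or the internet?


@dataclass(frozen=True)
class Advisory:
    """An advisory reduced to what triage needs (assumed schema)."""
    product: str
    affected_below: str    # every version older than this is vulnerable
    patch_available: bool  # False when the vendor ships no fix (obsolete/unsupported line)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.29' or 'v12.1' into a tuple of ints that compares correctly.

    Caveat: only dotted numeric schemes are handled; products that use letters,
    dates or build strings need product-specific comparison.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return parts


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.affected_below))


def priority(asset: Asset) -> int:
    """1 = ePHI system reachable over the network ... 4 = neither (lower number = fix first)."""
    return {(True, True): 1, (True, False): 2, (False, True): 3}.get(
        (asset.handles_ephi, asset.network_exposed), 4)


def triage(inventory: List[Asset], advisories: List[Advisory]) -> List[Dict[str, object]]:
    """Classify each inventory row as current / patch / compensate, most urgent first."""
    findings = []
    for asset in inventory:
        hits = [a for a in advisories if is_affected(asset, a)]
        if not hits:
            status, action = "current", "no known vulnerability for the installed version"
        elif all(a.patch_available for a in hits):
            # Several advisories may apply; the highest fixed version covers all of them.
            target = max((a.affected_below for a in hits), key=parse_version)
            status, action = "patch", f"test and deploy {asset.product} {target} or later"
        else:
            # At least one vulnerability has no vendor fix: patching alone cannot close it.
            status = "compensate"
            action = ("no vendor patch: restrict network access, disable unneeded services, "
                      "isolate the host and document the risk decision")
        findings.append({"host": asset.host, "product": asset.product, "version": asset.version,
                         "status": status, "priority": priority(asset), "action": action})
    # Vulnerable systems first, then by exposure of ePHI, then by host for stable output.
    rank = {"compensate": 0, "patch": 0, "current": 1}
    return sorted(findings, key=lambda f: (rank[f["status"]], f["priority"], f["host"]))


# Constructed sample inventory and advisories (hypothetical products and hosts).
INVENTORY = [
    Asset("ehr-db-01", "ExampleDB", "11.2.0", handles_ephi=True, network_exposed=True),
    Asset("ehr-app-01", "ExampleEHR", "3.4.1", handles_ephi=True, network_exposed=True),
    Asset("fileserver-02", "ExampleOS", "8.1", handles_ephi=True, network_exposed=False),
    Asset("kiosk-07", "LegacyPlugin", "3.9.2", handles_ephi=False, network_exposed=True),
    Asset("lab-pc-12", "ExampleOS", "10.0", handles_ephi=False, network_exposed=False),
]
ADVISORIES = [
    Advisory("ExampleDB", affected_below="11.2.4", patch_available=True),
    Advisory("ExampleEHR", affected_below="3.5.0", patch_available=True),
    Advisory("ExampleOS", affected_below="8.1.5", patch_available=True),
    Advisory("LegacyPlugin", affected_below="4.0", patch_available=False),  # vendor ended support
]

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"P{f['priority']} {f['status']:<10} {f['host']:<14} "
              f"{f['product']} {f['version']}: {f['action']}")
```

The ordering is the point: the two ePHI systems that are both vulnerable and network-reachable come out first, the unsupported plug-in is flagged as needing compensating controls rather than silently dropped because no patch exists, and the version comparison is numeric (so 8.1 correctly sorts below 8.1.5 and 10.0 above it) instead of string-based.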

Patching Software

Patches can be applied to software and firmware on all types of devices – phones, computers, servers, routers, and more. Installing vendor-recommended patches is typically a routine process. However, organizations should be prepared for issues that arise as a result of applying patches. Computer programs are often interconnected and dependent on the functionality and output of other programs. When changes are made, including the installation of a patch, programs that depend on the changed application may not perform as expected because settings or data are affected. This is why, in complex environments, patch management plays a crucial role in the safe and correct implementation of these changes. Patch management is the process of “identifying, acquiring, installing and verifying patches for products and systems” (the definition used in NIST SP 800-40). It ensures that patches are applied correctly and safely so that adverse effects are minimized. Each organization is different and has its own systems, challenges, and needs for this process.

Patches for identified vulnerabilities should be applied, as appropriate, in accordance with an organization’s security management process. The following are common steps to include in effective patch management as part of a security management program:

  • Evaluation: Evaluate patches to determine whether they apply to your software/systems and how urgent they are, taking into account the severity of the vulnerability and whether the affected systems handle ePHI or are exposed to the network.
  • Patch Testing: When possible, test patches on an isolated system that mirrors production to determine whether there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
  • Approval: Once patches have been evaluated and tested, approve them for deployment.
  • Deployment: Following approval, schedule the patches for installation on live or production systems, with a backup or rollback plan in case a patch has to be backed out.
  • Verification and Testing: After deploying the patches, continue to test and audit systems to confirm that the patches were applied correctly (for example, by rescanning or checking installed versions against the inventory) and that there are no unforeseen side effects.

Due to the complexity of some systems, installing a patch or a collection of patches can be a major undertaking. System modifications that affect the security of ePHI may trigger an entity’s HIPAA obligation to conduct an evaluation to ensure that ePHI remains protected following environmental or operational changes. The purpose of this evaluation is to establish a process for reviewing and maintaining reasonable and appropriate security measures. Installing patches can introduce a variety of changes to a system: technicians may disable security features in order to access certain services, or unanticipated bugs or stability issues may result from an update. An evaluation can help identify new vulnerabilities that may have resulted from these changes. Undiscovered bugs or vulnerabilities are unpleasant surprises that could be exploited and may lead to breaches of PHI.

Additional Resources

United States Computer Emergency Readiness Team
HIPAA Administrative Safeguards
Meltdown and Spectre
A copy of this newsletter may be found here.
OCR’s cybersecurity guidance may be found here.

Contact the security experts at Kentucky REC with your HIPAA and security questions. We can be reached at 859-323-3090.

Announcing The PILL Podcast Series

Kentucky REC is embarking on a new way to share information regarding quality improvement and transformation in healthcare. Beginning Fall 2018, join us for a new podcast series: The PILL Podcast for providers, innovators, leaders and learners. We’ll be hosting interviews with experts in the field who are leading the charge in addressing Value-based Care and Payment. Each person will discuss aspects of the change process and lessons they’ve learned along the way. We’ll address regulatory changes from Washington and Frankfort, and how practices small and large can succeed in the ever more complex world of healthcare. Subjects will include ways to comply with regulatory initiatives, along with the changes needed to be successful in the Quality Payment Program and MIPS.

Episode 0: What is The PILL Podcast? Kentucky REC Managing Director Trudi Matthews, along with cohost Stephen Williams, introduce the series.


Episode 1: Karen Ditsch – Reluctant Convert – This episode features Karen Ditsch, CEO of Juniper Health in Eastern Kentucky, as she describes her personal and practice journey. She and Juniper moved from a reluctant, reactive, compliance-based mindset to becoming champions of quality improvement. They began the proactive quality journey in 2006/7, and they went from paper to EMR in 2010. She shares the struggles and successes along the way, and strategies for moving forward as Value-based Care and Payment becomes the model for all providers.


Episode 2 of The PILL Podcast will feature Dr. Chris Yost of UK Healthcare, as he discusses the benefits of seeking Patient Centered Medical Home recognition and focusing on promoting the health of all patients.

Contact Kentucky REC with your questions regarding the Quality Payment Program. Our team of experts is here to help. Phone 859-323-3090


Learn More About the FY 2019 Medicare IPPS and LTCH Final Rule

The Centers for Medicare & Medicaid Services (CMS) issued updates to Fiscal Year (FY) 2019 Medicare payment policies and rates under the Inpatient Prospective Payment System (IPPS) and the Long-Term Care Hospital (LTCH) Prospective Payment System (PPS) final rule (CMS-1694-F) on August 2nd.

The final rule changes the following aspects of the Promoting Interoperability (PI) Programs (formerly known as the EHR Incentive Programs):

  • Sets a new performance-based scoring methodology for the Medicare Promoting Interoperability Program
  • Requires the use of 2015 Edition CEHRT for eligible hospitals (EHs) and critical access hospitals (CAHs) beginning in Calendar Year (CY) 2019
  • Finalizes an EHR reporting period of any consecutive 90-day period for new and returning CMS or State Medicaid agency participants in CYs 2019 and 2020
  • Finalizes changes to measures, adds new measures and removes certain measures that do not emphasize interoperability and the electronic exchange of health information beginning in CY 2020
  • Requires EHs and CAHs to select one quarter of CY 2019 data and choose at least four self-selected electronic clinical quality measures (eCQMs) from a set of 16 for eCQM reporting

To learn more about these and other finalized changes, you may review the final rule, press release, and the fact sheet. For more information on the PI Programs, visit the CMS PI Programs landing page or contact our team of expert advisors at Kentucky REC with any Promoting Interoperability questions via email or by phone at 859-323-3090.

Successfully navigating the complex and evolving Promoting Interoperability landscape can be a challenging task. We work closely with our clients, providing efficient and effective advisory services to guide them through the multifaceted environment unique to health information technology.

We are here to help! Contact Kentucky REC today to learn more about the support we provide.

Webinar September 20: QPP for Specialty Practices

Even though the Quality Payment Program (QPP) impacts all Eligible Clinicians, we often hear that specialists think it is directed toward primary care providers. There are currently five types of providers (Physicians, PAs, NPs, CNS, & CRNAs) that can be Eligible Clinicians, and this list is expected to expand in coming years. The NPRM for 2019 proposes to include: Physical and Occupational Therapists, Clinical Social Workers, and Clinical Psychologists. This expansion, if included in the upcoming Final Rule, could include more specialists than ever before in a CMS program. While the Improvement Activities and Promoting Interoperability performance categories have significant flexibility to allow for the best fit regardless of practice type, Quality is an area that many specialists tend to struggle with as they work to choose the best approach.

While the majority of quality measures are highlighted as being primary care specific, there are measures and objectives for specialists. In fact, there are subset measures that are designed specifically for different specialties. The challenge is in identifying the correct quality measures, and the best approach for capturing the required information and submission.

Join us for our upcoming webinar where we will discuss how measure availability and subsequent benchmarks can affect scores for specialists. We will present crucial steps to take as a specialty practice to ensure ongoing success in the Quality Payment Program.

Webinar September 20 – QPP for Specialty Practices

Thursday September 20th 12-1 p.m. ET


CMS NPRM for Year 3 of The Quality Payment Program

The Kentucky REC recently hosted a webinar discussing the Notice of Proposed Rulemaking (NPRM) for Year 3 of the Quality Payment Program. The NPRM is available for public comment until 5 p.m. ET on September 10th, 2018. The NPRM features several potential changes that will affect clinicians and practices in the 2019 reporting year.

Major highlights of the proposed changes for Year 3 include:

  • Quality Performance Category weighting reduction from 50% to 45%
  • Cost Performance Category weight increase from 10% to 15%
  • Promoting Interoperability (formerly ACI) Performance Category restructure:
    • Removal of Base, Performance, and Bonus scoring
    • Implementation of a more straight-forward scoring approach that primarily employs a Performance-based methodology
  • Eligibility expansion to PT, OT, CSW, & Clinical Psychologist
  • Modifications to scoring thresholds: raising the minimum total combined score needed to avoid a negative payment adjustment to 30 points, and raising the Exceptional Performance threshold to 80 points or higher
  • Facility-based scoring is also back on the table for consideration in Year 3
  • Advanced APMs would be required to have at least 75% of ECs using CEHRT to document and communicate clinical care with patients and other health professionals
  • Upholding the requirement that all ECs must be on a 2015 CEHRT for 2019 Performance Year

KYREC experts created an NPRM fact sheet overview of the proposed changes. In case you missed our NPRM Webinar, listen here to the informative discussion regarding the potential impacts these proposed changes could have on practices and providers across the Commonwealth and beyond.

Interested in making a comment about the NPRM to CMS? The only way to have your voice heard on how this program is shaped is to submit a formal comment to CMS via the Federal Register. Click HERE for the NPRM and to submit a comment by 5 p.m. ET on September 10th, 2018.

If you have more questions or would like additional information about The Quality Payment Program, MIPS or any of our other services, contact your expert advisors at Kentucky REC. We’re here to help! Call us at 859-323-3090.