Cybersecurity: System Hardening Guidance
The most recent Office for Civil Rights (OCR) Cybersecurity Newsletter was released in January and focuses on system hardening and protecting electronic PHI (ePHI). “System hardening is the process of customizing electronic information systems (e.g., computer systems and other electronic devices) to reduce their attack surface, thus reducing the number of weaknesses and vulnerabilities that an attacker can exploit.” The following are several suggestions on how to harden your system:
Create Security Baselines – These are minimum standards and settings for servers, smartphones, laptops, desktops, etc., throughout your pharmacy. This would include any device that creates, receives, maintains or transmits ePHI. These can include administrative, physical, and technical safeguards.
Patch Known Vulnerabilities – New devices, and devices already in use, can have known vulnerabilities. These vulnerabilities or weaknesses can be exploited by bad actors to gain unauthorized access into your system. It is important to stay up to date on these known vulnerabilities and seek out a way to fix, or ‘patch’, the weakness. Both software (web services, mobile applications, email, etc.) and firmware (specialized software embedded directly into hardware devices to control their basic functions and operations; e.g., firewalls and routers) may need to be patched. Keeping a list of all your information technology (IT) assets is recommended so the type of hardware, software, and security measures are all documented in one convenient location. This makes it easier for the Security Officer to review devices and systems for potential vulnerabilities and recommended patches. Since bad actors are continuously finding new ways to gain entry to systems, it is imperative that these vulnerability checks and patches be conducted routinely.
Remove or Disable Unneeded Software and Services – Devices often come with preloaded software, much of which may not be necessary for the device to function as required within your pharmacy. These unwanted and unused items housed within the device are potentially weak links for bad actors to exploit. Deleting them removes one more potential vulnerability, and if a piece of software or a service cannot be deleted, disabling it is the next best practice. Also be mindful of ‘admin’ or guest accounts with default passwords. It is recommended that default passwords be updated to a unique, more secure passphrase.
Enable and Configure Security Measures – There may be security measures pre-installed in a device that need to be enabled, or “third-party security solutions such as, for example, anti-malware, endpoint detection and response (EDR), or security information and event management solutions (SIEM).” Examples may include access controls, encryption, audit controls and authentication. Sound familiar? They should! These are examples of technical safeguards as per the HIPAA Security Rule.
Routine evaluation and system hardening are necessary to protect your ePHI. Creating security baselines, patching known vulnerabilities, removing or disabling unneeded software and services, and enabling or confirming security measures can be part of this process.
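The four hardening steps above (baseline, patching, unneeded services and default accounts, security measures) are easiest to keep up routinely when the IT asset list drives an automated check. The following is an added example, not code from the OCR newsletter or from PAAS; the device classes, baseline settings, service names, product versions and the "vulnerability feed" are all constructed sample data standing in for a pharmacy's real asset inventory and a real source such as NIST's NVD or CISA's KEV catalog.

```python
"""Hardening checklist runner over a constructed asset inventory.

Added illustration (not from the OCR newsletter or PAAS): every name,
version and setting below is constructed sample data.
"""
from dataclasses import dataclass

# Constructed security baseline: minimum standards per device class.
# Booleans must match exactly; integers are upper limits (e.g. lock timeout).
BASELINE = {
    "workstation": {"disk_encryption": True, "auto_lock_minutes": 10,
                    "audit_logging": True, "edr_enabled": True},
    "server": {"disk_encryption": True, "auto_lock_minutes": 5,
               "audit_logging": True, "edr_enabled": True},
    "network": {"audit_logging": True},
}

# Services each device class actually needs; anything else is a candidate
# to remove or, failing that, disable.
REQUIRED_SERVICES = {
    "workstation": {"pharmacy-client", "print-spooler"},
    "server": {"pharmacy-db", "ssh"},
    "network": {"routing"},
}

# Constructed stand-in for a vulnerability feed: product -> first fixed version.
VULN_FEED = {
    "pharmacy-client": "4.2.1",
    "router-fw": "2.0.9",
}


@dataclass
class Asset:
    """One row of the IT asset list (hypothetical schema)."""
    hostname: str
    kind: str
    software: dict   # product -> installed version (software or firmware)
    services: set    # services currently enabled on the device
    settings: dict   # security settings as currently configured
    accounts: dict   # account name -> True if it still uses a default password


def parse_version(v):
    """Turn '2.0.10' into (2, 0, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def unpatched(asset):
    """Software/firmware whose installed version predates the feed's fix."""
    return [(p, v, VULN_FEED[p]) for p, v in asset.software.items()
            if p in VULN_FEED and parse_version(v) < parse_version(VULN_FEED[p])]


def baseline_drift(asset):
    """Settings that fall short of the baseline, as {setting: (actual, expected)}."""
    drift = {}
    for key, expected in BASELINE.get(asset.kind, {}).items():
        actual = asset.settings.get(key)
        if isinstance(expected, bool):
            ok = actual is expected
        else:  # numeric limit: actual value must not exceed the baseline
            ok = actual is not None and actual <= expected
        if not ok:
            drift[key] = (actual, expected)
    return drift


def unneeded_services(asset):
    """Enabled services not on the required list for this device class."""
    return sorted(asset.services - REQUIRED_SERVICES.get(asset.kind, set()))


def default_accounts(asset):
    """Accounts (admin, guest, ...) still using a vendor default password."""
    return sorted(name for name, is_default in asset.accounts.items() if is_default)


def hardening_report(assets):
    """Per-host findings; a host with no findings maps to an empty dict."""
    report = {}
    for a in assets:
        findings = {
            "unpatched": unpatched(a),
            "baseline_drift": baseline_drift(a),
            "unneeded_services": unneeded_services(a),
            "default_accounts": default_accounts(a),
        }
        report[a.hostname] = {k: v for k, v in findings.items() if v}
    return report


# Constructed asset list: one drifting workstation, one clean server, one router.
SAMPLE_ASSETS = [
    Asset("rx-ws-01", "workstation",
          software={"pharmacy-client": "4.1.0", "pdf-viewer": "11.0"},
          services={"pharmacy-client", "print-spooler", "remote-registry"},
          settings={"disk_encryption": True, "auto_lock_minutes": 30,
                    "audit_logging": True, "edr_enabled": False},
          accounts={"pharmacist": False, "guest": True}),
    Asset("rx-srv-01", "server",
          software={"pharmacy-db": "9.3"},
          services={"pharmacy-db", "ssh"},
          settings={"disk_encryption": True, "auto_lock_minutes": 5,
                    "audit_logging": True, "edr_enabled": True},
          accounts={"admin": False}),
    Asset("rx-router-01", "network",
          software={"router-fw": "2.0.4"},
          services={"routing", "telnet"},
          settings={"audit_logging": False},
          accounts={"admin": True}),
]

if __name__ == "__main__":
    for host, findings in hardening_report(SAMPLE_ASSETS).items():
        print(host, findings or "no findings")
```

Run as a script it prints one line per host; the clean server reports no findings, while the workstation and router each show the outdated version, the settings that miss the baseline, the extra service, and the account still on a default password. Re-running it after each patch cycle, with the asset list and feed refreshed, is the "routine" part of the guidance above.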
PAAS Tips:
- Those with a PAAS National® Fraud, Waste & Abuse and HIPAA Compliance Program membership can:
  - Read more about administrative, physical, and technical safeguards in your Policy & Procedure Manual, Sections 11.3 through 11.19.
  - Build and maintain your IT asset list in your online Risk Analysis.
- Have all staff complete Cybersecurity training. The dynamic nature of cyberthreats necessitates continual adaptation and vigilance. Cybersecurity training helps equip staff with essential knowledge regarding best practices to hinder potential threats related to network-connected medical device security, insider data loss, loss or theft of equipment and data, ransomware, and social engineering. Threats lurk around every digital corner, and safeguarding sensitive information has never been more crucial.
- Utilize various methods and resources to help identify vulnerabilities:
  - Sign up for vulnerability alerts from manufacturers and vendors (e.g., Apple, Microsoft).
  - Perform scans to detect vulnerabilities as well as missing patches and obsolete software (e.g., National Institute of Standards and Technology’s [NIST’s] National Vulnerability Database, U.S. Cybersecurity and Infrastructure Security Agency [CISA] Cyber Hygiene Services or Known Exploited Vulnerabilities Catalog).
Cybersecurity: System Hardening Guidance - March 4, 2026