November 12, 2021
Patching – It’s a Patient Safety Issue
Running unpatched applications and infrastructure can directly impact patient safety. Imagine a patient requiring emergency surgery and just as the clinicians are preparing the patient the computer systems fail due to a security exploit on an unpatched system.
Everyone understands the need to stay current on patches, but no matter how well this is understood it doesn’t happen at many hospitals. A recent survey by the Ponemon Institute found 57% of respondents who faced a security breach said the hacks were due to vulnerabilities in unpatched software. Thirty-four percent of the effected sites were aware of the holes in their software but didn’t patch them in time.
In at least 50% of the hospitals that I interact with there is no schedule patching cycle. This leaves IT constantly negotiating with the clinical staff to obtain a window of time to patch the systems. The majority of patching is focused on the big infrastructure players, Microsoft, VMWare, etc. Very few hospitals have a full inventory of infrastructure and applications along with a plan for ensuring the full infrastructure and application stack is maintained.
Establishing a consistent patching cycle is critical to creating a culture where system patching is believed to be as important to patient safety as regular blood testing is for a diabetic. In my experience when I encounter hospitals that are not current on their patches there are two common traits:
- No institutional schedule for system maintenance
- A lack of infrastructure and application inventory with identified maintenance intervals
Establishing a system maintenance schedule helps ingrain it into the hospital culture. A consistent monthly window should be established along with the stakeholders of the hospital. In addition to a monthly schedule, you should establish an emergency maintenance process and schedule to address emergencies quickly and effectively. The schedule should then be communicated to the entire organization so everyone can plan accordingly.
Once you have a schedule, you’ll need to create a plan for patching both your infrastructure and your applications. The first step to creating a comprehensive plan is to build an inventory of your infrastructure and applications. The inventory should include the patching cadence for each item as well as mapping systems to their environment. It’s important to understand your system interdependencies so you can plan your maintenance accordingly. In the event a patch causes issues you’ll then understand all the systems that will be impacted or may need remediation.
Creating a schedule and taking the time to plan ahead should ensure you are never one of the hospitals that reports a security incident due to unpatched systems.
John McDougall is the Director of Professional Services and Consulting at CloudWave. John can be reached at firstname.lastname@example.org.