Patch Management Standard

Overview

Patch management is critical to operational efficiency and effectiveness, overcoming security vulnerabilities, and preserving stability of the production environment while maintaining the integrity and availability of patient information. Health System Technology Services continuously works on new administrative procedures and implementing new technologies that will allow the Medical Center to better protect the integrity of the computing infrastructure.

Purpose

The purpose of this standard is to ensure that a patch management strategy is defined for how and when patches are applied within the Medical Center.

Scope

This standard applies to System Owners, Application Owners and all staff that support Medical Center information resources.

Description

The National Institute of Standards and Technology (NIST) Special Publication 800-40, “Guide to Enterprise Patch Management Technologies”, states:

Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. From a security perspective, patches are most often of interest because they are mitigating software flaw vulnerabilities; applying patches to eliminate these vulnerabilities significantly reduces the opportunities for exploitation. Also, patches are usually the most effective way to mitigate software flaw vulnerabilities, and are often the only fully effective solution. Sometimes there are alternatives to patches, such as temporary workarounds involving software or security control reconfiguration, but these workarounds often negatively impact functionality. Computers and other electronic devices with non-public or sensitive data must have critical patches applied on a frequent basis.

Poor patch management standards and procedures can result in serious financial costs. The Medical Center evaluates security vulnerabilities to identify those that may result in the loss of patient data or do damage to the systems that host that data. The mechanisms for producing financial losses include:

Downtime: The cost of lost end-user productivity, missing transactions on critical clinical application systems, and lost business during an incident can be very high as a result of lost revenue and inadequate patient care. Most attacks cause downtime as a direct result of the attack itself, of the remediation required to recover, or both. Some attacks can leave systems down for several days.

Remediation Time: The cost of repairing system damage in the Medical Center environment can accumulate very quickly, depending on the number of hours dedicated to the issue and the revenue lost while the systems are unavailable. Many security attacks require a complete re-installation to be certain that no back doors permitting future exploits were left behind.

Data Integrity: If an attack damages data integrity, the cost of recovering that data from the last known reliable backup can be high in terms of recovery time and damage done to the integrity of data if the back-up tapes have degraded.

Legal Defense: The cost to defend the Medical Center from others taking legal action after an attack can be expensive and can result in even higher revenue losses due to lost business and reputation damage.

The Medical Center uses tools that identify newly discovered security vulnerabilities, the approaches that should be taken and implemented, and tools for installing patches more efficiently.

The Medical Center has developed proven methods for testing and applying the latest security patches to the Medical Center’s server infrastructure. Health System Technology Services has defined distinct implementation levels, one of which is chosen depending on the severity of the particular vulnerability discovered.

Patching of production systems (e.g., servers) may require complex testing and installation procedures. The Medical Center’s patch management process requires that all systems (e.g., servers, desktops, laptops, network devices and applications) be patched within 30 days of a patch release. HIT recognizes that extenuating circumstances may delay the patch cycle. However, if a patch cycle goes past 60 days, HIT must review the system to determine the risk of not applying the patch within the defined patch cycle. In certain cases, risk mitigation may be preferable to patching. The risk mitigation alternative selected should be in proportion to the risk. The reason for any departure from the above standard, and the alternative protection measures taken, must be documented in a Security Exception; in some cases, these must be approved by Senior Leadership.

Critical security patches and their implementation are reviewed as part of the Medical Center’s audit and vulnerability assessment procedures.


Medical Center Servers

  • Normal Implementation Cycle (7 to 10 days). The normal implementation cycle is 7-10 days after release. However, some vendors require patches to be reviewed and approved prior to implementation to ensure that the application will continue to function as designed and patient care is not affected; this approval process may extend the patch period to 14 days.
  • Imminent Threat (24 hours).  Schedule and begin patch installations with enterprise updates to be completed within 24 hours.
  • Impending Threat (12 hours).  Schedule immediate patch installations with enterprise updates to be completed within 12 hours.


Medical Center Desktops and Laptops

  • Normal Implementation (30 days). Patches are reviewed after each Patch Tuesday (2nd Tuesday of every month) and approved before being implemented to ensure that the patches function as expected and patient care is not affected. Patches are tested in pilot groups for 2 weeks; after the 2-week testing period, deployment to all Medical Center images is done in a detailed, phased approach.
  • Emergency Implementation (attempted within 24 hours). Patches are reviewed and approved before being implemented to ensure that the patches function as expected and patient care is not affected. Patches are tested in pilot groups; after testing is completed, deployment to all Medical Center images is done in phases.


Medical Center Network Devices

  • Normal Implementation Cycle (7 to 10 days). The normal implementation cycle is 7-10 days after release. However, some vendors require patches to be reviewed and approved prior to implementation to ensure that the device will continue to function as designed and patient care is not affected; this approval process may extend the patch period to 14 days.
  • Imminent Threat (24 hours).  Schedule and begin patch installations with enterprise updates to be completed within 24 hours.


Medical Center Critical Applications

  • Normal Implementation Cycle (30 days). For most applications, patches need to be reviewed and approved prior to implementation to ensure that new functionality works as designed and patient care is not impacted.
  • Imminent Threat (24 hours). For most applications, patches need to be reviewed and approved before they are implemented to ensure that the new functionality will work as designed and patient care is not affected. A security exception is in place for those systems where 30 days is not sufficient for testing and implementation. Security exceptions for critical systems that contain sensitive and confidential information must be approved by HIT Senior Leadership.

Document Supporting Resources