Cyber-attacks on healthcare providers are a critical concern as they can directly impact patient safety. In many cases, IT system outages cause considerable disruption to patient care, as the lack of access to patient data results in delays that can affect patient outcomes. Multiple studies have identified increased hospital mortality rates following ransomware attacks and other major cyber incidents. For example, there was a recent fatality due to an IT system failure when a patient who needed urgent care passed during the time it took for transport to another facility.
One of the most common methods cyber-criminals utilize to launch large-scale attacks is exploiting unpatched vulnerabilities in common software that organizations use daily. These vulnerabilities allow malicious actors to leverage known security bugs to run malicious code, which makes unpatched systems one of the biggest threats to a healthcare IT system. In fact, 57% of hospitals that suffered cyber-attacks stated that their breaches could have been prevented if they had installed an available patch.
Windows, one of the most popular operating systems in the world, is an example of this. Hackers are constantly trying to find exploits within Windows; if a critical Windows update gets pushed and an organization falls behind by just a few days, that is more than enough time for cybercriminals to get in the door. Hackers recently exploited an unpatched Microsoft Office vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190, also dubbed “Follina,” that allows for remote code execution on Windows systems. The flaw affected 41 Microsoft products, and the company warned that it could enable malicious actors to delete data, install programs, and create new accounts allowed by the user’s rights.
Furthermore. these unpatched vulnerabilities often include older known threats that organizations have been slow to patch, allowing hackers to easily exploit them. Research recently showed that many of the vulnerabilities malicious actors exploited in 2022 attacks were years old.
If Patching Is So Critical, Why Is It Not Getting Done?
According to the Cybersecurity Infrastructure and Security Agency (CISA), “the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” However, healthcare IT departments face many challenges when scheduling and conducting routine maintenance, including:
- Staffing shortages, limited IT resources, and budgets: Healthcare organizations continue to face unprecedented shortages in available IT talent while balancing extreme budget pressures.
- The complexity of healthcare IT systems: The healthcare IT environment is often home to outdated legacy and complex software systems. Older software versions get retired and stop receiving support/updates, which becomes problematic when they remain in the existing IT environment.
- Prioritization: Lean healthcare IT teams often have competing priorities, and while patching it is crucial, it can take a back seat to other larger, seemingly more pressing projects.
- Bargaining with clinical staff for downtime: Scheduling and conducting routine maintenance, such as patching, requires systems to be down for a period of time, which can disrupt patient care.
How Fully Managed Patching Can Help
Organizations are increasingly turning to fully managed patching to alleviate the strain on healthcare IT systems, which provides a structured approach to system maintenance. By working with an experienced partner to prioritize critical patching requirements, healthcare IT teams can take a hands-off approach to maintenance while keeping the environment compliant and secure against cyber threats.
As a best practice, healthcare institutions should work with a highly qualified partner to institute a patch management policy, outlining testing and the methodology for deploying patches, as well as identifying critical systems to prioritize. A qualified partner often has a well-established, streamlined patch management approach developed from working with thousands of healthcare IT environments.
Fully managed patching is also affordable, as it costs roughly the same as paying staff to work overnight shifts to prepare for patching days in advance. It also minimizes downtime and frees up substantial resources, enabling the IT team to concentrate on other priorities. In summary, this enables healthcare organizations to maintain operational excellence while focusing on what matters most, including providing exceptional patient care.