In Health Care, Patch Management is More Important Than Ever

A report from DataBreaches.net and Protenus found the U.S. health care industry, on average, experienced one data breach per day in 2016. Such incidents compromised approximately 27.3 million patient records.

Unfortunately, these statistics aren't surprising given how quickly care providers have implemented electronic health record systems to comply with the Affordable Care Act. EHR adoption rates rose 74.4 percent between 2008 and 2015, according to the Office of the National Coordinator for Health Information Technology. Along the way, vulnerabilities likely fell through the cracks. 

To address those bugs, care providers and others need to institute strong patch management processes, especially given the value EHRs present to hackers. 

EHR System Vulnerabilities Difficult to Report 

Security researchers, system administrators and other IT professionals are invaluable resources for software companies because they alert developers to bugs that may have slipped past QA during testing. Some vulnerabilities may not even be bugs at all, just legitimate functions that indirectly allow hackers to access sensitive data.

However, if no vulnerability reporting mechanisms are in place, it's difficult for those using the software to inform developers of pressing issues. According to Joshua Mandel, health IT ecosystem lead at Verily, this is a common problem among EHR vendors.

In an article for SMART Health IT, Mandel wrote that he tried to inform HL7 of a vulnerability he found in a piece of code written by the international health standards organization. Many health IT product developers incorporated this code into their products. When he reached out to HL7, he struggled to find any developers who might have worked on the code. 

Mandel then tried reaching out to the EHR vendors by:

  • Sending emails to vendor security addresses or other vendor-supplied addresses (info@, sales@, etc.).
  • Using vendor-specified security vulnerability reporting programs.

"Sysadmins can't patch software if developers don't create patches in the first place."

Unfortunately, less than 10 percent of the vendors he contacted got in touch with him regarding the vulnerability. Two of the vendors replied that their systems didn't have the bug, while one "simply confirmed" that they received his email. 

The issues Mandel encountered present a huge challenge to sysadmins: They can't patch software if the developers don't create patches in the first place. 

EHR vendors need to revisit their bug reporting protocols.

Implementing Patch Management Processes in Health Care

Most health care organizations are actually well positioned to apply DevOps practices to their patch management policies. This is because many IT teams acquire developer-esque knowledge of the EHR systems they manage. Some hospitals even have developers specializing in particular EHR solutions, enabling those institutions to customize the technology. 

For example, Healthcare IT News found 60 percent of hospital executives said they plan to launch internal EHR interoperability development projects. Another 55 percent said those development projects will focus on improving EHR workflow. This indicates quite a few hospitals have established developer resources.

But how could DevOps fit into a patch management process? Here's how it could work:

  • Developers build EHR functions.
  • Quality assurance tests the functions.
  • Sysadmins apply those changes to the EHR. 
  • End-users and IT then report bugs to developers, who create the patches. 
  • QA tests those patches.
  • Sysadmins implement the patches. 

This system could actually address the vulnerability reporting deficiencies Mandel noted. Of course, the process has its challenges, one of them being that some vulnerabilities may exist in the vendor's own source code rather than in the hospital's customizations. For some institutions, this may not be a problem if the EHR vendors grant license holders access to the code. At the same time, fixing vendor code may require a level of expertise in-house developers may not possess, which obligates care providers to fund developer training.

In addition, there's no guarantee vendors will take an open source-esque approach to EHR development. After all, these are proprietary systems we're talking about. 

One encouraging factor is that EHR vendors have the incentive to improve their security vulnerability reporting programs. As attacks against care providers increase, companies will face pressure to institute more robust communication with end-users.