What is patch management?
Patch management is the technique of planning, testing, and installing patches to a computer or computer system to keep it up to date, as well as determining which patches should be applied to which systems.
Patching operating systems is very similar to patching applications, but with a potentially more significant risk of impact to your business if you don’t patch, or if you patch without first testing. Applying operating system patches is vital for protecting your patient data, as the operating system provides a baseline of security that your applications rely on.
When operating systems are missing patches, they expose your business to a high risk of security incidents. Patching your operating systems (and applications) is essential for keeping your dispensing and patient data safe from threat actors attempting to exploit vulnerabilities and gain access to your systems.
The Timely Application Of Operating System Patches
When a critical vulnerability in an operating system is found, it is important to patch it as soon as possible to lessen the likelihood of it being exploited.
According to the Australian Cyber Security Centre (ACSC), once a vendor releases a patch for a system, the patch should be applied in a timeframe commensurate with an organisation’s exposure to the security vulnerability and the level of cyber threat the organisation is aiming to protect itself against. The ACSC recommends that the patch be applied within 48 hours in critical cases.
In our previous post on Application Patching, we talked about vulnerability ratings. Understanding vulnerability ratings can assist you in determining how vital a patch is and how quickly you need to apply it. If a patch has a rating or CVSS score greater than 8.9, you should apply the patch to your systems as soon as possible. You should follow the same risk-based approach to patching operating systems as application patching.
Risk Mitigation When Applying Operating System Patches
Applying operating system patches is not without its challenges. Some things could go wrong during your patch management process. Many pharmacists will have experienced the Microsoft PrintNightmare problems that resulted from Microsoft patching vulnerabilities in Windows 10 printing services.
It is essential to understand that with numerous device configurations, operating system versions and releases, and individual pharmacy hardware configurations, no security patch can ever be perfect. Computer systems are complex, and minor changes to them can impact how they operate. It is important to consider this complexity when creating a patch management program for your pharmacy.
A second challenge is deciding the time when a patch should be installed. Patches can interrupt the busy workday, making some systems unusable while they are installed. It is also not a good idea to patch too late in the day when accessing IT support is difficult or costly due to out-of-hours charges.
Corum recommends adopting the following patch management process within your pharmacy:
Applying operating system patches is a critical process for overall pharmacy security. Not applying patches increases your risk of compromise or ransomware-type events. The solution is to implement a test plan: apply patches to non-crucial systems first, then install them on all pharmacy systems once the patch has been validated in your own environment.
If you are worried about the security of your pharmacy systems and want to know how you can implement operating system patching processes in your pharmacy and protect yourself from ransomware, speak to your Corum Customer Success Manager or contact us on 1300 669 86.