This week, an article on Healthcare Info Security pointed me to the Department of Health and Human Services' Office for Civil Rights' latest monthly newsletter which reminded HIPAA-covered healthcare organizations that software patching was a critical step in securing their networks and offered some advice about the tools and processes to implement. As the article points out, the advice applies to nearly all organizations, not just those in the healthcare sector, but it can be difficult for organizations to put into practice.
Organizations need to implement processes to reduce attack surface by identifying and mitigating vulnerabilities. Often, this involves patching software with the latest updates designed to remove unintentional vulnerabilities in previous version of the software. This can be an overwhelming process to take on manually. You may not be aware of all the software installed on a system, or whether updates have been applied consistently. Fortunately, vulnerability scanners can help automate the process of identifying vulnerabilities across your network.
Once identified, the vulnerability must be remediated, usually by deploying a patch. Again, this process can be daunting to perform manually if your organization has many devices. Going computer to computer to install a patch isn’t a scalable solution, and you won’t be able to keep up with the pace of new patches. Patch management solutions can scan devices for available updates, but typically don’t provide guidance as to which patches address a particular vulnerability, which makes it difficult to prioritize which patches to address first.
It’s also important to follow a process to identify, test, deploy, and verify the patch. You should document the steps taken, which devices have received which patches--all aspects of the process. An auditor may ask for documentation to support your risk mitigation efforts and you should be able to produce details of your process and steps taken to identify and mitigate vulnerabilities.
Cygilant SOCVue Vulnerability and Patch Management provides an easier solution that combines both vulnerability and patch management into a single solution and pairs that with our 24x7 Global SOC team to schedule scans and provide guidance on remediation. Too many organizations are struggling with resources to retain the top talent needed to manage today’s complex security technologies, around the clock. Our SOC team fills this gap, acting as an extension of your internal team and freeing up your team to take on high priority tasks. Our integrated vulnerability and patch management solution shows the link between vulnerabilities and available patches, along with a risk score based on risk to your organization, aiding prioritization. You can quickly deploy necessary patches with an auditable workflow.
Ready to learn more? Watch this brief video:
Tags: Patch Management