Halting Healthcare Hacks: New NIST Patch Management Standards (Part 1, NIST 800-40)

Cyberattacks on healthcare entities have become the top source of cyber breaches in the last several years according to the Office for Civil Rights (OCR) public breach reporting database.1 Ransomware has become big business for cybercriminals targeting healthcare entities and their supporting vendor supply chain.  

The one thing that nearly all successful cyberattacks have in common is the exploitation of missing security patches for critical applications and systems. Missing patches are being exploited on internal healthcare applications as well as third-party and fourth-party products and services. Attacks on healthcare vendors and business associates increased by 18% last year alone according to a report from Critical Insight.2 

The National Institute of Standards and Technology (NIST) has recently issued two new security standards and models for implementing effective patch management programs. The two new standards both emphasize the need to prioritize patching and preventive maintenance in order to avoid data breaches and operational disruptions. The new standards are: 

According to NIST, “In past perimeter-based security architectures, most software was operated on internal networks protected by several layers of network security controls. While patching was generally considered important for reducing the likelihood of compromise and was a common compliance requirement, patching was not always considered a priority. In today’s environments, patching has become more important, often rising to the level of mission criticality.”3

This blog provides a summary of the new NIST 800-40 patch management standard. We also outline associated recommendations for healthcare cybersecurity programs including implementing routine vulnerability scanning and penetration testing exercises to validate patch levels. 

We will release another blog in the near future that summarizes the second new NIST patching standard, NIST 1800-31. 

NIST SP 800-40: Guide to Enterprise Patch Management Planning 

The first of two new patch standards is NIST SP 800-40: Guide to Enterprise Patch Management Planning | Preventive Maintenance for Technology.

This standard is focused on the routine maintenance and coordination activities required to keep systems and applications protected from evolving threats and vulnerabilities. NIST emphasizes the importance of a mindset of “preventative maintenance” to combat hacking attacks. NIST indicates that the new patch standard will help organizations in the following ways: 

  • Security and technology management and leadership at all levels of the organization will gain a new understanding of the role of patching in enterprise risk management. 
  • The security/technology and business/mission sides of the organization will be able to communicate with each other more effectively regarding patch management and reach a consensus on planning. 
  • Personnel from the security/technology and business/mission sides of the organization will be prepared to revamp their enterprise patching strategy throughout the entire patch management life cycle. 

Risk Response Approaches for Software Vulnerabilities

The first major section of the NIST 800-40 standard provides guidance on the software vulnerability management lifecycle along with processes for risk response and patching procedures. 

The four areas defined for risk response cover an organization’s decision to accept, mitigate, transfer or avoid identified risks. The default posture for organizations that fail to patch critical vulnerabilities is to “accept” the associated risks. Accepting such risks is a gamble that too many healthcare organizations are taking, and they are paying the price in ransomware attacks, downtime, and other business disruptions. NIST advises organizations to focus on the “mitigation” approach by implementing patches for known security vulnerabilities.

The NIST 800-40 standard also provides details on the software vulnerability management lifecycle including: 

  • Know when new software vulnerabilities affect your organization’s assets, including applications, operating systems, and firmware. 
  • Plan the risk response. This involves assessing the risk the vulnerability poses to your organization, choosing which form of risk response (or combination of forms) to use, and deciding how to implement the risk response. 
  • Execute the risk response. NIST indicates that approaches to planning may vary, but typically include phases for preparing the risk response, implementing the risk response, verifying the risk response, and continuously monitoring the risk response. As noted further along in this blog, one of the most effective ways to verify and monitor the risk response is through routine vulnerability scanning and penetration testing exercises. 

NIST 800-40 further delves into patch management lifecycle best practices including the following phases: 

  1. Prepare to Deploy the Patch 
  2. Deploy the Patch 
  3. Verify Deployment 
  4. Monitor the Deployed Patches 

Details for each phase are provided in the body of the NIST 800-40 standard. 

NIST also covers the strategic approaches for implementing enterprise-level patch management programs and coordinating the various stakeholders needed to effect change in the organization. This content is covered in the document’s section on “Recommendations for Enterprise Patch Management Planning”. NIST advises that organizations adopt the following fundamental principles for managing patch management programs:

  • Problems are inevitable; be prepared for them 
  • Simplify decision making 
  • Rely on automation 
  • Start improvements now 

Further recommendations for patch management programs include: 

  • Reducing patching-related disruptions 
  • Inventorying your software and assets 
  • Defining risk response scenarios 
  • Assigning each asset to a maintenance group 
  • Defining maintenance plans for each maintenance group 
  • Choosing actionable enterprise-level patching metrics 
  • Considering software maintenance in procurement 
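
One way to make the maintenance-group, maintenance-plan and metrics recommendations above measurable, as an added example that is not taken from NIST SP 800-40 or from Meditology: it scores one patch rollout against a per-group deadline and flags assets that were never assigned to a group. The group names, deadlines, asset names and dates are constructed assumptions.

```python
from datetime import date

# Maintenance plans: maximum days from patch release to verified deployment,
# per maintenance group. Group names and deadlines are illustrative assumptions.
PLANS = {"servers": 14, "workstations": 7, "clinical-devices": 30}

# Constructed inventory for one patch:
# (asset, maintenance group, patch release date, verified deployment date or None)
INVENTORY = [
    ("ehr-db-01", "servers", date(2024, 3, 1), date(2024, 3, 10)),
    ("ehr-app-02", "servers", date(2024, 3, 1), None),
    ("nurse-ws-044", "workstations", date(2024, 3, 1), date(2024, 3, 5)),
    ("nurse-ws-045", "workstations", date(2024, 3, 1), None),
    ("infusion-pump-17", "clinical-devices", date(2024, 3, 1), date(2024, 4, 15)),
    ("lab-kiosk-03", None, date(2024, 3, 1), None),  # never assigned to a group
]


def patch_metrics(inventory, plans, today):
    """Return (per-group metrics, assets with no maintenance plan)."""
    groups, unassigned = {}, []
    for asset, group, released, deployed in inventory:
        if group not in plans:
            unassigned.append(asset)  # no plan means no deadline to measure against
            continue
        m = groups.setdefault(group, {"total": 0, "on_time": 0, "late": 0, "overdue": []})
        m["total"] += 1
        limit = plans[group]
        if deployed is None:
            if (today - released).days > limit:
                m["overdue"].append(asset)  # unpatched past the plan's deadline
        elif (deployed - released).days <= limit:
            m["on_time"] += 1
        else:
            m["late"] += 1  # patched, but after the deadline
    for m in groups.values():
        m["on_time_pct"] = round(100.0 * m["on_time"] / m["total"], 1)
    return groups, unassigned


if __name__ == "__main__":
    metrics, unassigned = patch_metrics(INVENTORY, PLANS, today=date(2024, 4, 20))
    for name, m in sorted(metrics.items()):
        print(f"{name}: {m['on_time_pct']}% on time, late={m['late']}, overdue={m['overdue']}")
    print("no maintenance group:", unassigned)
```

The overdue list per group is the actionable part: it names the assets still carrying accepted risk past the deadline the organization set for itself.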

Meditology’s Patch Management Guidance

Meditology advises healthcare entities to evaluate their patch management programs against the new NIST standards and update policies and processes to close any gaps identified against the standards.

We also advise that healthcare entities conduct routine ethical hacking and penetration testing exercises to validate the implementation of patch management processes. Hacking tests are essential to identify critical missing patches before ransomware and other cyber attackers can take advantage of them. 

Meditology offers a full suite of ethical hacking and penetration testing services to validate your patching implementation in alignment with these new NIST standards including: 

  • Network penetration testing 
  • Cloud security testing 
  • Vulnerability scanning 
  • Medical device penetration testing 
  • PCI-DSS penetration testing 
  • API, FHIR, and web application security testing 
  • And more 

Our ethical hacking services are designed and developed specifically for healthcare organizations and deliver safe testing methods to protect patient safety and validate that security patching is working as designed. We also offer a ransomware-specific assessment service called the Ransomware Defensive Posture Assessment which includes a deep dive assessment into your organization’s ransomware-specific defenses. 

Leverage the following resources to learn more about effective patch management and validation processes including ethical hacking models: 

Contact us to learn more about how we can help your organization halt hacks against your enterprise via routine ethical hacking tests.

We will launch the second part of this blog series in the near future to summarize the second of NIST’s new patch management standards: NIST SP 1800-31: Improving Enterprise Patching for General IT Systems | Utilizing Existing Tools and Performing Processes in Better Ways.
