Every IT professional knows the importance of identifying and patching software vulnerabilities in applications and operating systems. Without doing this, we’re putting ourselves in danger of a vulnerability being exploited by a hacker to affect system confidentiality, integrity, or availability.

However, identifying software vulnerabilities and patching them is hard—so much so that many organizations are often not taking the time necessary to address it. As a result, it has become a point of emphasis in a recent OCR newsletter.

Below, we address some of the reasons vulnerability management is so challenging for cybersecurity professionals, as well as a few proven steps you can take to overcome those challenges and proactively implement the software patches you need to limit the risk to the confidentiality, integrity, and availability of your data.

What Makes Vulnerability Management So Difficult?

Here are a few common reasons we hear from across the industry regarding why vulnerability management is so difficult:

  1. Limited time and resources. In some cases, patching can be time-consuming and expensive for most companies. Almost every company I know struggles to find the time or manpower to test and apply the patches. Because cybersecurity professionals often have to fight for their budgets in the first place, it can be difficult to make the case for extra resources needed to ensure all your software vulnerabilities are addressed.
  2. The time to test patches. When possible, organizations should test patches on an isolated system to determine if there are any unforeseen or unwanted side effects. But, for most companies, testing patches before deployment is a luxury. Most businesses don’t have test environments to observe whether a patch will have a negative impact on production, and thus, they hesitate to patch, fearing that critical systems may be negatively impacted.
  3. They can’t scale easily. Due to the complexity of some systems, installing a patch or collection of patches can be a major undertaking. Many patches require that a system be rebooted, leading to downtime on systems with high requirements for availability. For larger companies, patching can be difficult because they don’t have the software tools to automate the process across the large numbers of endpoints and servers.
  4. Some systems can’t be patched. For healthcare, in particular, medical devices are often supported by the manufacturer and also regulated by the FDA. As such, companies are often forced to take a hands-off approach to this class of assets, leaving them exposed to attacks from malicious attackers.

Getting to the Root of the Problem

While these are the most common reasons we hear from cybersecurity professionals, there’s a more prominent reason. At the root of it, it seems like security and IT professionals have failed to do a key part of our job—articulating the risk and costs of not patching our systems.

If we truly want to overcome the challenges associated with patching and vulnerability management, we must make it a priority along with overall compliance. Here are a couple effective strategies we’ve seen for addressing the root issues of vulnerability management:

  1. Communicate that your vulnerability management supports your overall business objectives. What will it cost our business to recover from ransomware? What’s the likelihood we will be compromised due to unpatched systems? How might our patients be harmed if critical systems are compromised? How does a secure environment improve patient outcomes and thereby enhance the organization’s bottom line? These are the conversations we should be having with the executives and board members who are in control of the budget. When you’re able to connect the dots between vulnerability management and your larger business objectives, you’ll get a lot further in securing the resources you need to address patches.
  2. Be more proactive about holding software providers accountable. Not all vendors put their software through rigorous security testing. Some don’t test for security at all. As the end user, we must be more proactive about holding our vendors accountable for addressing specific vulnerabilities BEFORE an attack occurs. We should be the ones holding their feet to the fire for economic damages we suffer because they are not keeping their products up-to-date and protected against known vulnerabilities. Whether it’s in your contracts or business associate agreements, find ways to draw a line in the sand when it comes to the role providers play in patching and vulnerability management.

Ballast Will Help You Evaluate the Effectiveness of Your Data Protection Strategies

Vulnerability management and patching are just a couple of important security program processes that should be evaluated as part of your risk management program. Traditional manual approaches to evaluating your program can be time-consuming and ineffective. That’s why we designed BALLAST—to help you go beyond the traditional risk assessment practices. With BALLAST, you will be able to consider threats, vulnerabilities, likelihood, and impact. More importantly, you’ll know what actions are needed to mitigate them.

To learn more about how BALLAST can help eliminate the inefficiencies and confusion around assessing your security risks, including those related to patching and vulnerability management, connect with our team today.


Mark Fulford

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.