The healthcare sector has learned hard lessons over the years regarding the need for an efficient and appropriately resourced process for the application of software patches.
It was a failure to apply patches in a timely way that allowed the Wannacry ransomware to infect the UK healthcare sector in 2017. Outside the sector, it was also a failure to apply patches that resulted in a recent reprimand for the Electoral Commission, who did not have an appropriate patching regime, which led to vulnerabilities that were repeatedly exploited by an unknown third party. Failures in patch management can lead to security breaches, operational disruptions, and financial loss.
A rushed or faulty approach to software updates can itself be problematic. In July 2024, as part of regular operations, CrowdStrike released a content configuration update that resulted in a system crash. Approximately 8.5 million Windows devices worldwide were directly affected. The resulting “blue screen of death” caused myriad issues for the travel sector, safety systems including air traffic control, healthcare providers, the media and financial services providers.
Liabilities arise
Failures in the security of information may lead to complaints, questions from Members of Parliament, regulatory investigations and litigation. All bring with them the potential for reputational damage, which in turn takes up valuable internal management time and resources.
Any loss of patient or staff data may trigger claims for breach of confidence, breach of data subject rights, or misuse of personal information. The issue is particularly acute in the healthcare sector, as issues arising from systems errors and breaches may be more likely to impact on a patient’s care pathway – causing delays which, in some cases, could be life-altering. As such, claims relating to data issues may be only a small part of the greater whole.
Outdated or inadequately patched systems may be lost to ransomware. An inability by healthcare providers (or their subcontractors) to supply promised services creates fertile ground for claims in contract, negligence, breach of statutory duty and the like.
Vulnerabilities in systems may also allow the theft of commercially sensitive information – potentially placing it in the hands of competitors and removing the ability of innovators and their employers to maximise their returns on technological and health advances.
Effective patch management
Patch management is a key part of information security compliance, both as regards personal data and more widely.
Effective patch management involves:
- Inventory: Keeping an up-to-date inventory of all hardware and software to enable IT teams to ensure that no systems are overlooked.
- Prioritising: Risk attaching to vulnerabilities, and the potential impact of the vulnerability being exploited, should guide prioritisation.
- Scheduling: Patching may require system downtime, so patching must be allocated to maintenance windows to reduce disruption for day-to-day operations.
- Testing: Before deploying patches across an entire network, it’s essential to test them in a controlled environment. Failure to do so may result in unexpected consequences.
- Documentation: Records should be sufficient to fulfil accountability obligations and to enable future IT engineers to trace through changes to the systems.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.