HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Microsoft and NCCoE Start Working on Guidelines for Implementing an Effective Enterprise Patch Management Strategy

A new project has been launched by Microsoft and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop guidance on developing and implementing an effective patch management strategy.

Following the (Not)Petya wiper attacks in 2017, Microsoft set out to understand why companies had failed to exercise basic cybersecurity hygiene and had not patched their systems, even though patches that would have protected against the attacks had been released months earlier.

Over the past 12 months, feedback has been sought from the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the Center for Internet Security on the risk of exploitation and patch management strategies. Microsoft has also sat down with customers to find out more about the challenges they face applying patches and to discover exactly why patching is often delayed and why in some cases patches are not applied.

These meetings revealed many companies were unsure about what they should be doing in terms of patch testing. In some cases, patch testing appeared to consist only of asking questions on online forums to see if anyone had experienced any problems with recently released patches. Many customers were unsure about how fast patches needed to be applied.

The meetings prompted Microsoft to form a partnership with NCCoE to develop an enterprise patch management strategy to help companies plan and implement an effective patching strategy. The aim of the initiative is to devise industry guidance and standards to help companies improve their patch management processes.

The project is just about to commence and will involve developing common patch management architectures and processes. Appropriate vendors will assist by building and validating implementation instructions in the NCCoE lab, and the project will ultimately result in a new NIST Special Publication 1800 practice guide on patch management.

An invitation has now been extended to vendors with technology offerings that can help with patch management, such as scanning, reporting, deployment, and risk measurement. Individuals and organizations willing to share patch management tips and tactics, and the lessons they have learned, are also welcome to participate.

Any vendor, organization, or individual that wishes to participate should contact the project team at [email protected]

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.