HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NCCoE Releases Final Guidance on Effective Enterprise Patch Management

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems.

Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation.

“Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.”

While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’ business and mission owners. Despite vulnerabilities being regularly exploited by threat actors, many organizations either cannot or do not adequately patch. One of the main issues is the sheer number of patches and software/firmware upgrades that need to be performed and the time it takes to fully test patches before deployment and apply those patches across the entire organization. Many organizations also struggle with the prioritization of patching and fail to ensure that the most serious vulnerabilities are patched first.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

NCCoE worked closely with cybersecurity technology providers to develop guidance – Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (SP-800-40) and Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (SP-1800-31) – to help enterprises with patch management planning and implementation. The guidance documents discuss the challenges organizations need to overcome with patch management and recommend a strategy that can be adapted to simplify and operationalize patching to improve the reduction of risk.

By following the patch management guidance, organizations can ensure effective preventive maintenance to reduce the risk of data breaches, disruption to business processes, and other adverse security events.

Image Source: J. Stoughton/NIST

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.