The Office for Civil Rights (OCR) released guidance on Software Vulnerabilities and Patching in their June 2018 Cybersecurity Newsletter. The guidance, which can be accessed by clicking here, notes that electronic health record (EHR) vendors regularly release patches to fix breaches in security. However, these patches may introduce additional weaknesses in EHR systems. Therefore, the guidance outlines five steps for effective patch management, including:
- "Evaluation: Evaluate patches to determine if they apply to your software/systems.
- Patch Testing: When possible, test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
- Approval: Once patches have been evaluated and tested, approve them for deployment.
- Deployment: Following approval, patches can be scheduled to be installed on live or production systems.
- Verification and Testing: After deploying the patches, continue to test and audit systems to ensure that the patches were applied correctly and that there are no unforeseen side effects."