We Need To Cure Healthcare’s Patching Allergy

Updated on February 24, 2026

Poor patching is only becoming a bigger problem in healthcare technology. Case in point: exploited software vulnerabilities now account for more ransomware attacks than compromised credentials. Known security gaps caused 40% of attacks last year and, unfortunately, the sector itself is largely to blame.

Why? Because healthcare continues to treat patching as riskier than not patching. Ecosystem admins are quick to point out that hospital devices are older, require uptime, and sometimes struggle during rollbacks. But these patching roadblocks overlook the fact that known vulnerabilities are increasingly leading to unauthorized access, data loss, and ransom demands. And, ultimately, with successful ransomware threatening service delivery and even cancelling surgeries, it’s the most important stakeholder that bears the brunt: patients.

This attack vector is in hacker crosshairs and automated vulnerability detection only makes future attempts more likely. Going forward, healthcare must recognize that poor patching only leads to more ransomware and take steps to overcome its allergy.

The sorry state of healthcare software

Don’t get me wrong – there are certainly patching complications in healthcare. For starters, each hospital bed supports 10 to 15 connected devices with hardware often designed to last for decades. The flip side is that software cycles are far shorter and require constant vigilance to keep up to date. This is no mean feat, of course, when devices are nearly always in use across hundreds of individual beds.

We’re talking about devices that support and enhance patient care and, understandably, there’s concern about what happens when patches go wrong. Unlike updating a smartphone or laptop, where a failed update is merely inconvenient, a bad patch in healthcare could disable patient monitoring systems or lock clinicians out of critical records. This creates tension: admins know they should patch but the risk of compatibility issues with tightly integrated workflows makes them think twice.

Compounding the issue is that many healthcare organizations lack unified endpoint visibility and streamlined rollback capabilities. Without confidence that they can quickly reverse a problematic update, teams sometimes stick with outdated but stable systems rather than risk uncertainty. This thinking, however, ignores that while a bad patch can cause temporary disruption, unpatched vulnerabilities are an open invitation to attackers who scan networks 24/7 searching for exactly these weaknesses.

Three ways to fix the patching aversion

The good news? There are ways around each of the above bottlenecks and the benefits of keeping endpoints up to date far outweigh the perceived risks.

First, adopt a phased strategy. Testing patches on non-critical systems before rolling out to mission-critical devices is a good way to iron out any technical kinks. By deploying to 5-10% of endpoints and monitoring for 48 hours before expanding, admins get a software safety net.

Second, gain a better overview of the ecosystem. It’s impossible to patch what you can’t see and – between BYOD policies, shadow IT, and contractor equipment – admins have significant blind spots. Unified endpoint management is helpful as it centralizes visibility and provides real-time patch status. Admins can then automate rollout (ideal for the early hours of the morning when things are quiet) and attain a complete map of the attack surface.

Third, segment whatever can’t be updated. Some endpoints are too old or lack vendor support but remain vital to patient care. In these cases, isolate them on their own network with zero-trust access so that attackers can’t pivot to other critical infrastructure in the event of a hack. This buys time while organizations develop a longer-term lifecycle replacement plan.
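To make the three steps concrete, here is an added Python example (not code from the article or from Hexnode) that plans a canary cohort of 10% of patchable endpoints starting with non-critical devices, gates expansion on a 48-hour failure-free monitoring window, and flags devices without vendor support for network segmentation. The inventory, device names and the 10% figure are constructed assumptions for the demo.

```python
"""Phased patch rollout planner (added example, not from the article or Hexnode)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

CANARY_FRACTION = 0.10            # deploy to 5-10% of endpoints first
MONITOR_WINDOW = timedelta(hours=48)  # watch the canary cohort for 48 hours


@dataclass
class Endpoint:
    name: str
    role: str              # e.g. "workstation", "patient_monitor"
    critical: bool         # directly supports patient care
    vendor_supported: bool # False means it can only be segmented, not patched
    patched: bool = False
    failed: bool = False   # set by monitoring if the patch broke the device


def plan_rollout(inventory):
    """Return (segment, canary, remainder) from a unified inventory."""
    segment = [e for e in inventory if not e.vendor_supported]
    patchable = [e for e in inventory if e.vendor_supported and not e.patched]
    ordered = sorted(patchable, key=lambda e: e.critical)  # non-critical first
    n = max(1, int(len(patchable) * CANARY_FRACTION))
    return segment, ordered[:n], ordered[n:]


def may_expand(canary, started_at, now):
    """Gate: expand only after 48h with no failures; otherwise roll back."""
    if now - started_at < MONITOR_WINDOW:
        return False, "monitoring window not elapsed"
    failed = [e.name for e in canary if e.failed]
    if failed:
        return False, f"rollback needed, failures on {failed}"
    return True, "ok"


def sample_inventory():
    """Constructed inventory: 2 unsupported legacy devices, 20 patchable."""
    devices = [Endpoint("legacy-ct-01", "ct_scanner", True, vendor_supported=False),
               Endpoint("legacy-xray-02", "xray", True, vendor_supported=False)]
    devices += [Endpoint(f"ws-{i:02d}", "workstation", False, True) for i in range(14)]
    devices += [Endpoint(f"monitor-{i:02d}", "patient_monitor", True, True) for i in range(6)]
    return devices


if __name__ == "__main__":
    seg, canary, rest = plan_rollout(sample_inventory())
    print("segment:", [e.name for e in seg], "canary:", [e.name for e in canary], "rest:", len(rest))
```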

What happens next is up to us

Beyond the technology, there’s also a pervasive anti-patch culture that healthcare needs to change. Yes, there are roadblocks, but there are also readily available solutions. Organizations that succeed will both modernize their technical approach and educate staff on why patching matters, ensuring the culture moves with the infrastructure.

Right now, clinical teams often resist downtime for “IT maintenance” because of patient care pressures. However, regular training that connects patching to patient safety, regulatory compliance, and ransomware prevention helps bridge that gap.

The path forward requires investment in the right tools, processes, and mindset. With that combination, healthcare can cure its patching allergy once and for all.

Apu Pavithran
Founder and CEO at Hexnode

Apu Pavithran is the founder and CEO of Hexnode, an industry-leading endpoint management solution that provides a comprehensive set of features to secure, manage, and remotely monitor devices across the enterprise. Apu’s a recognized consultant, speaker, and thought leader in the IT management community with a focus on governance and information security.