Poor Patching Practices in Healthcare Revealed in Ponemon Institute Study

by | Apr 9, 2018

A recent survey carried out by the Ponemon Institute for ServiceNow has revealed that healthcare and pharmaceutical companies are not keeping up to date with patching. Vulnerabilities are not being patched quickly, leaving organizations susceptible to attack.

The survey was sent to 3,000 security professionals at organizations with more than 1,000 staff members across a broad range of industry sectors and countries. The findings were published in the report Today’s State of Vulnerability Response: Patch Work Demands Attention.

The report showed that 57% of respondents had suffered at least one data breach in which access to the network was gained by exploiting a vulnerability for which a patch had already been issued. A third of respondents said they were aware that the vulnerability existed and that a patch was available before the breach. More worrying, two thirds of organizations did not know they were susceptible to attack.

Even though there is a major risk of vulnerabilities being exploited, 37% of respondents said they do not scan for vulnerabilities and therefore cannot be sure all vulnerabilities are identified and addressed. The healthcare and pharmaceutical sectors were slightly better than average, although 28% of IT security professionals from those industries said vulnerability scanning was not performed.

65% of cybersecurity professionals said they find it difficult to prioritize patching and determine which software should be patched first. 61% said manual processes put them at a disadvantage when patching vulnerabilities, and an average of 12 days was being lost coordinating patching activities across teams.

More than three quarters of IT security professionals felt the delay in patching vulnerabilities was due to a lack of qualified staff: they simply did not have enough people to keep on top of patching. On average, 321 hours a week are being spent on vulnerability management, yet medium and low priority patches are still taking eight weeks or longer to be installed.

60% of respondents said they would be hiring more staff in the next year to help speed up the patching of flaws. On average, organizations are looking to employ four new employees solely for vulnerability response.

Deciding to bring in more staff is one thing; recruiting them is another. There is a shortage of skilled IT security staff and the problem is getting worse. According to a recent survey carried out by the advocacy group ISACA, by 2019 there will be 2 million vacant cybersecurity positions.

Even if staff can be hired, there is no guarantee that security posture will be significantly improved. While more staff could certainly help some companies, the report points to a patching paradox: hiring more staff does not in itself mean better security.

ServiceNow Security and Risk Vice President and General Manager Sean Convery said: “Adding more talent alone won’t address the core issue plaguing today’s security teams. Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

The Ponemon Institute/ServiceNow study offers five recommendations that can help organizations develop a roadmap to an improved security posture:

  • Take an unbiased inventory of vulnerability response capabilities.
  • Accelerate time-to-benefit by addressing low-hanging fruit first.
  • Break down data barriers between security and IT to regain the time lost coordinating between the two.
  • Define and prioritize end-to-end vulnerability response processes, then automate as much as is reasonable.
  • Retain talent by focusing on culture and work environment.
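The fourth recommendation, prioritizing and automating the vulnerability response process, is the one that most directly addresses the two headline findings above: breaches through flaws that already had a patch, and medium/low priority patches waiting eight weeks or more. The following Python script is an added illustration of what a minimal automated triage step looks like; it is not code from the Ponemon/ServiceNow report or from ServiceNow's products. The asset names, vulnerability identifiers (VULN-000x placeholders, not real CVEs) and the SLA thresholds are all constructed assumptions; the 56-day P3 threshold simply mirrors the report's eight-week figure so that the same kind of lag shows up as overdue.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed SLA in days from patch release to deployment, per priority tier.
# These thresholds are example assumptions, not figures from the report.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 56}


@dataclass
class Finding:
    asset: str
    vuln_id: str                     # constructed placeholder, not a real CVE id
    cvss: float
    patch_available: bool
    patch_released: Optional[date]   # None when no vendor patch exists yet
    exploited_in_wild: bool          # e.g. from a known-exploited list
    internet_facing: bool


def priority(f: Finding) -> str:
    """Assign a tier. A flaw that is already exploited in the wild and has a
    patch goes first regardless of its CVSS score; that is exactly the class of
    vulnerability behind the breaches the survey describes."""
    if not f.patch_available:
        return "P4"  # nothing to deploy yet; track compensating controls separately
    if f.exploited_in_wild or (f.cvss >= 9.0 and f.internet_facing):
        return "P1"
    if f.cvss >= 7.0:
        return "P2"
    return "P3"


def days_outstanding(f: Finding, today: date) -> Optional[int]:
    """Days the patch has been available but not applied."""
    if f.patch_released is None:
        return None
    return (today - f.patch_released).days


def build_queue(findings: List[Finding], today: date) -> List[dict]:
    """Return a work queue sorted by tier, oldest patch first within a tier,
    with each row flagged overdue if it has exceeded its tier's SLA."""
    rows = []
    for f in findings:
        tier = priority(f)
        age = days_outstanding(f, today)
        overdue = age is not None and tier in SLA_DAYS and age > SLA_DAYS[tier]
        rows.append({"asset": f.asset, "vuln_id": f.vuln_id, "tier": tier,
                     "age_days": age, "overdue": overdue})
    rows.sort(key=lambda r: (r["tier"], -(r["age_days"] or 0)))
    return rows


def overdue_count(queue: List[dict]) -> int:
    return sum(1 for r in queue if r["overdue"])


# Constructed sample inventory, as a scanner export might look after enrichment.
SAMPLE_FINDINGS = [
    Finding("srv-web-01", "VULN-0001", 7.5, True, date(2018, 1, 15), True, True),
    Finding("ws-finance-07", "VULN-0002", 9.8, True, date(2018, 4, 3), False, False),
    Finding("db-ehr-02", "VULN-0003", 5.3, True, date(2018, 1, 30), False, False),
    Finding("srv-lab-03", "VULN-0004", 8.1, False, None, False, False),
]
REPORT_DATE = date(2018, 4, 9)


if __name__ == "__main__":
    for row in build_queue(SAMPLE_FINDINGS, REPORT_DATE):
        print(row)
```

Run as-is, the queue puts the exploited-in-the-wild flaw on the internet-facing web server at the top (84 days outstanding, overdue), the high-CVSS but freshly patched workstation flaw second (6 days, within SLA), and the medium-severity database flaw third, already overdue at 69 days, which is the eight-week-plus lag the report measures. In practice the enrichment inputs (exploitation status, exposure) would come from the scanner and asset inventory rather than being hand-entered, which is the data-sharing point of the third recommendation.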

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
