RE: Patch Management on Critical Servers (Healthcare)

-----Original Message-----
From: beinm@xxxxxxxxx [mailto:beinm@xxxxxxxxx]
Sent: Monday, May 08, 2006 9:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Patch Management on Critical Servers (Healthcare)


I'm just curious to hear how people in the field have been
handling patch management with critical servers. Have you
setup maintenance windows? If, so how did you manage the down
time? What have people been doing if the device or server has
an approved FDA configuration? Are you using thing like WSUS?

Since critical server patching should be done according to normal,
standard it best practices (test them and QA them first) I will address
the FDA validated systems.

You are in a catch22 (to, I guess 33)
#1, you can't modify a validated system in such a was as to it having
even the slightest possibility of change the results (this is especially
true for a 'medical device')

If the system 'a medical device' was provided by the manufacturer, get
all patches and updates from them.
(this is a dead end, mostly, they won't change them)

#2, you can't put anti-virus software on it (that could change results)

#3, you can't let a hacker change it either :-)

So, what to do?
If it is a FDA validated system, ask supplier to patch it. If they
won't, its usually due to the above rules.
Only option is to put them on isolated networks, vlans, separated by
their own firewalls or ACL's so that only the VERY LIMITED access is