Re: Patch Management on Critical Servers (Healthcare)

There was an article written a while back about this, and the FDA stated that you did not have to wait for 'FDA approved' patches... that it was the vendor that was dragging their feet.

Push back on that vendor and kick their butts into not blocking you from patching. If they do, post their name(s) on

Michael Scheidell wrote:

-----Original Message-----
From: beinm@xxxxxxxxx [mailto:beinm@xxxxxxxxx] Sent: Monday, May 08, 2006 9:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Patch Management on Critical Servers (Healthcare)


I'm just curious to hear how people in the field have been handling patch management with critical servers. Have you set up maintenance windows? If so, how did you manage the downtime? What have people been doing if the device or server has an approved FDA configuration? Are you using things like WSUS?

Since critical server patching should be done according to normal,
standard IT best practices (test them and QA them first), I will address
the FDA validated systems.

You are in a catch-22 (or, I guess, 33)
#1, you can't modify a validated system in such a way that there is
even the slightest possibility of changing the results (this is especially
true for a 'medical device')

If the system (a medical device) was provided by the manufacturer, get
all patches and updates from them.
(This is a dead end, mostly; they won't change them.)

#2, you can't put anti-virus software on it (that could change results)

#3, you can't let a hacker change it either :-)

So, what to do?
If it is an FDA validated system, ask the supplier to patch it. If they
won't, it's usually due to the above rules.
The only option is to put them on isolated networks or VLANs, separated by
their own firewalls or ACLs, so that only the VERY LIMITED access is


Letting your vendors set your risk analysis these days?
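What "isolated VLAN, own firewall, only the very limited access" looks like in practice, as an added example that is not from the thread or from any of its posters: a deny-by-default nftables ruleset on the firewall that fronts the device VLAN. The VLAN interface name, the addresses, the DICOM port on the imaging server and the single management jump host are all assumptions for illustration; the real allowed flows are whatever the vendor's documentation says the device needs, and nothing more.

```nft
#!/usr/sbin/nft -f
# Added example, not the thread's own configuration. Assumed topology:
#   vlan10       isolated VLAN holding the unpatchable, FDA-validated devices
#   10.50.7.0/24 address space of that VLAN
#   10.20.1.15   imaging/PACS server the devices must send results to (DICOM, tcp/104)
#   10.10.0.53   internal NTP server
#   10.10.0.5    the one admin jump host allowed to reach the devices
# Everything else, in both directions, is dropped and logged.

define MEDDEV_VLAN = 10.50.7.0/24
define PACS_SERVER = 10.20.1.15
define NTP_SERVER  = 10.10.0.53
define MGMT_HOST   = 10.10.0.5

table inet meddev {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows permitted below; anything the tracker cannot classify is dropped
        ct state established,related accept
        ct state invalid drop

        # Device VLAN -> imaging server, on the single documented port only
        iifname "vlan10" ip saddr $MEDDEV_VLAN ip daddr $PACS_SERVER tcp dport 104 accept

        # Device VLAN -> internal NTP (no general outbound access, no Internet)
        iifname "vlan10" ip saddr $MEDDEV_VLAN ip daddr $NTP_SERVER udp dport 123 accept

        # Inbound to the device VLAN only from the admin jump host, for vendor-supported
        # remote service; note that nothing else on the LAN can open a connection in
        iifname != "vlan10" oifname "vlan10" ip saddr $MGMT_HOST ip daddr $MEDDEV_VLAN tcp dport { 22, 3389 } accept

        # Rate-limited log of whatever the policy is about to drop, so you can see
        # both probing of the devices and unexpected traffic originating from them
        limit rate 5/second log prefix "meddev-drop "
    }
}
```

Two points worth checking when you copy this shape: the devices get no default route to the Internet and no initiating access to the rest of the LAN, so a compromise of an unpatched box is contained to the flows listed, and the inbound rule names one source host rather than a subnet, so the management path is the only way in and is easy to audit. This limits exposure of a system you are not allowed to patch; it is not a substitute for the vendor-supplied patches the thread is asking for.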