Poor Patching Cadence Correlated To Healthcare Ransomware Risk

Recent Bitsight research shows healthcare organizations that display poor patching cadence can be up to 7x more likely to experience ransomware. 

Ransomware attacks on Scripps Health in San Diego, Ireland’s national health service, and Waikato hospitals in New Zealand illustrate how disruptive ransomware attacks are for healthcare providers and patients. Key details about these attacks have not been disclosed, but the use of outdated and/or unpatched systems and devices is a long-time issue in the healthcare sector, according to cybersecurity news and analysis provider Threatpost.

With COVID numbers rising and colder weather around the corner in the northern hemisphere, mitigating risk associated with patching cadence should be considered a priority for healthcare organizations.

What We Learned

Bitsight analyzed hundreds of ransomware incidents over the last three years to identify common security performance gaps and challenges that lead to successful ransomware attacks. We found that patching cadence, or the elapsed time between patch availability and implementation, is a strong overall security program performance indicator. 

Bitsight measures patching cadence rate by examining the duration of high-confidence vulnerabilities observed on an organization's infrastructure. We process more than 250 billion security measurements on a daily basis to provide an objective security rating (using a 250-900 scale). Click here to learn more about how Bitsight Security Ratings are calculated.

To calculate the grades (A-F) associated with the Patching Cadence risk vector, Bitsight examines remediation time -- the speed with which an organization addresses vulnerabilities. We compute remediation time as the time from the first observation of the vulnerability’s presence until the last observation. Bitsight calculates an organization's Patching Cadence grade by averaging the time it takes to remediate vulnerabilities. We factor a vulnerability's Common Vulnerability Scoring System (CVSS) score into our calculation to reflect the criticality of certain critical vulnerabilities. 

Overall, nearly 70% of healthcare organizations received an “A” in patching cadence. That’s positive, however 30% of the healthcare sector is at heightened risk of ransomware due to poor patching cadence. Companies who scored a “B” are 4.4x more likely to experience ransomware and a “C” or lower means an organization is approximately 7x more likely to get hit. 

Mitigating Patching Cadence Risk

An exhaustive look at patch management practices is beyond the scope of this blog. However, it is generally recommended that patching is conducted on a monthly basis. For example, Microsoft recommends that Windows Server patching should be conducted monthly according to a set schedule, with the exception of zero day/out of band patches, which should be applied as soon as possible.

Patching is not without challenges. For example, application downtime can be hard to come by in today’s business computing climate. Additionally, patching can actually create problems. A testing environment that emulates your production environment can help avoid complications associated with patch deployment. A patch management tool or backup solution that enables you to easily revert to a point in time before a patch was applied is also critical. This ensures that you can quickly restore normal operations if patching does create an issue in your environment.

“Cyber threats are constantly changing and keeping systems up-to-date with the most recent patches is more critical than ever. Developing and implementing a repeatable and timely patch management strategy can reduce deployment issues, shrink the window of vulnerability, and enable organizations to meet patching cadence targets,” said Stephen Boyer, Co-Founder and CTO of Bitsight. “However, this is just the beginning; evaluating and improving patching activities over time is an important part of driving continuous improvement and reducing risk in your organization.”

Bitsight's inventory of externally visible vulnerabilities enables organizations to make informed decisions that improve security posture and reduce risk.