The Importance of Setting Patching Priorities
Former CISO Mark Johnson on Critical Practices
Recent alerts from federal regulators about patching vulnerabilities in the Windows 10 operating system highlight the importance of strong, ongoing patch management practices for healthcare organizations, says former CISO Mark Johnson.
"If you don't patch ... whether it's related to [the recent Windows 10 alert] or the normal run-of-the-mill patches you see on an almost daily basis from the vendors, you fall behind and you put your patients and data ... at a greater risk," Johnson, of the consulting firm LBMC Information Security, says in an interview with Information Security Media Group.
On Wednesday, the Department of Health and Human Services distributed an "emergency directive" from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to mitigate critical vulnerabilities affecting Windows CryptoAPI and Windows Remote Desktop Protocol server and client (see: Why Patching Windows Is So Urgent in Healthcare Sector).
When it comes to having a strong vulnerability patch management program, it's important to quickly address critical, time-sensitive vulnerabilities, Johnson says.
"You can't just treat every single patch the same way," he says. "You have to look at it and the impact of your environment." The type of operating system vulnerabilities that are spotlighted in the recent warnings "are important, and everybody should be paying attention and following the mitigation path highlighted in the alert."
One key factor to keep in mind is "not every patch has the same impact," he says. "When it comes to something this ubiquitous like a Microsoft Windows 10 operating system patch, you need to look at that and get patching right away."
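As an added illustration of the triage Johnson describes (this is not code from the interview or from LBMC), here is a small risk-based patch prioritizer: severity, network exposure and how much of the fleet a component touches combine into a score, and a regulator's emergency directive, like the one above, forces the shortest remediation window regardless of that score. The findings, fleet size, weights and windows below are constructed sample values, not a real inventory.

```python
"""Risk-based patch triage: not every patch gets the same treatment."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str                  # component the patch fixes
    severity: float            # 0-10, e.g. the advisory's base score
    exposure: str              # "internet", "internal" or "isolated"
    affected_hosts: int        # hosts in the fleet running the component
    emergency_directive: bool  # named in a regulator/CISA directive

# Assumed weights: how reachable the component is from an attacker's vantage point
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.8, "isolated": 0.4}

def priority_score(f: Finding, fleet_size: int) -> float:
    """Higher is more urgent: severity scaled by exposure and ubiquity."""
    if fleet_size <= 0:
        raise ValueError("fleet_size must be positive")
    ubiquity = min(f.affected_hosts / fleet_size, 1.0)   # share of the fleet hit
    return round(f.severity * EXPOSURE_WEIGHT[f.exposure] * (0.5 + 0.5 * ubiquity), 2)

def remediation_window_days(f: Finding, score: float) -> int:
    """Assumed SLA buckets; a directive overrides the score entirely."""
    if f.emergency_directive or score >= 9.0:
        return 1
    if score >= 7.0:
        return 7
    if score >= 4.0:
        return 30
    return 90

def triage(findings, fleet_size):
    """Return (name, score, window_days), shortest window first, then highest score."""
    rows = []
    for f in findings:
        score = priority_score(f, fleet_size)
        rows.append((f.name, score, remediation_window_days(f, score)))
    return sorted(rows, key=lambda r: (r[2], -r[1]))

# Constructed sample queue for a hypothetical 1,000-host hospital fleet
FLEET_SIZE = 1000
SAMPLE_QUEUE = [
    Finding("Windows CryptoAPI (Windows 10)", 8.1, "internal", 950, True),
    Finding("Windows RDP server (internet-facing)", 9.8, "internet", 40, True),
    Finding("Browser update", 8.8, "internal", 1000, False),
    Finding("Imaging workstation vendor patch", 6.5, "isolated", 20, False),
]

if __name__ == "__main__":
    for name, score, days in triage(SAMPLE_QUEUE, FLEET_SIZE):
        print(f"{days:>3}d  {score:>5}  {name}")
```

The directive-flagged items land in the one-day bucket even though the fleet-wide browser patch scores higher on its own, which is the distinction Johnson draws between routine patches and a ubiquitous OS fix under an alert.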
In the interview, Johnson also discusses:
- Top security challenges involving legacy medical devices;
- Critical steps to bolster the cybersecurity of medical devices;
- Cyber threats facing the healthcare sector this year.
Johnson leads the healthcare security practice at consulting firm LBMC Information Security. He has over 27 years of information security experience. Previously, Johnson led KPMG's national healthcare industry cybersecurity services and was CISO at Vanderbilt University and Medical Center.