There is a further complication. When organizations test patches in their own environments, they often find that the patch breaks custom-developed software or other applications they depend on. Once that is identified, the problem must be diagnosed, remediated, tested and then migrated into the production environment. All of that takes time, and we are not talking minutes or hours but days, weeks, months and possibly even years.
The big question is, do we have that time? Could someone exploit a disclosed vulnerability, one in software that is commonly used in medical devices and systems, due to the inherent delays of updating and revalidating the software? The answer is yes.
Until a patch can be safely applied, with a high degree of confidence that the device or system will keep operating correctly, additional compensating measures must be in place to protect the integrity of these systems. That, surely, is what DHS was referring to when it called for a "robust security program."
Software bugs and security vulnerabilities are inevitable. Missing patches and updates are a reality -- and one that has implications far beyond the healthcare industry. Organizations across many industries are now struggling with vulnerability management and the problem of patching specialized devices in the face of increasingly sophisticated cyber attacks.
Interestingly, I could not find any guidance from the Occupational Safety and Health Administration (OSHA) addressing software safety risks for industrial SCADA (supervisory control and data acquisition) systems, but it is likely that such guidance will arrive very soon.
Similarly, the National Highway Traffic Safety Administration (NHTSA) will probably have to weigh in on software vulnerabilities in vehicles, especially after Richard Clarke's recent comments. The former U.S. national coordinator for security, infrastructure protection and counter-terrorism said that university researchers have now shown "it's relatively easy to hack your way into the control system of a car."
There are those skeptics who believe this is not really an issue and that current cybersecurity experts are up to the challenge of addressing these problems. I would suggest that they read "The Seven Deadly Myths of Software Security."
What many also don't see coming is the growing legal exposure executives face from cyber attacks. While researching this article, I had a couple of discussions with lawyers. What started out as a product liability conversation turned into a discussion of civil negligence claims, and then of something more serious: could a manufacturer, CIO or CISO be charged with criminal negligence for failing to apply patches and properly secure and maintain their systems, if a cyber attack exploiting those failures results in the death of one or more individuals?
That is one hell of a question and a glimpse of what lies ahead for those who don't take the new world of cyber threats seriously.