Nurse checking medical device for patient's data

Medical Device Cybersecurity Module 4: Patching with Precision

Asynchronous Icon

Duration

4 Hours

Curriculum Icon

Format

Blended Learning 
(Virtual + Self-paced)

Flexibility Icon

Certificate + CEUs

Earn Certificate of completion 
+ 0.4 CEUs

Strong Network Icon

Instructors

Matt Dimino and Toby Gouker
Experts, Practitioners, and Executive Leaders in Medical Device Security

Unlike traditional IT systems, medical devices often cannot be patched easily—or at all—due to regulatory constraints, vendor limitations, or operational risks. This short course provides practical strategies for evaluating patchability, prioritizing patching efforts, and how to effectively apply patches to medical devices. 

Patching medical devices is not as straightforward as it is with traditional IT systems. Many medical devices:
 

  • Run outdated operating systems (e.g., Windows XP, 7, or embedded Linux) no longer supported by vendors.
  • Require vendor validation before applying updates—sometimes taking months or years.
  • May be in constant use, leaving no safe downtime window for patching.
  • Are not visible to standard IT asset management tools, leading to incomplete inventories and missed vulnerabilities.

Register Today

What You'll Learn

Expand all

Inventory and Risk Prioritization

  • Use CMMS and tools to identify patchable vs. unpatchable devices.
  • Prioritize by CVSS + clinical criticality + network exposure 

Vendor Coordination and Maintenance Windows

  • Build relationships with vendors for timely validation.
  • Schedule safe patch windows with clinical input.
  • Maintain patch approval and exception logs.

Alternative Controls for Unpatchable Devices

  • Apply network segmentation, firewall rules, and virtual patching.
  • Use anomaly detection to monitor at-risk devices.
  • Document compensating controls for audits and compliance.

Policy and Governance Integration

  • Develop HTM + IT patch coordination playbooks.
  • Align with FDA postmarket guidance, NIST CSF and NIST SP 800-53 controls.
  • Implement patch governance metrics (e.g., % of devices patched within 90 days).

Communication and Documentation

  • Communicate patch plans to clinical leadership to manage expectations.
  • Document risk acceptance decisions and incident recovery protocols.

Key topics include:

  • Understanding medical device patching constraints
  • Discuss risk-based patching prioritization
  • Patchability assessment and lifecycle management
  • How to coordinate patch implementation
  • Identification of mitigation strategies for unpatchable devices
  • Discuss documentation best practices and compliance
  • Identification of metrics for continuous improvement

Participants will be able to:

  • Apply a risk-based approach to prioritizing patching efforts based on device exposure, clinical impact, and CVSS/KEV/EPSS scoring.
  • Coordinate safe and effective patching strategies between HTM/CE, IT, and InfoSec teams.
  • Document patching actions, exceptions, and risk acceptance for governance, risk, and compliance (GRC).
  • Aligning medical device security change control and change management with enterprise practices.
  • Support cybersecurity investment cases such as network segmentation.
  • Strengthen organizational cybersecurity posture while preserving patient safety and clinical uptime. 

Register Today

Questions?

Interested in learning more about this module or how it fits into your organization’s needs?

Start the Conversation