
Why a gap in patching is a breach risk

The patching gap is the time between the discovery (or patch release) of a vulnerability and its fix in a live healthcare system. Clarke and Martin (2024) note that "outdated monitoring devices [are] being linked to networks with little support to patch security flaws." In other words, many medical devices and older systems are poorly maintained, leaving known flaws open.

In 2025, 74% of healthcare organizations that reported email-based breaches had no DMARC record or had their DMARC policy set to none, leaving them exposed to unauthenticated email, according to Paubox’s 2026 Healthcare Email Security Report. Every day a known flaw stays open adds exposure. For example, "An unpatched Windows vulnerability or medical device software bug that has [electronic protected health information] ePHI is a clear invitation to attackers."
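The two weak postures the report counts, no DMARC record at all and a record published with p=none, can be checked mechanically. The following is an added example, not code from Paubox or the report: it parses DMARC TXT records into a verdict and also flags partial enforcement (pct below 100, sp=none, no rua reporting address), which goes slightly beyond the report's two categories. The domains and records are constructed placeholders; a real assessment would feed in the TXT record fetched from each domain's `_dmarc` name.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example (not from the Paubox report). The records below are
constructed for illustration; the parser follows the DMARC tag syntax
(v=, p=, sp=, pct=, rua=) and flags the weak postures the report
counts: no record at all, or a record whose policy is p=none.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DmarcPosture:
    present: bool                 # a _dmarc TXT record exists
    policy: Optional[str]         # "none", "quarantine", "reject", or None if unusable
    enforcing: bool               # receivers will actually quarantine/reject failing mail
    findings: list = field(default_factory=list)


def parse_dmarc_record(record: Optional[str]) -> DmarcPosture:
    """Turn the raw TXT string (or None when absent) into a posture verdict."""
    if record is None:
        return DmarcPosture(False, None, False, ["no _dmarc TXT record published"])

    # DMARC records are ';'-separated tag=value pairs; tag names are case-insensitive.
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return DmarcPosture(True, None, False, [f"malformed tag {part!r}; record is unusable"])
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    if tags.get("v", "").upper() != "DMARC1":
        return DmarcPosture(True, None, False,
                            ["missing or invalid v=DMARC1 tag; receivers ignore the record"])

    findings = []
    policy = tags.get("p", "none").lower()
    if "p" not in tags:
        findings.append("p= tag missing; treated as p=none")
    if policy not in ("none", "quarantine", "reject"):
        return DmarcPosture(True, None, False, [f"invalid policy p={policy!r}; record is unusable"])

    # pct= limits how much failing mail the policy is applied to (default 100).
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("invalid pct= value")
    subdomain_policy = tags.get("sp", policy).lower()

    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are not protected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return DmarcPosture(True, policy, enforcing, findings)


# Constructed sample records (placeholder domains): domain -> TXT record, or None if absent.
SAMPLE_RECORDS = {
    "clinic-a.example": None,
    "clinic-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example",
    "clinic-c.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@clinic-c.example",
    "clinic-d.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@clinic-d.example",
}


def exposed_domains(records):
    """Domains the report's definition counts as exposed: no record, or p=none."""
    return sorted(d for d, r in records.items()
                  if not parse_dmarc_record(r).present or parse_dmarc_record(r).policy == "none")


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        posture = parse_dmarc_record(record)
        state = "enforcing" if posture.enforcing else "NOT enforcing"
        print(f"{domain:18} p={posture.policy!s:10} {state:14} {posture.findings}")
    print("exposed per report definition:", exposed_domains(SAMPLE_RECORDS))
```

The `enforcing` flag is stricter than the report's two categories: a quarantine policy at pct=50 is published but only half-applied, and a reject policy with sp=none still leaves subdomains open for spoofing. Both show up in `findings` so the review can schedule them after the domains with no record or p=none.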

 

When patch failures become breach pathways

Vulnerabilities become pathways to PHI when teams don’t patch fast enough. Systems that are not patched, such as electronic health record (EHR) servers, network equipment and remote-access tools, are vulnerable to remote compromise. An internet-facing portal with a missing update or an old VPN appliance gives an attacker a foot in the door. Insider error makes it worse: Yeo & Banfield (2022) found that "382 incidents, or 26 percent of all human factor–based breaches, were caused by an insider’s carelessness, negligence, or apathy."

Patching failures often appear alongside human error or misconfigurations (e.g., default passwords, misrouted email) that provide avenues for breaches. Under OCR guidance for healthcare, an uncorrected software flaw is also a compliance issue. Legacy systems are at particular risk because they were never designed to be updated quickly.

 

Why prioritization is more effective than perfect patching

Healthcare organizations have thousands of vulnerabilities and limited staff time, so a risk-based approach is needed. A 100% patched target is simply not feasible. Prioritize fixes by risk to continuity of care, patient data, and exploitability, rather than by date of discovery. According to Clarke and Martin, leaders need to create a culture in which "leaders encourage all employees, including IT professionals and clinicians, to make cybersecurity a priority."

Focus first on the most critical vulnerabilities, such as those on CISA’s Known Exploited Vulnerabilities list or flaws in systems that handle PHI or face the internet, then work through lower-risk updates. Begin with the areas most likely to be exploited (identity systems, remote access, and medical devices). Prioritization ensures lean security teams spend their time on the patches that matter.
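The ordering rule above (exploitability, exposure and PHI handling outrank the date a flaw was found) can be made explicit as a scoring function over the vulnerability inventory. The following is an added example, not the article's or Paubox's own tooling: the weights, the SLA bands and the sample findings are constructed assumptions, and the identifiers are placeholders rather than real CVEs. It goes one step beyond the paragraph by also listing patches that are past their window with no documented compensating control, which is the gap the rest of the article says must never be left undocumented.

```python
"""Risk-based patch prioritization for a healthcare vulnerability inventory.

Added example, not the article's own tooling. Scoring weights, SLA
thresholds and the sample findings are constructed assumptions; the
ordering rule mirrors the text: exploitability (CISA KEV), internet
exposure and PHI handling outrank the date a flaw was found.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Finding:
    asset: str
    vuln_id: str                   # placeholder identifier, not a real CVE
    cvss: float                    # base score 0-10
    in_kev: bool                   # listed in CISA Known Exploited Vulnerabilities
    internet_facing: bool
    handles_phi: bool
    asset_class: str               # "identity", "remote_access", "medical_device" or "other"
    discovered: date
    mitigation_plan: Optional[str] = None   # documented compensating control, if patching is blocked


# Asset classes the article names as most likely to be exploited.
HIGH_VALUE_CLASSES = {"identity", "remote_access", "medical_device"}


def risk_score(f: Finding) -> float:
    """CVSS plus additive weights (assumed values) for the factors that should drive order."""
    score = f.cvss
    if f.in_kev:
        score += 4.0   # actively exploited in the wild
    if f.internet_facing:
        score += 3.0   # reachable without an existing foothold
    if f.handles_phi:
        score += 2.0   # a breach would expose patient data
    if f.asset_class in HIGH_VALUE_CLASSES:
        score += 1.0
    return score


def patch_sla_days(score: float) -> int:
    """Assumed remediation windows by score band."""
    if score >= 15.0:
        return 7
    if score >= 10.0:
        return 30
    return 90


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, regardless of discovery date."""
    return sorted(findings, key=risk_score, reverse=True)


def overdue_without_mitigation(findings: List[Finding], today: date) -> List[Finding]:
    """Late patches with no documented compensating control: the gaps to escalate."""
    late = []
    for f in prioritize(findings):
        due = f.discovered + timedelta(days=patch_sla_days(risk_score(f)))
        if today > due and not f.mitigation_plan:
            late.append(f)
    return late


# Constructed sample inventory, deliberately listed in discovery order rather than risk order.
SAMPLE_FINDINGS = [
    Finding("infusion-pump-14", "VULN-0001", 6.5, False, False, True, "medical_device",
            date(2025, 12, 1), mitigation_plan="isolated on clinical VLAN, IDS monitoring"),
    Finding("ehr-db-02", "VULN-0002", 9.8, False, False, True, "other", date(2026, 1, 5)),
    Finding("vpn-edge-01", "VULN-0003", 7.5, True, True, False, "remote_access", date(2026, 2, 20)),
    Finding("ws-radiology-07", "VULN-0004", 8.8, True, False, False, "other", date(2026, 3, 1)),
]
REVIEW_DATE = date(2026, 3, 10)   # constructed "today" for the review


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"{s:5.1f}  SLA {patch_sla_days(s):>2}d  {f.asset:18} {f.vuln_id}")
    print("overdue without mitigation:",
          [f.asset for f in overdue_without_mitigation(SAMPLE_FINDINGS, REVIEW_DATE)])
```

Run as-is, the VPN appliance with a KEV-listed flaw comes out on top even though it was found after the higher-CVSS EHR database, and the infusion pump drops off the escalation list despite being the oldest finding because a compensating control is on record. The weights are the part to tune locally; the structure (score, window, documented mitigation or escalate) is what turns the paragraph into a repeatable review.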

 

What to do when a patch cannot be applied

Sometimes patches can't be applied right away, so compensating controls should mitigate the risk in the meantime. These include network segmentation (isolating the vulnerable device), application whitelisting, disabling the affected service, or adding intrusion detection on that system. Clarke and Martin also tie security awareness to the "fact that most healthcare breaches are caused by mistakes made by people or people who work for the company."

If you can’t patch, tighten policies and monitoring instead. For example, lock down user privileges, require multi-factor authentication for access to the unpatched asset, and increase logging on it. Disabling vulnerable functions, tightening firewall rules and similar measures are acceptable compensating controls. Periodic risk reviews should then confirm that the vulnerability is actually closed once a patch or an upgrade path becomes available.

 

What we learned from the Verizon Data Breach Investigations Report (DBIR)

"Cybersecurity attacks have increased in the healthcare industry," Clarke says. The 2026 Data Breach Investigations Report shows a clear shift in how breaches get started. Attackers are also reaching known software vulnerabilities faster than before, especially where organizations leave systems exposed through long patching windows. Ransomware was involved in 48% of breaches, up from 44% the previous year, according to reporting on the 2026 DBIR.

A missed patch is not a silent technology delay waiting in an IT queue. It can be the first step of an extortion event, data breach, system outage or care disruption. Attackers still phish for credentials, and stolen logins remain a problem, particularly in healthcare environments with remote access, cloud systems and vendor connections.

The DBIR states that exploiting vulnerabilities has become a prime entry point in its own right. Healthcare organizations need to treat patching as breach prevention: every exposed system has an owner, every vulnerability has a risk rating, and every late patch has a documented mitigation plan.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

Who is responsible for software patching?

Responsibility generally spans IT, security, operations, vendors, and business owners. Each group needs defined responsibilities, because patching frequently touches systems in several departments.

 

How does vendor management work for patching?

Vendors may supply software, cloud tools, devices or business associate systems. Organizations need to understand how each vendor responds to vulnerabilities, including its patching timelines, breach notifications, and support for legacy products.

 

What happens when software is no longer supported?

Security updates for unsupported software stop. That is a long-term risk, since newly found vulnerabilities could be left open indefinitely.
