For a practical next step, review our private infrastructure services, browse the medical practice FAQ, and explore the full WhyNotDoc security blog.
On March 8, 2026, a Houston cardiology practice became the entry point for a ransomware attack that spread to three other medical facilities within 48 hours. The initial compromise? An unpatched infusion pump running firmware from 2019. The vulnerability had been publicly disclosed for over two years, with patches available from the manufacturer for 18 months. The practice's IT staff had never patched the device, assuming that medical equipment "just worked" and should not be touched. That assumption cost four practices a combined $2.7 million in recovery expenses.
Medical device patch management represents one of the most significant security gaps in healthcare organizations. The FDA reports that 53% of medical devices have known critical vulnerabilities, yet the majority of Texas medical practices have no systematic process for identifying, testing, and deploying medical device patches. This gap persists despite the April 2026 Texas HHSC directive specifically requiring medical device cybersecurity maintenance and the increasing frequency of device-based attacks.
Medical device patch management differs fundamentally from standard IT patching. Devices have unique characteristics that complicate maintenance:
Regulatory Constraints: Medical devices are FDA-regulated products. Modifications, including patches, may affect device safety and effectiveness. Manufacturers control patch distribution and may require specific installation procedures. A Dallas practice installed an unauthorized operating system patch on their imaging workstation, voiding their warranty and creating FDA compliance concerns.
Clinical Availability Requirements: Medical devices often operate continuously during patient care. Patching requires planned downtime that must be coordinated with clinical schedules. An Austin surgery center delayed patching their anesthesia machines for 14 months because available maintenance windows were limited and the patch required 4-hour downtime per device.
Interdependence and Integration: Medical devices frequently integrate with EHR systems, PACS networks, and other clinical infrastructure. Patches may affect these integrations, requiring testing before deployment. A San Antonio practice's PACS integration failed after a CT scanner patch changed network communication protocols, preventing image transmission for 6 hours.
Vendor Control and Visibility: Many medical devices run proprietary operating systems with limited administrative access. Practices cannot directly apply patches and must rely on vendor service visits or remote update capabilities. A Fort Worth practice discovered their ultrasound machines had received no security updates in 3 years because the vendor had not included their devices in the remote update program.
Legacy Device Proliferation: Medical equipment has long operational lifecycles, often 10-15 years or more. Older devices may run unsupported operating systems that no longer receive security patches. A Georgetown practice still operates Windows XP-based imaging equipment that cannot be patched for modern vulnerabilities.
A multi-location radiology practice in San Antonio experienced a breach in February 2026 that illustrates the consequences of inadequate medical device patching. The attack began with a vulnerability in their PACS network that had been patched by the manufacturer 11 months earlier.
Initial Compromise: Attackers exploited CVE-2024-21893, a known vulnerability in the practice's PACS server software. The vulnerability allowed remote code execution with administrative privileges. The manufacturer had released a patch in March 2025, but the practice had not applied it, unaware that their system was vulnerable.
Lateral Movement: From the compromised PACS server, attackers moved laterally to connected imaging modalities including CT scanners, MRI machines, and ultrasound equipment. Many of these devices had their own unpatched vulnerabilities that facilitated further compromise. The attackers established persistent access across the entire imaging infrastructure.
Dwell and Reconnaissance: The attackers remained undetected for 94 days, using their access to study the practice's operations, identify high-value data, and map connections to partner organizations. They captured credentials, identified backup systems, and prepared for data exfiltration and ransomware deployment.
Discovery and Response: The breach was discovered when unusual network traffic triggered an alert from a newly implemented monitoring system. Investigation revealed the extensive compromise and the unpatched vulnerability that enabled it. The practice faced notification requirements for 47,000 patients, OCR reporting obligations, and significant operational disruption while imaging systems were remediated.
Root Cause Analysis: Post-incident review identified multiple patch management failures. The practice had no inventory of medical device software versions. They had no process for monitoring vendor security advisories. Their IT staff assumed that the PACS vendor managed all patching remotely, which was not the case. No one was assigned responsibility for medical device patch management.
Medical device patch management is increasingly subject to regulatory requirements:
Texas HHSC Directive (April 2026): The Texas Health and Human Services Commission issued specific requirements for medical device cybersecurity maintenance. Covered entities must maintain current inventories of medical devices, monitor vendor security advisories, apply security patches within manufacturer-specified timeframes, and document patch management activities. The directive establishes specific timelines: critical patches within 30 days, high-severity patches within 60 days.
FDA Post-Market Guidance: The FDA's guidance on cybersecurity maintenance emphasizes that device manufacturers must provide patches for known vulnerabilities and that healthcare facilities must apply them. The guidance establishes shared responsibility between manufacturers and healthcare providers for maintaining device security.
Joint Commission Standards: The Joint Commission's information management standards require healthcare organizations to maintain medical device security, including patch management. Surveyors are increasingly examining device patching processes during accreditation reviews.
HIPAA Security Rule: While not specific to medical devices, the Security Rule's requirements for security management, information access management, and audit controls apply to medical device security. OCR has cited inadequate device patching in enforcement actions.
Effective medical device patch management requires systematic processes tailored to healthcare environments:
Comprehensive Device Inventory: Maintain accurate inventories of all medical devices including software versions, operating systems, network connections, and responsible vendors. Inventory should include both networked and standalone devices. A Houston practice discovered 23 medical devices they had not previously inventoried, including several with known critical vulnerabilities.
Vendor Relationship Management: Establish clear agreements with device vendors regarding patch notification, availability, and support. Document vendor contact information, service level agreements, and remote access capabilities. A Dallas practice includes patch management requirements in their device procurement contracts, ensuring vendor accountability.
Security Advisory Monitoring: Implement processes for monitoring vendor security advisories, FDA safety communications, and industry threat intelligence. Subscribe to manufacturer notification lists and security mailing lists. An Austin practice assigns specific staff to monitor advisories from their 12 primary device vendors, ensuring timely awareness of security updates.
Risk-Based Patch Prioritization: Prioritize patches based on vulnerability severity, device criticality, and exploit availability. Critical vulnerabilities on high-priority devices require immediate attention. Lower-priority patches may be scheduled during regular maintenance windows. A San Antonio practice uses a risk matrix that considers both CVSS scores and clinical impact to prioritize their patch queue.
Testing and Validation: Test patches in non-production environments when possible. Validate that patches do not affect device functionality or clinical integrations. Document testing procedures and results. A Fort Worth practice maintains a test network with representative devices that allows patch validation before production deployment.
Deployment Scheduling: Coordinate patch deployment with clinical operations to minimize patient care impact. Schedule during planned maintenance windows or low-activity periods. Maintain emergency patching capability for critical vulnerabilities requiring immediate remediation. A Georgetown practice schedules routine patching during their monthly maintenance window, with emergency procedures for critical security updates.
Legacy devices that cannot be patched require compensating controls:
Network Segmentation: Isolate legacy devices on dedicated network segments with strict access controls. Limit connections to only necessary systems and services. A Houston practice segments their Windows XP imaging equipment on an isolated VLAN with no internet access and controlled connections to their PACS network.
Enhanced Monitoring: Implement additional monitoring for legacy devices to detect anomalous activity that might indicate compromise. Monitor network traffic, system behavior, and access patterns. A Dallas practice deploys network monitoring specifically focused on their legacy devices, providing visibility that compensates for inability to patch.
Replacement Planning: Develop capital plans for replacing unsupported devices. Include security risk in replacement prioritization decisions. An Austin practice accelerated replacement of their oldest imaging equipment after a risk assessment identified unpatched vulnerabilities that could enable network compromise.
Vendor Engagement: Work with vendors to understand extended support options, including security patch availability for older devices. Some manufacturers offer extended support programs for critical equipment. A San Antonio practice negotiated extended security support for their primary imaging modalities, ensuring patch availability beyond standard support periods.
We assess your medical device patch management program and implement systematic processes that satisfy Texas HHSC requirements and reduce security risk. Our evaluations include device inventory, vendor management, advisory monitoring, and patch deployment procedures tailored to your practice operations.
Call 469-252-7016 or schedule online. We help Texas medical practices close critical device security gaps.