My personal laptop, a Mac, used to function just fine, thank you. I understood its behavior. I knew where to find things. It was dependable. It was comforting.
I recently received yet another notice that my operating system required an update. Some of the update related to functionality bugs, but some of it related to security. I had to make a decision. Should I patch the system now in order to keep up with the latest threats? Or, should I put it off until later?
On one hand, I do not want my system vulnerable to viruses, worms, ransomware and the like, so it would be a good thing to patch it. On the other hand, every time I patch the system, it seems I have to accept some unpredictable tradeoff in performance or functionality. If I had a third hand, it would represent the fact that I tell people every day to patch their systems and keep them up to date, and I risk hypocrisy for not following my own advice.
I knew at the same time, however, that with each iteration of its operating system, my failure to upgrade put me in a deeper hole. Finally, my level of risk hit some critical point of discomfort that I had subconsciously created, and I upgraded.
Before the upgrade, my laptop would shut down in four seconds, regardless of how much memory I had used over the course of that work session. With the new, “better” operating system, it now takes, on a fast day, about 15 seconds. That is still livable compared with my Windows machine, which seems like it wants to exchange long, tearful goodbyes with every bit and byte it had encountered that day before sadly shutting down. On a slow day, my new and improved Mac can take a minute to shut down. And almost every day, I find the spinning beach ball visits my screen at one time or another.
Despite these performance issues, it is supposedly “better and safer” than before. While I cannot see or experience the “better and safer,” I do see and experience the performance hit.
These are tiny, personal examples of why upgrading is such a challenge for the healthcare industry. When you have dozens of servers, routers, PCs, applications and a thousand other devices interconnected, is it any wonder that some organizations (okay, many) can’t keep up with all the patching? Whether your enterprise is home to one server or a thousand, you must determine the amount of risk you’re willing to take.
When the WannaCry ransomware broke, it targeted Windows Server 2003, Windows 8 and Windows XP. Yes, XP is still out there. It’s hard to believe 2003 was 14 years ago already. Yet, security researchers estimate around 300,000 devices compromised by this worm.
In reality, when doing a risk assessment, the amount of acceptable risk shouldn’t be about our personal limits. In healthcare, the focus, and our risk-determining drivers, should be about the people who must trust our systems with data over which they have little control. Their expectations are high, and their lives depend on us. In perspective, the inconvenience to us is a small one compared to the potential loss of trust in our organization, or the life of those who trust us.
And so, we must backup obsessively. We must patch our systems. We must educate each other about the risks and the threats, as well as how to reduce the impact, of compromised systems.
Meanwhile, I will try to keep things in perspective. The annoyance of continued system updates is minor compared to what could happen. In this game, the one that is last-to-patch is usually the one who loses.