Meta: Unpatched software is the second most exploited attack vector in healthcare. Here is how home health agencies implement automated patch management without disrupting care workflows.
In the conversations I have with home health administrators about cybersecurity, patch management almost never comes up. Ransomware comes up. Phishing comes up. Cyber insurance comes up. The practice of ensuring that every operating system, application, and firmware version across your device fleet is current with security updates — a practice that would have prevented the majority of ransomware incidents I have worked through over the past decade — rarely makes the agenda.
This oversight is understandable. Patch management is unglamorous. It does not generate dashboards that show threats blocked or incidents detected. It is a maintenance function that works by preventing things from happening — and prevention is always harder to see than response. But the data is unambiguous: unpatched software vulnerabilities are the initial access vector in approximately 30% of healthcare ransomware incidents, making them the second most common entry point behind phishing email. A home health agency that enforces MFA, deploys behavioral EDR, and runs advanced email security — but runs software that is six months behind on patches — is protecting its front door while leaving a ground-floor window open.
Why Patch Management Is Now a HIPAA Documented Requirement
The 2026 HIPAA Security Rule update addressed patch management explicitly in its revised vulnerability management provisions. The rule requires covered entities to implement "a patch management process that identifies, evaluates, and addresses security vulnerabilities in a timely manner." Unlike some provisions that allow flexibility in implementation, the 2026 rule establishes that critical security patches — those addressing vulnerabilities that are actively being exploited in the wild — must be applied within a defined, documented timeframe.
OCR guidance accompanying the rule indicates that a 30-day remediation window for critical patches and a 60-day window for high-severity patches represents the maximum acceptable delay for organisations without documented operational constraints that justify longer timelines. A home health agency that discovers a critical Windows vulnerability and applies the patch 90 days later — because patch deployment was manual and depended on IT availability — has a documented HIPAA compliance gap, not just a security gap.
The Patch Management Gap at Distributed Home Health Agencies
The challenge of patch management at home health agencies is not identifying which patches are needed — operating systems and applications generate update notifications reliably. The challenge is deploying those patches across a device fleet that is never in one place at the same time. Field nurse tablets are in patient homes during business hours. Personal smartphones used for EHR access are personal property that cannot be managed without the individual's cooperation. Remote administrative staff laptops are in home offices across the region. No one is bringing these devices into the office for manual update cycles.
Manual patch management — the approach where someone periodically opens a device and checks for updates — is not patch management. It is patch aspiration. The only approach that produces measurable, documentable compliance is automated patch management through MDM: a policy that checks device patch status continuously and applies available security updates automatically, within a defined deployment window that minimises disruption to clinical workflows.
Implementing Automated Patch Management Through MDM
Windows Endpoint Patch Management
Microsoft Intune provides Windows Update for Business integration that allows administrators to control exactly which updates are deployed, when they are deployed, and to which device groups. The recommended configuration for home health agencies: security-only updates deploy automatically within 24 hours of release with no user interaction required; feature updates are tested on a small pilot group before broad deployment to prevent workflow disruptions from unexpected interface changes; update deployment is scheduled during overnight hours or low-usage periods to minimise clinical disruption.
Mobile Device and Application Patch Management
iOS and Android devices enrolled in MDM can be configured to apply operating system updates automatically within defined windows. Application updates — particularly the EHR mobile app, email clients, and any other application that handles ePHI — should be configured to update automatically rather than requiring user-initiated updates. A field nurse whose EHR app is three versions behind because she dismissed update prompts for six weeks is running software with known, unpatched vulnerabilities against which targeted exploits may exist.
Documentation: Creating the Audit Trail That HIPAA Requires
A patch management programme without documentation is a security practice, not a HIPAA compliance programme. Document: the patch management policy (defining the timeline requirements for critical, high, and medium patches); the current patch status report for every device in inventory (generated from MDM on at least a monthly basis); the remediation record for any device found to be non-current (when identified, what action was taken, when the device reached compliance); and any exceptions (documented devices that cannot be patched immediately with the reason and the compensating control in place during the exception period).
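To show what the status report, remediation record and exception log above look like as a repeatable check, here is an added example (not ShieldForce's tooling or any MDM vendor's API) that scores an MDM patch-status export against the 30-day critical and 60-day high-severity windows. It assumes the export can be flattened into one record per device and patch with the fields shown; the device identifiers, patch identifiers and dates are constructed placeholders.

```python
"""Patch SLA compliance check over a flattened MDM patch-status export.

Added example. Assumes one record per (device, update) with the fields in
PatchRecord; every identifier and date below is a constructed placeholder.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum days from patch release to installation, per the OCR guidance cited above.
# Medium/low severities get no hard window here; the agency's policy should assign one.
SLA_DAYS = {"critical": 30, "high": 60}


@dataclass
class PatchRecord:
    device_id: str
    patch_id: str
    severity: str                            # "critical", "high", "medium", "low"
    released: date                           # vendor release date of the update
    installed: Optional[date]                # None while the update is still missing
    exception_until: Optional[date] = None   # end of a documented exception, if any
    exception_reason: str = ""               # why it cannot be patched + compensating control


def deadline_for(rec: PatchRecord) -> Optional[date]:
    """Deadline implied by the SLA table, or None for severities it does not cover."""
    days = SLA_DAYS.get(rec.severity)
    return None if days is None else rec.released + timedelta(days=days)


def patch_status(rec: PatchRecord, as_of: date) -> str:
    """Classify one device/patch pair for the audit trail."""
    deadline = deadline_for(rec)
    if deadline is None:
        return "untracked"
    if rec.installed is not None:
        return "compliant" if rec.installed <= deadline else "late-remediated"
    # Still missing: an exception only counts while it is current and has a documented reason.
    if rec.exception_until and rec.exception_reason and as_of <= rec.exception_until:
        return "excepted"
    return "in-window" if as_of <= deadline else "overdue"


def compliance_report(records, as_of: date) -> dict:
    """Build the periodic status report plus the remediation and exception records."""
    counts, overdue, lines = {}, [], []
    for rec in records:
        st = patch_status(rec, as_of)
        counts[st] = counts.get(st, 0) + 1
        deadline = deadline_for(rec)
        if st == "overdue":
            days_over = (as_of - deadline).days
            overdue.append((rec.device_id, rec.patch_id, days_over))
            lines.append(f"{rec.device_id} {rec.patch_id} OVERDUE {days_over}d past {deadline}: open remediation ticket")
        elif st == "late-remediated":
            lines.append(f"{rec.device_id} {rec.patch_id} closed late on {rec.installed} (deadline {deadline})")
        elif st == "excepted":
            lines.append(f"{rec.device_id} {rec.patch_id} EXCEPTION until {rec.exception_until}: {rec.exception_reason}")
    overdue.sort(key=lambda t: -t[2])   # worst offenders first
    return {"as_of": as_of, "counts": counts, "overdue": overdue, "remediation_record": lines}


# Constructed sample export; "KB-EX-*" and the device names are placeholders, not real identifiers.
AS_OF = date(2026, 3, 15)
SAMPLE = [
    PatchRecord("TAB-014", "KB-EX-001", "critical", date(2026, 1, 5), date(2026, 1, 20)),
    PatchRecord("TAB-022", "KB-EX-001", "critical", date(2026, 1, 5), None),
    PatchRecord("LAP-003", "KB-EX-002", "high", date(2026, 2, 1), None),
    PatchRecord("LAP-007", "KB-EX-001", "critical", date(2026, 1, 5), None,
                exception_until=date(2026, 4, 30),
                exception_reason="EHR vendor has not certified the update; device restricted to clinical VLAN"),
    PatchRecord("PHN-101", "KB-EX-003", "critical", date(2026, 1, 5), date(2026, 2, 20)),
    PatchRecord("TAB-014", "KB-EX-004", "medium", date(2026, 2, 10), None),
    # Exception that has lapsed: it no longer shields the device, so it is reported as overdue.
    PatchRecord("LAP-009", "KB-EX-001", "critical", date(2026, 1, 5), None,
                exception_until=date(2026, 3, 1), exception_reason="awaiting field return"),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE, AS_OF)
    print("as of", report["as_of"], report["counts"])
    for line in report["remediation_record"]:
        print(line)
```

Run against a real export, the `counts` dictionary is the monthly status report, `remediation_record` is the per-device remediation and exception log, and `overdue` is the work queue. Note the two deliberate edge cases: a device patched after its deadline is still flagged as "late-remediated" so the audit trail shows the missed window, and an exception without an end date or a reason, or whose end date has passed, does not suppress an overdue finding.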
ShieldForce manages automated patch management across every client's device fleet as a standard component of our managed service — every device current, every deployment documented, every exception tracked.
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.
→ Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment
→ View Plans and Pricing — shieldforce.io/pricing-comparison
→ View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison