The 14-Day Rule: Using CISA's KEV Catalog to Triage Patching in Healthcare

The Patching Problem Nobody Solves by Patching Everything

Every healthcare practice runs more software than it can keep perfectly current. Operating systems, the EHR, the practice management system, firewalls, network appliances, plugins, and a long tail of utilities each publish patches on their own schedule. Tens of thousands of new vulnerabilities are disclosed every year. "Patch everything immediately" is not a strategy — it is a wish, and the practices that try it end up exhausted, behind, and no safer.

The Security Rule does not demand that you eliminate every vulnerability. It demands a reasonable, risk-based process for addressing them. The question, then, is not "how do we patch faster" but "how do we know what to patch first." For that, healthcare has an unusually clear answer that costs nothing: CISA's Known Exploited Vulnerabilities catalog.

What the KEV Catalog Is — and Why It Changes the Math

The Cybersecurity and Infrastructure Security Agency maintains a public, continuously updated list of vulnerabilities that are being actively exploited in the wild. This is the critical distinction. The broader universe of vulnerabilities is a theoretical risk — flaws that could be exploited. The KEV catalog is the subset that attackers are demonstrably using right now. CISA does not add a vulnerability to the KEV list because it scores high on a severity scale; it adds it because there is reliable evidence of exploitation.

That reframes patching entirely. Instead of staring at a vulnerability scanner reporting four hundred findings sorted by a severity score that does not account for real-world activity, you start with a much shorter question: which of the flaws in my environment are on the list of things attackers are using today? That list is your queue. Everything else is important, but it is not on fire.

The 14-Day Rule

The federal civilian agencies that CISA directly oversees operate under binding timelines to remediate KEV-listed vulnerabilities, typically within a couple of weeks of being added. Your practice is not bound by that directive — but it is an excellent, defensible benchmark to adopt voluntarily. The working rule is simple:

Any vulnerability on the CISA KEV catalog that affects your environment gets patched, mitigated, or isolated within 14 days. No exceptions for inconvenient timing.

Fourteen days is aggressive enough to matter — it closes the window while the exploit is hot — and realistic enough that a small practice can actually meet it. Compare that to the alternative the breach data keeps revealing: several 2025–2026 healthcare breaches involved KEV-listed vulnerabilities that had been on the catalog for more than ninety days at the time of the incident. Those organizations were not unlucky. They were given a specific, public, actionable warning and did not act on it for three months.

When You Cannot Patch in 14 Days

Sometimes a patch is not immediately available, or the system is a legacy clinical device that cannot be updated without vendor coordination, or the update requires downtime you cannot schedule for two weeks. The 14-day rule does not break here — it shifts from "patch" to "mitigate or isolate." Compensating controls buy you time defensibly:

  • Network segmentation. Move the vulnerable system off the flat network so a compromise cannot spread laterally to systems holding PHI.
  • Access restriction. Limit which accounts and which source addresses can reach the vulnerable service. An exposed service reachable only from two admin workstations is a far smaller target.
  • Heightened monitoring. Point your log review directly at the unpatched system so that if exploitation is attempted, you see it immediately.

The key is that the decision is documented. "We could not patch within 14 days, so we segmented the device and increased monitoring, and here is the dated record of that decision" is a defensible risk-management posture. Silence is not.

You Can Only Triage What You Can See

The KEV approach has one prerequisite: you have to know what is actually running on your network. A vulnerability on a device you forgot you owned does not get patched, because nobody is looking at it. This is why an accurate, current asset inventory underpins the whole practice — and why it is one of the requirements moving from "addressable" to expected in the proposed Security Rule updates. You cannot triage against the KEV catalog if you do not have a reliable list of what is on your network and what versions it is running.

This is where continuous network security monitoring earns its place in a HIPAA program. Automated discovery keeps the asset inventory current as devices come and go, and cross-referencing discovered software against the KEV catalog turns the 14-day rule from a manual research project into a managed queue. The system tells you "this device is running software with a known, actively exploited vulnerability" — and the clock starts.
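As an added illustration of the cross-reference and of the documented "mitigate or isolate" decision described above (example code written for this post, not part of HIPAA Security Suite or of CISA's tooling), the script below reads a feed in the shape of CISA's KEV JSON, matches it against a discovered-asset inventory, and produces the 14-day queue. The feed entries, CVE IDs, asset names, scanner-derived CVE lists and mitigation record are all constructed placeholders.

```python
import json
from datetime import date, timedelta

WINDOW = timedelta(days=14)  # the post's 14-day rule
RANK = {"overdue": 0, "due": 1, "mitigated": 2}

# Constructed sample in the shape of CISA's KEV JSON feed; CVE IDs are placeholders.
SAMPLE_KEV = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
  "dateAdded": "2026-02-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "EHRClient",
  "dateAdded": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "Unrelated",
  "dateAdded": "2026-02-25", "knownRansomwareCampaignUse": "Unknown"}]}""")

# Constructed inventory: each discovered asset lists the CVEs a scanner reported for
# its installed version, plus an optional dated record of a compensating control.
SAMPLE_INVENTORY = [
    {"asset": "fw-edge-01", "cves": ["CVE-1900-0001"], "mitigation": None},
    {"asset": "ws-frontdesk-02", "cves": ["CVE-1900-0002", "CVE-1900-9999"],
     "mitigation": {"control": "network segmentation", "date": "2026-02-24"}},
    {"asset": "ws-frontdesk-03", "cves": ["CVE-1900-0002"], "mitigation": None},
]

def triage(kev, inventory, today_iso):
    """Return the KEV queue: one row per (asset, KEV-listed CVE), most urgent first."""
    today = date.fromisoformat(today_iso)
    listed = {v["cveID"]: v for v in kev["vulnerabilities"]}
    queue = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = listed.get(cve)
            if entry is None:
                continue  # a scanner finding that is not known-exploited: not on fire
            deadline = date.fromisoformat(entry["dateAdded"]) + WINDOW
            days_left = (deadline - today).days
            mit = asset["mitigation"]
            if mit and date.fromisoformat(mit["date"]) <= deadline:
                status = "mitigated"  # documented control applied inside the window
            else:
                status = "overdue" if days_left < 0 else "due"
            queue.append({"asset": asset["asset"], "cve": cve, "status": status,
                          "deadline": deadline.isoformat(), "days_left": days_left,
                          "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # overdue first, then soonest deadline; ransomware-linked entries win ties
    queue.sort(key=lambda r: (RANK[r["status"]], r["days_left"], not r["ransomware"]))
    return queue

if __name__ == "__main__":
    print(*triage(SAMPLE_KEV, SAMPLE_INVENTORY, "2026-03-01"), sep="\n")
```

With the real feed, replace SAMPLE_KEV with the parsed download from CISA's published KEV JSON and SAMPLE_INVENTORY with the output of your discovery tooling; the "mitigated" rows are the dated decisions the post says must be on record.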

Folding It Into the Program

The 14-day KEV rule is not a standalone activity; it is one lane of a broader patch-management practice that auditors and cyber-insurers increasingly expect to see operating. Make it visible: a standing item in your quarterly mini-audit that reviews KEV-listed findings, time-to-remediate, and any mitigation decisions. Over a year, that record becomes powerful evidence — it shows you were not patching at random but triaging against the most authoritative public signal of real-world risk, and acting on it within a defined window.

The breaches making headlines in healthcare are rarely the result of zero-day genius. They are the result of known, listed, publicly warned vulnerabilities left open long enough for a patient attacker to walk through. The KEV catalog is the warning. The 14-day rule is the answer.

Call to Action

Not sure what is running on your network — or whether any of it is on the KEV list right now? Schedule a walkthrough to see how HIPAA Security Suite discovers your assets and cross-references them against actively exploited vulnerabilities, or take the 3-minute readiness quiz to find your highest-priority gaps.
