{{Short description|Process to maintain system integrity across patches}}

'''Patch management''' (or '''patch management policy''' or '''patch policy''' or '''patch management process''') is concerned with the identification,<ref>{{Cite news |last=Ventura|first=Jeremy|date=August 9, 2023|title=Why Shellshock Remains a Cybersecurity Threat After 9 Years|url=https://www.darkreading.com/cyberattacks-data-breaches/why-shellshock-remains-cybersecurity-threat-after-9-years|archive-url=http://web.archive.org/web/20250825131642/https://www.darkreading.com/cyberattacks-data-breaches/why-shellshock-remains-cybersecurity-threat-after-9-years|archive-date=2025-08-25|access-date=2026-05-14|work=Dark Reading|language=en|type=Commentary}}</ref> acquisition, distribution, testing and installation of patches to systems.<ref name=":03">{{Cite news |last=Farrell|first=Keith|date=September 2009|title=Wordpress Hack And Other Patch Problems Demand Patch Policies|url=https://www.darkreading.com/cyber-risk/wordpress-hack-and-other-patch-problems-demand-patch-policies|archive-url=http://web.archive.org/web/20250219124946/https://www.darkreading.com/cyber-risk/wordpress-hack-and-other-patch-problems-demand-patch-policies|archive-date=2025-02-19|access-date=2026-05-14|work=Dark Reading|language=en|type=Commentary}}</ref><ref name=":12">{{Cite web |last=Zyamzin|first=Victor|date=2024-01-17|title=Emerging trends in data breaches and how to address them|url=https://www.techradar.com/pro/emerging-trends-in-data-breaches-and-how-to-address-them|access-date=2026-05-14|website=TechRadar|language=en}}</ref><ref name="techtarget" /> Proper patch management can be a net productivity boost for an organization. Patches can be used to defend against and eliminate potentialvulnerabilities of a system, so that no threats may exploit them. Problems can arise during patch management, including buggy patches that either fail to fix their problem or introduce new issues. '''Patch management tools''' help orchestrate all of the procedures involved in patch management.

== Description == ''Patch management'' is defined as a sub-practice of various disciplines including vulnerability management (part of security management), lifecycle management (with further possible sub-classification into application lifecycle management and release management), change management, and systems management. The practice is broadly concerned with the identification, acquisition, distribution, and installation of patches to systems. Some definitions of patch management are as a software-level practice,<ref name="rapid7">{{cite web |url=https://www.rapid7.com/fundamentals/patch-management/ |publisher=Rapid7 |title=Patch Management: Definition & Best Practices |access-date=15 July 2024}}</ref> while others are as a systems-level process: software, drivers, and firmware.<ref name="techtarget">{{cite web |url=https://www.techtarget.com/searchenterprisedesktop/definition/patch-management |title= What is patch management? Lifecycle, benefits and best practices |author1=Essex |author2=Posey |publisher=TechTarget |access-date=15 July 2024|date=May 15, 2024|first=David|first2=Brien}}</ref><ref name="intel">{{cite web |url=https://www.intel.com/content/www/us/en/business/enterprise-computers/resources/patch-management.html |title=What Is Patch Management? |publisher=Intel |access-date=15 July 2024}}</ref><ref name="ibm">{{cite web |url=https://www.ibm.com/topics/patch-management |title=What is patch management? |date=20 December 2022 |publisher=IBM |access-date=15 July 2024}}</ref>

== Cost–benefit analysis == While reserving time for patching takes up enterprise resources, there are balancing factors which can make proper patch management into a net productivity boost for an organization. Up-to-date systems often perform more efficiently, less costly, with less errors, less security risks, and better user workflow. Additionally, compliance with changing local and federal regulations are more likely to be satisfied.<ref name="techtarget" /><ref name="rapid7"/><ref name="intel"/><ref name="ibm"/>

Patching security vulnerabilities has been one among many competing priorities for organizations, leading to longer periods before patching for some organizations.<ref name=":03" /> Equifax was too slow to implement its 2015 patch management plan to be able to mitigate or prevent the 2017 Equifax data breach, leading to scrutiny from regulators.<ref>{{Cite web |last=Arghire|first=Ionut|date=2019-03-11|title=Equifax Was Aware of Cybersecurity Weaknesses for Years, Senate Report Says|url=https://www.securityweek.com/equifax-was-aware-cybersecurity-weaknesses-years-senate-report-says/|access-date=2026-05-14|website=SecurityWeek|language=en-US}}</ref>

==Relation to security management==

Patches can be used to defend against and eliminate potentialvulnerabilities of a system, so that no threats may exploit them; therefore, patch management can be considered a sub-discipline of vulnerability management. Every patchable device in a system presents an attack surface that must be secured.<ref name="ibm" />

=== Time plan === Automatic updates are where the patch is applied automatically with little to know actions or planning required.<ref name=":03" /><ref>{{Cite web |last=Cunningham|first=John Paul|date=November 4, 2024|title=Can Auto Updates for Critical Infrastructure Be Trusted?|url=https://www.darkreading.com/vulnerabilities-threats/can-automatic-updates-critical-infrastructure-be-trusted|access-date=2026-05-14|website=Dark Reading|language=en}}</ref> This approach is recommended for many individuals<ref>{{Cite news |last=Barrett|first=Brian|date=March 8, 2019|title=Turn On Auto-Updates Everywhere You Can|url=https://www.wired.com/story/turn-on-auto-updates-everywhere/|access-date=2026-05-14|work=Wired|language=en-US|issn=1059-1028}}</ref> and organizations.<ref name=":12" /><ref>{{Cite web |last=Sibanda|first=Isla|date=November 29, 2024|title=Automated patch management: A proactive way to stay ahead of threats|url=https://www.computerweekly.com/feature/Automated-patch-management-A-proactive-way-to-stay-ahead-of-threats|access-date=2026-05-14|website=ComputerWeekly.com|language=en}}</ref>

Some organizations also have to prioritize which patches to prioritize given limited resources.<ref name=":2" />

Patch Tuesday is the most common process when major companies like Microsoft and Adobe release patches on a known date so that companies can plan resources around implementing the patches more quickly.<ref name=":2">{{Cite web |last=Athalye|first=Shailesh|date=2021-07-09|title=Why Linux’s biggest strength is also its biggest weakness|url=https://www.techradar.com/news/why-linuxs-biggest-strength-is-also-its-biggest-weakness|access-date=2026-05-14|website=TechRadar|language=en}}</ref><ref>{{Cite web |last=Lyons|first=Jessica|date=2023-10-11|title=Microsoft Patch Tuesday turns 20|url=https://www.theregister.com/security/2023/10/11/microsoft-patch-tuesday-turns-20/686894|access-date=2026-05-14|website=theregister|language=en-US}}</ref>

Linux is open-sourced and patches can be released at any time, leading some to rely on mailing lists or other ways to be alerted to updates.<ref name=":2" />

=== Inventory === Taking an inventory of software and hardware, including versions can make it easier to correlate with bugs or patches as they become known.<ref name=":3">{{Cite web |title=GEEK GUIDE - LINUX IN THE TIME OF MALWARE |url=https://www.linuxjournal.com/sites/default/files/2018-11/GeekGuide-Bit9-3.pdf |website=LinuxJournal |date=2015|last=Kereki|first=Federico}}</ref><ref>{{Cite web |last=Atherton|first=Martin|date=2010-04-23|title=Server patching principles|url=https://www.theregister.com/on-prem/2010/04/23/server-patching-principles/575989|access-date=2026-05-14|website=theregister|language=en-US}}</ref><ref name=":2" /> Taking stock of how much education and support others in an organization need to install their patches can also help for planning how to implement the patch or design systems to begin with.<ref name=":03" /><ref name=":3" /> Streamlining the process by using tools that can communicate with each other can also help to reduce the time of exposure to known vulnerabilities.<ref name=":2" />

==Challenges==

There are a multitude of problems that can arise during patch management. A common issue is buggy patches, which either fail to fix their problem or introduce new issues. Another issue is deployment synchronization, since various subsystems may receive instructions to update at different times. Similarly, the difficulty of patch management across many devices may grow at an uncontrollable rate depending on organizational size.<ref name="techtarget" />

One prominent demonstration of the challenges facing proper patch management was the buggy Falcon Sensor patch by CrowdStrike which caused one of the worst IT outages of all time.<ref>{{cite web |last1=Milmo |first1=Dan |last2=Kollewe |first2=Julia |last3=Quinn |first3=Ben |last4=Taylor |first4=Josh |last5=Ibrahim |first5=Mimi |title='Largest IT outage in history' hits Microsoft Windows and causes global chaos |url=https://www.theguardian.com/australia-news/article/2024/jul/19/microsoft-windows-pcs-outage-blue-screen-of-death |website=The Guardian |access-date=19 July 2024 |date=19 July 2024}}</ref>

==Implementations== {{See also|:Category:Patch utilities |:Category:Software update managers}}

A '''patch management tool''' (alternatively '''patch manager''', '''patch management system''', '''patch management software''', or '''centralized patch management''') help orchestrate all of the procedures involved in patch management. Tools can be in-house (applied locally by local administrators), or external, as with managed service providers (applied externally by a provider).

===Patch management software===

* Windows Update for Business, System Center Configuration Manager, and Windows Server Update Services offer control over patch deployment, with features enabling testing, scheduling updates, and setting custom configurations on Windows platforms.<ref name="techtarget"/><ref name="purplesec">{{cite web |url=https://purplesec.us/learn/windows-patch-management |title= Windows Patch Management Best Practices For 2023 |last=Firch |first=Jason |date=30 March 2023 |publisher=PurpleSec |access-date=15 July 2024}}</ref>

===Managed service providers=== {{main article|Managed service provider}}

== Regulatory requirements (United States) == Timely patching of software vulnerabilities is a requirement under multiple regulatory frameworks in the United States.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to protect electronic protected health information by implementing security measures sufficient to reduce risks to a reasonable and appropriate level, which industry guidance has long interpreted to include timely patch management.<ref>{{cite web |title=Security Standards: Administrative Safeguards |url=https://www.hhs.gov/hipaa/for-professionals/security/guidance/administrative-safeguards/index.html |publisher=U.S. Department of Health and Human Services |access-date=2026-03-23}}</ref> A proposed new HIPAA Security Rule would make patch management requirements explicit, mandating that covered entities and business associates deploy security patches and updates within a defined risk-based timeline and maintain written procedures for prioritizing, testing, and applying patches to systems that store, process, or transmit ePHI.<ref>{{cite web |title=HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information |url=https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information |work=Federal Register |date=2025-01-06 |access-date=2026-03-23}}</ref> The 2025 proposal continues to receive industry pushback as of December 2025.<ref name=":0">{{Cite web |last=Waldman |first=Arielle |date=December 23, 2025 |title=Industry Continues to Push Back on HIPAA Security Rule Overhaul |url=https://www.darkreading.com/cyber-risk/industry-oppose-hipaa-security-rule-overhaul |access-date=2026-05-14 |website=Dark Reading |language=en}}</ref> HIPAA was last updated in 2013.<ref name=":0" />

The Payment Card Industry Data Security Standard (PCI DSS) requires organizations to protect system components from known vulnerabilities by installing applicable security patches within one month of release for critical patches.<ref>{{cite web |title=PCI DSS v4.0 |url=https://www.pcisecuritystandards.org/document_library/ |publisher=PCI Security Standards Council |access-date=2026-03-23}}</ref>

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities (KEV) catalog that compels U.S. federal agencies to remediate listed vulnerabilities within specified timelines.<ref>{{cite web |title=Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities |url=https://www.cisa.gov/news-events/directives/bod-22-01 |publisher=Cybersecurity and Infrastructure Security Agency |date=November 3, 2021 |access-date=April 3, 2026}}</ref> Agencies are typically required to patch within 3 weeks, though some vulnerabilities must be fixed within 24 hours.<ref>{{Cite web |last=Greig |first=Jonathan |date=January 8, 2026 |title=CISA sunsets 10 emergency directives thanks to evolution of exploited vulnerabilities catalog |url=https://therecord.media/cisa-sunsets-10-emergency-directives |access-date=2026-05-14 |website=therecord.media |language=en}}</ref>

== References == {{reflist}} {{Computer security}}

{{DEFAULTSORT:Patch management}}

Category:Information technology management Category:Configuration management Category:System administration Category:Computer security