
Why It’s Wrong to Sync Medical Device Patching & Scheduled Maintenance


Machines are indispensable, yet imperfect. They work fine one day and break down the next. What’s more, even if the machine remains in essentially the same working order, you’ll still need to reconfigure, adjust, reinforce, or add components if its environment is liable to change. 

That’s why equipment requires regular servicing and maintenance to perform optimally, ensure operational synchronicities, and extend lifecycles.

People normally think of maintenance as primarily concerning hardware. The truth, however, is that software maintenance (updates and patching) is just as important as hardware maintenance. In industrial environments, digital servicing is often bundled with physical servicing in pre-planned windows so that administrators can get the most bang out of their downtime buck.

Nonetheless, smart planning for hardware maintenance and software updates will rarely produce the same schedules. Hardware is subject to the constraints of the physical world, while software operates in the digital sphere. As such, the constraints and risk factors facing each are entirely different and evolve at different paces.

For hospitals, waiting until hardware is serviced to perform medical device patching leaves you open to attacks that could easily be prevented. When the operational integrity and usability of your machinery is at least as likely to be inhibited by digital means as by physical ones, software and hardware maintenance needs must be given equal consideration.

Software can no longer be relegated to the role of a maintenance tag-along. Treating it as an afterthought will only get you into trouble. If a vulnerability patch was released for your MRI machine yesterday and the next planned physical maintenance window is in another two months, you can’t wait it out. You need to install that patch ASAP. Better yet, you need to plan servicing windows ahead of time, proactively, to accommodate such software maintenance needs.

Indeed, the best way to maintain critical assets – to coax from them the greatest possible utility with the least possible risk – is to shift toward a predictive maintenance model, both physically and digitally.


Medical devices are used to provide lifesaving and sustaining care, on-demand and often for long continuous stretches. Medical devices are machines, and like any other machines, they’re subject to wear and tear and can be impacted differently and adversely by the different conditions in which they’re operated.

While it might not be a big deal if you take an extra 15 minutes to warm your car’s engine before setting about your day, 15 minutes in an emergency room can be the difference between life and death. Similarly, if your car battery goes dead, you can hail down the next good Samaritan and ask for a jump. No big deal. But if the medical device equivalent plays out in the operating theater, it’s a very big deal, which is why medical devices and other critical clinical assets need to be maintained and serviced extremely diligently and proactively.

In hospitals, malfunction or inoperability could result in patient harm. It should go without saying then that strong, reliable, and unimpeded performance is a must.

Since good modern healthcare is the product of a complex and delicate chain of inter-dependencies, it’s not enough that your devices themselves perform reliably; they must also operate without ill effect on the broader medical environment in which they exist. For example, medical devices capture and store highly sensitive patient data, which, if compromised, could lead to lawsuits, regulatory penalties, and damage to organizational reputation. A "set it and forget it" approach to device hygiene simply does not cut it in the healthcare industry.

Software operates in the ever-changing digital environment, where new threats and vulnerabilities emerge daily. Waiting for scheduled hardware maintenance windows to patch software leaves your devices dangerously out-of-date and extremely vulnerable to cyber attack.

Instead, proactive maintenance – updating software on a regular basis and not just when it’s convenient – is essential to mitigating risk and keeping your clinical assets purring. Failure to do so leaves your network potentially exposed to attack and calibrated shy of ideal operating order.


Given the high stakes, it is especially alarming that a recent CyberMDX review of 30 hospitals found approximately 8% of medical devices to be in a persistent state of vulnerability to known remote code execution attacks. Think about that for a moment: that means that 8 out of every 100 connected devices have huge swinging saloon doors for would-be intruders to walk straight through and into your network!

As an industry, healthcare is still struggling to internalize the idea that digital device maintenance should be afforded the same consideration as physical device maintenance. We can and we must do better – not only for the sake of our patients, but also for our own long-term profitability.

The same logic that underlies smart hardware maintenance models needs to be applied to software: act smartly and proactively to increase uptime, boost productivity and efficiencies, extend lifecycles, decrease disruption, and limit wider system degradations.

Strategies for Managing the Maintenance Cycle

The concept of enterprise asset management (EAM) has been around for a long time and has been integrated into standard management practices across many industries. Hospitals are no different. But because healthcare is the sector of the economy most targeted by hackers, it’s important that healthcare EAM fundamentally incorporate the digital side of things.

Healthcare organizations need to be able to maintain device hardware and software continuously and comprehensively. In practice that means planning and scheduling maintenance for each independently – based on the facts on the ground and on smart data-driven modeling. Only by doing that will you be able to ensure that your critical assets remain in tip-top shape – invulnerable to unplanned downtime or malfunction.

In building a smart, digitally informed EAM strategy, you’ll find three primary approaches to maintenance:

1.  Reactive maintenance

Reactive maintenance responds to a problem when something goes wrong. Reactive maintenance is difficult to budget for and manage, as the maintenance cycle depends wholly on when devices fail. Moreover, a reactive maintenance model is bound to interrupt operations when critical systems go offline. Despite these obvious shortcomings, reactive maintenance was the dominant model from the industrial revolution until the 1950s. Today, however, it is considered inefficient and a bad practice.

When it comes to medical devices, patient safety is on the line. Reactive maintenance becomes not just wasteful, but potentially deadly. If a device has broken or gone offline unexpectedly, the maintenance plan has already failed and risks grave consequences. Healthcare organizations simply cannot afford to rely on a reactive maintenance model, especially when it comes to their most critical devices and systems.

2.  Preventative maintenance

Preventative maintenance focuses on keeping devices operational so they are unlikely to break or go offline unexpectedly. Preventative maintenance models grew out of decision-makers' realization that there was a better way to do things. Planned preventative maintenance could maintain operational continuity, decrease maintenance costs (repairs tend to be cheaper than replacement and planning maintenance allows for downtime to be scheduled when least costly), and extend the life of equipment. This model reigned supreme from the 1950s to the 1990s and remains common today.

Preventative maintenance involves performing planned tasks – like changing oil, cleaning filters, replacing bearings, swapping drive belts etc. – on a fixed interval or usage basis. Preventative maintenance reduces a device's downtime, increases its overall lifespan, and helps prevent unexpected issues.

Compared to a reactive maintenance model, preventative maintenance makes sense. But when compared to a more granularly and dynamically informed predictive maintenance model, it seems almost clumsy – often serving machinery without actual need, failing to prioritize devices most urgently in need of attention, and neglecting to intervene in the face of less common degradation scenarios.

3.  Predictive maintenance

Predictive maintenance uses device feedback, often through sensors or device monitoring software, to reliably predict when a device requires servicing. The variables examined to build a predictive model can include factors like energy consumption, vibration, or heat build-up. Deviations in these measurements beyond the normal range can paint a picture suggesting when maintenance is required. This approach empowers technicians to reserve their efforts to where and when they’re needed – streamlining the process and making efficient use of organizational resources.

A case study revolving around extruders in the chemical manufacturing space clearly demonstrates the power of predictive maintenance, delivering an 80% reduction in unplanned downtime and cost savings of $300,000 per asset. In fact, predictive maintenance is projected to lead to global cost savings of $200 billion to $600 billion by 2025 in the manufacturing industry alone.

The Internet of Things has unlocked a lot of the potential for predictive maintenance and made it much more accessible to medium-sized and enterprise operations alike. Now the Internet of Medical Things is doing the same for healthcare. But somehow, inexplicably, digital maintenance is still treated as an afterthought.

Trends in Medical Device Patching & Maintenance

Most healthcare organizations today employ a preventative maintenance model, which takes care of mechanical issues but doesn’t account for software patches. So long as that software is left out-of-date, patient data and safety remain at risk.

Just like the body would be of little use without the mind, so too is the utility of most modern medical devices linked to the network ecosystems in which they operate. Factors like risk score, patch status, instructions per cycle (IPC), network traffic, and remote commands should be added to your predictive maintenance modeling to better safeguard and holistically preserve device performance.


For example, the WannaCry ransomware attack that seized networks worldwide in May 2017 could have been prevented by a software patch released in March 2017. Only out-of-date devices were affected, and yet organizations around the world fell victim to the attack. The takeaway could not be clearer: regular medical device patching and digital monitoring must be built into smart maintenance strategies and treated with the same vigilance as physical servicing requirements!

Improving Cybersecurity Through Medical Device Maintenance Schedules

If you take seriously the specter (pun intended) of cyber attacks (and you should), you need to build a maintenance schedule informed as much by digital expectations and experiences as by physical ones. Vulnerabilities are discovered and disclosed every day and must be patched as soon as the patch is made available. The day after disclosure, unpatched systems are much more exposed than they were the day before – despite the underlying vulnerability being the same.

The first step is to establish a live inventory of all the connected devices you have deployed. After that, it's a matter of interfacing your CMMS with the relevant patch and vulnerability channels and cross-referencing that information against each device's current operating system and supporting software versions. You’ll also want to correlate that information with the location of each device in your network architecture, its configuration, manner of connection, and risk profile. Drawing on the insights of that system, you’ll be in a position to swiftly take action whenever action is needed – and before any ill-effect is had on your operation.

Combine that with operational analytics and APM intelligence and you can build predictive models to help you smartly plan software maintenance windows just like you would for your hardware.
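The inventory-to-advisory cross-reference described above can be sketched in a few lines of Python. This is an added example, not code from CyberMDX or any CMMS product: the record fields, the `max_wait_days` tolerance, the risk-times-exposure priority and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    name: str
    software: str
    version: tuple        # installed version, e.g. (4, 2, 0)
    segment: str          # where the device sits in the network
    risk: int             # site-assigned risk score, 1 (low) to 5 (critical)
    next_service: date    # next planned physical maintenance window

@dataclass
class Advisory:
    advisory_id: str
    software: str
    fixed_in: tuple       # first version that contains the fix
    patch_released: date

def patch_queue(devices, advisories, today, max_wait_days=14):
    """Devices whose patch cannot wait for the hardware window, most urgent first."""
    queue = []
    for dev in devices:
        for adv in advisories:
            if adv.software != dev.software or dev.version >= adv.fixed_in:
                continue  # different product, or fix already installed
            exposed_so_far = (today - adv.patch_released).days
            wait_if_synced = max((dev.next_service - today).days, 0)
            total = exposed_so_far + wait_if_synced  # exposure if patching is deferred
            if total > max_wait_days:
                queue.append({"device": dev.name, "advisory": adv.advisory_id,
                              "segment": dev.segment, "exposure_days": total,
                              "priority": dev.risk * total})
    return sorted(queue, key=lambda r: r["priority"], reverse=True)

# Constructed sample data: names, versions, dates and advisory ids are invented.
TODAY = date(2024, 3, 2)
INVENTORY = [
    Device("mri-01", "scanner-os", (4, 2, 0), "radiology-vlan", 5, date(2024, 5, 1)),
    Device("pump-17", "pump-fw", (1, 9, 3), "ward-3-vlan", 4, date(2024, 3, 6)),
    Device("ct-02", "scanner-os", (4, 3, 1), "radiology-vlan", 5, date(2024, 4, 15)),
]
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "scanner-os", (4, 3, 0), date(2024, 3, 1)),
    Advisory("EXAMPLE-ADV-2", "pump-fw", (2, 0, 0), date(2024, 2, 28)),
]

if __name__ == "__main__":
    for row in patch_queue(INVENTORY, ADVISORIES, TODAY):
        print(row)
```

With the sample data, the MRI whose patch came out the day before and whose hardware window is two months away is the only device queued for its own software window; the pump can ride along with its service visit four days later, and the already-patched CT scanner is skipped.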

If hospitals are going to get the most out of their asset investments and aim to continue improving the quality, consistency, and resilience of care, a maintenance model that predictively caters to physical and digital servicing must be adopted. If you’re waiting for your machine to be physically serviced in order to be patched, you’re a sitting duck.