Operational disruption in healthcare associated with software functionality issue due to software security patching: a case report

Abstract

Despite many benefits, the extensive deployment of Health Information Technology (HIT) systems by healthcare organizations has encountered many challenges, particularly in the field of telemetry concerning patient monitoring and its operational workflow. These challenges can add more layers of complexity when an unplanned software security patching is performed, affecting patient monitoring and causing disruption in daily clinical operations. This study is a reflection on what happened associated with software security patching and why it happened through the lens of an incident report to develop potential preventive and corrective strategies using qualitative analyses—inductive and deductive approaches. There is a need for such analyses to identify the underlying mechanism behind such issues since very limited research has been conducted on the study of software patching. The incident was classified as a “software functionality” issue, and the consequence was an “incident with a noticeable consequence but no patient harm”, and the contributing factor was a software update, i.e., software security patching. This report describes how insufficient planning of software patching, lack of training for healthcare professionals, contingency planning on unplanned system disruption, and HIT system configuration can compromise healthcare quality and cause risks to patient safety. We propose 15 preventive and corrective strategies grouped under four key areas based on the system approach and social-technical aspects of the patching process. The key areas are (i) preparing, developing, and deploying patches; (ii) training the frontline operators; (iii) ensuring contingency planning; and (iv) establishing configuration and communication between systems. These strategies are expected to minimize the risk of HIT-related incidents, enhance software security patch management in healthcare organizations, and improve patient safety. However, further discussion should be continued about general HIT problems connected to software security patching.