My boss and I were on a conference call today with a vendor to whom we will be sending a test team to test their system. This engagement is with a medical device company whose machines work with radiation. We were talking about patch management and how the company sets its policy for updating and patching its machines. What came out was an interesting story.
They mentioned to us that they handle ALL patching and updating for everything installed on the system. Because of the nature of the software (it controls the radiation levels being administered to a patient), they do not patch the machine until that patch has gone through rigorous testing. They told of a system administrator who saw one of the vendor's machines on his network without the latest patches. Without looking further at the machine, he remotely pushed out a whole bunch of patches to it. What the system administrator did not know was that the machine was actively administering radiation to a patient. The patches locked the machine, preventing the dosing engine from completing. Had a technician not been carefully monitoring the procedure and hit the emergency override switch... who knows what would have happened.