Article · Wikipedia archive · Last revised May 27, 2026

Patch management

Patch management is concerned with the identification, acquisition, distribution, testing and installation of patches to systems. Proper patch management can be a net productivity boost for an organization. Patches can be used to defend against and eliminate potential vulnerabilities of a system, so that no threats may exploit them. Problems can arise during patch management, including buggy patches that either fail to fix their problem or introduce new issues. Patch management tools help orchestrate all of the procedures involved in patch management.

Last revised
May 27, 2026
Read time
≈ 6 min
Length
1,278 w
Citations
41
Source
Wikipedia ↗

Patch management (or patch management policy or patch policy or patch management process) is concerned with the identification,1 acquisition, distribution, testing and installation of patches to systems.234 Proper patch management can be a net productivity boost for an organization. Patches can be used to defend against and eliminate potential vulnerabilities of a system, so that no threats may exploit them. Problems can arise during patch management, including buggy patches that either fail to fix their problem or introduce new issues. Patch management tools help orchestrate all of the procedures involved in patch management.

Description

Patch management is defined as a sub-practice of various disciplines including vulnerability management (part of security management), lifecycle management (with further possible sub-classification into application lifecycle management and release management), change management, and systems management. The practice is broadly concerned with the identification, acquisition, distribution, and installation of patches to systems. Some definitions of patch management are as a software-level practice,5 while others are as a systems-level process: software, drivers, and firmware.467

Cost–benefit analysis

While reserving time for patching takes up enterprise resources, there are balancing factors which can make proper patch management into a net productivity boost for an organization. Up-to-date systems often perform more efficiently, less costly, with less errors, less security risks, and better user workflow. Additionally, compliance with changing local and federal regulations are more likely to be satisfied.4567

Patching security vulnerabilities has been one among many competing priorities for organizations, leading to longer periods before patching for some organizations.2 Equifax was too slow to implement its 2015 patch management plan to be able to mitigate or prevent the 2017 Equifax data breach, leading to scrutiny from regulators.8

Relation to security management

Patches can be used to defend against and eliminate potential vulnerabilities of a system, so that no threats may exploit them; therefore, patch management can be considered a sub-discipline of vulnerability management. Every patchable device in a system presents an attack surface that must be secured.7

Time plan

Automatic updates are where the patch is applied automatically with little to know actions or planning required.29 This approach is recommended for many individuals10 and organizations.311

Some organizations also have to prioritize which patches to prioritize given limited resources.12

Patch Tuesday is the most common process when major companies like Microsoft and Adobe release patches on a known date so that companies can plan resources around implementing the patches more quickly.1213

Linux is open-sourced and patches can be released at any time, leading some to rely on mailing lists or other ways to be alerted to updates.12

Inventory

Taking an inventory of software and hardware, including versions can make it easier to correlate with bugs or patches as they become known.141512 Taking stock of how much education and support others in an organization need to install their patches can also help for planning how to implement the patch or design systems to begin with.214 Streamlining the process by using tools that can communicate with each other can also help to reduce the time of exposure to known vulnerabilities.12

Challenges

There are a multitude of problems that can arise during patch management. A common issue is buggy patches, which either fail to fix their problem or introduce new issues. Another issue is deployment synchronization, since various subsystems may receive instructions to update at different times. Similarly, the difficulty of patch management across many devices may grow at an uncontrollable rate depending on organizational size.4

One prominent demonstration of the challenges facing proper patch management was the buggy Falcon Sensor patch by CrowdStrike which caused one of the worst IT outages of all time.16

Implementations

A patch management tool (alternatively patch manager, patch management system, patch management software, or centralized patch management) help orchestrate all of the procedures involved in patch management. Tools can be in-house (applied locally by local administrators), or external, as with managed service providers (applied externally by a provider).

Patch management software

Managed service providers

Regulatory requirements (United States)

Timely patching of software vulnerabilities is a requirement under multiple regulatory frameworks in the United States.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to protect electronic protected health information by implementing security measures sufficient to reduce risks to a reasonable and appropriate level, which industry guidance has long interpreted to include timely patch management.18 A proposed new HIPAA Security Rule would make patch management requirements explicit, mandating that covered entities and business associates deploy security patches and updates within a defined risk-based timeline and maintain written procedures for prioritizing, testing, and applying patches to systems that store, process, or transmit ePHI.19 The 2025 proposal continues to receive industry pushback as of December 2025.20 HIPAA was last updated in 2013.20

The Payment Card Industry Data Security Standard (PCI DSS) requires organizations to protect system components from known vulnerabilities by installing applicable security patches within one month of release for critical patches.21

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities (KEV) catalog that compels U.S. federal agencies to remediate listed vulnerabilities within specified timelines.22 Agencies are typically required to patch within 3 weeks, though some vulnerabilities must be fixed within 24 hours.23

References

References

  1. Ventura, Jeremy (August 9, 2023). "Why Shellshock Remains a Cybersecurity Threat After 9 Years". Dark Reading (Commentary). Archived from the original on 2025-08-25. Retrieved 2026-05-14.
  2. Farrell, Keith (September 2009). "Wordpress Hack And Other Patch Problems Demand Patch Policies". Dark Reading (Commentary). Archived from the original on 2025-02-19. Retrieved 2026-05-14.
  3. Zyamzin, Victor (2024-01-17). "Emerging trends in data breaches and how to address them". TechRadar. Retrieved 2026-05-14.
  4. Essex, David; Posey, Brien (May 15, 2024). "What is patch management? Lifecycle, benefits and best practices". TechTarget. Retrieved 15 July 2024.
  5. "Patch Management: Definition & Best Practices". Rapid7. Retrieved 15 July 2024.
  6. "What Is Patch Management?". Intel. Retrieved 15 July 2024.
  7. "What is patch management?". IBM. 20 December 2022. Retrieved 15 July 2024.
  8. Arghire, Ionut (2019-03-11). "Equifax Was Aware of Cybersecurity Weaknesses for Years, Senate Report Says". SecurityWeek. Retrieved 2026-05-14.
  9. Cunningham, John Paul (November 4, 2024). "Can Auto Updates for Critical Infrastructure Be Trusted?". Dark Reading. Retrieved 2026-05-14.
  10. Barrett, Brian (March 8, 2019). "Turn On Auto-Updates Everywhere You Can". Wired. ISSN 1059-1028. Retrieved 2026-05-14.
  11. Sibanda, Isla (November 29, 2024). "Automated patch management: A proactive way to stay ahead of threats". ComputerWeekly.com. Retrieved 2026-05-14.
  12. Athalye, Shailesh (2021-07-09). "Why Linux's biggest strength is also its biggest weakness". TechRadar. Retrieved 2026-05-14.
  13. Lyons, Jessica (2023-10-11). "Microsoft Patch Tuesday turns 20". theregister. Retrieved 2026-05-14.
  14. Kereki, Federico (2015). "GEEK GUIDE - LINUX IN THE TIME OF MALWARE" (PDF). LinuxJournal.
  15. Atherton, Martin (2010-04-23). "Server patching principles". theregister. Retrieved 2026-05-14.
  16. Milmo, Dan; Kollewe, Julia; Quinn, Ben; Taylor, Josh; Ibrahim, Mimi (19 July 2024). "'Largest IT outage in history' hits Microsoft Windows and causes global chaos". The Guardian. Retrieved 19 July 2024.
  17. Firch, Jason (30 March 2023). "Windows Patch Management Best Practices For 2023". PurpleSec. Retrieved 15 July 2024.
  18. "Security Standards: Administrative Safeguards". U.S. Department of Health and Human Services. Retrieved 2026-03-23.
  19. "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information". Federal Register. 2025-01-06. Retrieved 2026-03-23.
  20. Waldman, Arielle (December 23, 2025). "Industry Continues to Push Back on HIPAA Security Rule Overhaul". Dark Reading. Retrieved 2026-05-14.
  21. "PCI DSS v4.0". PCI Security Standards Council. Retrieved 2026-03-23.
  22. "Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities". Cybersecurity and Infrastructure Security Agency. November 3, 2021. Retrieved April 3, 2026.
  23. Greig, Jonathan (January 8, 2026). "CISA sunsets 10 emergency directives thanks to evolution of exploited vulnerabilities catalog". therecord.media. Retrieved 2026-05-14.