Administrative Departmental Procedure
This department-specific procedure applies to the operations and staff of the Information Services
Department of the University of Wisconsin Hospitals and Clinics Authority as integrated effective July 1,
Procedure Title: System Maintenance and Management
Procedure Number: IN-PRO-011
Effective Date: 2/26/16
This procedure describes the processes for implementing vendor-provided software patches to
resolve vulnerabilities and/or fix errors in common software applications used by UW Health.
II. DEFINITIONS (optional)
III. POLICY ELEMENTS
This procedure supports the following policy:
System Maintenance and Management Policy (IN-POL-011)
It is best practice to roll out updates on a test group of systems before doing a system-wide
implementation, to ensure there are no adverse effects on system functionality. After testing is
complete, a full rollout is performed. In some cases, testing is not possible.
A. Windows Server Update Services
1. Microsoft releases updates to the Windows operating system (OS) and the Office
suite of applications on the second Tuesday of each month. This schedule is
maintained by Microsoft unless there is an out of band patch that requires immediate
action and cannot wait for the next scheduled monthly update.
2. The UW Health Windows Server Update Services server connects to Microsoft and
downloads any updates. UW Health IS deploys updates and hotfixes that are deemed
either critical or recommended by Microsoft.
3. UW Health IS releases the updates to IS departmental workstations on the second
Thursday of the month. The updates are applied to IS workstations for two weeks
before being deployed the broader UW Health computer environment, to allow IS
staff to test the update and document any issues or problems.
4. UW Health IS releases the updates to all UW Health workstations on the fourth
Thursday of the month.
5. UW Health IS monitors workstations that have been updated to ensure compliance.
B. Windows Client Updates
Windows OS on workstations is updated on the same schedule as the Windows server updates, as
described above in A. Windows Server Update Services.
1. Windows OS updates are downloaded from Microsoft on the second Tuesday of
2. The Server Team releases the OS updates to IS workstations on the second Thursday
of the month. The updates are applied to IS workstations for two weeks before being
deployed the broader UW Health computer environment, to allow IS staff to test the
update and document any issues or problems.
3. UW Health IS releases the updates to all UW Health workstations on the fourth
Thursday of the month.
4. UW Health IS monitors workstations that have been updated to ensure compliance.
C. Mobile Device Encryption
When a new version of AirWatch is available, current users are notified and have to manually
download the new version of AirWatch. It is not automatic.
Note: Any mobile device must be encrypted in order for AirWatch to allow the device to connect
to UW Health systems and data. If the device is not encrypted, AirWatch does not allow the
device to access UW Health networks and corporate data. Encryption of mobile devices is done
by the user on their phones and does not require an updates by UW Health IS. Refer to the UW
Health IS Mobile Device Policy for more information about AirWatch and the minimum
requirements for encryption on mobile devices accessing UW Health networks and data.
D. Scanners Handheld Devices
Handheld devices are used 24/7 in UW clinical settings for medication management for patients,
and they experience a great deal of wear and tear to both hardware and software.
IS does not perform any updates to the OS of these handheld devices. If errors are found in the
operation of software on a handheld device, perform the following steps:
1. Wipe the handheld device of all data.
2. Reinstall the OS.
3. Re-image the handheld device.
4. If the handheld device has hardware problems, it is returned to the vendor for repair.
E. POS Devices
POS devices are typically replaced when updates are required. The software for POS devices is
native to the hardware. Perform the following steps to update a POS system:
1. Remove the POS device from the network.
2. Replace the POS device with a new device.
Note: In some cases, the device firmware may be updated by the vendor, without replacing the
F. PACS Reading Workstations
PACS reading workstations are managed by the PACS Windows Server Update Services server
in a similar manner as IS workstations are managed by the IS Windows Server Update Services
server. The main difference is that only patches approved by McKesson can be applied to PACS
1. Windows OS updates are downloaded from Microsoft on the second Tuesday of
2. McKesson validates each patch and marks each as one of the following on their
• ok to apply
• do not apply
3. All patches marked as ok to apply are approved for the test workstation group on the
third Wednesday of each month. The workstations are then tested for functionality.
4. On the fourth Wednesday of each month, the qualified patches are approved for all
PACS reading workstations.
G. Firmware/BIOS Updates
Firmware updates from vendors are frequent and happen whenever the vendor finds a problem
with BIOS. Additionally, IS may look to vendors for firmware updates to resolve problems on
UW Health systems.
The Application and EUTS teams are in charge of firmware updates, as part of the imaging
process. Most updates are made as needed, because of compatibility issues with new software.
The process for firmware/BIOS updates is essentially the same for servers and workstations.
1. The manufacturer pushes the firmware to servers and workstations.
2. If a BIOS change is needed, Dell Device Configuration (DDC) is used to create a
BIOS file with the proper settings. This allows IS to take a piece of firmware created
by Dell and make changes to the BIOS settings.
3. Using Altiris, the update is pushed to the appropriate servers and workstations based
on the model type of the target device.
4. New firmware is tested on the same hardware models on which the update is to be
installed. If no problems are found, testing usually takes about two days.
5. When a computer OS or software is updated, firmware updates may be needed for
BIOS to be compatible with the OS or new software. If the firmware cannot be
updated on the existing hardware, new hardware may be needed.
6. When a BIOS update is needed to be compatible with software, other systems using
that firmware with older software need to be tested to make sure they are compatible.
H. Unix/Linux Server Operating Systems
1. Fixes for Unix systems may be supplied by IBM or requested from IBM by IS.
2. Updates are made on test systems and tested for approximately two weeks.
3. When testing is successfully completed on the test systems, updates are made on non-
production internal IS-facing systems and tested for two more weeks.
4. When testing on internal IS systems is complete, the updates are released to
I. Server Virtualization Software (VMWare and Hyper-V)
1. The latest updates of server virtualization software are downloaded from the vendor
(VMWare or Microsoft).
2. The updates are installed on the test host servers.
3. Testing occurs over approximately 2 to 4 weeks or as driven by requirements.
4. After successful testing, the production host servers are updated.
J. Hardware/Drivers (Including Network Infrastructure Hardware)
Updates to hardware and drivers are performed when features are needed or there is a bug that
needs to be fixed. There is no set schedule for updates and they are usually driven by IS need.
1. The vendor is alerted to the problem or a need for new features.
2. The vendor recommends an update, if available, to fix the problem or add the needed
3. IS evaluates the update and determines whether to implement it.
4. When possible, IS implements updates on a smaller network to make sure it works
before releasing it to other production networks. There is no dedicated test platform
for network and driver updates.
5. Updates typically take 2 to 4 weeks to go systemwide.
K. Health Link (Epic)
Tri-weekly and bi-monthly updates are supplied by Epic and include an array of bug fixes and
enhancements. Application teams are responsible for testing in all phases. The Technical team
deploys all updates.
1. Epic submits to UW Health IS requests for authorization (RAs) so they can deliver
changes or make changes to the Health Link system. The bi-monthly RAs are treated
in the same fashion as the smaller tri-weekly RAs but the bi-monthly RAs usually
have a larger package of updates with multiple components.
2. When update packages are received, they enter a proof of concept phase for three to
four weeks of testing.
3. After proof of concept testing is complete, the updates enter a verification
environment, internal to IS.
4. When verification testing is complete and issues are resolved, the updates are sent to
5. When updates are rolled out to production, server updates are implemented first,
followed by client updates, on either a server, a PC, or a Citrix server.
6. Hyperspace updates are deployed via Citrix for testing.
7. Production deployments are performed by the EUTS and Application Deployment
teams through both Citrix and thick client.
L. Software Applications
Software applications are updated as needed or as directed by policy and vendor requirements.
Refer to the Service Now Application Configuration Database for more information about
maintenance and management of software applications.
Email Exchange servers are updated as needed, usually less frequently than Windows updates.
However, they are included in the same update packages as the Windows updates.
1. Regular Microsoft updates for Windows are released the second Tuesday of every
month. Exchange specific updates and fixes are released with these packages as
needed, but are not regularly scheduled.
2. Exchange servers download any needed updates from Microsoft when they are made
3. Updates are typically installed about one month after release to allow for discovery of
any issues with the updates, because there is no test environment for Exchange
4. Updates are performed in a set order:
a. Client access servers are updated first, usually after 10 PM, and then
rebooted. Impact on end users is minimal.
b. The hub transport servers are updated next. These servers route all email.
End users are not impacted by these updates at all, so these updates are
performed during the day, with the assistance of a load balancer to handle
email traffic appropriately.
c. The mailbox servers are updated last, typically after 8 PM or on the
weekends. Impact on end users is minimal. They may encounter slight delays
in accessing their mailboxes.
N. Database Systems (Cache, Oracle, and SQL)
The process for updating individual database systems varies by system, but in general the
databases do not have regularly scheduled updates. Database administrators continually assess the
availability and need for updates.
Updates are typically driven by IS project needs or notification of updates from the vendors. Once
an update is identified, the following steps take place:
1. Database administrators determine if the update should be implemented.
2. If the update is determined to be needed, it is implemented in the test environment for
a period of days or weeks. Typically, most updates are tested for about four weeks,
though more aggressive timelines are followed for critical security updates.
a. When the updates are successfully tested, they are then released to the UW
Health production environment.
b. If an update fails in the test environment, it is not implemented in production
until a fix is found.
V. FORMS (optional)
VI. REFERENCES (optional)
Systemwide Malware and Antivirus (IN-POL-005)
Sr. Management Sponsor: UW Health CIO
Author: UW Health IS Director - Infrastructure
Reviewer(s): UW Health IS Directors
Approval Committee: UW Health IS Directors
UW Health CIO
Effective Date Next Review Summary of Changes Change Authors
2/26/16 TBD/2017 Annual review/revision. S. Schroeder, E. Bakkum
1/8/2015 1/8/2016 Original release. UW Health IS Director - Infrastructure