I have not applied any hotpatches for CVE's since my ISE deployments are all intranet-facing devices. I will rather wait for the next regular patches and apply those. I reserve the use of hotpatches for things that fix a burning issue that can affect my users. Not saying it's wrong to apply an openssh patch - but this CVE IMHO does not warrant a hotpatch, And generally, applying a hotpatch should not break your ISE deployment, since they are only replacing a very small thing in ISE.
If you're still unsure, patch one lab node (and then one production node) and then always test your services before proceeding to the next nodes. I use that methodology all the time and it's never let me down