Tech & Innovation in Healthcare

Reader Question:

Survey the Risks of Open-Source Software

Question: We’ve been shopping for new software for our healthcare practice and haven’t found any that we’re happy to purchase and deploy in the organization. One of my staff members suggested using open-source software, so we could try it out at a lower startup cost. However, I’m not sure it’s the best idea.

Am I overthinking the risks of this software in our healthcare practice?

Alabama Subscriber

Answer: You’re right to be cautious about open-source software in your healthcare operations. While open-source software offers many benefits, such as lower startup costs, flexible development options, and easy license management, there are just as many risks to consider.

In December 2023, the Office of Information Security and the HHS Health Sector Cybersecurity Coordination Center (HC3) issued a brief that warns of the risks of open-source software in healthcare.

Types of open-source software used in the health sector include:

  • Electronic medical records (EMR) software
  • Clinic management software
  • Medical billing software
  • Inventory management software

Open-source software has a history of being developed and distributed to the public free of charge, which means that anyone can review the software’s code and make changes as they see fit. Because the code is publicly available, anyone (including malicious threat actors) can scour it for vulnerabilities or security issues. If multiple software developers have built their proprietary products on the same open-source component, a vulnerability in that component can be embedded in several applications at the same time.

As a result, open-source software needs frequent updates to address security vulnerabilities, and an organization can only apply those updates if it knows which components it is running. “Oftentimes, organizations fail to track where open-source code has been used and are completely unaware of any components that need updating,” HC3 writes in the brief.