Apps and Devices Powered by Open-Source Code Are Pervasive in Healthcare
Open-source software is pervasive in healthcare. It is used in critical systems such as electronic health records and components contained in medical devices. Federal regulators are urging healthcare sector firms to be vigilant in managing risks and threats involving open-source software.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in a threat report Thursday said the potential risks and threats posed by open-source software used in the healthcare sector – as well as in other critical infrastructure sectors – are far-ranging.
“Open-source software is part of the foundation of software used to support every single critical infrastructure sector and every national critical function,” according to HHS HC3.
“While open-source software is the bedrock of modern software development, it is also often the weakest link in the software supply chain.”
A recent study by security firm Synopsis found that 96% of examined software codebases across various sectors contain open-source code, while 76% of code studied in the codebases was open source, HHS HC3 said.
Also, researchers have found that the percentage of codebases that contain open-source code in the healthcare, medical technology and life sciences industries is increasing – from around 65% in 2018 to about 80% in 2022, HHS HC3 said.
“While there was a decrease over time from 2019 to 2021 in the percentage of codebases containing high-risk vulnerabilities in the health sector from around 80% to 40%, this number is on the rise again,” HHS cautioned.
Some medical industry security experts agree with HHS HC3’s assessment of the multitude of risks posed to healthcare involving open-source software.
“The healthcare sector faces several critical risks and threats related to open-source software,” said former longtime healthcare CIO David Finn, vice president of the Association for Executives in Healthcare Information Security, a CISO professional group within the College of Healthcare Information Management Executives.
“We know that third-party based attacks have been very successful. They are the most difficult to protect against – due to the hyper-connected ecosystem of healthcare and what we don’t know about open-source software, or any software for that matter,” Finn told Information Security Media Group.
Some of the most common and concerning risks around open-source software include typosquatting, which often takes the form of putting malicious code into packages closely named to impersonate popular software; code injection of malicious code to gain access to sensitive data or take control of the system; and malware of all types, he said.
“Ransomware remains a major threat to healthcare organizations. Those threats are exacerbated by open-source software compromise,” Finn said.
“Using open-source software can introduce cybersecurity risks, intellectual property issues, lack of security, operational inefficiencies and poor developer practices,” he said.
HHS warned that threats involving open-source software – including exploitation of vulnerabilities, supply chain attacks and weaponized open-source software – all pose critical concerns for the healthcare sector.
“Many eyes on open-source code does not mean people are checking for vulnerabilities or security issues. If the source code of software is put in the public domain, it can be accessed by anyone. While this is generally a good thing, bad actors can also access the code to look for vulnerabilities,” HHS said.
Vulnerabilities in open-source libraries may be embedded into thousands of applications, thereby weakening supply chains with even a single line of code, HHS warned.
Some healthcare-specific applications, such as open-source electronic medical records and hospital information management systems, have also been areas of risk, HHS said.
In January, the nonprofit behind open-source electronic health record OpenEMR released a patch fixing a trio of security flaws that could allow attackers to steal patient data and potentially compromise an organization’s entire IT infrastructure. The OpenEMR flaws also were the subject of an alert from HHS’ Health Sector Cybersecurity Coordination Center (see: OpenEMR Flaws Could Allow Attackers to Steal Data, More).
In July 2020, CISA issued an alert about vulnerabilities discovered by an independent security researcher in OpenClinic GA, an integrated hospital information management system developed by an open-source community on SourceForge (see: Alerts: Flaws in Ultrasound, Open-Source Hospital Systems). CISA then issued an updated alert about a year later, in June 2021, about the OpenClinic GA vulnerabilities.
But other open-source software that’s used across many industries, including healthcare, also poses ongoing risk.
One is the Log4Shell vulnerability in the open-source logging utility Log4j maintained by Apache, which was first announced in 2021.
“The vulnerabilities in the Apache Log4j logging library continue to pose problems for healthcare organizations,” Finn said.
“We see this kind of issue very often in medical devices,” he said. In fact, LogJ4j vulnerabilities were among factors driving the federal government – including the Food and Drug Administration with medical devices – to push for software bill of materials requirements from manufacturers and suppliers, he said. “We knew what we were buying but had no idea of what was in it,” he said.
A compromise of widely used open-source code is no trivial matter, Finn said. An estimated 4,000 organizations are still at risk to LogJ4j, and the vulnerability has affected over 44% of corporate networks globally, Finn said.
“Healthcare organizations should be vigilant about these open-source software risks and implement robust security measures to protect patient data and critical systems.”
Steps to Take
HHS HC3 said the push for software bills of materials, as well as software composition analysis – an automated process that identifies the open-source software in a codebase – could help to reduce some of the risks with open-source software in the future.
Besides demanding SBOMs from vendors, Finn said healthcare organizations should take other important steps to reduce their open-source software and components.
“Use or buy from trusted sources. That means: Look for vendors that provide packages that are built from source and privately hosted on secure infrastructure, so you can be confident that your open-source software supply chain is secure from the start,” he said.
Also, when vendors need access to systems, software or platforms, “assure you have well-managed and tracked user access controls,” he recommended.
“Security-conscious organizations want to be able to control access to private packages and channels. It’s best if you can provide that access to specific individuals or groups in your organization or outside your organization who may need access.”
Finn also urged healthcare entities to implement reliable curation of common vulnerabilities and exposures. “Your best bet here is a platform that doesn’t just scan for CVEs but has open-source experts who curate them to reduce the instances of false positives.”
Looking ahead, the next big threat involving open-source will likely be around artificial intelligence, Finn said.
“We don’t have a good understanding of AI, and we certainly don’t have good controls, due diligence or governance in place around the software, algorithms or datasets required,” he said.
“Bringing open-source software into that unfortunate combination may be like throwing gasoline on a fire. We must proceed but we must do so with thoughtful planning, appropriate controls and experienced leadership and management around deployments,” he said.
Meanwhile, connected devices – including remote patient monitoring, consumer fitness/wellness apps and other IoT gear that is retrieving or sending information to electronic health records – are also potential hotbeds for problems involving open source, Finn said.
“These may be devices the healthcare provider doesn’t know about, and even if they do, they can’t touch it. People are doing EKGs on their iPhone now – what could possibly go wrong?”