HC3 Explores Open-Source Software Risks in Healthcare Sector

December 12, 2023 - Open-source software (OSS) is the foundation of modern software development, but it can also expose critical infrastructure sectors to cybersecurity risks, the HHS Health Sector Cybersecurity Coordination Center (HC3) reasoned in its latest brief.

“Open-source software is a field of software development in which the source code for tools, projects, and programs is made freely available to download, modify, and share,” the brief stated.

“The complete source code is usually posted publicly via code-sharing platforms like GitHub, allowing anyone to examine it and make changes. Common examples include FireFox and Linux.”

Open-source software is widely used across critical infrastructure. In healthcare, examples of OSS include EMR software such as OpenEMR and OpenMRS, and prescription software such as Open Hospital and PatientOS. Its popularity is justified – sectors using OSS benefit from lower starting costs, more flexible software development processes, easier license management, and faster project starts.

Despite these benefits, HC3 also described OSS as a “double-edged sword.”

“While open-source software is the bedrock of modern software development, it is also often the weakest link in the software supply chain,” HC3 noted.

Vulnerabilities and security issues are common with OSS, and the public nature of OSS means that threat actors can freely scan the code for vulnerabilities to exploit. What’s more, vulnerabilities in open-source libraries may be present across thousands of applications, leaving many organizations vulnerable to risk.

HC3 also emphasized the fact that open-source code is frequently updated and can become outdated very quicky. Sometimes, organizations may incorporate open-source components in applications and then fail to update it, exposing it to further risk.

“Open-source projects typically lack centralized quality control, resulting in no guarantee that the code has been rigorously tested for security flaws,” HC3 added.

“There is limited vendor accountability, and so unlike commercial software vendors who often provide dedicated support, open-source projects tend to lack the structure or resources required to take accountability for security issues.”

There have been documented cybersecurity issues stemming from OSS in healthcare in the past, HC3 reasoned. Notable incidents include the Heartbleed flaw in 2014, which left networks vulnerable to eavesdropping and data theft, and the Log4j compromise in 2021.

Rather than ceasing the use of OSS altogether, HC3 recommended that organizations conduct OSS evaluations to determine safety and security. These assessments entail analyzing the codebase’s security and assessing the project maintainer’s level of involvement and responsiveness to security issues.

Software bill of materials (SBOMS) and software composition analysis (SCA) are also key ways to reduce risk. SBOMs provide transparency into the software supply chain by listing all components and dependencies that make up a piece of software. An SCA is an automated process that identifies the open-source software in a code-base.

HC3 encouraged healthcare organizations to use OSS responsibly and take action to mitigate risk.