Vetting the Security Risks of Open-Source Code in Healthcare Technology
Attorney Steven Teppler of Sterlington PLLC on Critical Considerations
Healthcare organizations must carefully scrutinize any purchase or implementation of applications, software suites and other technology platforms that could contain open-source code because of the potentially serious security risks - and patient safety issues - posed by these components, says attorney Steven Teppler of the law firm Sterlington PLLC.
"There is a huge adoption of open-source code across all sectors and enterprises, and healthcare is no exception," he says.
Any open-source component - especially those that have access or can be configured to have access to critical information or processes within a hospital environment - must be vetted thoroughly to minimize the potential for a cybersecurity compromise, he says.
"If you use open-source code which permits the introduction of ransomware into your hospital system and the hospital system freezes, even if you go back to pen and paper, certain diagnostic services will likely be unavailable," he says in an interview with Information Security Media Group.
"If that happens and the provision of healthcare is delayed, the delay can cause injury - and fatalities as well."
In a hospital environment, open-source code components could be embedded in equipment ranging from clinical diagnostic tools to elevators, whose ability to function properly could be greatly impaired by the exploitation of a security vulnerability, he says.
Speaking about the possibility of an open-source code cyber incident affecting the elevators, he asks, "If you have a patient that has to be moved from the seventh floor to the ninth floor, from the ICU to an operating room, and you can't do that - and you can't wheel the patient up the stairs - what do you do?"
"You'll never get rid of every potential problem or risk, but organizations should be paying attention to what they buy and who they buy it from," he says.
In the interview, Teppler also discusses:
- Steps healthcare sector entities can take to help improve their visibility into the open-source code components contained in third-party software applications and services used in their environments;
- Healthcare sector issues involving Apache Log4j vulnerabilities;
- Potential civil liability and regulatory concerns related to cyber incidents involving open-source code.
Teppler is a partner at Sterlington PLLC, where he leads the law firm's cybersecurity, privacy and electronic discovery practice. He's also the former co-chair of the American Bar Association's Information Security Committee and a founder and former co-chair of the ABA's IoT National Institute and its National Institute on Electronic Discovery and Information Governance.