Healthcare and Public Health Sector Warned About Open Source Software Risks

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat report warning about the risks of open source software, risks that are far-reaching in healthcare. Open source software was pioneered by scientists, researchers, and academics and was predicated on the free and open sharing of knowledge. The code is available for anyone to inspect, and changes can be proposed to improve functionality and to correct errors and vulnerabilities. As software became more commercialized, open source lost some ground to proprietary products; however, it remains pervasive, especially in healthcare, where open source code is used in a wide range of systems, including electronic health records, prescription software, medical billing software, clinic management software, inventory management software, and medical device components.

Benefits and Risks of Open Source Software

Open source software has many benefits, such as lowering starting costs, shortening the time to market, increasing feedback and collaboration, and allowing more flexible software development processes, and these benefits can be considerable. It is therefore no surprise that the 2023 Open Source Security and Risk Analysis (OSSRA) report from Synopsys found open source software in 96% of scanned codebases, with 76% of the code in those codebases being open source. In healthcare, health tech, and life sciences, the percentage of codebases containing open source code increased from around 65% in 2018 to 80% in 2022.

Synopsys determined that 84% of codebases contained at least one vulnerability and 48% contained high-risk vulnerabilities. While having many eyes on the code increases the chance of vulnerabilities being identified and corrected, publishing the code does not guarantee that anyone will actually inspect it for security issues, nor that the people who do inspect it are capable of finding vulnerabilities. The code is equally available to malicious actors, who can search it for vulnerabilities to exploit.

Open source code lets software developers add functionality quickly, easily, and cheaply, and as a result it is used extensively, which means that when a vulnerability exists in a popular component, it is likely to be embedded in many thousands of applications. One problem is that open source code is often incorporated into an application and then never updated, and many organizations fail to track where open source code has been used. When vulnerabilities are identified and fixed upstream, those fixes may never be applied, because the organization does not know which of its applications contain the affected component. Further, vulnerabilities may never be found and addressed at all: open source projects often lack centralized quality controls, there is no guarantee that the code has been rigorously tested, and projects tend to lack the structure or resources required to take accountability for security issues.

Open Source Software Vulnerabilities Exploited in Healthcare Cyberattacks

While there have been no documented cyberattacks that have specifically targeted medical devices by exploiting open source software vulnerabilities, the potential for harm from such attacks is considerable. Attacks exploiting open source vulnerabilities could cause medical devices such as insulin pumps, implantable cardioverter defibrillators, external defibrillators, and ventilators to malfunction, with severe implications for patient safety.

Open source software vulnerabilities have been exploited in attacks on the healthcare sector. The Heartbleed vulnerability in OpenSSL, disclosed in April 2014, left networks vulnerable to eavesdropping and data theft; in August 2014 one health system reported that attackers had exploited Heartbleed to gain access to the PHI of 4.5 million patients. In August 2020, several zero-day vulnerabilities in an open source integrated information management system used by a hospital exposed patients’ test results, and in December 2021 the Log4Shell flaw in the open source Log4j library, which is used to add logging capabilities to Java-based applications, was extensively exploited. The flaw was exploited by nation-state hacking groups such as HAFNIUM and PHOSPHORUS (also tracked as APT35) to gain access to sensitive data and to take full control of vulnerable systems, and by cybercriminal groups such as Conti in ransomware attacks. In January 2023, a series of flaws was found in OpenEMR, an open source electronic health record system, which could be exploited to steal patient data and potentially compromise the entire IT infrastructure of an organization.

Recommendations for Reducing Open Source Software Risks

In order to address the risks of open source software, organizations first need to know which open source components they are running. There has been a push for software developers to provide a Software Bill of Materials (SBOM) with their software; healthcare organizations should demand an SBOM from their vendors and should also conduct a software composition analysis (SCA), an automated process that identifies open source components in a codebase. An SBOM is only as useful as it is complete and current: it must cover transitive dependencies, not just the libraries a vendor added directly, and it must be regenerated with each release so that a newly disclosed vulnerability can be matched against what is actually deployed. HC3 also recommends other steps that small and medium/large organizations can take to reduce open source software risks.
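The matching step that an SBOM enables, shown as an added example that is not from the HC3 report or from HIPAA Journal: a small Python script that reads a CycloneDX JSON SBOM, compares each component's version against a list of advisory records, and flags components that fall inside an affected range or that cannot be assessed because the SBOM omits a version. The SBOM document and the advisory list are constructed sample data; the affected ranges for Log4Shell (log4j-core 2.0-beta9 up to but not including 2.15.0) and Heartbleed (OpenSSL 1.0.1 through 1.0.1f) are the published ones, and all other component names and versions are illustrative.

```python
"""Match a CycloneDX SBOM against advisory version ranges.

Added example, not code from HC3 or HIPAA Journal. SAMPLE_SBOM and
ADVISORIES are constructed sample data; only the Log4Shell and
Heartbleed version ranges are real.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM of the kind a vendor might supply.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "openssl", "version": "1.0.1f",
         "purl": "pkg:generic/openssl@1.0.1f"},
        {"type": "library", "name": "openssl", "version": "1.0.1g",
         "purl": "pkg:generic/openssl@1.0.1g"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        # Constructed: a component the vendor listed without a version.
        {"type": "library", "name": "mystery-lib"},
    ],
})

# Constructed advisory records keyed by version-less purl.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0", "id": "Log4Shell"},
    {"purl": "pkg:generic/openssl",
     "introduced": "1.0.1", "fixed": "1.0.1g", "id": "Heartbleed"},
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]*)")


def version_key(version):
    """Sortable key: numeric parts, pre-release flag, OpenSSL-style letter suffix.

    Ordering: '2.0-beta9' < '2.0' < '2.0.1' and '1.0.1' < '1.0.1f' < '1.0.1g'.
    A '-tag' suffix is treated as a pre-release (sorts before the bare number);
    a trailing letter is treated as a post-release (sorts after it).
    """
    core, _, pre = version.partition("-")
    m = _VERSION_RE.fullmatch(core)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (5 - len(nums))          # pad so 2.0 == 2.0.0
    return (nums, 0 if pre else 1, pre, m.group(2))


def parse_components(sbom_json):
    """Return (version-less purl, version) pairs; version is None if absent."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for c in doc.get("components", []):
        purl = c.get("purl")
        base = purl.split("@", 1)[0] if purl else f"unknown:{c.get('name')}"
        out.append((base, c.get("version")))
    return out


def unversioned(components):
    """Components that cannot be assessed because the SBOM gives no version."""
    return [base for base, version in components if version is None]


def find_affected(components, advisories):
    """Return (purl, version, advisory id) for every component in an affected range."""
    findings = []
    for base, version in components:
        if version is None:
            continue
        for adv in advisories:
            if adv["purl"] != base:
                continue
            v = version_key(version)
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings.append((base, version, adv["id"]))
    return findings


if __name__ == "__main__":
    comps = parse_components(SAMPLE_SBOM)
    for purl, version, advisory in find_affected(comps, ADVISORIES):
        print(f"AFFECTED  {purl}@{version}  ({advisory})")
    for purl in unversioned(comps):
        print(f"UNASSESSABLE  {purl}  (no version in SBOM)")
```

Running the script flags log4j-core 2.14.1 and openssl 1.0.1f while leaving the patched 2.17.1 and 1.0.1g alone, and it reports the unversioned component separately; in practice the advisory list would come from a vulnerability feed, but the version-range comparison and the "no version, cannot assess" case are the parts an SCA tool has to get right.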

The post Healthcare and Public Health Sector Warned About Open Source Software Risks appeared first on HIPAA Journal.

Michigan Increases Penalties for Violence Against Healthcare Workers

In the absence of federal legislation to protect healthcare workers, Michigan has introduced a new law that expands the definition of protected workers to include healthcare workers and has increased the financial penalties in an attempt to curb the growing problem of workplace violence.

Workplace Violence in Healthcare Continues to Increase

The number of reported instances of nonfatal workplace violence has been increasing year-over-year, especially in healthcare. According to data from the Bureau of Labor Statistics (BLS), the rate of workplace violence incidents that required workers to take time off work was five times higher in privately operated healthcare and social assistance establishments than in private industry overall. Since the BLS started tracking workplace violence incidents in 2011, cases have increased almost every year. These incidents can result in serious injuries or worse: between 2016 and 2020, BLS data show an average of 44 homicides of private healthcare workers every year.

There have been repeated calls from industry associations for federal protections to help tackle the problem. In 2022, Sen. Tammy Baldwin (D-WI) introduced the Workplace Violence Prevention for Health Care and Social Service Workers Act, which called for OSHA to create violence prevention requirements for healthcare and social services workplaces. The legislation failed to advance and was reintroduced in April this year. In September 2023, Sens. Joe Manchin (D-WV) and Marco Rubio (R-FL) introduced the Safety from Violence in Healthcare Act, which sought to make assaults on healthcare staff a federal crime and to increase penalties for assaults that result in bodily injury; however, that legislation has also failed to advance in Congress.

In March 2023, the Occupational Safety and Health Administration (OSHA) announced that it is in the process of developing an enforceable Prevention of Workplace Violence in Healthcare and Social Assistance standard in an attempt to address this growing problem.

New Michigan Law Doubles Penalties to Deter Workplace Violence

In the absence of federal protections, many states have introduced their own laws in an attempt to deter violence against healthcare workers. Almost 40 states have now passed legislation to increase penalties for violence against healthcare workers, with Michigan the latest state to do so.

Michigan already had laws in place concerning violence against protected workers, a category that includes police officers, firefighters, and EMS personnel. In response to the rise in bullying, violence, and the viciousness of attacks on healthcare workers, that classification has been extended to include healthcare professionals and medical volunteers. Any assault on a protected worker can result in a felony charge, and while the potential jail time is unchanged, the financial penalties have doubled. Medical facilities in the state must now post signs in areas visible to the public that warn of the increased fines.

The new law (House Bill 4520-21) was led by Rep. Mike Mueller (R-MI) and was signed into law on December 6, 2023. “This new law is a step toward providing a secure working environment for hospital personnel, discouraging acts of violence, and ensuring that anyone who targets them with violence is held responsible,” said Rep. Mueller. “I am proud to see this bipartisan plan come to fruition after working on it for more than a year.”

The post Michigan Increases Penalties for Violence Against Healthcare Workers appeared first on HIPAA Journal.