How healthcare organizations should navigate government regulatory activity impacting open source

In 2024, cybersecurity risk impacts patient outcomes, doctor burnout, and care success at nearly every healthcare organization. 

Many organizations are making investments on their own to ensure they are protected, but they are also paying close attention to cybersecurity guidance and regulations published by the federal government. Several government agencies, including the FDA, OMB, and NIST are putting in place more stringent cybersecurity requirements that require new consideration and investment, not only to stay compliant, but also to build technology that is secure throughout its lifecycle. 

Open source is a particular concern for many leading healthcare technologists, as the open source that organizations are bringing into their applications creates its own set of security challenges. 

Here are a few ways healthcare technology and security leaders address this risk today: 

• Implementing an approval processes for open source components, which sometimes can slow development and innovation
• Using software composition analysis tools to find vulnerabilities, which can lead to developer overwhelm trying to chase down and remediate long lists of vulnerabilities that are difficult to prioritize 
• Ripping and replacing open source components that are found to be unmaintained or insecure, which can steal valuable development cycles that could be invested in new innovation 
• Producing software bills of materials, which may not even reflect the full list of open source in use because they don’t account for transitive dependencies 
  
  

Do any of these issues resonate with you? Good news: we have brought together a group of people who are thinking about these issues every day, and have ideas for how to address them. We host a panel of industry experts including Om Mahida, VP of product from Medcrypt; Keavy Murphy, VP of security at Net Health; and Lauren Hanford from Tidelift.