Practice Management Alert

Reader Questions:

Acknowledge HC3 Advice

Question: We’ve been shopping for new software for our healthcare practice and haven’t found any that we’re happy to purchase and deploy in the organization. One of my staff members suggested using open-source software, so we could try it out at a lower startup cost. I’m not very familiar with open-source software, but “lower startup costs” sound like there could be different, higher costs down the line.

Am I overthinking the risks of this software in our healthcare practice?

Oregon Subscriber

Answer: You’re right to be cautious about open-source software in your healthcare operations. While open-source software offers many benefits, such as lower starting costs, flexible development options, and easy license management, there are just as many risks to consider.

In December 2023, the Office of Information Security and the HHS Health Sector Cybersecurity Coordination Center (HC3) issued a brief outlining some of the risks of using open-source software in healthcare.

Types of open-source software used in the health sector include:

  • Electronic medical records (EMR) software
  • Clinic management software
  • Medical billing software
  • Inventory management software

Open-source software has a history of being developed and distributed to the public free of charge, which means that anyone can review the software’s code and make changes as they want. Because the code is publicly available, anyone (including malicious threat actors) can also scour it for vulnerabilities or security issues. If multiple software developers have used similar open-source software to build their proprietary software, those vulnerabilities can be embedded in several applications at the same time.

As a result, open-source software needs frequent updates to address security vulnerabilities. “Oftentimes, organizations fail to track where open-source code has been used and are completely unaware of any components that need updating,” HC3 writes in the brief.