
Rampant cyber attacks – Is the healthcare industry suited to using open source software?

Preface: Our world is increasingly vulnerable to hackers and data breaches.

Strategy Challenge: Given today's data privacy requirements, security matters when choosing a new software system. Can open source software be deployed in medical and healthcare environments? And if it can, which open source products are the better choice?

Healthcare Cybersecurity Trends – 2019 – The National Association of County and City Health Officials reports that healthcare breaches can cost up to $400 per patient. On top of the laws and regulations of individual countries, a major reform of the European data protection framework established the GDPR. The GDPR introduces an obligation on data controllers to report breaches of patients' health records to the data protection authority within 72 hours of becoming aware of the incident. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The maximum administrative fine under the GDPR is 20 million euro or 4% of a company's annual worldwide turnover, whichever is higher. Because these regulations and penalties are mandatory, the related industries have defined a data governance roadmap. The concept is illustrated below:

Can I use open source software for healthcare operations?

Quote: "Absolutely. All Open Source software can be used for commercial purpose; the Open Source Definition guarantees this. You can even sell Open Source software. However, note that commercial is not the same as proprietary." – opensource.org

What about vulnerability management? In practice it is rare for the healthcare industry to use open source software directly. More often a third-party vendor customises its own solution and integrates the business function with open source components. The following example provides the details.

OpenEMR is the most popular open source electronic health records and medical practice management solution, and it is an ONC Certified HIT 2014 Edition Complete EHR product. Being open source does not exempt it from vulnerabilities: it is still a software product, and defects are hard to avoid. In this case, vulnerabilities were found in two different functions (see below), and an attacker could exploit them through SQL injection. Because SQL injection gives the attacker a path to the database, the privacy of patient data is directly at stake. Following up on the vendor's response, corrective action was taken and a remediation was released. The response time is hard to rate because of the reporting criteria and procedures of the Common Vulnerabilities and Exposures (CVE) process, but that limitation is not specific to open source vendors; in terms of vulnerability management there is no major difference between open source and proprietary software here. OpenEMR published the remedy in August 2018.

OpenEMR has released software updates at the following link: OpenEMR 5.0.1 Patch 7
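The class of bug behind the OpenEMR case above, as an added example that is not OpenEMR code and not part of the original post: a constructed patient lookup whose SQL is built by string concatenation, beside the same lookup written with bound parameters. Both run against a constructed two-row table in an in-memory SQLite database. The table name, column names and attack payloads are assumptions chosen for illustration; the first payload bypasses the credential check, the second uses UNION to pull diagnoses out of the table, which is exactly the data-privacy exposure the paragraph above warns about.

```python
import sqlite3

# Constructed sample data standing in for an EHR database. Passwords are
# kept in clear text only to keep the demo short; a real system must hash them.
PATIENTS = [
    (1, "alice", "secret1", "Alice Example", "diabetes"),
    (2, "bob", "hunter2", "Bob Example", "hypertension"),
]

# Assumed payloads: one for authentication bypass, one for data exfiltration.
BYPASS_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT username, diagnosis FROM patient_data -- "


def make_db():
    """Build an in-memory database with the constructed patient_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_data "
        "(pid INTEGER, username TEXT, password TEXT, fname TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?, ?)", PATIENTS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so quotes,
    OR clauses, UNION and comment markers in the input become SQL syntax."""
    sql = (
        "SELECT pid, fname FROM patient_data "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username, password):
    """Hardened form: the SQL text is fixed and the values travel as bound
    parameters, so the database never parses user input as syntax."""
    sql = "SELECT pid, fname FROM patient_data WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def auth_bypass_demo():
    """Same payload against both forms. The concatenated query becomes
    ... username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row; the parameterised query matches nothing."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, BYPASS_PAYLOAD, BYPASS_PAYLOAD)),
        "hardened_rows": len(lookup_hardened(conn, BYPASS_PAYLOAD, BYPASS_PAYLOAD)),
    }


def exfiltration_demo():
    """UNION payload: the trailing '-- ' comments out the password check and
    the second SELECT returns (username, diagnosis) pairs in place of
    (pid, fname). The hardened form treats the payload as a literal username."""
    conn = make_db()
    return {
        "vulnerable_rows": lookup_vulnerable(conn, UNION_PAYLOAD, "anything"),
        "hardened_rows": lookup_hardened(conn, UNION_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    print("auth bypass:", auth_bypass_demo())
    print("exfiltration:", exfiltration_demo())
```

Parameterised queries are the primary fix; the other controls listed in the summary below (least-privilege database credentials, logging of anomalous queries, prompt patching) limit the damage when a bug like this slips through review.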

The moment of truth: A decade ago, if you had asked an enterprise CTO whether they were willing to use open source software, you would have received a standard answer: it is not possible! Yet we may not have realised that open source software has been living with us for a long time. PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

Summary: A cyber attack is rarely based on a single element or component. To avoid attacks you have to strengthen your detective and preventive controls, whether or not you use open source software. Therefore, if you want to deploy a healthcare application system built on open source software, you have to fulfil the following requirements:

Software and Patch Management
Log Management
Network Segmentation
Block Suspicious Activity
Credential Management
Establish a Baseline for Host and Network Activity
Organization-Wide IT Guidance and Policies

End of document.