Healthcare organizations seeking to reduce their risk of cybersecurity breaches in the supply chain may want to reassess their approach to software security, lowering the risk and liability that third-party software introduces.

Cybercriminals see healthcare organizations as “soft targets” that are not as well defended: they must remain accessible to users and handle heavy traffic of files and records, which leaves multiple attack vectors open. In addition, healthcare is in the midst of a technology expansion, with explosive growth in Internet of Things (IoT) connections, patient portals and telehealth.

All these new medical technology applications run on software. MarketsandMarkets Research says healthcare IT spending will grow more than 20% every year through 2026, with most of that growth coming from enterprise software. The software development process — for both custom and off-the-shelf programs — often relies on what is known as “Software of Unknown Pedigree/Provenance (SOUP)”: code from open-source libraries or other sources that developers reuse to save time and money rather than writing common functions from scratch. The practice lets them develop and update software at speed and scale, but it can also introduce vulnerabilities that attackers use to steal patient records and other PII, or to install malicious code such as spyware or ransomware that can disrupt critical healthcare services.

In this environment, protecting medical devices from security vulnerabilities in open source and third-party code is imperative. Supply chain attacks are a growing concern among all industry sectors, and medical devices present a large attack surface for this type of threat.

Read the full article at Medical Design and Outsourcing.