From AI-assisted diagnostics to remote patient monitoring and digital-first services, the healthcare sector is leveraging technology to enhance patient care and operational efficiency. However, beneath this wave of innovation lies a silent but significant crisis: a staggering 80% of audited healthcare, health tech, and life sciences codebases contain high-risk vulnerabilities, as highlighted in the 2025 Open Source Security and Risk Analysis (OSSRA) report. This statistic should serve as a wake-up call for governmental healthcare institutions, private health providers, and MedTech innovators.

Unveiling the Complexity: The Layers of Healthcare Software

Healthcare software is a complex tapestry of electronic health records (EHRs), diagnostic platforms, medical devices, telehealth services, and AI-driven analytics. Open source software (OSS) is a critical component of this ecosystem, enabling rapid development and cost efficiency.

The OSSRA report reveals that 97% of codebases audited in 2024 included open source components, with the average application containing 911 such components. However, this reliance on OSS introduces a layer of risk. Many of these components, particularly transitive dependencies—those indirectly included via other packages—remain hidden from developers and security teams. In fact, 64% of the open source components identified were transitive, making them extremely difficult to track without specialized tools. This lack of visibility is the root cause of the crisis.

The healthcare sector is uniquely vulnerable to cyber threats. The OSSRA audit found that 81% of assessed codebases across all industries contained high or critical-risk vulnerabilities. In healthcare, where patient safety and data integrity are non-negotiable, these risks are particularly alarming. Common threats include cross-site scripting (XSS) vulnerabilities, often found in widely used libraries like jQuery, which could impact web-based applications like patient portals. Despite the availability of patches, these vulnerabilities persist because outdated versions continue to be used, sometimes buried deep within the software stack. It’s not that jQuery is inherently insecure; it’s that many organizations are using versions with known issues.

Outdated Components: The Silent Threat to Patient Safety

The sector’s dependence on outdated and unsupported components is a significant concern. The OSSRA report revealed that 90% of codebases contained open source components more than four years out of date. Additionally, 91% included components that hadn’t seen new development in over two years. What’s more, 88% used components that were both outdated and inactive.

This stagnation is not due to negligence but rather the challenges of updating legacy infrastructure. Many healthcare systems require extensive testing and certification, which can be costly and time-consuming. However, ignoring these issues is a recipe for disaster.

The 2017 WannaCry attack demonstrated how vulnerable healthcare systems can be, even when the root cause is a known vulnerability. With open source software forming the foundation of nearly every healthcare application, the attack surface is vast and fragmented. It’s not a matter of if another incident will occur, but when.

SBOMs: A Proactive Approach to Avoiding the Next Healthcare Crisis

The first step in addressing this silent crisis is achieving visibility. Software Bills of Materials (SBOMs) are formal inventories of all components within a piece of software, including their origins, versions, and licenses. They provide essential transparency and are becoming a requirement in public sector and vendor procurement contracts. SBOMs enable healthcare organizations to identify high-risk components and prioritize patching, track dependencies (both direct and transitive), ensure licensing compliance (reducing legal and operational risks), and assess software health during procurement, especially in mergers and acquisitions (M&A) due diligence.

When combined with Software Composition Analysis (SCA) tools, SBOMs can offer continuous vulnerability monitoring, allowing security teams to respond in real-time to newly disclosed threats. With open source software underpinning nearly every healthcare application, the potential attack surface is far more extensive and fragmented.
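As an added example (not code from this article or from the OSSRA report), the following Python shows what the SBOM-plus-SCA workflow described above looks like at the smallest scale: it reads a constructed CycloneDX-style SBOM, labels each component as a direct or transitive dependency by walking the dependency graph, compares versions against a constructed advisory feed (placeholder entries, no real CVE ids), and applies the report's two staleness thresholds. The SBOM, advisories, release dates and assessment date are all constructed for the example.

```python
import json
from datetime import date
# Constructed sample SBOM in CycloneDX JSON shape; not a real product's inventory.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "patient-portal", "version": "3.2.0"}},
 "components": [
  {"bom-ref": "pkg:npm/jquery@1.12.4", "name": "jquery", "version": "1.12.4"},
  {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2"},
  {"bom-ref": "pkg:npm/qs@6.5.2", "name": "qs", "version": "6.5.2"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["pkg:npm/jquery@1.12.4", "pkg:npm/express@4.18.2"]},
  {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.5.2"]}]}"""
# Constructed advisory feed (placeholders, no real CVE ids): name -> (first fixed version, severity).
ADVISORIES = {"jquery": ("3.5.0", "medium"), "qs": ("6.5.3", "high")}
# Constructed release metadata: name -> (release date of the in-use version, last project activity).
RELEASES = {"jquery": (date(2016, 5, 20), date(2024, 1, 10)),
            "express": (date(2022, 10, 8), date(2024, 3, 1)),
            "qs": (date(2018, 2, 18), date(2022, 1, 5))}
TODAY = date(2025, 6, 1)  # constructed assessment date so the results are reproducible

def parse_version(v):
    return tuple(int(p) for p in v.split("."))  # sufficient for plain x.y.z strings

def reach(sbom):
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    direct, seen, stack = set(edges.get(root, [])), set(), list(edges.get(root, []))
    while stack:  # depth-first walk; anything below a direct dependency is transitive
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    return {r: ("direct" if r in direct else "transitive") for r in seen}

def assess(sbom_json, today=TODAY):
    """Return (name, version, reach, flags) for every component that needs attention."""
    sbom = json.loads(sbom_json)
    how = reach(sbom)
    findings = []
    for c in sbom["components"]:
        name, ver, flags = c["name"], c["version"], []
        if name in ADVISORIES and parse_version(ver) < parse_version(ADVISORIES[name][0]):
            flags.append(f"vulnerable:{ADVISORIES[name][1]} (fixed in {ADVISORIES[name][0]})")
        released, last_activity = RELEASES[name]
        stale = [("outdated>4y", released, 4), ("inactive>2y", last_activity, 2)]  # OSSRA thresholds
        flags += [tag for tag, when, years in stale if (today - when).days > years * 365]
        if flags:
            findings.append((name, ver, how.get(c["bom-ref"], "unreferenced"), flags))
    return findings
```

The transitive `qs` entry is the case the article warns about: it never appears in the application's own manifest, so only the dependency graph in the SBOM reveals it.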

An Action Plan for Healthcare Leaders

To get ahead of this crisis, healthcare and MedTech leaders must take decisive action:

  • Mandate SBOMs in all software procurement processes. This will ensure that all components are identified and their risks assessed.
  • Invest in SCA tools. Continuous scanning for vulnerabilities is crucial in maintaining the security of healthcare applications.
  • Update legacy systems incrementally. Prioritize systems with high-risk components to reduce the overall attack surface.
  • Educate development teams. Training on secure coding and dependency management is essential to prevent the introduction of new vulnerabilities.
  • Collaborate across the ecosystem. Work with vendors to ensure they meet minimum security requirements and are transparent about their software components.

Cybersecurity in healthcare is not just an IT issue; it is a patient safety issue. With 80% of medical software containing high-risk vulnerabilities, the entire sector must act now. The OSSRA report is clear: we cannot manage what we cannot see. Visibility must be the cornerstone of healthcare’s digital future.
