Superbugs in medical software are driving a healthcare security crisis

"81% of codebases contained high or critical-risk vulnerabilities - an unacceptable risk when patient safety and data integrity are paramount."

(Image: Rens Dimmendaal & Banjong Raksaphakdee / Medicines / Licenced by CC-BY 4.0)

Healthcare is an environment that demands absolute trust and safety. So news that four-fifths of codebases in health and key related industries contain high-risk vulnerabilities was understandably concerning.

Organisations worldwide are accelerating their digital transformation, experimenting with technologies ranging from AI-assisted diagnostics to remote patient monitoring. Yet as they push forward, a silent crisis is unfolding within the sector's software infrastructure.

According to the 2025 Open Source Security and Risk Analysis (OSSRA) report, 80% of audited healthcare, health tech and life sciences codebases contain high-risk vulnerabilities. This statistic should sound alarm bells across the NHS, private health providers and MedTech innovators alike.

Critical care for unhealthy systems

Healthcare software is built on layers of complexity, like electronic health records (EHRs), diagnostic platforms, medical devices, telehealth services and AI-driven analytics. Open source software (OSS) underpins much of this innovation and is a powerful enabler of speed and cost efficiency. The OSSRA report found that 97% of codebases audited in 2024 contained open source components, with the average application comprising 911 such components.

However, with this ubiquity comes risk. Many of these components, especially transitive dependencies (those pulled in indirectly via other packages rather than declared by the application itself), remain invisible to developers and security teams alike. In fact, 64% of the open source components identified were transitive, making them very difficult to track without specialised tooling. This opacity is the root of the crisis.

The OSSRA audit showed that 81% of assessed codebases across all industries contained high or critical-risk vulnerabilities. In healthcare, where patient safety and data integrity are paramount, such risks are unacceptable.

Among the most common threats were cross-site scripting (XSS) vulnerabilities in widely used libraries such as jQuery, which could affect web-based applications like patient portals. Despite available patches, these vulnerabilities persist simply because outdated versions remain in active use, sometimes buried several layers deep in the software stack. It's not that jQuery is inherently insecure; it's that many organisations continue to run versions with known, long-fixed issues.

The chronic condition of outdated components

Perhaps most alarming is the sector’s dependence on outdated and unsupported components. The OSSRA report revealed:

  • 90% of codebases contained open source components more than four years out of date.
  • 91% included components that hadn’t seen new development in over two years.
  • 88% used components that were outdated and inactive.

This stagnation isn't due to negligence. Many healthcare systems run on legacy infrastructure that can’t be updated without extensive testing and certification, a costly, time-consuming and often deprioritised process. But ignoring the problem only invites serious consequences.

When attackers exploited the infamous Log4Shell vulnerability in December 2021, the urgency of patching a single open source logging library brought entire IT teams to a halt. Now, imagine a healthcare application with hundreds of similar dependencies, many of which are invisible due to transitive complexity. The next Log4Shell moment could target a medical imaging tool, a diagnostics engine or a patient record system.

The first step toward solving this silent crisis is visibility. Software Bills of Materials (SBOMs) are formal inventories of all components within a piece of software, including their origins, versions and licences. They provide essential transparency and are rapidly becoming required in public sector and vendor procurement contracts. In fact, the U.S. Food and Drug Administration (FDA) already requires medical device manufacturers to include an SBOM in premarket submissions for devices that contain software, the filings that allow those devices to be sold in the U.S.

SBOMs enable healthcare organisations to:

  • Identify high-risk components and prioritise patching.
  • Track dependencies, both direct and transitive.
  • Ensure licensing compliance, reducing legal and operational risks.
  • Assess software health during procurement, particularly in M&A due diligence.

When paired with Software Composition Analysis (SCA) tools, SBOMs can offer continuous vulnerability monitoring, helping security teams respond in real-time to newly disclosed threats.
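What SBOM-plus-SCA monitoring looks like in practice, for the transitive-dependency problem described above as well as the outdated-jQuery case: the script below reads a CycloneDX SBOM, walks its dependency graph to find the shortest path from the application to each component, then matches every component against an advisory feed by package name and fixed version. This is an added example written for this page, not code from the OSSRA report or from Black Duck's tooling. The SBOM, the "patient-portal" application, the package names other than jquery and express, and the advisory feed are constructed for illustration; only the jQuery entry reflects a real fix (the CVE-2020-11022/11023 XSS issues, fixed in jQuery 3.5.0). The version comparison is deliberately minimal; a real SCA tool needs ecosystem-specific rules (semver, PEP 440 and so on).

```python
"""Match a CycloneDX SBOM against an advisory feed and show whether each
vulnerable component is a direct dependency, a transitive one, or not even
reachable through the declared graph (an incomplete SBOM).

Added example; not code from the OSSRA report or Black Duck. SBOM and
advisory data are constructed, except the jQuery fix version (3.5.0).
"""
import json
import re
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5-style SBOM for a hypothetical patient portal.
# jquery is pulled in only through legacy-charts; orphan-lib appears in the
# component list but nothing in the dependency graph points at it.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "patient-portal", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"bom-ref": "pkg:npm/legacy-charts@1.0.4", "name": "legacy-charts", "version": "1.0.4", "purl": "pkg:npm/legacy-charts@1.0.4"},
    {"bom-ref": "pkg:npm/jquery@3.4.1", "name": "jquery", "version": "3.4.1", "purl": "pkg:npm/jquery@3.4.1"},
    {"bom-ref": "pkg:npm/orphan-lib@0.9.0", "name": "orphan-lib", "version": "0.9.0", "purl": "pkg:npm/orphan-lib@0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/legacy-charts@1.0.4"]},
    {"ref": "pkg:npm/legacy-charts@1.0.4", "dependsOn": ["pkg:npm/jquery@3.4.1"]},
    {"ref": "pkg:npm/express@4.18.2", "dependsOn": []},
    {"ref": "pkg:npm/jquery@3.4.1", "dependsOn": []}
  ]
}'''

# Constructed advisory feed in the shape an SCA tool consumes: package,
# first fixed version, severity. The HYPO-* identifiers are hypothetical.
ADVISORIES = [
    {"id": "CVE-2020-11023", "ecosystem": "npm", "name": "jquery", "fixed_in": "3.5.0", "severity": "medium"},
    {"id": "HYPO-2024-0001", "ecosystem": "npm", "name": "legacy-charts", "fixed_in": "1.1.0", "severity": "high"},
    {"id": "HYPO-2024-0002", "ecosystem": "npm", "name": "orphan-lib", "fixed_in": "1.0.0", "severity": "critical"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.4.1' -> (3, 4, 1). Non-numeric suffixes are dropped, so
    '1.0.4-beta' compares as (1, 0, 4). Minimal on purpose."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def purl_ecosystem(purl: str) -> str:
    """'pkg:npm/jquery@3.4.1' -> 'npm'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def load_sbom(text: str):
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root, components, graph


def dependency_paths(root: str, graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Breadth-first search from the application root, keeping the shortest
    path to each reachable component. len(path) - 1 is the depth:
    1 means a direct dependency, anything deeper is transitive."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def match_advisories(sbom_text: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per (component, advisory) pair whose version is
    below the fixed version, annotated with how the component is reached."""
    root, components, graph = load_sbom(sbom_text)
    paths = dependency_paths(root, graph)
    findings = []
    for ref, comp in components.items():
        eco = purl_ecosystem(comp.get("purl", "pkg:unknown/"))
        for adv in advisories:
            if adv["ecosystem"] != eco or adv["name"] != comp["name"]:
                continue
            if parse_version(comp["version"]) >= parse_version(adv["fixed_in"]):
                continue
            path: Optional[List[str]] = paths.get(ref)
            findings.append({
                "component": f'{comp["name"]}@{comp["version"]}',
                "advisory": adv["id"],
                "severity": adv["severity"],
                "depth": len(path) - 1 if path else None,   # None: not in the graph
                "transitive": (len(path) > 2) if path else None,
                "path": path,
            })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["component"]))
    return findings


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        how = "NOT IN DEPENDENCY GRAPH" if f["path"] is None else (
            "transitive" if f["transitive"] else "direct")
        print(f'{f["severity"]:8} {f["advisory"]:15} {f["component"]:22} {how}')
        if f["path"]:
            print("         via " + " -> ".join(f["path"]))
```

The output separates three cases a patching team treats differently: a direct dependency it can bump itself (legacy-charts), a transitive one it can only fix by upgrading or replacing the parent that drags it in (jquery 3.4.1 via legacy-charts), and a component whose presence the SBOM records but whose provenance it does not explain (orphan-lib), which is a signal that the SBOM itself is incomplete and needs regenerating, not just that a patch is due.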

Why this matters and what healthcare leaders should do

The UK’s healthcare system is already under pressure, from workforce shortages to strained budgets. Adding a significant cyber incident caused by an outdated or unpatched open source component could prove catastrophic. The 2017 WannaCry attack showed how vulnerable NHS systems could be, even though the underlying SMBv1 vulnerability it exploited (MS17-010) had been patched by Microsoft two months earlier.

With open source forming the foundation of nearly every healthcare application, the attack surface is far more extensive and fragmented than it was in 2017. It's not a question of if another incident will occur, but when.

Recognising the growing cyber threat to critical infrastructure, the UK government recently announced new cyber laws aimed at strengthening digital resilience across the economy, including healthcare, by imposing stricter security requirements on essential services and digital suppliers. These regulations are a clear signal that improving software security, especially in sectors as vital as health, is no longer optional—it’s a legal and economic imperative.

To get ahead of this crisis, healthcare and MedTech leaders must:

  • Mandate SBOMs in all software procurement processes.
  • Invest in SCA tools that continuously scan for vulnerabilities and automatically generate SBOMs.
  • Update legacy systems incrementally, prioritising those with high-risk components.
  • Educate development teams on secure coding and dependency management.
  • Collaborate across the ecosystem, ensuring vendors meet minimum security requirements.

Cybersecurity in healthcare isn't just an IT issue; it's a patient safety issue. When 80% of medical software contains high-risk vulnerabilities, the entire sector must act decisively. The OSSRA report makes it clear: we can't manage what we can't see. Visibility must become the cornerstone of healthcare’s digital future.

Tim Mackey is head of software supply chain risk at Black Duck
