Safeguard
Regulatory Compliance

HIPAA compliance and software composition analysis for he...

HIPAA doesn't name software composition analysis, but auditors increasingly expect it. Here's how healthcare teams use SCA to manage third-party risk and protect ePHI.

Marina Petrov
Compliance Analyst
7 min read

Healthcare software runs on other people's code. A typical patient portal, EHR integration, or telehealth app is built from hundreds of open-source libraries, and any one of them can carry a vulnerability that puts electronic protected health information (ePHI) at risk. HIPAA software composition analysis is the practice of systematically inventorying those third-party and open-source components inside healthcare applications, tracking their known vulnerabilities, and proving — to auditors, business associates, and yourself — that you know what's running in production. HIPAA doesn't say "SCA" anywhere in its text, but the Security Rule's risk-analysis requirements make it functionally impossible to comply without something like it. This post walks through why that's true, how much third-party risk actually sits inside healthcare stacks, what happened when it went wrong, and what a compliance-grade SCA program looks like in practice.

Is HIPAA Software Composition Analysis a Legal Requirement or a Best Practice?

It's a legal requirement in substance, even though the regulation never uses the term. The HIPAA Security Rule (45 CFR §164.308(a)(1)) requires covered entities and business associates to conduct an accurate and thorough risk analysis of "all electronic protected health information" the organization creates, receives, maintains, or transmits — and that includes information passing through third-party libraries, SDKs, and frameworks embedded in your application. You cannot assess risk to a component you don't know you're running. HHS made this connection explicit in its January 2025 Notice of Proposed Rulemaking to update the Security Rule, which would add specific requirements for maintaining a technology asset inventory and network map, patching known vulnerabilities within defined timeframes, and verifying the security posture of technology suppliers — language that describes software composition analysis almost exactly, even without naming it. Whether or not that NPRM is finalized as written, OCR has already signaled that "we didn't know what was in our software" is not a defensible answer during a breach investigation.

Why Does ePHI Application Security Depend on Third-Party Code?

Because the vast majority of code touching ePHI in a modern healthcare application wasn't written by the healthcare organization at all. Industry code audits consistently find that 70–90% of the codebase in a typical web or mobile application is open-source or third-party — parsing libraries, authentication middleware, logging frameworks, image-processing packages, and the dozens of transitive dependencies those packages pull in. ePHI application security can't be reasoned about only at the level of the code your engineers wrote; it has to account for every library that ever touches a request containing a patient name, diagnosis code, or insurance ID as it moves through the application. A vulnerable JSON parser or logging library sitting three dependency layers deep is just as capable of leaking ePHI as a bug in your own authentication code — arguably more dangerous, because it's the layer teams audit least.

How Much HIPAA Third-Party Software Risk Is Hiding in a Typical EHR Stack?

More than most security teams expect, and it grows every sprint. A mid-sized health-tech application commonly depends, directly and transitively, on 400–800+ open-source packages, and the number rises with every new integration — FHIR libraries, payment SDKs for patient billing, PDF generators for after-visit summaries, analytics tags. Each of those packages ships new versions on its own schedule, independent of your release cycle, which means HIPAA third-party software risk isn't a one-time assessment you complete during initial development — it's a continuously changing attack surface. The National Vulnerability Database logged over 40,000 new CVEs in 2024 alone, and a meaningful share land in packages common to healthcare stacks: web frameworks, XML/JSON parsers, and image libraries used for handling scanned records and imaging attachments. Without automated, continuous SCA, a healthcare organization's actual risk posture is effectively unknown between audits.

What Happens When an Unpatched Library Exposes ePHI?

Patients' data gets exposed, regulators get involved, and the cost is measured in the tens of millions. The clearest industry-wide example is Log4Shell (CVE-2021-44228), disclosed in December 2021: a single deserialization flaw in the ubiquitous Log4j logging library, embedded — often unknowingly — inside hospital systems, medical device software, and EHR-adjacent platforms worldwide. Healthcare organizations spent months scrambling to even determine whether Log4j was present in their environments, because no inventory existed. More recently, the February 2024 Change Healthcare ransomware attack, which stemmed from compromised credentials rather than a library CVE, still illustrates the same structural problem: a single technology dependency deep in the healthcare supply chain disrupted claims processing for roughly a third of U.S. patient records and ultimately affected an estimated 190 million people, according to HHS OCR's own accounting. Neither incident required a sophisticated zero-day — both exploited the gap between what organizations were running and what they actually knew they were running.

What Should Healthcare SCA Tools Do Differently Than Generic Scanners?

They need to connect a vulnerability finding to ePHI exposure, not just spit out a CVE list. Generic software composition analysis tools built for general application security tell you that a package has a known vulnerability and a CVSS score. Healthcare SCA tools need to go further: they should map which services and code paths actually process ePHI, prioritize findings based on whether the vulnerable component sits in that data path (versus, say, an internal admin dashboard with no patient data), and generate the audit-ready documentation — software bill of materials (SBOM), remediation timelines, exception justifications — that HIPAA risk analysis and OCR investigations expect to see. A vulnerability in a library that never touches PHI is a lower-priority ticket; the same CVE in a library sitting inside the patient record pipeline is a compliance-relevant incident. Tools that treat every finding identically force security teams to either drown in noise or, worse, start ignoring the queue entirely — which is how real ePHI-adjacent vulnerabilities get missed.

How Do OCR Investigations Treat Component-Level Vulnerabilities?

They treat an unpatched, known-vulnerable component as evidence the risk analysis was incomplete, which is itself a violation independent of whether a breach occurred. HHS OCR's resolution agreements repeatedly cite "failure to conduct an accurate and thorough risk analysis" as a standalone finding, and a growing number of settlements reference unpatched software or inadequate vendor and technology risk management as contributing factors — not just the breach itself. In other words, having a documented, continuously updated inventory of third-party components and their known vulnerabilities is protective evidence during an investigation, even in incidents where the eventual breach vector was something else entirely, like phishing or stolen credentials. Enforcement in this area has also expanded outward: OCR's guidance and recent settlements make clear that business associates — including the software vendors and SaaS platforms that healthcare organizations integrate with — are expected to meet the same bar for supply chain visibility, not just the covered entities themselves.

How Safeguard Helps

Safeguard gives healthcare and health-tech teams continuous software composition analysis purpose-built around the questions HIPAA risk analysis actually asks: what third-party and open-source components are running, where do they sit relative to ePHI-handling code, and how fast can we prove it's being managed. Safeguard automatically builds and maintains a live SBOM across your application portfolio, flags newly disclosed CVEs against your actual dependency graph rather than a static point-in-time scan, and prioritizes findings by proximity to data flows that touch patient information — so a critical vulnerability in your billing SDK doesn't sit in the same queue as a low-risk issue in an internal tool. When OCR, a business associate agreement review, or a customer security questionnaire asks for evidence of your third-party risk management program, Safeguard produces the audit trail directly: component inventories, remediation SLAs, and historical vulnerability disposition, all mapped to the systems that process ePHI. For security and compliance teams juggling HIPAA third-party software risk alongside SOC 2, HITRUST, or state privacy obligations, that means one continuous source of truth instead of a spreadsheet rebuilt before every audit.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.