Let’s Worry About That Later

The Failed Economics of Software Maintenance in Healthcare

White Paper

September 4, 2025

Healthcare digital technology, including electronic health records (EHRs), diagnostic platforms and medical device software, is pervasive and indispensable. Hospitals bear the full risk and cost of breaches that result from insufficient maintenance of these critical systems, which are vital to patient care and hospital operations.

This white paper presents a microeconomic framework to understand systemic failure in software maintenance within healthcare settings as a form of market failure. In an ecosystem lacking supply transparency about software quality and maintenance, rational actors — both healthcare technology vendors and buyers — minimize security and maintenance investments to maximize economic returns. As technical debt accrues, the vulnerability of critical hospital systems and patient safety risks grow.

Research You Can Use

Do you develop healthcare technology?

Use this research to support a case for necessary investment in software maintenance.
Quantify the hidden costs of neglect.
Show the competitive value of ongoing quality investments.

Do you purchase and use healthcare technology?

Use this research to enhance your purchasing decision criteria.
Reduce future risks and costs associated with poorly maintained software and firmware.
Use the findings as leverage with your suppliers.

Download the paper to help make informed software maintenance and procurement decisions.

Key Insights

SecDevOps Does Not Solve the Economic Problem
Security vendors touting “shift left” and “DevSecOps” tools do not address this microeconomic challenge in healthcare.
Evolving the Economics of Healthcare Software Procurement
For better or worse, we have reached the point of Something’s Gotta Give. The FDA now requires a software bill of materials (SBOM) for medical device approval — a game-changer for hospital safety.
The Broken Economics of Vulnerability Management
In the private and the public sectors, vulnerability management is becoming a mandatory business process, and it is a required control in security frameworks or regulatory initiatives (NIST, SOC2, EO 14028). However, the processes for detecting and remediating known vulnerabilities are doomed from the start—for several reasons. The first is that most vulnerable and exploitable software, including malware in medical devices, does not have a common vulnerability and exposure (CVE), and never will.
How SBOMs Help Hospitals Assess Maintainability
SBOM analysis allows hospitals to evaluate whether software vendors are updating components proactively. Exiger’s research shows that many open-source vulnerabilities in healthcare platforms stem not from the OSS community, but from vendors using outdated components. Technical debt metrics can expose when a PACS or EHR platform is six versions behind on critical dependencies.

Adapted from the original article published in Cyber Security: A Peer-Reviewed Journal Volume 8 Number 2, ‘Crumbling bridges: The failed economics of software maintenance’ from Henry Stewart Publications.