GGrantIndex
← Search

NSF Safe-OSE: Cultivating a Security-Focused Community Infrastructure for Open Medical Records System (OpenMRS)

$1,500,000FY2025TIPNSF

Indiana University, Bloomington IN

Investigators

Abstract

This Safety, Security, and Privacy of Open-Source Ecosystems (Safe-OSE) project focuses on OpenMRS, which serves as critical healthcare infrastructure for over 18 million patients across 40+ countries, functioning as the world's largest open-source electronic health records platform, particularly where healthcare access is most vulnerable. Across the healthcare sector, recent security vulnerabilities have exposed patient data to potential exploitation, with attacks on healthcare systems causing average losses exceeding $10 million per incident while disrupting life-saving medical services. This project addresses urgent security gaps in OpenMRS through comprehensive vulnerability management, developer security training, and community-driven security governance that will protect millions of patients' sensitive health information. The enhanced security framework will benefit populations who rely on safety-net healthcare providers using open-source systems, while strengthening U.S. emergency preparedness capabilities. By establishing security best practices for open-source healthcare software, this work creates a replicable model for protecting digital health infrastructure globally by ensuring that healthcare systems can access secure, sophisticated electronic health records without prohibitive costs. This Safe-OSE project focuses on advancing cybersecurity science through systematic integration of healthcare-specific Common Vulnerability Scoring System (CVSS) implementation with machine learning-powered vulnerability prediction for open-source healthcare software ecosystems. The project's intellectual contributions include: (1) development of healthcare-contextualized CVSS metrics that account for patient safety impact and clinical workflow disruption, extending beyond traditional information technology security frameworks; (2) implementation of proactive security architecture using threat modeling integration, predictive code pattern analysis, and continuous security pipeline automation that prevents vulnerability classes rather than reactively addressing discovered issues; (3) establishment of a community-driven security governance model that balances open-source collaboration with rigorous security controls through formal bug bounty programs, structured security training certification, and systematic penetration testing workflows. The methodology advances open-source software security research by demonstrating scalable security enhancement approaches for mission-critical systems serving vulnerable populations. Technical innovations include automated security testing pipelines with healthcare-specific threat detection, supply-chain security through cryptographic checksums, and behavioral analysis for anomaly detection in distributed healthcare deployments. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

View original record on NSF Award Search →