0

I work at a clinic where we need to pseudonymize patient data. I wrote a small app for this using R (RStudio). R will be installed on computers with access to internet but my idea is to use R offline, i.e. fully blocking it with a firewall in order to prevent hacks on our pseudonymization app.

But before anything gets installed on any computer in our clinic it must be approved by our unit responsible for security. One worker from the unit asked me how the security updates will be installed since I want to use R offline. But I learnt that there are no security updates in R at all. Therefore it seems like my R app will get no approval from the security unit. I am surprised because R and RStudio seem to be widely used in professional context.

I am completely unfamiliar with cyber security. So in simple terms: How secure is the usage of R and RStudio in my context?

Edit

  • Internet access: Not the computer itself will be connected to the internet but it will be connected to the local work network.

  • "how do you get the data onto your computer to begin with": Data will be entered by the staff. This is also now the case. There will be no need for usb transfer.

Igor stands with Ukraine
  • 103
  • 4
  • R is a programming language, even if a very domain specific one. Do the people asking you the question understand that, and ask how people receive non existent security updates to their C compilers? – Bruno Rohée Apr 29 '22 at 18:16
  • @BrunoRohée I told them that there are no security updates (SU) and am waiting for an answer. Writing that there are no SU made me wonder how save R is and led to this question. – Igor stands with Ukraine Apr 29 '22 at 18:49
  • It's a programming language, you can do about anything with it, including very insecure thing. The library question woud be a good one but R itself makes little sense. – Bruno Rohée Apr 29 '22 at 21:33
  • Do you know the difference between security updates and virus scanners? – Joseph Sible-Reinstate Monica Apr 29 '22 at 22:03
  • @JosephSible-ReinstateMonica As far as I know R does not have either of the two.. Would be glad to read the opposite if you have a source – Igor stands with Ukraine Apr 30 '22 at 19:03

2 Answers2

2

Let's chat about the general security model for software.

Other than supply-chain attacks, software does not just wake up one day and decide to have a security incident. Broadly speaking, security incidents happen when a bad guy sends input to your software that causes it do something that it shouldn't. Generally that input comes from a network connection; a web server handling a malicious request, a browser connecting to a malicious website, an SMS app handling a malicious message, etc.

I assume that your R program will not make or receive any network connections of any kind (you imply as much by calling it "offline"), so that entire category of attacks is moot.

You could also consider that the data file it's processing could be crafted to exploit vulnerabilities in the R program, but you can probably convince your security people that your data files are created by your employees and so is a very low-risk attack surface.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • Thanks! If possible to be answered in a few words: How would you judge the risk in case R is online? It's hypothetical for me now but I just started working and will most probably encounter this situation.. – Igor stands with Ukraine Apr 29 '22 at 19:05
  • @PuckFutin I don't know about about R to answer that :( Relevant questions would be whether it has listening ports, whether it can be tricked into downloading and running R scripts from arbitrary URLs, etc. Also, love the name. – Mike Ounsworth Apr 29 '22 at 19:14
  • Alright, thanks! ;) – Igor stands with Ukraine Apr 29 '22 at 19:20
  • R/Shiny is a framework for making web apps with R. Often data dashboards and whatnot. But, yeah, if you are exposing the web app to the internet you are opening a whole new can of worms. If you are just running the web app on localhost (like how you typically do via RStudio) then the situation is less risky. – hft Apr 29 '22 at 20:20
1

How secure is the usage of R and RStudio in my context?

You have not provided enough details about your "context" for anyone to give you a definitive answer.

You said that the R/Shiny computer is not "connected to the Internet." But is it connected to any network whatsoever? E.g., your local work network? If so, then it is connected to some computer that is connected to the Internet.

If it is really not connected to any network whatsoever, it would be referred to as "air gapped." In that case, I would not be very worried about attacks, since most come from the network. But, in that case, how do you get the data onto your computer to begin with? You have to plug in a USB every time you want to look at new data?

If it is air gapped it can not easily receive updates, but this is usually offset by the protection air gapping provides.

Anyways, I think you should just explain what you want to do to your IS team as clearly as you can and then go with their recommendation unless it seems totally crazy.

hft
  • 4,910
  • 17
  • 32
  • Updated the question. Yes, I will follow their instructions. Anyway, this question was of interest to me and thus I asked. My situation is not "air gaped" if I get it right. – Igor stands with Ukraine Apr 29 '22 at 18:38