Eric S. Raymond discusses the recent Microsoft security debacle in which an engineer inserted a back door into a web-server library (the FrontPage Server Extensions DLL) that granted access to anyone who supplied the phrase ‘Netscape engineers are weenies!’ The article notes that ‘Apache will *never* have a back door like this one. Never may sound like a pretty strong claim. But it’s true.’ He further states, ‘Anybody who trusts their security to closed-source software is begging to have a back door slipped on to their system…’ Clearly, in medical systems, which hold patients’ most personal information, this is unacceptable.
Having recently gone through a lengthy bidding process for a hospital EMR system, I note that no open-source system or Unix-based system was even on the table. It was all Microsoft-based, with closed-source Electronic Medical Record (EMR) software added on. Unless conditions change, this will be the most common type of system for the foreseeable future.
Without a doubt, security flaws in these systems will be found and exploited, giving EMRs a black eye and setting back their adoption among a rightfully nervous public.
Raymond’s other points are compelling when he states that ‘Microsoft HQ is doubtless sincere when it says this back door wasn’t authorized… sincerity will [not] be any help at all…If you don’t have any way to know what’s in the bits of your software, you’re at its mercy…Open-source software, subject to constant peer review, evolves and gets more secure over time.’
A risk that is peculiar to medicine, and which the article doesn’t discuss, is the possibility of government and insurance intrusion into patient data. The only way to guard against a government or insurance-company back door (legal or otherwise) is to have an open-source, secure system that the practitioner owns. Patient advocacy groups and practitioners can then at least know, or have the potential to know, about back doors and safeguard against them.
Practitioners are gambling with their patients’ confidential information if they use closed-source software. It is only a matter of time before a security hole is exploited in a closed-source EMR. This will result in lasting damage to public opinion and to the adoption of these life-saving systems. This is unacceptable. This is why open source in medicine is the only option.