Closed Medical Software Poses Unacceptable Risk

Eric S. Raymond discusses the recent Microsoft security debacle in which an engineer inserted a back door into a library that allowed access with the phrase ‘Netscape engineers are weenies!’ The article notes that ‘Apache will *never* have a back door like this one. Never may sound like a pretty strong claim. But it’s true.’ He further states, ‘Anybody who trusts their security to closed-source software is begging to have a back door slipped on to their system…’ Clearly, in medical systems, which contain patients’ most personal information, this is unacceptable.

Having recently gone through a lengthy bidding process for a hospital EMR system, I note that no open-source system or Unix-based system was even on the table. It was all Microsoft based, with closed-source Electronic Medical Record (EMR) software added on. Unless conditions change, this will be the most common type of system for the foreseeable future.

Without a doubt, security flaws in these systems will be found and exploited, giving EMRs a black eye and setting back their adoption among a rightfully nervous public.

Raymond’s other points are compelling when he states that ‘Microsoft HQ is doubtless sincere when it says this back door wasn’t authorized… sincerity will [not] be any help at all…If you don’t have any way to know what’s in the bits of your software, you’re at its mercy…Open-source software, subject to constant peer review, evolves and gets more secure over time.’

A risk that is peculiar to medicine, and which the article doesn’t discuss, is the possibility of intrusion by government and insurers into patient data. The only way to insure against a government or insurance company back door (legal or otherwise) is to have an open-source, secure system that a practitioner owns. Patient advocacy groups and practitioners can then at least know, or have the potential to know, about back doors and safeguard against them.

Practitioners are gambling with their patients’ confidential information if they use closed source. It is only a matter of time before a security hole is exploited in a closed-source EMR. This will result in lasting damage to public opinion and to the adoption of these life-saving systems. This is unacceptable. This is why open source in medicine is the only option.

Brain Mapping Project Uses Linux

Michelle Head of writes about an interesting development in the area of brain mapping, in which the advantages of using Linux have made the project of an accurate topology of the human brain possible. She quotes Tony Harris of Massachusetts General Hospital as saying, “There is Open-Source software for many of the problems that we face on a daily basis.” The article also lists some of Linux’s disadvantages, such as an initial lack of drivers for high-end systems. Slashdot scooped me on this one.

Linux in Education

A pair of articles on education and Linux are on the net: Getting Linux into Schools, on , and another, longer one on that discusses the current strengths and weaknesses of Linux in education. While not specific to medicine, many of the same issues apply. The articles refer to the entrenched Microsoft phenomenon, which is perpetuated by institution-sponsored classes that focus on a single company’s product rather than general concepts. Update: has an Ask Slashdot about laptops in education that was posted 53 minutes after my pointer. Coincidence? Jealousy of LMN? Heh, heh.

Healthcare Secure Transaction Group to Form

Updated 4/12/00: An alert reader wrote in saying that is reporting on a group of companies forming a standards body for secure healthcare transactions on the web. Read about it here. The group includes some heavies: ‘…Aetna,, the California Medical Association, Cisco Systems, Intel, MedicaLogic, Oracle, Sun Microsystems, VeriSign and Securify…’ This isn’t totally altruistic: the government ‘asked’ them to come to Washington. Cisco? Intel? Hmmm. Interesting article on 32bitsonline about Intel’s plans to open source its security software.

Dan Johnson’s Open Source Perspectives

Dan Johnson has an excellent perspective essay on clinical computing software and open source, based upon ‘an interest in office ergonomics for about 30 years.’ The LinuxMedNews listing of projects is more up to date, but Dan’s views are excellent. He is also the author of QuickQuack, a clinical computing specification dating back to 1986 and ‘updated for current technology’. Great reading for anyone interested in open source medical computing.

Medicine’s Dirty Software Secret

Medicine’s dirty software secret is that it has wasted untold millions on failed software projects. But you’ll never hear exactly how much money has been wasted. Find out why.

Financial accounting has never been a strength of medicine, so it isn’t surprising that there is little to no public information about how much it has spent on software failures. A check of the medical informatics literature reveals many articles that hint at software failures and how to avoid them, but only two articles since 1978 that directly address the problem. To my knowledge there are no articles that quote dollar figures lost.

No one is talking about it, probably because it is difficult to single out someone to blame and people are simply reluctant to discuss failures, particularly expensive ones. As a student of clinical computing for over 10 years, I have personal knowledge of many software failures, one of which ran into the tens of millions of dollars in one city, in one hospital. I have first-hand knowledge of several more smaller-scale failures. If one multiplies this over several cities and over several decades, the amount of money lost is potentially amazing.

The cost of these failures has simply been absorbed by patients and taxpayers over the years. In fact, it should come as no surprise that these failures occur. One estimate is that 75% of all large software projects fail, a number that should give pause to any medical organization undertaking one.

The reasons are obvious: there is no single undertaking, other than writing an entire operating system, that rivals the complexity and knowledge required for a successful clinical computing system. In addition, good clinical software under the closed-source model requires large investments in time and talent to make a viable product, much less to market one. Even if it is successful, there is little economy of scale in medicine, given its relatively small number of potential customers. Finally, it is software that has to grow and change quickly, something a single software company is unlikely to be able to pull off after the hurdles of development and marketing are passed. In short, a closed-source medical software development model is either doomed to failure or doomed to be prohibitively expensive.

Yet there is probably no other type of software that holds such promise of benefit to patients and practitioners.

This is why the Open Source movement is so exciting and such a perfect fit for medicine. Failure is never really failure since ‘failed’ Open Source projects can be used as fertile soil for new ones. Time and talent are available for minimal cost and can be carried forward over generations of programmers. It can grow and adapt to meet new medical challenges.

Endowing a single Open Source software foundation is likely to be a stupendously good investment from the clinical computing point of view. But closer to home, if a closed-source failure occurs, requesting that it be open sourced can give it new life. Insisting on Open Source from vendors may be another way to jump-start the process. One day it will happen, and the dirty secret of medical software will fade into the past.