Source Code Escrow Absurdity

Software source code escrow for Electronic Medical Records (EMR) is an idea so flawed that it is remarkable anyone accepts it as a serious argument when making EMR purchasing decisions. Yet it repeatedly appears as a check-off item on Requests for Proposals (RFPs) and in ‘vendor neutral’ EMR implementation guides. Often (always?) the availability of Free/Open Source Software (FOSS) licensing does not appear as a check-off item on RFPs. A bias towards proprietary EMR software seems evident. Proprietary marketers must love source code escrows. Purchasers should flee from them and get the real thing: verifiable, testable FOSS licensed EMR software in which the end user has complete access to usable EMR source code from the very beginning.

Source code escrows for proprietary EMR software sound good on the surface but even a cursory examination reveals many fatal problems. A source code escrow is defined by Wikipedia as a: “…deposit of the source code of the software into an account held by a third party escrow agent. Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.”

Garbage in, garbage out. With proprietary EMR software, how does anyone outside the company know whether the source code is any good to begin with, much less whether what actually goes into the escrow is? By the time the code is found to be bad or worthless the company is long gone. The 3rd party escrow agent is superfluous unless they can fully examine and successfully compile the entire source code as well as run regression tests. This would be a remarkably costly operation, but even if accomplished it still does not shield the buyer.

If a company is about to go out of business, or even under ordinary circumstances, there is a low possibility that a code escrow is going to be updated regularly and a high possibility that the deployed software will get out of sync with the escrow. What is the possibility that the source code within the company is being properly maintained when the company is under such dire circumstances? In short, what is the likelihood that a dead or dying company, already in bankruptcy or worse, is going to honor something so small as a source code escrow contract?
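The two preceding paragraphs name the checks a buyer would need before an escrow could be trusted: the deposit must be intact and buildable, and it must match the release actually in production rather than lagging behind it. The following is an added example (not code from the original post or from any escrow agent or EMR vendor) of how a customer could run those checks on a deposit. It assumes a deposit is delivered with a per-file SHA-256 manifest, and it uses constructed in-memory files, version numbers and dates; the file names `build.sh` and `tests/run_tests.sh` are assumed conventions, not anything an actual deposit is guaranteed to contain.

```python
"""Verify a source-code escrow deposit against what the customer actually runs.

Added example with constructed data; not from the original post or any real escrow.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Deposit:
    """One escrow deposit. `files` stands in for the unpacked archive (constructed)."""
    version: str
    deposited_on: date
    files: Dict[str, bytes]    # path -> content
    manifest: Dict[str, str]   # path -> SHA-256 hex claimed by the depositor


@dataclass
class DeployedRelease:
    """What the customer is really running, taken from the customer's own records."""
    version: str
    released_on: date


# Assumed conventions: files a deposit must ship before an agent could even
# attempt a build and a regression run.
REQUIRED_BUILD_FILES = ("README.md", "build.sh", "tests/run_tests.sh")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest a depositor would ship alongside the archive."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_deposit(dep: Deposit, rel: DeployedRelease, max_lag_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # 1. Integrity: each manifest entry exists and hashes as claimed, and nothing
    #    unlisted is hiding in the archive.
    for path, claimed in dep.manifest.items():
        if path not in dep.files:
            findings.append(f"manifest lists missing file: {path}")
        elif sha256_hex(dep.files[path]) != claimed:
            findings.append(f"hash mismatch: {path}")
    for path in dep.files:
        if path not in dep.manifest:
            findings.append(f"unlisted file in deposit: {path}")

    # 2. Synchronisation: the escrowed version must be the version in production.
    if dep.version != rel.version:
        findings.append(f"version drift: deposit {dep.version}, deployed {rel.version}")

    # 3. Freshness: a deposit that predates the running release by too long is stale.
    lag_days = (rel.released_on - dep.deposited_on).days
    if lag_days > max_lag_days:
        findings.append(f"stale deposit: {lag_days} days older than deployed release")

    # 4. Buildability (proxy only): the deposit must at least carry a build recipe
    #    and a regression suite. The real check is running both on a clean machine;
    #    this merely rejects deposits where that cannot be attempted at all.
    for path in REQUIRED_BUILD_FILES:
        if path not in dep.files:
            findings.append(f"cannot build/test: missing {path}")

    return findings


# Constructed sample archive standing in for a vendor's source tree.
SAMPLE_SOURCE: Dict[str, bytes] = {
    "README.md": b"# Example EMR\n",
    "build.sh": b"#!/bin/sh\ncc -o emr src/emr.c\n",
    "tests/run_tests.sh": b"#!/bin/sh\n./emr --selftest\n",
    "src/emr.c": b"int main(void) { return 0; }\n",
}
DEPLOYED = DeployedRelease(version="4.2.0", released_on=date(2024, 3, 15))


def check_current_deposit() -> List[str]:
    """A deposit made two weeks before the release, matching it exactly."""
    dep = Deposit("4.2.0", date(2024, 3, 1), SAMPLE_SOURCE, make_manifest(SAMPLE_SOURCE))
    return verify_deposit(dep, DEPLOYED)


def check_stale_deposit() -> List[str]:
    """An old deposit: modified source, dropped test suite, older version, months stale."""
    files = dict(SAMPLE_SOURCE)
    files["src/emr.c"] = b"int main(void) { return 1; }\n"
    del files["tests/run_tests.sh"]
    # Manifest was computed before the edits, so it no longer matches the archive.
    dep = Deposit("3.9.0", date(2023, 6, 1), files, make_manifest(SAMPLE_SOURCE))
    return verify_deposit(dep, DEPLOYED)


if __name__ == "__main__":
    print("current deposit:", check_current_deposit() or "OK")
    print("stale deposit:", *check_stale_deposit(), sep="\n  ")
```

The integrity and freshness checks are cheap and can be run on every deposit; the buildability check here is only a presence test, and the post's point stands that nothing short of actually compiling the deposit and running its regression suite tells the buyer whether the escrow is worth anything.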

The quite likely scenario is that only upon receiving the source code from the escrow agent, after the proprietary company has gone out of business, does the customer find out for the first time how out-of-date, badly done, archaic, enormous and disorganized the software was to begin with, and how few people can help with it. One can argue against this, but while the source is hidden it is impossible for those skilled in the art of software engineering to verify the truth or falsehood of the previous sentence. That is precisely the problem.

Even under the best of circumstances, with all proprietary development tools still available at a reasonable price and source code that compiles and passes regression tests, now what? The source code is probably still not owned by the customer, and it is still a dead end that is probably not maintainable with the customer's own resources. The customer will then likely have to start all over again, expensively, with new EMR software. Hopefully this time a FOSS licensed EMR in which the customer has the source code and development tools from the very beginning.

Why can't proprietary EMR software companies' source code be scrutinized from the very beginning? What are they afraid of? Competition stealing ideas or source? This is doubtful given the hundreds of EMR software products out there essentially doing the same thing. Could it be that proprietary EMR software companies under no circumstances want their source code to be scrutinized? Especially not by current or future customers or patients? For good reason, since it is impossible to meaningfully criticize or compare something that cannot be fully scrutinized, such as proprietary EMR software.

In many cases people don’t really care how software is written as long as it works. The problem is that this is software that can give or deprive people of life, give or deprive privacy/security, or might improve the quality and lower the cost of health care. It also needs to last 7 generations. Pretty important software, isn’t it? Given this setting, and unlike other software, EMR software should by default be open to scrutiny by 3rd parties anytime they wish. FOSS licenses confer this benefit.

The fantastic gyrations of the EMR industry to accommodate proprietary business models continue. The concept of proprietary EMR source code escrow must have been dreamed up by proprietary EMR marketing departments. Source code escrows give a false sense of security and distract buyers from getting the real thing: Free/Open Source Software (FOSS) licensed EMR software in which the source code is available all the time. Yet EMR RFPs seem to have a bias towards proprietary EMR software, since there seems to be a check item for ‘source code escrow available?’ but not ‘FOSS licensing available?’.
