Most SMB medical practices cannot afford the hefty price tag that larger commercial software development firms charge for their eMed software. As a result, a thriving open source niche has sprung up to fill that vacuum. Now an HP security pro, without naming names, is saying that many of these open source apps have more holes than Swiss cheese. Is this just FUD being spread by a company that offers commercial eMed packages, or are open source apps really less secure than their commercial counterparts? This is an argument that has been hashed and rehashed again and again. But the fact that he wrote this and I am responding shows that the answer is still not clear.
The HP blogger is Rafal Los, who blogs under the name WH1T3RABBIT. The security blogging world is a relatively tight-knit group. One of the things I do when I am not blogging on open source here on Network World is manage the Security Bloggers Network (SBN). The SBN is made up of over 300 blogs on security, everything from HP and IBM security research to security pros the world over writing on security. We usually have a big security bloggers meetup and security blogger awards show at the RSA Conference in San Francisco every year. So, I know Rafal, and I know that if he is writing that these open source apps have some holes, he has found them and they are there. The question is whether they are less secure than commercial apps.
Without naming the actual open source apps and their vulnerabilities, Rafal has offered to let people know privately if they are interested. His reason for doing so is that if you truly value the privacy of your patients and do not want to run afoul of the various health care record related regulations, you should be wary of using these apps. Here, by the way, is a list of some of the open source eMed apps.
It is easy to find the holes in open source: you have the source code, and anyone can download the software and test it to their heart's content. That is not the case with commercial software. Getting a copy to check can be expensive and a pain in the butt.
Rafal makes the mistake of assuming that since a commercial app has "corporate-level accountability", ipso facto it must be more secure. I say bull! Just because some company puts its name on an app doesn't mean it is any more secure than an open source app. In fact, I would love to see how many companies have taken these open source apps, slapped their own GUI on them and are selling them in the market.
In fact, as has been argued before, open source apps can be more secure because of the greater number of eyes on the code and its openness. Unless your commercial app provider is going to give you a respected third-party audit of their app showing its security worthiness, the fact that you are buying it instead of using FOSS is no guarantee that it is any safer at all.
So let's be clear. I am not arguing that open source apps in health care are without security holes. I am sure they have their share. What I am saying is that they are probably no less secure than commercial apps are.
The entrepreneur in me says to make lemonade out of these lemons. If open source health care apps have some security holes, start a company, take the code and tighten it up. Sell a more secure open medical app with service and support. The reason all of these open source apps are out there is obviously that the commercial applications are not meeting the market's needs. I would bet that the biggest reason is that they are so darn expensive, so smaller medical practices cannot afford to shell out that kind of money. By the way, I am darn sure that the reason they are so expensive is not that they are secure.
Like everything else in our health care system, everyone has their fingers in the pie and likes to make a lot of money. So who winds up footing the bill? You and I, every time we go to the doctor. The answer isn't forcing small medical practices to shell out big bucks for commercial health care apps that are probably no more secure, but offer a deep pocket to sue if something goes wrong. This is exactly the type of situation where open source thrives. Nature abhors a vacuum, and open source is filling it. If the open source apps aren't secure enough right now, and there is a need for them to be, the market and the community will make sure they become more secure.