Most SMB medical practices cannot afford the hefty price tag that larger commercial software development firms charge for their eMed software. As a result, a thriving open source niche has sprung up to fill that vacuum. Now an HP security pro, without naming names, is saying that many of these open source apps have more holes than Swiss cheese. Is this just FUD being spread by a company that offers commercial eMed packages, or are open source apps really less secure than their commercial counterparts? This is an argument that has been hashed, rehashed and hashed some more, again and again. But the fact that he wrote this and I am responding shows that the answer is still not clear.
The HP blogger is Rafal Los, who blogs under the name WH1T3RABBIT. The security blogging world is a relatively tight-knit group. One of the things I do when I am not blogging on open source here on Network World is manage the Security Bloggers Network (SBN). The SBN is made up of over 300 blogs on security, everything from HP and IBM security research to security pros the world over writing on security. We usually have a big security bloggers meetup and security blogger awards show at the RSA Conference in San Francisco every year. So, I know Rafal and know that if he is writing that these open source apps have some holes, he has found them and they are there. The question is whether they are less secure than commercial apps.
Without naming the actual open source apps and their vulnerabilities, Rafal has offered to let people know privately if they are interested. His reason for doing so is that if you truly value the privacy of your patients and do not want to run afoul of the various regulations governing health care records, you should be wary of using these apps. Here, by the way, is a list of some of the open source eMed apps.
It is easy to see the holes in open source: you have the source code, and anyone can download the software to test it to their heart's content. That is not the case with commercial software. Getting a copy to check can be expensive and a pain in the butt.
Rafal makes the mistake of assuming that since a commercial app has "corporate-level accountability", ipso facto it must be more secure. I say bull! Just because some company puts its name on an app doesn't mean it is any more secure than an open source app. In fact, I would love to see how many companies have taken these open source apps, slapped their own GUI on them and are selling them in the market.
In fact, as has been argued before, the open source apps can be more secure because of the greater number of eyes on the code and its openness. Unless your commercial app provider is going to give you a respected third-party audit of their app showing its security worthiness, the fact that you are buying it instead of using FOSS is no guarantee that it is any safer at all.
So let's be clear. I am not arguing that open source apps in health care are without security holes. I am sure they have their share. What I am saying is that they are probably no less secure than commercial apps are.
The entrepreneur in me says to make lemonade out of these lemons. If open source health care apps have some security holes, start a company, take the code and tighten it up. Sell a more secure open medical app with service and support. The reason all of these open source apps are out there is obviously that the commercial applications are not meeting the market's needs. I would bet that the biggest reason is they are so darn expensive, so smaller medical practices cannot afford to shell out that kind of money. By the way, I am darn sure that the reason they are so expensive is not that they are secure.
Like everything else in our health care system, everyone has their fingers in the pie and likes to make a lot of money. So who winds up footing the bill? You and I, every time we go to the doctor. The answer isn't choking small medical practices by forcing them to shell out big bucks for commercial health care apps that are probably no more secure, but offer a deep pocket to sue if something goes wrong. This is exactly the type of situation where open source thrives. Nature abhors a vacuum, and open source is filling it. If the open source apps aren't secure enough right now, and there is a need for them to be, the market and community will make sure they become more secure.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group's security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.