Organisations should be aware of open source pitfalls, warns expert as NHS England announces open source plans

Out-Law News | 03 Jul 2013 | 5:00 pm | 2 min. read

Organisations may encounter problems as well as achieving benefits through their use of open source IT solutions, an expert has said.

In a new report entitled 'Safer Hospitals Safer Wards: Achieving an integrated digital care record' (52-page / 700KB PDF), NHS England outlined plans to make use of 'open source' IT products and solutions.

'Open source' is software whose underlying code is made available by developers for others' use without the need to pay royalties or licensing charges. Responsibility for upgrading open source software rests with its community of users.

NHS England said that it aimed to "develop a vibrant market of products and solutions that are available as national solutions or would be made available under Open Source licensing arrangements for local implementation" by hospitals. It said that it hopes adopting the open source approach will enable it to cut the "initial capital outlay" associated with licensing "Common Off The Shelf (COTS) products".

Technology law specialist Alison Ross-Eckford of Pinsent Masons, the law firm behind Out-Law.com, said that organisations that make use of open source solutions must be aware of the shortcomings associated with doing so as well as the benefits it can deliver.

"In general open source solutions by their nature do avoid ‘vendor lock-in’ and the licensing costs associated with proprietary software, but there are still disadvantages to open source," Ross-Eckford said. "The most common problems cited by businesses are the lack of ongoing support and maintenance, scalability, problems with upgrading, interoperability, crashes and bugs, and consequential downtime."

"The resulting demand for stability and recourse to a provider when things go wrong often drive businesses back to proprietary solutions," she said.

NHS England said it had visited the Veterans Health Administration in the US where it had assessed how the body had made use of the open source approach to create VistA, an electronic medical record information system which doctors can access and in which they can update patient details. NHS England said it is currently in the process of assessing the capability of VistA and what "customisation" would need to be done to it to "make it fit for use" in the NHS.

Ross-Eckford said there were a number of data privacy and security concerns that NHS England would have to consider around the VistA programme.

"Proponents of an NHS VistA have consistently emphasised the potential savings, improved patient choice, collaborative ethos, and modular structure of VistA," she said. "However, what is not mentioned in the report is that VistA is dependent on patient records – sensitive personal data – being held in the cloud."

"This gives rise to the usual security and privacy concerns regarding data in cloud-based solutions: security measures for stored data, protection from interception in transit, adequacy of encryption measures, maintenance and deletion of data, access rights, and jurisdiction issues," the expert added.

"From a data protection perspective, liability for patient records and the responsibilities of the data controller and data processor would need to be clearly delineated. Although the cloud computing market and regulatory regime are becoming more sophisticated and security issues remain top of everyone’s priority list for cloud solutions, for a project such as this where patient records are at its centre, the potential risks are substantial and the potential for reputational damage is significant," Ross-Eckford said.

However, Ross-Eckford said there is a clear need for improved information sharing and data access within the NHS.

"Whilst there are clearly examples of successful clinician-driven collaborative solutions to date – Moorfields, Kings College Hospital, and Leeds Teaching Hospital are all cited in the report – it remains to be seen how local collaborative solutions and the spectrum of products to be made available by NHS England under the initiative will ultimately lead to a fully integrated national system of digital patient records by 2018. Nonetheless, this report sets out the preliminary steps on that path," she said. 

Health Secretary Jeremy Hunt has previously outlined his vision for the NHS to be 'paperless' by 2018 and for health care providers to have access to a single digital medical record for each patient.