In Digital Health, Open Source Warrants Due Diligence

What healthcare organizations and digital health ventures must know about open-source software before adopting, tracking, and implementing it.

Open-source software can be a tempting option for many digital health start-ups, but legal experts claim it can also cause a number of headaches if companies aren’t careful.

Open-source software (OSS) is software whose source code is publicly available. That makes it a cost-saver. It also means, at least in theory, that the code undergoes more regular scrutiny, making it less likely to harbor security vulnerabilities. But the very attribute that makes the software appealing also makes it risky.

Those qualities, along with other factors, have made OSS popular across industries, including healthcare. However, companies that use this software would be smart to ensure they’ve done their due diligence, said Nigel L. Howard, a partner at Covington and Burling LLP who specializes in technology and intellectual property.

In an article in the National Law Review, Howard and colleagues Winslow Taub and Lily Katharine Hines urged digital health firms to consider security, licensing implications, and potential effects on mergers and acquisitions before using OSS.

Howard told Healthcare Analytics News™ he and his colleagues wrote the piece as a preventative measure.

“In many cases, some awareness of OSS and best practices for managing OSS would have saved the client time and money, so we thought the post would be helpful,” he said.

Howard said he’s also particularly interested in VistA, the electronic health records (EHR) platform used by the United States Department of Veterans Affairs, which is also made available as open-source code. (The agency is moving to the commercial EHR vendor Cerner, as HCA has reported extensively.)

One issue Howard and his colleagues note is that open-source products don’t carry the same kind of security accountability as proprietary software. Although it’s true that the transparent nature of OSS might result in more thorough vetting, organizations that suffer losses as a result of vulnerabilities in the source code might have no recourse against the software maker. And despite their small armies of developers, open-source programs do sometimes suffer from security holes, as noted late last year when OpenEMR was found to have a glaring weakness.

Healthcare industry firms also have to worry about Health Insurance Portability and Accountability Act (HIPAA) security compliance, which can be more difficult because security updates to OSS aren’t delivered automatically the way they typically are with proprietary software. With OSS, healthcare firms generally must either track updates on their own or contract with a third-party vendor to do so.

Another issue is licensing. OSS often comes with license terms that limit how commercial entities can use the software, or that require any resulting software to be made available under a similar license.

Finally, Howard and his colleagues noted that when a digital health venture is the subject of an acquisition, OSS is likely to come up during the due diligence phase. Buyers will want to know where and how the acquisition target is using the software, and they will want clear and careful records of it.

Despite the cautions, Howard said that in his experience OSS is used in the majority of businesses, whether a company is a startup on a shoestring budget or a large corporate powerhouse. Thus, his message to healthcare organizations is simply to be vigilant.

“The article is not meant to deter companies from using open-source software but rather to encourage companies to be thoughtful about how they use and manage it,” he said. “The key is that business people, software engineers, and lawyers need to collaborate to determine what makes sense for a business, both in the short term and in the long term.”