Experts believe open source is more secure for health sector

Research says OSS stronger and cheaper


09 Mar 2011 12:52 | by Matthew Finnegan in London

Health care IT systems should look to open source software (OSS) as an alternative that is more secure, as well as offering a cheaper option.

And with local hospitals in the UK soon to resemble Crimean War-era triage tents due to lack of funding, it seems that the once impressive NHS could certainly now do with a few extra bob.

Billions are spent on health care IT, though open source is looked at as a less viable option for a number of reasons, one of which is that security is thought of as weaker than proprietary software.

However, research at the University of Warwick’s Institute for Digital Healthcare and the Centre for Health Informatics and Multiprofessional Education at UCL Medical School has found that OSS is in fact more secure than the expensive alternatives.

The research supposedly shows that while one of the weaknesses of OSS is thought to be public access to its code, this does not in fact make it any less safe than proprietary software, and can mean that it is stronger in many cases.

“Critics of Open Source often argue that, because the code is public, an attacker can more easily find and exploit vulnerabilities,” said Professor Jeremy Wyatt at the University of Warwick.

“But our work at the University of Warwick and UCL shows that the evidence does not bear this out and in fact OSS may be more secure than other systems.”

The researchers claim other systems rely on the argument that security is maintained through the ‘obscurity’ of software that hides its code from public view. However, this fails when the code is discovered by means such as debuggers or disassemblers, or is even just given away.

It is even claimed that reliance on the defences built around the code can lead to poorer quality in the code itself, something that open source avoids as it demands more effort going into code production.

“Opening the source allows independent assessment of the security of a system, makes bug patching easier and more likely, and forces developers to spend more effort on the quality of their code,” said Professor Wyatt.

Furthermore, the researchers were keen to debunk the myth that OSS means liability is placed on the user, meaning that it is less risky to implement.

“Typically a large organization will pay a contractor for an OSS implementation and support package. Many contractors providing OSS implementation and support offer legal indemnity to clients in exactly the same way as proprietary vendors.”

TechEye spoke to Graham Cluley, a security expert at Sophos, who believes that while open source software can meet needs in many cases, it requires careful consideration.

“Many systems across the world use open source software and it works fantastically,” said Cluley.

“However, it is not necessarily inherently better or worse as there are certainly vulnerabilities in both, so it is difficult to be too black and white about whether it should be used over proprietary software.

“OSS certainly does offer a lot in respect to being reviewed independently, however it depends on each specific piece of software in terms of how much they are actually reviewed, meaning that some pieces of software are better suited than others.

“Particularly for a service as large as the NHS there is a lot of information that is highly important and a good judgement needs to be made in order to keep such information secure, and while OSS certainly works very well it should be looked at on a case to case basis rather than in too simplistic a view.”
