Is Open Source technology the healthy option for medical devices?
Locations
However, many consider open source software (OSS) to be an underutilised resource in digital healthcare. Fieldfisher partner Chris Eastham pros and cons and whether we're making the most of OSS.
Why should the technology providers to healthcare consider open source software?
Whilst OSS code is frequently used as a building block for proprietary software solutions, there are good reasons for technology vendors to consider developing medical software entirely in the open.
Policy and Public Sector Terms: A particularly high-profile adoption of OSS in UK healthcare was the Covid-19 Test and Trace app. This was created by NHSX, which was at the time the digital arm of the National Health Service and is now integrated within the NHS Transformation Directorate. The NHS has a policy[1] that all new source code that it produces or commissions should be "open and reusable by default: such that anyone can freely access, use, modify, and share the relevant code for any purpose".
The National Health Service recognises that it is much easier to write code in the open from the beginning of a project than it is to open it up later, but also accepts that in some cases there may be reasons to develop behind closed doors and publish under an open source licence later. The downside of course is that feedback and contribution by third parties is only available after publication in those cases, and so the NHS generally encourages development in the open.
In addition, the UK government's Technology Code of Practice emphasises the need to ensure that open source and the publishing of code has been considered. Indeed, public sector contracts (including procurements by the NHS) now often require new code to be published under open source licences.
Patient Demands: It is widely recognised by public health bodies such as the National Institute for Health and Care Excellence (NICE), the Medicines & Healthcare products Regulatory Agency (MHRA), and the NHS, that the patient should no longer be treated as a passive recipient of care. Clinicians and service providers must engage patients in their own treatment, and patients are becoming more sophisticated when it comes to engaging with their health. We've even spoken to some who are starting to question the stability, security, and sustainability of the software operating their medical devices.
As those devices become increasingly sophisticated they become more prone to cyber-attack. This is potentially a significant risk to device-users, as successful attacks could result in physical harm or even death. Bearing in mind that the software in medical devices is categorised and regulated along with the medical device itself, it is crucial to ensure software is developed using best practices and does not introduce additional risks. Freshly developed proprietary software often contains many errors, and may be prone to introducing patient safety problems through bugs or vulnerabilities that others have already solved in other software products, and it can be a case of a sub-optimal re-invention of the wheel. Developing in the open is widely regarded as being better practice both through reusing proven code, and the identification and resolution of vulnerabilities by the community. In contrast, the closed nature of proprietary development means it is not subject to the same wide peer-review process and consequently it may not be as secure.
Proprietary software that is only supported by its creator introduces a sustainability risk—should that vendor go out of business users of devices incorporating its software are placed in a difficult and potentially dangerous position. It also exposes healthcare providers to the risk of being locked in to a particular vendor, and potentially held to ransom over rising support fees. On the other hand, open source code allows healthcare providers and their users to choose how support is provided and by whom.
Flexibility and Lower Barrier to Entry: By virtue of its public availability and permissive licensing regime, open source packages can be developed and tailored to meet any particular requirement. Having tried and tested code available to developers means that the development lifecycle can be shortened, reducing cost and making it easier to develop a working product. This flexibility means open source is particularly useful for the healthcare industry where, through active collaboration between IT suppliers and user/clinician communities, solutions can be refined quickly to maximise patient benefit and return on investment.
Are there any downsides?
Despite its many positives, open source software is not a 'magic bullet'. Whilst the development of new software behind closed doors can be capital-intensive, new applications will sometimes appear well in advance of open source equivalents. This first-mover advantage might provide an important competitive edge for software developers addressing new market demands.
Whatever the development methodology—whether open, proprietary, or hybrid—good software development practices will be critical to ensuring that products meet the stringent requirements of the healthcare sector. Good governance (including, for example, the use of software bills of materials) should always be implemented to support licence compliance.
Some vendors might be concerned about how the use of open source will fit within a successful business model, but customers shouldn't see open source as a cost-free solution and it is important to recognise that the characteristics of OSS don't prevent it being lucrative for vendors. Open technologies can be monetised in a variety of ways, for example from charging for development, to dual licensing models, managed services, and cross-selling related products.
In opting to use open source, customers and their vendors should consider engagement with the open source community, which in turn helps with the stability and security of the OSS code for everyone. Those that get involved quickly realise that there is a huge and diverse community out there that is passionate about the benefits of open technologies. Moreover, many of the world's leading names in software have realised that engagement with the community is seen as a pull-factor for recruiting the best software engineers.
When reviewing software development contracts we've often found that the wording used is somewhat narrow, and doesn't really account for open source development. We'd therefore encourage those wanting to take advantage of open source, whether in a hybrid model or entirely open, to ensure contractual terms support the proposed development model.
Conclusion
Whilst there is no doubt that proprietary software has its place in healthcare, customers and providers should consider the potential utility of open source software and its numerous advantages. It isn't just a case of opting for open over closed development however, and thought will need to go into structuring and documenting the project to ensure success for all stakeholders.