Monday, 23 May 2011

Should the NHS IT Project go Open Source and what about its security?

As expected by many, the UK's NHS IT program is going downhill: http://www.computerweekly.com/blogs/public-sector/2011/05/nhs-it-system-condemned.html

I am on a thread that asked the question 'should the NHS be buying FOSS code?' and my initial reaction is YES!!

Here are my thoughts:

I think the FOSS (Free and Open Source Software) angle should be explored here, since if the source code of what was developed was released under a Free license, the buyer (UK Gov and NHS) would have a lot more control over the technology developed.

And in a case like the NHS, where one needs global standards implemented from the bottom up (i.e. adopted by each NHS practice), a core technology stack that is Free would give a LOT of independence to the local NHS practices (they could accept the 'mothership' packages or develop their own). Yes, there might be some fragmentation, but we would probably be much better off than where we are today.

Note that the requirement to deliver such technology in such an Open/Free way would force the main code developers to have strong engineering practices (namely in the areas of application interdependencies and deployment).

But I guess the first question is: How much FOSS is already included in this project? What technologies are they using?

I have to admit that I don't know a lot of details about this project, but it would be very weird if it was all 'proprietary' technology.

Also, since my speciality is Application Security, are you guys aware of any published information about the security reviews done on these applications? (My experience is that systems that 'struggle' to work as they were supposed to are usually full of serious security vulnerabilities, since there is a moment where the mandate becomes '...just get it to work...', which usually means that 'application security' is moved even further down the priority scale.)