Interneuron: A Case Study for Professionally Managed Open Source Software


In the modern digital climate, hospitals increasingly rely on technology to provide quality patient care and manage day-to-day operations. Healthcare is a critical industry that has the potential to benefit significantly from the power of open source.

Open source software solutions are built on collaborative and community-driven development models, allowing for greater innovation, flexibility, and system interoperability, making them a good fit for the healthcare sector.

There have been a number of open source programmes in the NHS over the years: the coordination of work through initiatives such as Code4Health, the NHS Open Source Statistics Dashboard, which reports on NHS-funded and/or supported open source code repositories, and the publication of the NHS open source policy in the summer of 2022.

However, despite the clear benefits of open source solutions, they remain the exception rather than the rule in the health sector procurement process.

Open Source in the Health Sector

Open source solutions can be used both for medical software and healthcare software. Medical software specifically refers to medical devices and direct patient care/treatment. Healthcare software is a broader term covering any software developed for the healthcare industry.

However, the main barrier to adoption is the risk associated with the unsupported nature of open source solutions. It is not hard to imagine the fallout of data breaches involving medical devices and services. Attackers could potentially exploit security vulnerabilities to retrieve patient data, alter medical records, launch attacks that prevent healthcare professionals from accessing critical patient data when it is needed, and disrupt the control of systems.

For example, back in 2021 news online circulated after the discovery of a GitHub repository exposing passwords, API keys and sensitive financial records which belonged to the Apperta Foundation. The sensitive data had supposedly been public for two years before discovery.

An even scarier prospect is a modification of the software that causes actual patient harm, such as prescribing a drug to which a patient is allergic, or failing to warn a user of a change in the patient's vital signs.

Rightly so, the healthcare sector is risk averse, and implementing open source across the sector would mean that the responsibility for managing it lies with the healthcare organisations themselves. If issues arise with proprietary solutions, support can be sought from the software provider. In the case of unmanaged open source, there is no support to fall back on, which is not a suitable option for healthcare. Support for outsourced solutions is critical.

Interneuron: Assurance Built on Professionally Managed Open Source Software

Founded in the UK in 2017, Interneuron is an IT organisation focused on building, developing, and deploying software specifically for the healthcare IT industry. Working in a sector that needs assurance of the safety of its software, Interneuron's business is underpinned by the goal of providing professionally managed open source software as a medical device.

Their main product is OpenMCR (Open Modular Care Record), technology that provides a window into patients’ essential clinical information by hosting a growing list of clinical modules. Each module represents a discrete part of an electronic care record that allows clinicians to view and update essential clinical information.

Their flagship module, OpenEMPA (Open Electronic Medicines Prescribing and Administrations), is just one example of the mission critical software they provide. It gives hospitals the ability to manage the prescribing and administration of drugs and medicines.

Interneuron's mission is to provide the better alternative by co-designing software with users, focusing on usability and attention to detail when it comes to safety. Not only is the software built in line with medical device regulations and clinical safety standards, but Interneuron also recognised the significance of the software it develops. Building that software in a way that also eliminates the risk associated with open source components is therefore essential.

This risk is mitigated and managed through three key management processes: the OpenChain License Compliance and Security Assurance Standards, Software Composition Analysis ("SCA"), and the production of a Software Bill of Materials ("SBOM").

Interneuron’s open source management process hinges upon both the ISO/IEC 5230 OpenChain License Compliance and the DIS 18974 OpenChain Security Assurance Standards. With the assistance of Source Code Control Ltd’s managed service, Interneuron’s adherence to both specifications indicates quality assurance in supplied software solutions composed of open source software.

A key element of these standards is the capability to track the open source software, licenses and security vulnerabilities present in a product through a bill of materials. The most effective method of making this disclosure is to carry out SCA to produce an SBOM.
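To make the SBOM disclosure concrete, the following added example (not Interneuron's or Source Code Control's tooling) audits a constructed CycloneDX-style SBOM against an assumed license allow-list and a constructed advisory feed, reporting the two kinds of finding the paragraph above names: license problems and known vulnerabilities. Component names, versions, the policy and the advisory identifier are all invented placeholders.

```python
import json

# Constructed sample SBOM in a CycloneDX-style JSON layout (invented
# components and versions, not a real bill of materials).
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "json-parse-lib", "version": "2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "fast-sort", "version": "1.0.9",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "chart-widget", "version": "4.2.0", "licenses": []}
  ]
}
""")

# Assumed policy: SPDX identifiers approved for shipped products.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisory feed: (name, affected version) -> placeholder id.
ADVISORIES = {
    ("json-parse-lib", "2.3.1"): "ADVISORY-PLACEHOLDER-001",
}


def audit_sbom(sbom, allowed=ALLOWED_LICENSES, advisories=ADVISORIES):
    """Return (component@version, issue) findings for every license or
    vulnerability policy violation present in the SBOM."""
    findings = []
    for comp in sbom.get("components", []):
        ref = f'{comp["name"]}@{comp["version"]}'
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            # A component with no declared license is a disclosure gap.
            findings.append((ref, "license-undeclared"))
        for lic_id in ids:
            if lic_id not in allowed:
                findings.append((ref, f"license-not-approved:{lic_id}"))
        adv = advisories.get((comp["name"], comp["version"]))
        if adv:
            findings.append((ref, f"known-vulnerability:{adv}"))
    return findings


if __name__ == "__main__":
    for ref, issue in audit_sbom(SAMPLE_SBOM):
        print(ref, issue)
```

In a build pipeline the same check would run against the SBOM generated by the SCA tool and fail the build when the findings list is non-empty.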

According to Matt Conway, CTO at Interneuron,

"Conformance to the OpenChain standards helps us to police our own code bases, and when delegating development decisions to our software engineers the standards provide us with the peace of mind of knowing what is in our products, that open source risk has been managed and mitigated, and that we can be transparent by also providing this view across the supply chain."

Whilst operating in a sector where the user and the customer may differ, Interneuron went a step further to also provide the customer with assurance. This was achieved through Source Code Control's managed service.

Source Code Control: Increasing Assurance Through Managed Service

Source Code Control’s managed service provides an independent compliance review, tools and supplementary materials so clients can provide their customers with assurance in their software solutions.

With over 40 years of combined experience in software licensing and asset management, Source Code Control provide a start-to-finish three-step process to help organisations manage the open source software supply chain:

Step 1: Conformance Review – An assessment of open source software management against the conformance requirements of both OpenChain Standards, using Software Composition Analysis ("SCA") (see Figure 1).

Step 2: Documentation – A fully documented overview of the organisation's management of open source software is produced, including a gap analysis and findings for each process and for adherence to the OpenChain specifications, such as SBOMs and open source software policies.

Step 3: Implementation – Finally, a project plan is put in place outlining the route to conformance with the OpenChain specification requirements and targeting the areas of weakness identified.

Figure 1: Source Code Control Software Composition Analysis Report

Conformance allows organisations to display and promote their adherence to these best practice requirements, increasing transparency and trust in the software supply chain.

Source Code Control have also created a bespoke training program based on the OpenChain curriculum which can be used to educate a wider audience of the business or tailored for key stakeholders.

Interneuron's journey started with education. Given Interneuron's goal of being transparent with users and assuring customers of the quality and reliability of its solutions, the natural starting point was education on the subject of open source software and its risks.

Following the review, gap analysis and documentation of Interneuron's open source management processes, the licensing and security issues within Interneuron's code were identified and a policy was created to manage risk effectively going forward.

The final step was to help Interneuron integrate an SCA tool into their development environment. This implementation automatically identifies vulnerability and licensing issues during the development process.

Joel Ratnasothy, Chief Executive of Interneuron, says,

"The decision to work with Source Code Control to achieve compliance with the OpenChain standard was not a debate; it became immediately valuable to us, our users and our customers."

Open source software compliance is a journey, so the managed service does not end here. Ongoing support is provided through continuous education on developments in the open source software risk landscape and individual SCA audits to identify risk in new releases.

Conclusion

Interneuron develop professionally managed open source software by ensuring safety by design, safety in manufacturing and safety in the security of the source code, demonstrating that it is possible for healthcare to benefit from open source solutions unhindered by the associated risks.

Professionally managed open source software as a service provides safety and assurance to both the customers and the users of mission critical software in an industry that needs it. The open source community is also a vast and dynamic one. Looking forward, it will be interesting to see how the landscape of healthcare procurement develops.

Written by: Holly Wyld of Source Code Control, Matt Conway of Interneuron and Joel Ratnasothy of Interneuron
