Health IT Discovers the Obvious

Computer scientists at UCL Medical School and Warwick University in the UK report that open source medical records software is more secure than proprietary software. In an accompanying press release, the researchers explain:

Critics of Open Source often argue that, because the code is public, an attacker can more easily find and exploit vulnerabilities. But our work at the University of Warwick and UCL shows that the evidence does not bear this out and in fact Open Source Software (OSS) may be more secure than other systems.

Proprietary systems often rely on a ‘security through obscurity’ argument, i.e. that systems that hide their inner workings from potential attackers are more secure. However, security through obscurity alone completely fails when code is disclosed or otherwise discovered using tools such as debuggers or dis[as]semblers. Worse, it has been suggested that the cloak of obscurity tends to encourage poor-quality code. Opening the source allows independent assessment of the security of a system, makes bug patching easier and more likely, and forces developers to spend more effort on the quality of their code.

Now for the real question: why does the medical community need to be told this? An open source web browser is inexorably eclipsing its biggest proprietary competitor by being more secure, an open source operating system now dominates the server market because it’s the most secure, and open source content management systems such as this one, this one, and this one now run most of the highest-traffic sites on the internet because – you guessed it – they’re the most secure. Come on, hospital administrators, get with the program.