We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

The State of Free Software in Healthcare

00:00

Formal Metadata

Title
The State of Free Software in Healthcare
Title of Series
Number of Parts
33
Author
Contributors
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Health is a very special 'good', and it deserves special attention in terms of security and privacy. But what is the reality? This talk gives an overview about the status of free/libre systems in healthcare, the difference in development & procurement compared to proprietary solutions - and how openSUSE supports healthcare software 'the safe way'
Virtual realityFreewareState of matterOpen sourceMusical ensembleState of matterInformation privacySoftwareInformation securityFreewareBitComputer animation
Core dumpOpen sourceFreewareInformation privacyInstallation artRow (database)Data storage deviceInformation securityStatuteCodePhysical systemSummierbarkeitVideo trackingFacebookMobile appCentralizer and normalizerData storage deviceComputerCodeCartesian coordinate systemPressureBit rateFreewareExpert systemProjective planeProcess (computing)Regular graphCASE <Informatik>Decision theoryFlow separationClosed setStatement (computer science)FacebookInformation securityInstallation artInformation privacyOpen sourceTrailSoftwareEmailKey (cryptography)NumberWhiteboardOnline helpInformation technology consultingDigital rights managementShared memoryExecution unitArithmetic meanoutputSource codeGame controllerInformationPhysical systemState of matterRight anglePoint (geometry)Public-key cryptographyRSA (algorithm)Ocean currentMultiplication signInternet forumChainGastropod shellAddress spaceDigital photographySmartphoneOpen setCore dumpGoogolXMLComputer animation
Video trackingInstallation artOpen sourceFacebookGoogolState of matterSystem programmingPhysical systemComputer configurationOperations researchComputer networkHacker (term)Observational studyInformation securityComputer hardwareSoftwareControl flowDigital signalCartesian coordinate systemResultantPoint cloudOpen sourceInformationContent (media)SoftwareShared memoryWindowOffice suiteHacker (term)Physical systemComputer hardwareStack (abstract data type)Game controllerComputer configurationExterior algebraProjective planeGroup actionAreaCASE <Informatik>BitData transmissionInformation privacyState of matterSpywareInformation securityCellular automatonEvent horizonServer (computing)InternetworkingComputerType theoryMereologyData analysisAverageSource codeData typeMaxima and minimaPlastikkarteMilitary baseMultitier architectureGoogolBeta functionCloud computingSet (mathematics)Row (database)Musical ensembleService (economics)BuildingMetadataMeta elementNon-standard analysisMultiplication signExploit (computer security)Computer animation
Computer hardwareSoftwareControl flowDigital signalDistribution (mathematics)Installation artData storage deviceInformation privacyPropositional formulaOpen setSoftwareSoftware frameworkTerm (mathematics)IntelDigital rights managementInternetworkingInstallation artFreewareSupersymmetryOpen setSmartphonePhysical systemMathematicsComputer hardwareTheoryGame controllerBootingDigitizingInformationDistribution (mathematics)Musical ensembleProduct (business)Cartesian coordinate systemAndroid (robot)Mobile appService (economics)Arithmetic meanFilm editingEnterprise resource planningFlow separationEncryptionCoprocessorStandard deviationComputerStack (abstract data type)Propositional formulaComputer configurationOperating systemData storage deviceSource codeInformation securityProcess (computing)TelecommunicationDatabaseMoment (mathematics)CASE <Informatik>Server (computing)Right angleInformation privacySoftware developerUniform resource locatorOperator (mathematics)XMLComputer animation
Open setSoftwareCryptographyTraffic reportingInternationalization and localizationCore dumpModule (mathematics)DatabaseModule (mathematics)Installation artTerm (mathematics)Core dumpAreaDigital rights managementChainProjective planeHypermediaComputer animation
PressureOpen sourceModel theorySoftware maintenanceSoftwareEnterprise architectureCodeSelf-organizationInformation securityStandard deviationBasis <Mathematik>Stack (abstract data type)Control flowMusical ensembleInformation securitySoftwareBasis <Mathematik>Computer hardwareStack (abstract data type)Game controllerModel theorySource codeInformationModulare ProgrammierungServer (computing)Software developerSoftware maintenanceModule (mathematics)FreewareStandard deviationProjective planeCodeState observerCASE <Informatik>Data storage deviceHand fanRow (database)Cartesian coordinate systemPay televisionService (economics)Process (computing)Total S.A.Text editorCustomer relationship managementSlide ruleMIDIOpen sourceComputer animation
VideoconferencingVirtual realityHypermediaXMLComputer animation
Transcript: English(auto-generated)
Welcome, everybody, to OpenSUSE Conference 2021 and to my talk about the state of free software for healthcare. As you all know, health is a very special good and it needs special attendance when it comes to data protection
and security around healthcare software. And this is basically where I want to talk about. A little bit about me. I'm an electrical engineer by education. I work as a project manager and business consultant
and help companies to optimize their supply chain, often but not always, in conjunction with SAP software. I'm a happy user of free software since the 90s. End of 1998, I think, I converted completely to SUSE at that time.
I'm an OpenSUSE contributor and on the OpenSUSE board since a couple of years. Additionally, I work on the GNU Health Core team and support the OpenForum Europe,
which is a Brussels-based think tank for policymakers in decision and research. So, what is free software? If you take a look at your smartphone, for example,
you have a hell of apps on it, probably around 100 plus. And for how many have you really paid? If you think quickly about it, I think in my case it's about five or six apps that I have paid for. And for the rest, you pay basically with, you know, you pay nothing.
But is this now free software or is it gratis software? In many cases it is gratis software because you pay with your data and you have no control about it. So, free of charge or gratis does not necessarily mean
that the software is really free as in freedom. So, if you cannot look into it because it is not open, then you have to trust what the supplier tells you about his software.
So, if you don't know anything, you have to believe everything. And some common statements about security and data protection are, well, your privacy and the protection of your data is important for us. We treat your data in accordance with GDPR.
Yes, we have to believe this. But how is the reality? Let's take a look at the Luka app. The holy Luka app that was promoted by a hip-hop singer and suddenly said, yeah, this is the solution for our
corona issues. That was originally a closed source program which by public pressure was then released under open source. It pointed out quite quickly that it has a hell of open source license violations. And additionally, it has some severe security issues.
So, it allows you to, for example, a code injection that would enable you to take the Ministry of Health down. You would be able to see data that was not intended for you.
So, basically, the Luka app is used to check in at a restaurant or something like that. So, you could see other people's names and data around it. And this has everything that we really do not want. It has, for example, a central data storage with a private company,
a private profit-oriented company. So, everything that we wanted with the corona warning app to what we wanted to avoid with the corona warning app is coming around with this Luka app. And surprisingly, when you usually need five offers,
if you want to buy about 10 pencils for 20 euros, some German states have just bought these licenses without a regular procurement process. And they've wasted about more than 20 million euros on it. And the security experts rating on this application is,
it has a lot of money for a very low benefit and very high risk. So, if I'm going to a restaurant and somebody asks me to use the Luka app, I just deny it. Another example from the German healthcare system
is the electronic patient record, Electronische Patzientenakte, which is publicly available since the 1st of January of this year. And if you look at the app stores from Google,
or unfortunately not an Android, for example, you don't find them, or for iOS and Apple, you find around, I don't know, 90 or 100 electronic health records, one for each insurance company.
And I'm really asking myself at this point, public money, public code, so have every health insurance invented their own electronic patient record? That really looks like it is. But the main issue with these electronic health records are,
the user has no ownership or you don't have any control over your data. And the Federal Data Protection Commissioner of Germany advises not to use it in its current state, because everything is freely visible. You cannot share your information with a certain doctor,
but it's everything just visible for everybody. An improvement about this is expected for January 2022, when the next release of this electronic patient record comes out.
Until that point in time, I would really not advise anybody to use it. If you think this is worse, no, it can, the worse can even be improved, for example, with the Vivi app. This is an electronic health record as well. It's also closed source.
It's Gratis. It has in between probably some 100,000 installations, more than when I created these slides. It is promoted by more than 40 German health insurances. And right at the start, there were severe data security issues detected.
Basically, all documents that you've shared with your doctor were public visible. You share the information who shared what with which doctor, your name, photo, mail address, date of birth, insurance numbers from you, but as well as from the doctors were visible.
The reason were that there were conceptual misunderstanding in the usage of RSA encryption and key management. And these could be used, for example, to read the secret keys,
the private keys of your doctors as well. And if this is not enough, they share a lot of personal data with so-called third-party tracking tools. I come to the meaning of the third-party tracking tools later on. But let's have a look at another example.
This is, for example, the ALDA Health app. Same as before, it's closed source and it's Gratis. It has more than 500,000 installations. It gives you a unit tracking ID. It shares your personal data and symptoms as well with third-party trackers. And it shares your data with the trackers and Facebook even before you get
the data protection guidelines presented and you can approve or deny it. That means even if you say, oh no, I don't want this app, I deny the use of my data, then Facebook was already informed about it.
They're also sharing your health insurance data with Facebook, for example. I don't know why they do it, but they just do it. And as you know, it is a US-based company. US cloud allows US officials to access the data without informing you about this.
So this is basically an issue with all cloud-based applications. So while we talk about the third-party trackers, once your data is available, once it's in the wild,
there is basically no chance to get the data back. And these third-party trackers are sharing your information as well with so-called fourth-party trackers. And there was an analysis of about 24 health apps some time ago.
And scientists who did this research allocated about 200 fourth-tier companies who have potentially access to your data. So most of the data is not really fully anonymized and it's enriched with metadata. So it should be possible to identify with a big data analysis of the data
to identify individuals by combining multiple sources. Well, there was a project that was stopped later on where the National Health Service in the UK wanted to share data with Google.
After this was stopped, Google found an agreement with one of the largest US-based companies, Ascension, to collect and analyze health data of millions of patients. So neither the patients nor the doctors have been told about the project
and they haven't given their content to Google to access their data. So they probably don't even know that Google is processing their data. And everybody knows how well networked Google is. It combined all information about you from many different sources.
And last but not least, not to forget, Google has recently bought Fitbit. Fitbit is a producer of smartwatches and health trackers and something like that. So what they're doing in the end of the day is they take your data because you have to have a cloud account with Fitbit to process this data,
analyze these data and maybe sell those results back to you. This is another example where you really don't have any, but really not any control over your data. So the situation on the smartphone and with your health applications is quite difficult.
How does it look on a desktop? So the federal data protection officers of the German states analyzed, for example, Windows 10, and they see little options to use Windows 10 in a legally compliant manner.
So if you buy a computer nowadays, and it mostly comes pre-installed with Windows, you basically have no chance to avoid an ID, a record, an account with Microsoft.
They just don't let you do it. Or you need to search the internet upfront to find the tricks how to get around it. But for the average user, it's fairly impossible. They are sharing data with their servers in the US
and they do not tell you what data they are really sharing, nor are they seeking your consent upfront. So you can only select between little data sharing and much data sharing. But nothing about the details. Even if you have reduced the data transfer to an absolute minimum,
and this can only be for those areas where it is known in between that is transferred, there is still a reminder of encrypted data being transferred in the US.
And it is not told what data this really is. Microsoft just denies the information. And as long as it is not clear, it has to be treated as an illegal data transfer. And I'm really surprised that there is nothing done against it.
But my assumption is, if they do anything about it, then the public sector has immediately a problem, because most of them are using proprietary software. So if you think this is bad, it's even worse for Office 365 and Teams.
365, for example, submits between 23 and 25,000 so-called event types to Microsoft, whereas Windows 10 only submits about 2,000 data types. And it is not in detail known what this is.
But nevertheless, if you think you can trust Microsoft, remember, Microsoft is partnering with the NSA, with the National Security Agency. This is the spyware network of the US.
And they are showing Day Zero exploits to the NSA that would allow them to spy on basically everybody. But let's come back to healthcare. For various reasons, healthcare is magnetizing hackers.
So not only that healthcare is part of a critical infrastructure, every device that is connected somehow can be a target of attack. We have seen in the last year's various cases where single hospitals
or nearly the half healthcare system has to be shut down due to ransomware attacks. But if we think on a little bit more, you mostly do not know when you are really infected unless something happens.
And in case of a geopolitical crisis, it can happen that your healthcare system is shut down by a remote attacker who was maybe on your system for some time already, but you just didn't know. Another interesting area are search results and large data sets,
for example from clinical studies. And here it is said that especially hacker groups coming from China are interested in these data sets. And we're not just talking about here search results on COVID
or vaccination material for that. So by hiding our source code, having security by obscurity, we do not really have an option to avoid hacker attacks or to increase the security.
Say it very frankly, security by obscurity has never worked so far. So what is the alternative? The alternative is digital serenity. We need to have full control over the software stack and ideally about a hardware stack as well,
if we want to have digital serenity. We have some discussion going on sometimes about whether we should let Huawei support the 5G cell network buildup.
Many public bodies are scared that there may be a kind of skill switch or spyware software or whatever within the network devices of Huawei.
But I mean, nobody talks about, for example, the largest supplier for network infrastructure, which is, for example, Cisco. Cisco has as well frequently issues with their security in terms of software.
But as well, there were software devices manipulated, sold by a Swiss company for many, many years, who allowed the secret services to spy on the customers of exactly these devices. Another enemy that nearly everybody has on his desktop
is the Intel Management Engine. So every Intel-based computer has the so-called Management Engine on board, which is a small processor in itself. It has a separate operating system and it's completely undisclosed what this thing is doing.
So cut the Intel Management Engine what this thing is doing. Gitvita. Intel denies any information about the Management Engine and keep in mind it has access to all resources
even before the software your operating system boots. So it can basically do anything. As a consequence of this, China has announced to ban all foreign hard and software and to only run on local resources.
So locally produced hardware, locally produced software. So that means in theory, China is doing the right thing to gain digital sovereignty. But in fact, they're doing it for the wrong purpose. They're doing it for censorship, for control and for social scoring and not for the sake of freedom.
So let's have a look at what means free software and what does it mean to the user. So first of all, we need to be able to run it in the way that we wish for any purpose about it. We need to be able to distribute the software that we're just running
and give copies to our friends or whatever. We need to be able to study how it works and to change the source code as we need it. And we need to be able to distribute the software with changes.
So if you compare this with the hardware that you're running on your desktop or the system that you're running on your desktop and your smartphone, how does it match the reality? Okay, we're on the OpenSUSE conference. I guess most of you run OpenSUSE, you're on the safe side. But I guess for the smartphones, it's really still an issue.
For free software in healthcare, there is a market. Here is an overview about a couple of healthcare systems that claim to be free software. Some of them are unmaintained in between,
like GMAT, for example. Some of them are for special purposes, for example, for US veterans hospitals. And others are, for example, only available in some countries.
For example, Hospital OS, which has some more than 200 installations in Thailand, for example. Even if they claim in a name that they are an open software, then that does not always mean that this software is really free
because it may build on top of proprietary technology. So if you have a free software healthcare system that runs on, let's say, Microsoft SQL Server, it's not a free system anymore. Full stop.
Some of these so-called open systems, like Open Dental, may ask you for a trial license to try and start this software. Forget it. It's not an open software anymore. Open Dental is a very bad case because they claim, oh yes, we are a free software, and we have released our source code.
But if you look at it, the source code that they released is five or ten years old and has nothing to do with the software that they're distributing and their standard proprietary solution nowadays. And another option or another issue may occur that the software runs free at the moment,
but as soon as you need an upgrade, for example, you're entitled to send, for example, the database to the supplier and they do the upgrade for you and charge you for this. And if you have these kind of hidden locks, it's also not a free software solution as well. If you want to read more about this, take a look at gnu.org
when free software depends on non-free, for example, which describes very well what the issue is if we don't have a fully free software stack. So let's take a look at some free software application. For example, the Corona warning app is free software.
It is developed by the Robert Koch Institute in Germany. Technical development is done by telecom and SAP. It's released under the Apache license and has some more than 28 million installations so far.
The development process itself is transparent and open. I mean, it's hosted on GitHub, which is not ideal as well as GitHub is run by a privately owned company who keeps for them the right to do whatever they want.
And as we had the cases already, they were discriminating users based on their physical location. So the hosting on GitHub is not really ideal, but better than completely unfree hosted.
The app itself has a decentral and privacy focused data store completely in opposite to what we've seen at the Luca app before. I think the producers of the Corona app did many things right. But when it was announced in the beginning,
it was a completely overrated, if not to say a hyped value proposition of what it can do. And in the end, or after the first release, it pointed really out that the benefit for the user is really limited.
So you could see that you had some risk persons around you, but it didn't tell you when this happened and where this happened. This has to do with some technical restrictions between the Bluetooth stack on Android and something like that.
But I mean, they're learning and they're picking up and in between you can add your vaccination status to this Corona application. And I think it was the right move. And then of course, we have GNU Health, which is a fully free software stack.
It's an official GNU package supported by the Free Software Foundation. We have open documentation. It is built to run on free software like Linux-based systems, FreeBSD. OpenSUSE is actually the only Linux distribution
that ships GNU Health already in the standard. It is also tested on OpenQA. The underlying technology is free as well. So OpenPostgres SQL, for example, it's developed on Python. The encryption is done with GNU PG.
We use the Qt and Kirigami stack for the mobile application and use the Triton ERP framework as background. GNU Health itself is modular. It has a core module and we can install many modules around it.
Its origination was in social medicine, where it is now beginning to gain attention again in terms of COVID-19 pandemics. We can use GNU Health for contact tracing, for example, that is used for exactly this in Argentina, for example.
But we can also work on precision medicine as we've incorporated the genome database from the Unipod project, for example. And besides this, we have everything that you need to run a hospital like financial accounting, supply chain, pharmacy module,
management of beds and health professionals and something like that. And we cover basically all medical areas that are needed. In the latest release, we've added a module for dental health care.
So you can have now also an odontogram from your teeth, for example. Mignu Health, the personal health record, was built in cooperation with the KDE team. And it will show up in Tumbleweed very soon.
So Mignu Health keeps the data that you want to record, it keeps it personal, it keeps it on your device. It does not share it with anybody else unless you want to do so.
We want to set up a federation server for that, where you are free to connect to. But as said, our main goal is to keep your information with yourself and make it available to you, first of all.
Let me at the end talk about the difficulties that we're having when implementing free software in health care. The development models of free and proprietary software are completely different. So if you have, for example, the 28th edition of a screencasting module
or a screenshot editor, you really have to think about what can I add additionally to make my customer pay for the next release. So in many cases, this software is completely over-engineered.
The development is quite slow. You have to pay upfront. The maintenance is maybe based on license fees, so they charge you some additional 20% to 25% annual fees from your original license amount just to get the maintenance for the software.
So this ends up in total in a very high total cost of ownership. The open source development model is quite different. We have really proven software and proven software modules that are being used in there.
As the development process itself is collaborative, it is also fast. You don't have to pay upfront. You only pay for what you need. If you say, I hosted myself, I run it myself, you don't have additional fees. If you want to have service for it, you can buy a subscription
and you get service for your software. This is, for example, where SUSE, one of our largest sponsors, makes the money. In the end of the day, it points out we have a lower total cost of ownership. But the world is not all green because we are really here knocking on the door
of big business modules of the proprietary software vendors. So they are spreading fears and uncertainties and doubts. So like the quality of the code is bad. There is no support. It is unsecure and so on. And this is complete bullshit. The only thing on this slide that is halfway through is the last one.
You're mostly not getting fired when you're buying IBM or Microsoft or SAP. If the shit hits the fan, then you can say, oh, but if that was with SAP or something like that, if they cannot do it right, how could anybody else do it right?
I mean, I remember one case where a software introduction at a retail store went wrong and they burned some 500 million euros on this failed software implementation with SAP. I think in this case, this last sentence is not fully true as well.
So another aspect on this is the way that the software gets into the company. A proprietary software is always pushed into a company or into a hospital while a free software needs to be pulled in because there is simply no sales team, right?
I don't know of any free software, fully free software project that has a sales team. But if you're saying, oh, I want to have a CRM software or something like that, and you are asked the typical vendors, they come around with a sales team next door, next day, and they're on your doorsteps and telling you why you have to tell
that why you have to buy this software. There is some lack of understanding still in the industry, in the market, in the industry, about how free software is being used and how it has to be handled.
So to come to the end of my talk and to summarize it up, our health and our medical data require special observance, and we really need the highest security standards. As we have seen, many of the proprietary software solutions do not meet these standards
and for this reason may not be trustworthy. So if you really want to deal with your health care in a sensitive manner, make sure that you reuse some free applications for that.
And we need to have the full control over our software stack and hardware stack as the basis for security and freedom. Thank you very much for your attention. In case of questions, feel free to ask. Thank you.