The challenge
NHS Digital commissioned OpenUK to offer solutions that will address the daily challenges hindering the delivery and use of contemporary technology within UK healthcare.
These challenges affect every aspect of the supply and operations chain, from the acquisition of software in a cost-effective manner, through to the users of the applications in operational healthcare settings.
In contrast, notable technological advancements are evidenced across the globe on a daily basis with just a fraction of the budget of a UK healthcare project.
It has been identified^[ComputerWeekly: Legacy lock-in and lack of skills hamper public sector cloud adoption https://www.computerweekly.com/news/252435687/Legacy-lock-in-and-lacks-skills-hampers-public-sector-cloud-adoption] that lock-in is a significant factor preventing choice and innovation in the healthcare sector despite policy and guidelines on both open standards^[Open standards for government data and technology https://www.gov.uk/government/collections/open-standards-for-government-data-and-technology] and open source^[Be open and use open source https://www.gov.uk/guidance/be-open-and-use-open-source] at a Government level.
Lock-in takes many forms, from straightforward commercial restrictions through soft lock-in and cloud lock-in. A direct consequence of lock-in is that it becomes uneconomic to change supplier or product, therefore removing any incentive for an incumbent to deliver quality and value.
NHS Digital have stated their desire to realise the benefits of technological improvements with transparency and open data^[NHS Digital: Supporting open data and transparency https://digital.nhs.uk/supporting-open-data-and-transparency], and contemporary technology and methods^[Jeremy Hunt – Vision for available health records https://www.theguardian.com/society/2017/sep/11/jeremy-hunt-to-unveil-plans-for-digital-led-nhs-treatment-by-2018]. Shortly after his appointment as Secretary of State for Health and Social Care in July 2018, Matt Hancock stated that electronic systems could "reduce medication errors by up to 50%"^[Matt Hancock lists top three priorities as tech, workforce and illness prevention https://www.theguardian.com/society/2018/jul/20/nhs-to-receive-487m-technology-boost-matt-hancock]. However the sector has failed to implement wide-scale practical mechanisms to enable these outcomes.
This desire was shared by nurses during a 2018 consultation^[Every Nurse an E-nurse: Insights from a consultation on the digital future of nursing https://www.rcn.org.uk/professional-development/publications/pdf-007013]. The consultation found shortcomings in some of the most basic operations. Participants voiced "complaints about the lack of adequate technology in many parts of health and social care". However the report also states that "More than four out of five (81.4%) felt that data, information, knowledge and technology would make a large positive contribution to nursing and midwifery".
The Apperta Foundation was established to educate the UK health sector on the issues faced and provides insight and direction toward solving these issues. The Foundation has made progress with establishing a professional, healthcare-friendly and sustainable open source^[NHS Open Source Programme https://www.england.nhs.uk/digitaltechnology/open-source/] support and supply ecosystem. Apperta's recent publication, 'Defining an Open Platform'^[Defining an Open Platform https://community.apperta.org/forums/905251-request-for-comment/suggestions/32077336-defining-an-open-platform], cites a McKinsey and Co report^[McKinsey and Co "How healthcare systems can become digital-health leaders" https://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/how-healthcare-systems-can-become-digital-health-leaders] that suggests an 11% saving of total healthcare costs is achievable with open innovation platforms.
Many clinician-led grass-roots open healthcare projects are in development and operation throughout the sector, and a large proportion are non-funded or personally led projects. These admirable systems prove the viability of cost-effective digital technology and (in many cases), the principles of open projects. However, working outside the rigour of professional software development practices, can put the reputation of the open source approach at risk.
Of greater concern is the reliance on feral systems for critical healthcare applications^[Feral Systems (or I've got a great big Access database) http://www.woodcote-consulting.com/feral-systems/] where the code is managed by a single person and may be issued under a proprietary licence.
For those working in the modern digital technology industry, it is apparent that technology is not the limiting factor, but positive culture and attitude to innovation are as important as professional software development and implementation practices when addressing these issues.
Goals and objectives
This paper consists two parts. Part One, this report, addresses the issues, proposed approach and recommendations for an open digital approach for health and care IT. It presents an overview of the policies, principles and practices that support the delivery of open projects.
- > Policy
- What is the current policy, and how do the recommendations within this document support it?
- > Principles
- What are the principles that are both practical and able to meet the policy and recommendations?
- > Practices
- What must be done to work operationally to those principles, and how can this be measured?
Part Two expands the high level direction into an open project implementation manual. It describes how teams should approach open projects, including methods of measurement to ensure that the desired outcomes are met. This implementation manual is expected to be published during 2019.
This combined paper supports NHS Digital and Apperta with their goal to ensure that open source best practice is used across all software projects in order that the suppliers operate openly and investments are portable between suppliers. It is intended to encourage wider open source developer engagement, ensure transparency and prevent soft lock-in, supporting the creation of the Apperta Developing In The Open (DITO) principles due for publication in 2018.
David Jobling, Code4Health & Ecosystems Development Lead at NHS Digital, describes NHS Digital’s expectation of this paper:
"NHS Digital has commissioned this project in support of The Apperta Foundation to design and implement a set of principles, policies and operational guides that set the standard for open software development in the health IT sector and to improve the technical custodianship of its products. The Apperta Foundation wishes to remove all barriers surrounding the development of software, and operate openly in line with the recommendations and principles suggested in Apperta's recent RFC 'Defining an Open Platform'."
"By developing and implementing the above, NHS Digital and the Apperta Foundation aim to improve the choice available to the health IT communities by removing soft vendor lock-in, improving quality and choice for the community, and enabling the communities to focus on design and development decisions that improve patient outcomes."
A key objective of this report is to provide guidance for the use of open platforms and open software, whilst encouraging wider open source developer engagement, resulting in increased transparency and a reduction of the various forms of lock-in.
Documentation projects similar to this are under way across the EU - and further afield - to assist with the production and use of open technology assets for Public Administrations. This report includes references to these related documents throughout, as well as further references in the appendices in section 7 to support the recommendations and statements presented.
Summary of recommendations
Recommendations offered within this document are based on open principles and relate to the acquisition and management of digital technology for the NHS.
They are:
- Adopt an open-first policy for the NHS
- Actively avoid all forms of lock-in
- Understand when cloud is appropriate and when it is not
- Employ Apperta Custodian Technical Services
- Justification required for non-open source (build or buy)
- Improve discoverability
- Digital Capability Review to acknowledge the Open approach
- Use supplier transparency as measure of value offered
- Develop an NHS 'Intelligent Customer'
- Produce open information architecture specifications
- Establish NHS brand management of open digital assets
- Invest in local skills and SME services
The detail of these recommendations can be found in Section 5.
Conclusions
Use of digital technology has the ability to support the clinician and enable improvement of services within the public healthcare sector. The main benefits are derived from improvements to: human and computer communications; storage and access to data; and freedom to innovate.
It is important that an open approach to digital technology is mandated, in order to realise the benefits and gain a higher return on digital investment for the UK healthcare sector.
This report does not offer a revolutionary approach, but simply proposes the application to the UK healthcare sector of highly successful and robust processes already in everyday use throughout the global open technology community, augmented with the necessary governance.
Forms of lock-in are commonplace across the NHS ecosystem. If inadequate attention is paid at the point of acquisition, lock-in may also be created when using open source. It is hard to quantify the financial or operational impact of this lock-in in real terms so this must be avoided.
Locked-down systems encapsulate processes developed as a result of the investment of many decades of research and experience throughout the healthcare sector, which are then in effect leased back in controlled conditions.
Over-funded projects lead to over-complexity^[Dave McComb: Are You Spending Way Too Much on Software? https://www.strategy-business.com/article/Are-You-Spending-Way-Too-Much-on-Software], and can therefore generate new technical debt and so increase lock-in. It is essential that investments in digital systems are open, outcome-focused and strategic to enable the opportunity for ‘lift & shift’ re-platforming of digital services when necessary.
There is strong evidence of commitment to open source and open standards at every level through UK, EU and global policies. This commitment must be used as a platform to drive practical change on the ground within the UK healthcare industry.
Despite leading the way with forward-thinking policies, the UK is falling behind other nations in the implementation of these policies and aspirations.
Even with the published appetite for an open approach and increased digital competence, the majority of spend across the public sector does not encourage these outcomes, and in many cases works against them.
The transition from the legacy digital technology environment will not be rapid, and many new lessons are to be learned on the way. The technology components to enable delivery exist, but success also depends on good planning and strategic investment. The cultural entrenchment and procurement processes geared to servicing the existing supply base present as much of an updating challenge as does bringing the technology to the market.
Continued effort and focus on an open approach is required to level the playing field and achieve the outcome that is desired by the sector and users. An understanding of the characteristics of healthy technology requires an education across the sector before better decisions will be reached.
It is intended that the outcome of adhering to the principles in the first part of this report and implementing the practices contained within the second part will be that: new lock-in is avoided, better community engagement is fostered; and ultimately better value is delivered for the citizen.
Introduction
This report presents published policies and intent supportive of an open approach published by the UK Government, Department of Health, NHS Digital and Apperta as well as in the EU, Asia and the Americas. These are connected to the practices required to implement and measure the application of commodity open source technology practices.
The open digital ecosystem and the meaning of '[open source]' is explained (ie, more than just software or choice of licence). This report offers a justification that every digital project is approached in an open manner.
The Implementation Manual puts forward the characteristics of an open project to help a delivery team determine if a project 'feels' right. This expands into specific technical activities that can be used to measure if a delivery team is embracing the values of an open project.
Policies, Principles & Practices
Actionable and measurable technology practices are already used every day across the innovative technology industry and underpin the majority of connected devices, ranging (for example) from home entertainment^[TiVo - GNU/Linux Source Code https://www.tivo.com/legal/opensource/linux] and building management systems^[Open Source Building Management System http://www.ictinnovations.com/open-soruce-building-management-system], to automotive applications^[Open software platform for automotive applications https://www.automotivelinux.org/] and super computers^[Linux Now Runs on All of the Top 500 Supercomputers November 14, 2017 https://itsfoss.com/linux-runs-top-supercomputers/].
Professionals across the healthcare industry observe progress across all sectors^[Why 2017 will belong to open source https://cio.economictimes.indiatimes.com/news/strategy-and-management/why-2017-will-belong-to-open-source/56646676], yet do not feel that they or the sector are benefiting from the advances and commercialisation of technology.
At the time of writing, there is little specific detail on exactly what to do when acquiring digital technology within the NHS, and the broad policy guidance is open to interpretation at the technical implementation level.
This report presents the issues, proposed approach and links to the policies that support these assertions. It is not a scientific research paper or thesis, but looks to support proposals and statements with sufficient evidence of credibility. Subject matter for this document covers the way digital technology projects are developed and the background behind the methods. It does not enter into clinical matters nor does it consider the use of any specific application.
Open Project Implementation Manual
To ensure that the policy can be implemented from a technical delivery perspective, the Implementation Manual (published separately) provides clear guidance and instructions for the activities required to deliver the policies and principles described in this report.
Successful digital technology implementation requires an open approach, and this is as much about people as it is about digital technology. The manual explains how to think about an open project, project management techniques, business models and technology choices, as well as providing technical instructions to ensure the persistence of the open approach throughout the life cycle of a digital asset.
A gap between what was anticipated and what is delivered will often occur when a digital technology project sponsor is unable to set appropriate quantifiable measures and evaluate adherence throughout the delivery of the project. By the time a product is delivered, it is too late to retro-fit the methods and measures required to ensure that the intended open outcome is delivered.
The Implementation Manual is a living document and is provided to the clinical and technical community as a base to build upon. With the rapid advancement of techniques and technology, the manual will evolve under the custodianship of the Apperta Foundation in cooperation with OpenUK.
Issues
Background
The UK Government is working to 'have achieved a high degree of digital maturity by 2023'^[While some trusts may need time to prepare to go digital, all trusts should be largely digitised by 2023 https://www.gov.uk/government/publications/using-information-technology-to-improve-the-nhs/making-it-work-harnessing-the-power-of-health-information-technology-to-improve-care-in-england]; and the published NHS Digital strategy^[Information and technology for better care https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/443353/HSCIC-Strategy-2015-2020-FINAL-310315.pdf] presents the high-level strategy as to how this will be delivered.
It states:
"Our overarching objective is that by 2020 we will have revolutionised the way technology, data and information are used to transform the delivery of England's health and social care services. This five year strategy outlines our contribution to making this ambition a reality."
Apperta supports the delivery of the stated outcomes through the use of 'open' digital technologies.
Eight principles for an open platform are documented in ‘Defining an Open Platform’^[Defining an Open Platform https://apperta.org/_attachment/DefiningOpenPlatform/Apperta_Defining_an_Open_Platform_SP.pdf], released by Apperta in November 2017. This publication highlights key issues and proposes methods to improve healthcare technology.
However, despite this well-documented vision, policies, standards and technology, a gap exists between the intent and implementation^[To Combat Physician Burnout and Improve Care, Fix the Electronic Health Record https://hbr.org/2018/03/to-combat-physician-burnout-and-improve-care-fix-the-electronic-health-record].
Whilst the NHS Digital report titled “Fit for 2020 – Report from the NHS Digital Capability Review”^[NHS Digital Capability Review https://digital.nhs.uk/transforming-health-and-care-through-technology/fit-for-2020-report], released in July 2017, explores the need for better analysis and planning, it does not recognise the part that open source^[NHS open-source Spine 2 platform to go live next week https://www.computerweekly.com/news/2240227114/NHS-open-source-Spine-2-platform-to-go-live-next-week] has already played in digital successes. This includes the “100% reliability of NHS Spine” through 2017-2018^[NHS Digital’s annual report and accounts for 2017 to 2018 https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/nhs-digital-s-annual-reports-and-accounts/nhs-digital-annual-report-and-accounts-2017-to-2018].
In addition, although it calls for "Industrialising the delivery model"^[NHS Digital ‘capability review’ questions its role and clarity of offer http://healthcare.governmentcomputing.com/news/nhs-digital-capability-review-questions-its-role-and-clarity-of-offer-5877271] it overlooks the 'open' concept, as does The Parliamentary Review of Health and Social Care in Wales^[Transforming Health and Care in Wales http://gov.wales/docs/dhss/publications/180116reviewen.pdf].
Cultural factors^[Will an anti-innovation culture in the NHS kill off technological progress? https://www.theguardian.com/healthcare-network/2014/jun/10/health-app-nhs-hackday-hospital] can also prevent acquisition of safe and innovative solutions. These are re-enforced by the lack of measures and metrics that would enable a non-technical professional to make informed strategic decisions based on the current industry-standard technology levels.
Having recognised that a healthy culture improves patient care, The King's Fund provides guidance and tools^[The Kings Fund: Improving NHS culture https://www.kingsfund.org.uk/projects/culture] which explain characteristics of such a culture. These are equally applicable to the approach to technology and align with the practices employed within the typical open source community.
The issues outlined have been established through discussions with subject matter experts when acquiring digital technology in the healthcare sector and supported with references.
The professional perspective
Through consultations with healthcare professionals, NHS Digital and Apperta have identified many issues, some covered in the Open Platforms^[Apperta: Defining an Open Digital Platform https://apperta.org/openplatforms] publication.
The most prevalent issues are:
- Lack of detailed digital technology policy to support commissioned developments within the NHS ecosystem
- Disjointed digital systems
- Lock-in (including soft lock-in)
- Technical debt
- Feral systems
- Poor user experience
- Entrenched culture
Battling with the current disjointed digital systems and vendor lock-in leads to a poor user experience with the digital systems, and ultimately compromises optimal patient outcomes.
Apperta observes that whilst current suppliers are working to current policies, there are gaps which need to be addressed, and openness is not the default position. A lack of clear guidance and policy provides excuses for individual suppliers who are making unchallenged technical decisions and working in isolation. This is a root cause of many of the issues identified and ultimately of poor value for the taxpayer, as well as reduced quality for the service user.
Within the 'Defining an Open Platform' publication, Apperta assert that this is not an oversight but intrinsic within the business model of the supplier.
"it must be recognised that many established vendors have business models reliant on customer lock-in and will resist opening up their systems in a way that undermines this core business approach"
With the mission of moving away from this current position, Peter Coates, Head of Ecosystem Development at NHS Digital, states: "An open approach puts the power in the hands of the community, and the community represents all stakeholders."
It is worth noting that, historically, the general education system has been accused of focusing on training students to use a few desktop applications ^[School ICT to be replaced by computer science programme http://www.bbc.co.uk/news/education-16493929] rather than on the technology that underpins the internet and most modern information systems and this has reduced exposure to commodity digital technology.
The House of Commons Science and Technology Committee June 2016 report on the digital skills crisis^[Digital skills crisis Second Report of Session 2016-17 http://www.publications.parliament.uk/pa/cm201617/cmselect/cmsctech/270/270.pdf] called for action to improve this:
"The evidence is clear that the UK faces a digital skills crisis. Although comparative nations are facing similar challenges, only urgent action from industry, schools and universities and from the Government can prevent this skills crisis from damaging our productivity and economic competitiveness."
This shortage is both a symptom of the propensity to focus on locked-in digital technology, and a contributing factor to further entrenchment within the public sector, particularly in healthcare.
With a higher value traditionally being placed on recruiting individuals with a history working for proprietary software organisations, the self-developed digital engineer who possesses the necessary skill set to deliver open digital technology has often been overlooked until recent times^[Jobs Report: Demand for Open Source Skills Climbs, Topped by Linux https://adtmag.com/articles/2018/06/25/open-source-jobs-report.aspx], as have the skills to recruit and manage these individuals.
A further contributing factor is the focus on proprietary digital technology within the UK investment community due to a lack of understanding of the open source models^[Perspectives on Investing in Open Source Startups https://www.linuxfoundation.org/blog/2018/04/perspectives-open-source-startups/].
A steer toward the development of open digital skills and methods within the healthcare sector will increase the innovation capability^[Theories of Open Innovation http://www.meaningprocessing.com/personalPages/tuomi/articles/TheoriesOfOpenInnovation.pdf] and help break this cycle.
It is recognised that we are now in the early stages of a UK healthcare-ready open source digital technology supply chain, with new suppliers emerging or existing suppliers establishing new ‘open’ business models^[Marand on Postmodern EHRs at OSEHRA http://www.openhealthnews.com/content/marand-present-postmodern-ehrs-osehra-open-source-summit]. New companies moving into this space need support to establish their own delivery models and build strong networks with the sector.
An incumbent supplier will face a greater journey than does an embryonic organisation, as the incumbent supplier will need to undertake both an internal culture transformation, as well as a technology shift.
Proprietary software
Although ‘Black-box’ software may suit the requirements which it was originally created to address, when a subsequent need is identified to accommodate an obvious interaction from another perspective, it is likely that only the vendor can make appropriate adaptations to the black-box application. Thus, without vendor support, an application can become outdated and not evolve with changing needs.
Proprietary software has a greater propensity to lead to lock-in due to the closed nature of the products. Therefore reliance on a single supplier is likely and the customer is unable to react should it have issues with its supplier.
Some vendors have the intent to be supportive, yet unable in practice to assist with required software changes as they themselves do not have any access to the underlying source code.
With closed proprietary software, a customer may not have the necessary internal controls to manage the critical software asset that it relies on for its business as usual operations.
Should a vendor choose to impose unfavourable terms, for example raising licence fees or restricting use, the customer may be disempowered and unable to seek alternatives.
Closed software can also create clinical risk according to a June 2018 BCS report^[Inside medical software: When programming costs lives https://www.bcs.org/content/conWebDoc/59560]. The report cites a case where a medical device contained a software error that put lives at risk.
In some cases the original vendor development team is reassigned to other commercial projects or (for other reasons) no longer available^[Wikipedia: Abandonware https://en.wikipedia.org/wiki/Abandonware] resulting in the vendor itself no longer having the knowledge and insight required safely to make changes, address security issues or add features.
In some instances, intellectual property is bought out by a 3rd party which operates a business model of aggressive exploitation of existing users of products or systems which embody that intellectual property^[This American Life: When Patents Attack! https://www.thisamericanlife.org/441/when-patents-attack].
Access to stored data is not always permitted with closed software. Even when it is, the data may not be representative of the underlying data structures, and so not portable to other systems or reusable without significant investment; it can be both challenging and expensive to reverse-engineer or export the data and structures.
Lock-in
With the attrition of the use of an ‘intelligent customer’ role, public sector organisations now live with an increased risk of becoming captive to supplier technologies and services.
Choice and competition are limited when a customer finds itself locked-in^[2006 The Linux Information Project http://www.linfo.org/vendor_lockin.html] to a single vendor solution^[Wikipedia: Vendor lock-in https://en.wikipedia.org/wiki/Vendor_lock-in].
The industry has recognised vendor lock-in for a long time and it has become known as an 'antipattern'^[AntiPattern Name: Vendor Lock-In https://sourcemaking.com/antipatterns/vendor-lock-in] meaning ‘industry vocabulary for the common defective processes and implementations’^[What Is an AntiPattern? https://sourcemaking.com/antipatterns]. It is a behaviour that also exists in other industries^[Vendor lock-in, DRM, and crappy EULAs are turning America's independent farmers into tenant farmers https://boingboing.net/2018/03/08/you-are-the-product-5.html] and occurs wherever the customers allow and fund it.
As lock-in has proved to be a highly successful revenue model for digital technology providers, the practice has grown over many years and has in effect become normalised.
A customer is often unaware of its own inadvertent contribution to creating a future locked-in position, and sometimes will not have sufficient resources to seek and evaluate alternative solutions.
It is rarely the customer’s conscious choice to seek vendor lock-in; yet it is avoidable if the full costs of entry and exit are considered and weighed up against the alternatives^[The Good, the Bad and the Ugly of Vendor Lock In https://amido.com/thinking/the-good-the-bad-and-the-ugly-of-vendor-lock-in/] supported by active management.
As a result of lock-in, it can become harder for challengers to compete, as the cost of exit from the incumbent can be too great to justify a change^[Techopedia: Vendor Lock-In https://www.techopedia.com/definition/26802/vendor-lock-in].
From the vendor’s perspective, the more a secure revenue stream is generated (even with reduced delivery of value to the customer), the shareholder will benefit and there will be little incentive to make any change.
For the customer, the lock-in becomes further entrenched due to the lack of competitive options, and the vendor may at any time choose to increase charges or reduce performance.
Once locked-in for an extended period, underlying flaws and vulnerabilities that exist in the technology can be at risk of exploitation^[The procurement angle behind the NHS ransomware attack http://www.telles.eu/blog/2017/5/15/the-procurement-angle-behind-the-nhs-ransomware-attack]; and remedies required under distress tend to cost more, as well as being unplanned.
Strategic investments and supplier management can help avoid generating future vendor lock-in^[Inviqa: 8 tips for avoiding vendor lock in https://inviqa.com/blog/8-tips-for-avoiding-vendor-lock-in] as well as to increase choice, competition, supplier performance and service received.
To measure the level of lock-in, validate that the software can be executed at will, that data can be retrieved, and that a viable and affordable option exists to migrate at any time to an alternative provider or application.
Mandating open source and open standards within digital technology opens up the supply base and encourages weight being given to value and service as selection criteria.
Soft lock-in
The most common form of lock-in is ‘soft lock-in’, where a customer is not explicitly constrained by overt contract terms, and may even feel that it has made positive choices to avoid lock-in.
Selecting open source does not prevent soft lock-in. Documentation can be withheld, code can be poor quality and dependency created on an individual. Further risks include dependency-based^[New Kind Of Vendor Lock-In And Purchasing Concerns https://www.forbes.com/sites/peterbendorsamuel/2018/02/20/new-kind-of-vendor-lock-in-and-purchasing-concerns/#6fdc70b62be6] lock-in, customer de-skilling and implementation of closed standards.
Examples of soft lock-in are where a product is provided under an open licence (and source code is made available), but insufficient documentation, organisation or process are available to enable the customer organisation to take ownership of (or to exit) an application.
Soft lock-in is permitted through:
- Passive management of acquisition or commissioning
- Insufficient resource to fully evaluate options
- Ignorance of the characteristics of soft lock-in
- Poor technical processes and coding standards delivered
- Lack of documentation throughout a project
- Projects not designed or built in the open
Forms of soft lock-in include:
- Intellectual Property, trademarks and ownership
- Architectural
- Process
- Dependency-based and open-core
- Closed or obscure standards
- Data structure / storage
Soft lock-in does not therefore technically or legally lock a customer in to a product or vendor, but creates a situation where it is uneconomical to achieve independence or exit, and the overall result for the customer is therefore likely to feel equivalent to vendor lock-in.
Where source code is available, and licence terms permitting, process knowledge could be extracted and re-implemented in new software. Some, albeit limited, choices are therefore available to the customer.
For the healthcare sector, soft lock-in is preferable to contracted vendor lock-in, but is nevertheless unnecessary and undesirable, as this economic lock-in further inconveniences progression of digital healthcare technology and reduces value to the service user.
Another consequence of soft lock-in is that it can be difficult, expensive or impracticable to engage alternative suppliers or products. The pick-up cost then often prohibits SME engagement, so creating costly support demands and potential for fragile systems.
Cloud lock-in
Following a recent announcement by the Department of Health^[Government advises that NHS data can be safely hosted in the US and other countries http://publictechnology.net/articles/news/government-advises-nhs-data-can-be-safely-hosted-us-and-other-countries], hosting of NHS data in the 'cloud' is now considered safe. This is to some extent a reaction to the failures and excessive costs of existing healthcare systems and supply chain.
It is important to understand exactly what cloud is before making long-term decisions. One can think of cloud computing as renting a fully serviced flat instead of buying a home of your own.^[explainthatstuff: What is cloud computing? http://www.explainthatstuff.com/cloud-computing-introduction.html]
Delegating to cloud services as a replacement for a data centre for primary services drives cost and maintenance benefits. However, replacing self-managed applications with cloud applications and databases may create entrenchment deeper than that of vendor lock-in owing to the fact that the user may not have access to the underlying processes, software or data.
Various service models^[Wikipedia: Cloud Service models https://en.wikipedia.org/wiki/Cloud_computing#Service_models] exist and one can engage with the cloud at different levels^[Cisco: An OSI Model for Cloud https://blogs.cisco.com/cloud/an-osi-model-for-cloud], from the base operating systems, through container layers and control panels, to application-centric solutions.
Cloud systems are typically managed through higher-level web interfaces which does make it easier for a user to manage the services but in turn re-skills an organisation to learn the particular interfaces, rather than the underlying technology. When multiple cloud providers are used, the management of different systems can prove to be no less complex and time consuming than what is required to manage dedicated equipment.
Although it is often reported that cloud systems have no single point of failure, the underlying automation adds complexity and new opportunities for system failures which no major platform is immune to^[CRN: The 10 Biggest Cloud Outages Of 2017 https://www.crn.com/slide-shows/cloud/300097151/the-10-biggest-cloud-outages-of-2017.htm].
To avoid lock-in^[Cloud Computing's Vendor Lock-In Problem: Why the Industry is Taking a Step Backward https://www.forbes.com/sites/joemckendrick/2011/11/20/cloud-computings-vendor-lock-in-problem-why-the-industry-is-taking-a-step-backwards/#25ac165a7267], it is important to ensure that the services provisioned on the cloud are portable, and that data is not kept behind a platform which prevents it being exported and re-used elsewhere. The ability to 'lift and shift' applications and processes is a baseline requirement to mitigate the risk of being beholden to one provider and must be designed into a service.
As a measure of portability, it is reasonable to expect that a typical digital technician is able to validate and demonstrate that the service can be brought in to production on an alternative platform.
Almost any internet research on the subject of cloud returns positive messages relating to cloud migration, mostly from cloud vendors or organisations with a vested interest. There are opposing views which consider this positive NHS cloud statement as a ‘dangerous move’^[ORG slams NHS Digital's data off-shoring plan as a dangerous move https://www.theinquirer.net/inquirer/event/3025252/org-slams-nhs-digitals-data-off-shoring-plan-as-a-dangerous-move] and suggestions that the case for off-shoring data is flawed^[NHS offshore data deal is bad for British business – and dangerous for you. https://www.thememo.com/2018/01/24/nhs-offshore-data-sharing-cloud-storage-patient-privacy-google-amazon-health/], so a balanced view must be taken giving primary weight to the overall desired outcome.
Taking the wider view, migrating to cloud will not simply address existing issues of process evolution or disjointed systems – and this is the area that requires attention.
Emotional decisions
Across all sectors, digital technology purchases are often based on emotional judgement despite comprehensive supplier evaluations and this can be hard to avoid.
As digital technology can be highly complex, it is usually not economically feasible to evaluate all of the parameters, promises and requirements compared in a scientific way against a variety of supplier proposals in order to support an objective decision.
Without a firm basis, this can lead to perceived least-risk purchases, which may blindly follow the behaviour of peers, or re-signing with an existing supplier, rather than a decision based on the true current organisational needs.
Least-risk purchasing is more likely when the decision is delegated from the sponsor to a purchaser who may not understand the full vision of the sponsor, the day to day needs of the user and the technicalities of the solutions on offer.
In times of discomfort, it is normal to find a safe place^[Psychology Today: The Comfort Zone https://www.psychologytoday.com/blog/the-tools/201205/the-comfort-zone] and this commonly leads to renewals of the same licences and agreements as before; however this behaviour will only lead to marginal change. Further, this emotional reaction can generate and propagate excuses and myths which further entrench existing failing methods and approaches.
Technical debt
A choice to enter technical debt ^[Wikipedia: Technical debt https://en.wikipedia.org/wiki/Technical_debt], like financial debt, can be an enabler if used wisely, and where the cost of borrowing from the future is fully considered.
Due to the invisible and complex nature of software, it is common for a project sponsor to under-value existing liabilities on the basis that the current software operates satisfactorily. However, in doing this, rather than using the opportunity to learn lessons and avoid repetition, the customer is losing the knowledge previously acquired by their team.
This action also disposes of tacit knowledge and learnings to this point rather than using the lessons to avoid repetition^[HBR: When We Learn From Failure https://hbr.org/2014/05/when-we-learn-from-failure-and-when-we-dont].
If one considers all predecessor implementations of a process as a prototype, the asset that exists within the project can be extracted.
All technical projects contain an element of asset and of liability, and recognising both is essential. Even without functioning software, assets may include:
- Design
- Process improvement or alteration
- Training
- Documentation
- Learning and experience
- User feedback
Existing liabilities present themselves in other ways:
- Technology choices
- Interfaces and standards implemented
- Re-worked code
- Evolution of need since design
- Third party integrations
The balance of assets against liabilities can really only be quantified against an up to date requirements analysis, as the measure of the software must be against what the current and future needs are. For example, a fully functional and robust platform may be suitable for previous need, but not for current operations.
When the current state of affairs has been assessed, one can make decisions as to what must be done to address the issues, and the options to redevelop or rework can be weighed up.
Change management and engagement
Where stakeholders and users are not fully engaged with a digital technology project, there is increased risk of rejection of the technology, irrespective of the level of openness of the project.
A 2017 study of non-adoption of digital projects^[Beyond Adoption: A New Framework for Theorizing and Evaluating Nonadoption, Abandonment, and Challenges to the Scale-Up, Spread, and Sustainability of Health and Care Technologies https://www.jmir.org/2017/11/e367] explores challenges to digital technology projects and focuses on situations where investment has been made in healthcare technology without a tangible result.
Lack of appropriate change management^[Changing change management https://www.mckinsey.com/global-themes/leadership/changing-change-management], therefore a lower level of buy-in from stakeholders, can occur when they feel that they have no influence over the digital tools built for them to use.
With closed or proprietary software, a user will have reduced opportunity to freely explore and become familiar with the proposed technology themselves, and have less chance to affect the development or operation of the application.
A well-designed and easy to deploy open application may not be accompanied by commercial restrictions to early engagement. Making applications available early will encourage engagement from key users. The user experience can provide early warning of issues, and also validate choices made.
Feral systems
When existing systems are not functioning optimally, technically capable clinicians have created their own solutions, known as feral systems^[Wild or untamed projects https://en.wikipedia.org/wiki/Feral_information_systems] (or FIS^[Feral Information Systems Development: Managerial Implications https://www.igi-global.com/book/feral-information-systems-development/84171] or Shadow IT^[Feral Information Systems, Shadow Systems, and Workarounds https://www.sciencedirect.com/science/article/pii/S1877050916324504]). This can be of great immediate benefit, but these often do not find themselves on any asset register and can remain unmanaged.
Consider a feral system as a prototype that encapsulates knowledge and process. It exists because of a need observed by a subject matter expert who possesses the capability to create a solution.
Risks introduced through the reliance on feral systems include:
- Unstructured support and maintenance
- Ill-defined or undefined licensing^[No License https://choosealicense.com/no-permission/]
- Absence of security and information governance processes
- Ambiguous business continuity and disaster recovery processes
- Single point of failure risk / single developer reliance
It is suggested that there are hundreds of 'feral systems' in an average large hospital^[Woodcote Consulting: Feral Systems (or I’ve got a great big Access database) http://www.woodcote-consulting.com/feral-systems/] and many underpin critical operational functions.
Although these systems are already in daily use, basic controls can enable immediate management and mitigation of some of the risks.
Failing to discover feral systems creates unmeasurable contingent liability throughout any organisation. Having a register of feral systems including the maintainer, licence and location of source code is the least that must be in place to enable another to step in if the original developer becomes unavailable.
Disjointed digital systems
The healthcare sector operates many independent systems; this is in part a result of the issues outlined above and in part due to the federated and distributed nature of the UK health sector.
Symptoms of isolated systems range from inconvenience to the compromising of patient safety^[Six out of ten health professionals who took the Guardian survey say IT systems are not fit for purpose https://www.theguardian.com/healthcare-network/2018/mar/20/nhs-it-health-service-staff-guardian-survey].
Highlighted in Professor Robert Wachter’s 2016 review, the need for interoperability was stated as a "core characteristic of the NHS digital ecosystem to support clinical care" and "to promote innovation"^[Robert Wachter's Making IT Work https://www.england.nhs.uk/digitaltechnology/info-revolution/wachter-review/] within the 10 specific recommendations to inform the digital technology approach.
Although strong commitments to repair this situation exist^[NHS moves to end "fractured" care system https://www.england.nhs.uk/2017/06/nhs-moves-to-end-fractured-care-system/], constraints relating to lock-in and technical debt must be addressed to enable these aims to be met, both now and in the future.
At an Apperta Open Platforms meeting in February 2018, Peter Coates expressed the potential for service user benefit from the use of open and joined-up technology:
"The care provided is somewhat limited by the lack of open technology standards. If joined up databases were in place and open standards demanded, certain treatment would be opened up and could be carried out in local surgeries therefore requiring less hospital visits. The technology currently used is limiting this."
Proposed approach
Introduction
NHS England states its appetite to alleviate the persistent issues faced across the sector in its 2017 publication ‘Next steps on the NHS Five Year Forward View'^[https://www.england.nhs.uk/publication/next-steps-on-the-nhs-five-year-forward-view/] which describes the aspiration to create the "most transparent health systems in the world" and "leverage the potential of technology and innovation".
To this end, alternative approaches to digital technology are required.
Here we present an open approach to digital projects and offer specific recommendations.
An open approach covers the full life cycle of a project from inception to business-as-usual operation; and all that is in between. Therefore this report and the associated implementation manual consider how a project in its entirety is imagined, developed, delivered and maintained in the open.
The issue is not isolated to the technical build and deploy phases or even the software element. It is very hard for a developer to create a useful function when the original user request (and its context) are filtered out through the development process.
Equally, supporting a project where the developer’s comments are not accessible can lead to re-work and disruption, e.g., when the support engineer cannot establish the motivation behind a technical decision.
Legacy suppliers have traditionally focused the customer on a particular software application, rather than methods that are of most benefit to the customer. In isolated cases, this may be appropriate, but it is not a suitable method for the complex network of the NHS and associated data flows.
Critically, this proposed open approach describes the buying of the whole product journey, not just the software that is output.
Included should be all output from design meetings through documentation and code, which enables the all important motivations behind choices to be later discovered.
By employing this approach, the stakeholders of digital projects should expect to have perpetual and unencumbered use of the applications that they rely on within their organisation.
This report asserts that the overarching principle of an open project is that the supplier creates digital technology assets for the next developer. They should pass on all digital assets as they would expect to receive them.
Information architecture
On one hand, the NHS deals with patients who are generally similar to the patients in any other healthcare setting around the globe. On the other, the NHS is configured in a unique federation of inter-connected organisations, between which individual patients move.
Despite common subjects, technical challenges for the NHS are compounded by the unique NHS business model. This in turn creates issues of data protection, requirements for real-time access from many disparate locations and devices, and an overall contention between convenience and security.
A useful NHS 'digital machine' requires an overall architecture containing modular and exchangeable components, each created at the appropriate size and complexity for optimal utility.
The development of the internet could be considered a point of reference, being the largest distributed technology project. It can be observed that many developers worked in small teams^[Only a few developers do the major work on any project https://www.itworld.com/article/3268001/open-source-tools/open-source-isnt-the-community-you-think-it-is.html], or individually, to deliver micro projects that, connected with open protocols^[RFC Index https://www.rfc-editor.org/rfc-index.html], collectively facilitate the internet.
Being open by design, the community naturally coalesces around the challenges of the day and members work together to find solutions that best suit all parties.
To facilitate a similar way of working, a managed open source approach built to a commonly agreed information architecture can lead to lower cost of production and operation, with higher quality outcomes.
Software re-use
Unlike assets in the physical world, software does not wear out or degrade, no matter how many times it is used or copied; software itself is not affected by entropy in the same way as physical objects^[Wikipedia: Entropy (arrow of time) https://en.wikipedia.org/wiki/Entropy_(arrow_of_time)]. However, the service provided by the software can be disrupted by the following external conditions that are affected by entropy:
- Requirement evolution: what was originally wanted has changed
- Function omission: the function was never performed by the software
- Environment change: the running software has been changed (either planned, unplanned or malicious)
- Infrastructure fault: the underlying platform or connectivity has physical issues
- Capacity: infrastructure is not sufficient for the current operational load
Therefore well-designed software will operate indefinitely, subject to the above.
Using this principle, minimal applications designed on a specific function and accessed through open standard interfaces should be re-usable across domains to perform the same function in different environments.
With this approach, the cost of support and operation can be minimal, enabling more investment in ongoing development of an application.
When the application is available as [open source], and operated within a governance model (for example, the Apperta Custodian Model), all parties benefit from the collective investments and budgets go further^[OpenUK Case Study: Open-eObs at the South London and Maudsley (SLaM) https://openuk.uk/wp-content/uploads/2018/09/OpenUK-Case-Study-Open-Source-at-SLaM-NHS-Screen.pdf].
When issues are encountered and improvements required, funding and development management can be undertaken by any organisation in conjunction with the user community for the benefit of the other users, leading to the re-use of improvements and the sharing of investment. Free and open source software (FOSS) enables software re-use.
Open source software
Background
A concept as old as digital computing itself^[Bell Labs: The Evolution of the Unix Time-sharing System https://www.bell-labs.com/usr/dmr/www/hist.html], 'free' software describes the need for a user or stakeholder of a digital asset to have the choice to share, study and modify^[Free Software's Four Freedoms https://fsfe.org/freesoftware/basics/4freedoms.en.html] the code as required.
The word ‘free’ can mean freedom as well as the absence of a price, two very different connotations. In the context of software, using the word ‘free’ to mean liberated rather than gratis helps better to understand the context used within this document.
To qualify as ‘free’, software must adhere to the four essential freedoms^[https://www.datamation.com/osrc/article.php/3717476/Interview-with-Richard-Stallman-Four-Essential-Freedoms.htm]:
- The freedom to run the program as you wish, for any purpose
- The freedom to study how the program works, and change it so it does your computing as you wish
- Access to the source code is a precondition for this
- The freedom to redistribute copies so you can help your neighbour
- The freedom to distribute copies of your modified versions to others
- By doing this you can give the whole community a chance to benefit from your changes
- Access to the source code is a precondition for this
It is unlikely that any software customer or user would object to these freedoms and an alignment between these free and open source software principles.
A parallel between the free software values and the values of the Hippocratic oath has been asserted^[Open Source Is The Only Way For Medicine https://github.com/pacharanero/opensourceistheonlyway]; further a conclusion of the French National Assembly in January 2016 was that ‘software source code is information’. And just like other public administrative documents, it should be publicly accessible^[OSOR: Compiling laws https://joinup.ec.europa.eu/node/149107].
The term 'open source' was created in 1998^[Open Source Initiative https://opensource.org/] to focus on a key outcome of free software: having the right to see how the software was created and how it operates. It was considered that this term would be more acceptable than the ambiguous and perceptually politically-focused term 'free software'^[OSI: Coining "Open Source" https://opensource.org/history]. Owing to the free and open source software principle, software is now abundant, not scarce^[Wikipedia: Post-scarcity economy https://en.wikipedia.org/wiki/Post-scarcity_economy].
This document uses the description 'open source' to include free software. However, it is important to note that the fact that the source is open does not make the software free (libre) so qualification of open source in its fullest sense is required.
The Open Source Initiative (OSI) is the custodian of the term 'open source', and provides a governance function for licences^[OSI: About Open Source Licenses https://opensource.org/licenses] that can be considered open source friendly; however not all of these meet the Free Software definition.
Open source has no geographical boundaries, and UK developers benefit from the fact that it is generally written in English.
As open source software is developed through a global community, developers communicate to find the best way to work together and commonly develop standard interfaces and connectors to enable better distribution of tasks. This community approach enables every stakeholder to take ownership and contribute^[Technology developers should shadow nurses https://www.digitalhealth.net/2018/01/developers-should-shadow-nurses/] to the digital asset.
A side-effect of coding in the open is that poor quality work or short-cuts are openly visible, therefore there is sometimes the unanticipated overhead of things being done properly.
Modern open source software
Modern digital systems are made up of many layers of software on top of the hardware platform.
Over the last few decades, the layers themselves have increased in their modularity, both horizontally and vertically. Therefore having a monolithic application that connects on one side to the hardware and the other to the user is rare^[Quora: What is the difference modular vs monolithic programming for applications? https://www.quora.com/What-is-the-difference-modular-vs-monolithic-programming-for-applications], and only seen in specialised applications.
Despite being considered at the leading edge of digital technology, the lower open source layers are based on concepts founded in the 1960s and 1970s^[FOSDEM: Unix Architecture Evolution from the 1970 PDP-7 to the 2018 FreeBSD https://fosdem.org/2018/schedule/event/unix_evolution/].
These foundations were created through early experiments by pioneers and explorers, creating a small quantity of systems for the largest organisations, and for the most critical uses in defence^[So, who really did invent the Internet? http://www.nethistory.info/History%20of%20the%20Internet/origins.html#packets] and telecoms^[Origins and History of Unix, 1969-1995 http://www.faqs.org/docs/artu/ch02s01.html]. The GNU/Linux^[Debian: What is GNU/Linux? https://www.debian.org/releases/jessie/amd64/ch01s02.html.en] operating system benefits from this foundation and is the cornerstone of free and open source computing.
In the modern day, it can be assumed that almost every digital technology tool or application that the everyday user requires at home or in business has been written and is available within the open source ecosystem. Many of these are available in the 'Public Code directory'^[OpenUK / FSFE publiccode.directory project http://publiccode.directory].
Why and how does it exist?
Software is not free to create, operate and support. However, once it exists, the costs of sharing with another is negligible.
There are many reasons why individual developers may choose to share their work^[Analyst Watch: Ten reasons why https://sdtimes.com/communities/analyst-watch-ten-reasons-why-open-source-software-will-eat-the-world/]. Some common motivations for software sharing are:
- Developers get satisfaction from having their efforts generate maximum utility rather than short-term tactical needs
- To prove competence: companies hire people who can evidence their capability
- A developer may be an expert in their subject matter, so creating a function for them can be trivial
- To make the software better or more secure: peers and even competitors have the chance to test your software and provide criticism
- To express creativity, or to prove a concept which others can progress and build upon
- Communities can create solutions to problems that are relevant to others
- In the case of organisations, to market their capabilities
- To solve a problem^[Focus : meeting the challenges http://wardle.org/clinical-informatics/2018/01/19/focus-solutions.html]
- As a by-product: when working on a commercial project, components that are not of competitive value could be released freely
In some cases, the motivation is simply the same as when one holds the door open for the next person – they had to open it anyway so offered the person behind the benefit at minimal cost, or an alteration of behaviour by a community means that everyone benefits without additional effort^[Allegory of the long spoons https://en.wikipedia.org/wiki/Allegory_of_the_long_spoons].
This is demonstrated with the creation of Govstrap.io^[Govstrap.io - It's all about accessibility and re-use https://govstrap.io/about] which was created as a by-product of the Code4Health^[Code4Health https://code4health.org/] website project, re-using the accessibility investment^[An accessibility reading list https://accessibility.blog.gov.uk/2017/10/23/an-accessibility-reading-list/] of GDS in the gov.uk website.
It is the developer’s prerogative to choose to make the effort to share their work, and in return, they may benefit from the contributions of others.
By way of example, the company behind the rapidly growing^[300,000 users shift to Nextcloud for file sharing https://www.zdnet.com/article/open-sources-big-german-win-300000-users-shift-to-nextcloud-for-file-sharing/] open source NextCloud file sharing application set out its operations based on the following principles:
- Sustainable company with no external investment
- Software is 100% free and open source
- There are no contributor licence agreements (CLA), therefore the ownership of the software is shared
- Everything is open standards
- Usage must be able to offer federation and decentralisation
- Open operations, sharing discussions and plans with the community
- Diversity of community members to represent wide-ranging needs
Successful open source projects work because they have community engagement^[The 5 Os of healthcare IT - 3. Openness - Allow debate. Make your work transparent. http://wardle.org/clinical-informatics/2017/12/06/5os-health.html], and experts and users alike have the opportunity to challenge the developers or get involved to support the efforts.
This process can lead to better results than for proprietary software which is created in isolation.
Who uses it?
In 2011, it was calculated that it would cost $3bn^[The Linux Kernel: It’s Worth More! https://www.dwheeler.com/essays/linux-kernel-cost.html] to build the Linux kernel. Not a piece of work that any one organisation (with a very few exceptions) would have commissioned, but the Linux kernel is now a critical component in most mobile phones^[From phones and watches to cars and TVs, customise your digital life with Android https://www.android.com/], space exploration^[Open-Source Space https://www.linuxjournal.com/content/open-source-space], the CERN Large Hadron Collider^[How open source supports CERN's Large Hadron Collider https://www.computerworld.com.au/article/641880/how-open-source-supports-cern-large-hadron-collider/], televisions^[Tizen Mobile, Tizen TV, and Tizen Wearable https://www.tizen.org/], tablets, wearables^[11 wonderful wearable open source projects https://opensource.com/article/16/12/yearbook-11-wonderful-wearable-open-source-projects], routers and even cars^[Development and adoption of a fully open software stack for the connected car https://www.automotivelinux.org/].
It is true that many cloud and proprietary software companies build their solutions on open source technology (for example Google^[Google Open Source: Bringing better technology to the world by promoting open source https://opensource.google.com/], Microsoft^[Open Source at Microsoft https://opensource.microsoft.com/], Apple^[Apple Open Source https://opensource.apple.com/], Amazon^[Amazon Web Services is part of the open source ecosystem https://aws.amazon.com/opensource/]) and that they contribute components back to the open communities. Yet the services which are provided are not open source.
At a leadership conference, Jim Zemlin, Executive Director of the Linux Foundation reviewed usage statistics^[Open source community crams itself into big tent https://www.theregister.co.uk/2018/03/06/open_source_community_crams_itself_into_big_tent/]:
"Linux has 100 per cent of the supercomputer market, 82 per cent of the smartphone market (Android), 90 per cent of mainframe customers, 90 per cent of the public cloud, 62 per cent of embedded systems, and is the number one internet client (Android)."
In recent years, momentum has increased toward the open approach in public administrations and there are many success stories, the city of Barcelona^[Using Free Software to build a more democratic, inclusive and sustainable digital society https://fsfe.org/news/2018/news-20180705-01] being one which has fully embraced this approach. The Ontario Institute for Cancer Research employs an open source approach to encourage global collaboration^[OICR explains why it is backing open source software and commodity hardware to help accelerate the pace of cancer research across the globe https://www.computerweekly.com/news/252442112/Ontario-Institute-for-Cancer-Research-uses-open-source-clouds-to-aid-cancer-research]. Further links to open source resources can be found in the appendices.
The prevalence of open source across the digital technology sector is now beyond question.
Brand management
Although code can be fully available, brands can be established in order to separate supported (or professional) versions of software from the community versions.
For example Mozilla, the creator of Firefox and Thunderbird, uses trademarks to indicate the quality of its distribution and so can enforce restrictive terms on the use of its brand assets.
"Mozilla's Trademark Policy attempts to balance two competing interests: Mozilla's need to ensure that the Mozilla Marks remain reliable indicators of quality, source, and security; and Mozilla's desire to permit community members, software distributors, and others with whom Mozilla works to discuss Mozilla's products and to accurately describe their affiliation."
This policy does not prevent others from using the underlying code, but only the official distribution can use the Mozilla brand^[Mozilla Trademark Policy https://www.mozilla.org/en-US/foundation/trademarks/policy/].
The policy was tested when the Debian Project^[Debian -- The Universal Operating System https://www.debian.org] which produces a Linux distribution decided that the restrictive use of the brand assets was not compliant with its own policies, and therefore used alternative branding^[Mozilla software rebranded by Debian https://en.wikipedia.org/wiki/Mozilla_software_rebranded_by_Debian] for the software.
IT security considerations
The subject of IT security is vast and evolving rapidly. Although a matter of implementation, there is ongoing debate as to the security risks of open source solutions opposed to proprietary software^[A Security Comparison of Open-source and Closed-Source software http://www.swdsi.org/swdsi07/2007_proceedings/papers/236.pdf].
With any connected digital system there is always a level of insecurity, whether it is open source or proprietary software. Individuals often make the incorrect assumption that a connected system can be made secure because the relevant tools have been applied to it. However, all connected systems should be considered vulnerable, no matter the mitigations applied.
Official vulnerability records evidence greater quantities of issues with open source compared to the alternatives^[Top 50 Products By Total Number Of "Distinct" Vulnerabilities https://www.cvedetails.com/top-50-products.php].
However, open source has greater opportunities for issues to be detected and remedied, where closed software does not provide the user the option of exploring the software or to apply fixes.
Peer review of open source provides further facility for interested parties to investigate the workings of an application and determine the risks. With closed-source, there is reliance on the vendor to detect, advise and remedy issues.
Recommendations
The following recommendations aim to address the issues outlined and cover both the content of this report and the associated Implementation Manual. Each recommendation requires active management by suitably informed leaders.
Adopt an open-first policy for the NHS
Open source, standards, data and projects support points 5,6 and 7 of the NHS core principles^[Principles and values that guide the NHS https://www.nhs.uk/NHSEngland/thenhs/about/Pages/nhscoreprinciples.aspx] described in the Handbook to the NHS Constitution.
- Recommendation
- With the support of Apperta, NHS fully embraces and implements the open principles proposed within this document.
Actively avoid all forms of lock-in
Lock-in must be recognised and actively avoided to allow for innovation and digital progress. An exit path must be designed in when making digital acquisitions. Persistent monitoring of the digital technology estate is required to avoid unintended lock-in.
The specific forms of lock-in are detailed in the lock-in section and include both soft lock-in and cloud lock-in.
- Recommendation 1
- Ensure all stakeholders, including specifiers and procurement teams, understand the various forms of lock-in, and how they can be measured.
- Recommendation 2
- Ensure any software development commissioned operates in accordance with the Apperta DITO (Develop In The Open) principles and standards published September 2018.
- Recommendation 3
- Demonstrate active bias against all forms of lock-in.
Understand when cloud is appropriate and when it is not
The NHS guidance stating that cloud is 'safe'^[NHS and social care data: off-shoring and the use of public cloud services https://www.digital.nhs.uk/article/8486/NHS-and-social-care-data-off-shoring-and-the-use-of-public-cloud-services] creates confusion as the term 'cloud' is not sufficiently defined. Economics can also be ambiguous and the ability to achieve scale, cost and capacity has been questioned^[451 Research: Busting the Myth of Private Cloud Economics https://pages.ubuntu.com/rs/066-EOV-335/images/Advisory_BIB_Canonical.pdf].
The term is used to describe many layers of hosted technology, some offering greater benefits and efficiency of scale, others locking in the customer to a greater extent than before.
Cloud services can increase vendor lock-in where the customer does not get access to the given applications, and therefore require further consideration of risk. This can also add complexity and additional points of failure and should be weighed up against the benefits of consolidated services.
- Recommendation 1
- All NHS organisations implementing digital services that rely on the Cloud should employ a risk assessment that considers the real possibility of data subsequently becoming inaccessible (through either technical issues or commercial constraints), and that addresses how continuing service to the user would be provided should this occur.
- Recommendation 2
- Non-commodity applications that are critical to the delivery of services must always be portable, to enable ongoing choice of provider.
- Recommendation 3
- The term ‘cloud’ needs to be more thoroughly defined, to enable informed interpretation of the published guidance.
Employ a Custodian Technical Services function
Management of digital technology projects and suppliers by an appropriate informed person with an understanding of the required outcome and open methods and how this can increase the technology level of the sector.
This role may be performed by the customer or a third party contracted to provide Custodian Technical Services (CTS).
Apperta is currently providing active management and governance capability for software applications, either imported or developed. This enables the public sector customer to gain the benefit of a single point of contact without the risk of vendor lock-in or single-supplier dominance.
Custodian services include:
- Customer community management
- Curating requirements
- Managing the supplier base
- Selecting relevant open standards
- Introducing or recruiting a technical custodian
- Ensuring that code and assets are available and up to date
- Managing ongoing maintenance including security and feature development
- Facilitating regular technology reviews
- Driving compliance including safety cases and clinical standards
- Recommendation 1
- Engage Apperta to ensure suitable governance and management of software throughout the UK public health sector.
- Recommendation 2
- The price of a digital technology project should make allowance for the cost of maintaining a CTS role.
Using Apperta as a custodian enables the governance and control, and in parallel use with the methods described in this document, will enable the creation of professional and scalable open source systems relevant to the healthcare industry.
Justification required for non-open (build or buy) digital acquisitions
An open approach thrives when every component is open and is hampered when it is not.
Suppliers and sponsors should be required to justify why future digital technology acquisitions are not open source and the response analysed and challenged. It is rare that a situation occurs where non-open source can be justified.
Matters of national defence have been cited as one example where it may be justified to take a closed approach to software development, in the interest of security. Healthcare however exists to manage the patient or the processes to support the patient, so there is no obvious case as to why the technology, processes or methods cannot be open.
- Recommendation
- Procurement should only consider the acquisition (build or buy) of a non-open products and services on an exceptional basis and with documented justification.
Improve discoverability
Many open source projects exist around the world. A sign-posting directory of code and indication of maturity would enable organisations to re-use what already exists and build on top of existing efforts.
- Recommendation
- Make funding available for the creation, curating and maintenance of a directory of healthcare related open digital technology assets; and promote the directory throughout the sector.
Digital Capability Review to acknowledge the Open approach
Despite the global push toward open source, clear Government direction and evidence of successful clinical open source projects, the report from the NHS Digital Capability Review July 2017^[NHS Digital Capability Review https://digital.nhs.uk/transforming-health-and-care-through-technology/fit-for-2020-report] does not include the word 'open'. The report does explore the need for better analysis and planning.
- Recommendation
- NHS Digital should acknowledge and direct that an open approach is required in order to meet its digital technology aspirations.
Use supplier transparency as measure of value offered
Understanding the business model of the supplier, and the supplier’s own goals and aspirations, helps provide understanding of the level of the supplier’s engagement and alignment with the customer. Working with a supplier that does not declare how it charges, or how much of its revenue goes to the delivery of services, makes it hard to determine the comparative value offered.
- Recommendation
- Develop measures of supplier transparency; and give preference to suppliers who demonstrate greater transparency.
Develop an NHS 'Intelligent Customer'
An intelligent customer role can play a part in supporting purchasers' objective evaluation of suppliers. This is of particular importance at a time of major transition from the incumbent to a new supplier, solution or approach.
Engage capability that is sufficiently proficient to manage a supplier technically, and be familiar with the specialist customer domain. This may be a re-use of existing capabilities within Apperta or Government Digital Services, or the development of a healthcare-specific ‘intelligent customer’ function.
The Intelligent Customer is able to state the requirement and to assess proposed solutions with respect to satisfaction of the requirement, design, necessity of the solution and price.
Apperta offers the skills and resources to support the development of such a role and educate on its use.
- Recommendation
- To make informed technology decisions, challenge suppliers from a position of strength and knowledge, so building an intelligent customer function.
Produce open information architecture specifications
Facilitate sustainable communities of clinical and digital professionals to review the current healthcare digital assets (including systems – Spine; protocols – HL7; standards – OpenEHR) and assess the gaps to agree definitions and produce an overall architecture.
This activity should be managed by professionals who can curate and organise the data, and work in the open on the overall architecture in a semantic manner.
- Recommendation
- Further develop an overall NHS open information architecture. specifying the standards and trunk routes for data flows, to enable the technical and clinical teams to work together more effectively and build joined-up applications of greater utility and value.
Establish NHS brand management of open digital assets
A brand carries significant weight with users and customers.
To encourage openness in designing and building applications, digital applications endorsed under the NHS brand should provide confidence that they adhere to best open practices. This will support the development of re-usable code and components for the wider benefit in the sector.
Establishing and governing brands that convey the open principles enables the customer to make informed choices. Brand management can assist a user when selecting software and, owing to the ability to legally control a brand, can be used to set standards for quality.
- Recommendation 1
- The NHS should establish, control and promote professional open source brands for applications that meet the appropriate quality and openness criteria.
- Recommendation 2
- All digital applications endorsed under the NHS brand should be open source and open standard.
Invest in local skills and SME services
A federated and distributed supply chain can be delivered by supporting local organisations and the SME open source supply chain. When software is opened up, any suitably skilled person or organisation is then able to contribute. This may be across a variety of disciplines, including documentation, testing and implementation, in addition to the design and development of software.
Instead of encouraging a low-value software reseller model, demand for open source software generates local skills^[Local Entrepreneurship with Open-Source and Peer-to-Peer Production http://www.resilience.org/stories/2018-02-16/fab-labs-supports-local-entrepreneurship-with-open-source-and-peer-to-peer-production/], which in turn encourages higher-value software professional services models and improves digital skills^[Canada: Support for the Local Economy and Communities https://github.com/canada-ca/Open_First_Whitepaper/blob/master/3_Open_Source_Software.md#support-for-the-local-economy-and-communities] across the UK.
A further benefit is the reduction in reliance on a small number of foreign companies^[Canada: Increase use of Canadian Resources https://github.com/canada-ca/Open_First_Whitepaper/blob/master/5_Open_Markets.md#increase-use-of-canadian-resources] to deliver critical UK systems at significant cost^[£1 in every fiver that UK biz, public sector spent on software in 2017 went to drumroll Microsoft https://www.theregister.co.uk/2018/08/24/winners_and_losers_in_the_uk_enterprise_software_rankings/].
- Recommendation
- Invest in open source services from local and SME resources so as to improve the digital workforce, deliver more value, and reduce lock-in.
Conclusions
Implementation of free and open source within the public sector is much more than software – it is an organisational approach.
Individual software components of a digital project are a small part of the overall package. The package encompasses developer/customer engagement, design, documentation, collective thinking, interaction between people, technical build, selecting components, working out licensing. Even deployment technology, performance and ongoing support must be factored to support the open approach.
A fear of the simple can create scepticism that a commodity and free solution can work in an environment where lives depend on the technology. Yet, many contemporary critical digital technology systems already rely on free and open source software to operate, but do not pass the benefits of the open technology to the customer.
When working on complex and joined-up systems, an open approach is required at all levels. The customer has purchased the journey, not just the final compiled application.
Many official NHS reports referred to in this document offer aspiration and optimism for better patient outcomes supported by digital technology, but more pragmatism and recognition of the problems of the day are required. It is true that many advances have been made, but many more opportunities are yet to be taken.
Procurement is often cited as a barrier or creation of resistance to the acquisition of free and open software. It is crucial to understand that the procurement professional is critically important to the safe acquisition of this technology. Better framework agreements are required to reduce friction.
The healthcare sector is vulnerable to exploitation, due to its large technology spend and separated nature. Safeguards need to be developed to ensure that the value returned is commensurate with spend, and that investments by one trust benefit others. Mandating the transparency of suppliers, open source software and implementing an ‘intelligent customer’ approach will help to mitigate these risks.
Vendors who have benefited from highly profitable projects with the healthcare sector are more inclined to maintain the current level of technology. Change must be driven from the buy-side of the relationship.
Guidelines issued by the UK Government mandate the use of open standards^[You must use open standards when designing and building your service unless you've been granted an exemption. https://www.gov.uk/service-manual/technology/working-with-open-standards] and require consideration of open source^[To meet point 3 of the Technology Code of Practice your plan or design must show you have considered the use of open source and publishing your code openly https://www.gov.uk/guidance/be-open-and-use-open-source] when creating software. Evidence of this in practice can be seen at the GDS Github code repository^[Github: Government Digital Service https://github.com/alphagov]. However, these guidelines are not mandated in the same way when buying (opposed to building) digital technology, and this accounts for £3.2bn^[Digital Services + Digital Outcomes and Specialists + G-Cloud https://www.gov.uk/government/collections/digital-marketplace-sales] of trade through the Digital Marketplace in 2017.
Maintaining the position as a global digital leader requires the UK public sector to invest in UK-based open source organisations and export the knowledge and processes to other nations. Software is now a commodity, and freely available. The opportunity for the UK is to apply this abundant resource in useful ways to benefit the citizen and the NHS has an opportunity to lead.
Apperta has the potential to manage the development of community-engaged software through its Custodian Technical Services (CTS) model. This will in turn accelerate the progress of fit for purpose apps that are interoperable and are adaptable by design, enabling them to grow with the inevitable evolution of care and technology. NHS leaders should take the time fully to understand the proposed CTS model and work to refine and adopt it as standard practice across technology projects.
To deliver the stated vision of the Government and NHS, open source must be mandated for digital technology – whether bought in or created.
Advocacy for open source is easy to find and there are many cases to support the open source methods, but it is hard to find such support for proprietary software with the exception of the benefits to the shareholders of the proprietary company. However, the public health sector has remained dogmatically supportive of the proprietary closed methods and largely ignored the open options offered.
The limiting factor is the culture to implementing the approach – not the digital technology. Legacy methods of buy/supply in the health care sector require updating to become compatible with the acquisition and exploitation of modern open software.
Improvement is required, particularly around cultural and behaviour, to enable the healthcare sector to make a wholesale break-out of the current technology trap. This is not a technology problem.
An open strategy that considers the design, build, deployment and support of assets is required to ensure that digital technology does not become a limiting factor.
Such a shift requires confident direction from the leadership of the NHS and support for the learning stages of the process. Without the right level of energy and support, any progress will be negated by reverse travel in other areas.
If change is to be enacted, it is essential that this is sought at all levels and throughout the sector. With this combined effort and reliance as a team on the strengths and expertise of others, addressing the technological and cultural challenges can be swift, safe and effective.
Enabling the "patient power decade"^[Keynote address: Jeremy Hunt 12 September 2017 https://www.england.nhs.uk/expo/wp-content/uploads/sites/18/2017/10/Jeremy-Hunt-keynote.pdf] by putting the patient "in the driving seat of their own healthcare destiny" can only be achieved with an open approach.
It is the hope and intention of the author that this report will go some way to removing excuses for maintaining the current position, and will enable an opportunity to deliver better healthcare to the stakeholders of the NHS – the citizens of the UK.
Appendices
Supporting policies, studies and resources
Readers should gain an understanding of the existing policies and documents published by UK and EU Government and the NHS to place into context the recommendations within this document and the associated manual.
In addition to the many references throughout the report, this section provides references to supporting UK and EU policies, as well as to supportive statements from other nations. Also included are statements from various nations and public resources of their commitment for open source support and technology.
Apperta publications
Open Platforms
The Apperta Foundation released a publication describing open platforms in November 2017. This describes an open platform as 'vendor and technology neutral, eliminates lock-in, facilitates innovation and competition, and forces vendors to compete on quality, value, and service'.
It presents the following recommendations:
- Adopt and support the development of open source components towards a reference implementation of an open platform to stimulate the global ecosystem.
- Minimum Viable Open Platform (MVP) – We believe this blend of open standards and open source to be the right way forward and recommend such an approach to be adopted more widely.
- Conclusion, Recommendations and Next Steps – Adopt and support the development of open source components towards a reference implementation of an open platform to stimulate the global ecosystem.
DITO
Developing In The Open (DITO) principles (due for publication September 2018) describes a structure that the health and care IT economy can work toward. It sets the principles and ground work for developing IT solutions and intends to be the foundation to develop a technical standard.
UK Public Sector
In addition to the many healthcare-specific documents and references, numerous others relate to the wider UK public sector.
Tallinn Declaration
On 6 October 2017, the UK co-signed the Tallinn eGovernment Declaration^[Public Technology https://www.publictechnology.net/articles/news/uk-among-32-signatory-countries-tallinn-egovernment-declaration] under the Estonian Presidency of the Council of the European Union^[Conclusions of the Prime Minister of Estonia Jüri Ratas https://www.eu2017.ee/news/insights/conclusions-after-tallinn-digital-summit].
The declaration makes explicit commitment to interoperability by default, declaring that signing nations will drive the use of open standards and open source technology within their respective jurisdictions. The aim is to "make ICT solutions owned by or developed for the public administrations more readily available for reuse in private sector and civil society".
The following is an extract from the declaration:
We will in our countries:
enhance the re-use of emerging joint solutions under the Connecting Europe Facility (CEF) programme or other common frameworks – in particular eID, eSignature, eDelivery, eProcurement and eInvoicing – and promote their implementation in more domains, while avoiding sectoral duplication of service infrastructures;
make more use of open source solutions and/or open standards when (re)building ICT systems and solutions (among else, to avoid vendor lock-ins), including those developed and/or promoted by EU programmes for interoperability and standardisation, such as ISA2;
make ICT solutions owned by or developed for the public administrations more readily available for reuse in private sector and civil society, for example, by developing and publishing terms and conditions on how third parties may reuse the solutions.
We call upon:
the EU institutions to implement the European Interoperability Framework and the Interoperability Action Plan (including within all Commission services), especially for cross-border services within the Single Market – by the end of 2021;
the Commission to discuss cross-border interoperability principles and work to reach relevant agreements with global partners, especially the eIDAS framework for global interoperability and mutual recognition of electronic identities and trust services;
the Commission, building on the Council Conclusions on mainstreaming digital solutions and technologies in EU development policy, to submit proposals on how to fully integrate digital considerations into the EU's external development policy support instruments, to ensure interoperability with EU frameworks and standards when third countries make investments to digital infrastructure and services with EU assistance – by the end of 2019;
the Commission to consider strengthening the requirements for use of open source solutions and standards when (re)building of ICT systems and solutions takes place with EU funding, including by an appropriate open licence policy – by 2020.
Technology Code of Practice
Created by Government Digital Services under direction from the Cabinet Office, the Technology Code of Practice is a set of criteria to help government design, build and buy technology. The document has broad coverage and explains various concepts around open source. The code of practice is used as a tool to support the Cabinet Office spend control^[Cabinet Office controls https://www.gov.uk/government/publications/cabinet-office-controls] process.
It states "Be open and use open source"^[Publish your code openly and use open source technology https://www.gov.uk/guidance/be-open-and-use-open-source] and instructs the developer to "Publish your code and use open source to improve transparency, flexibility and accountability".
The document provides advice including:
Your technology project or programme could benefit from:
- Solving common problems with readily available open source technology
- More time and resource for customised solutions to solve the rare or unique problems
- Lower implementation and running costs
Be aware that open source software is not completely free, so take into account the total cost of migrating, including exit and transition costs.
Digital Service Standard
Created by Government Digital Services under direction from the Cabinet Office, The Digital Service Standard is a set of 18 criteria to help government create and run good digital services^[Digital Service Standard https://www.gov.uk/service-manual/service-standard].
The standard sets the criteria that all new code should be open^[8. Make all new source code open https://www.gov.uk/service-manual/service-standard/make-all-new-source-code-open] and published under an appropriate licence.
Greening Government ICT Strategy March 2013
As a sub-strategy of the Government ICT Strategy, the Greening Government ICT Vision published in March 2011 seeks to create "A cost effective and energy efficient ICT estate, which is fully exploited, with reduced environmental impacts to enable new and sustainable ways of working for the public sector."
The report recommends reuse of applications and that the code is stored as open source^[App Store will hold open source code and solutions for reuse https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/155098/greening-government-ict-strategy.pdf]. Open source and open standards are defined as the method to "Ensure technical standards support interoperability to facilitate integration and shared services".
Open Contracting Partnership
The Open Contracting Data Standard was created in 2014 to provide a framework for transparency in the supply chain. This provides "a global non-proprietary standard structured to reflect the complete contracting cycle"^[We connect governments, civil society and business to open up and monitor public contracting https://www.open-contracting.org/].
The standard was developed by the World Wide Web Foundation^[Delivering Digital Equality https://webfoundation.org/], and includes technical implementation documentation^[Open Contracting Data Standard: Documentation http://standard.open-contracting.org/latest/en/].
Open Government Partnership Open Source policy
The UK has committed to the Open Government Partnership (OGP)^[UK Open Government National Action Plan 2016-18 https://www.gov.uk/government/publications/uk-open-government-national-action-plan-2016-18/uk-open-government-national-action-plan-2016-18] and has "pledged support for the open source policy, making it an official part of the ‘Paris Declaration’"^[Bulgaria, France, UK, US support OGP free software policy https://joinup.ec.europa.eu/community/osor/news/bulgaria-france-uk-us-support-ogp-free-software-policy] at the 4th Global Summit of the OGP.
With similar aims, the Organisation for Economic Co-operation and Development (OECD) has set out to create an 'Open Government Toolkit'^[OECD examines open government strategies https://joinup.ec.europa.eu/news/oecd-examines-open-government] following on from a 2017 consultation. The outcome was published in December 2017^[Online public consultation on the draft OECD Recommendation of the Council on Open Government http://www.oecd.org/gov/recommendation-open-government-public-consultation.htm] which recommends open working between public administrations and co-creation of solutions.
Open Standards Board
The Open Standards Board was established in 2013 and "includes expert users drawn from government and not-for-profit organisations as well as volunteers from academia and industry. They consider open standards recommendations from standards panels"^[Open Standards Board https://www.gov.uk/government/groups/open-standards-board].
Open Document Format guidance
To ensure that the Government is not locked-in to office applications by the format of documents created, a commitment to Open Document Format was made and guidance issued^[Open Document Format (ODF) guidance https://www.gov.uk/government/collections/open-document-format-odf-guidance].
The guidance includes an overview of ODF software^[A non-exhaustive list of productivity solutions https://www.gov.uk/guidance/open-document-format-odf-guidance-for-uk-government/overview-of-productivity-software] and cost benefits^[Useful information for building a business case for moving your organisation to ODF. https://www.gov.uk/guidance/open-document-format-odf-guidance-for-uk-government/costs-and-benefits-of-odf].
Local Government Association
The Society for IT practitioners in the public sector (SOCTIM) report^[Understanding the changing IT procurement landscape https://blog.socitm.net/2017/07/27/understanding-the-changing-it-procurement-landscape/] on the LGA 'National Technological and Digital Procurement Category Strategy'^[LGA: National technological and digital procurement category strategy https://www.local.gov.uk/sites/default/files/documents/11.29%20National%20technological%20and%20digital%20procurement%20category%20strategy%20v02_4.pdf] cites 'IT as an enabler' as a key theme of the report. The report describes the opportunity for 'expanding on open source opportunities, championing interoperability and greater use of technology standards'.
The strategy describes benefits brought from the implementation of open source, open standards and open architectures.
OpenUK professional open source overview
OpenUK provided a high level briefing paper^[Professional re-usable software principles for the Public Sector https://openuk.uk/wp-content/uploads/2016/07/OpenUK-A4-x-8pp-Re-use-Principles-June-2016-FINAL.pdf] to inform the reader of the professional open source options for the public sector including policy extracts from various departments and links to public sector and NGO supporting organisations in the UK.
EU & Global statements
Many public administrations have published policies and statements supportive of an open source and open standards approach. This is a non-exhaustive list of policies and statements from the EU and other regions.
- Australia
- Design principles (Based on gov.uk principles)
- Basque Country
- Basque Country Decree specifies open source by default
- Bulgaria
- Custom software developed for the government must have its code published online in an open source format
- Canada
- Treasury Board of Canada Secretariat seek shift to open approach
- Estonia
- Information Society Strategy 2013
- e-Estonia delivered with Open Source
- Government plans to build a new electronic land registry in partnership with other countries
- European Union
- Tallinn Ministerial Declaration on eGovernment
- European Interoperability Framework (EIF)
- Promoting sharing and reuse of IT solutions in the EU (common framework)
- European Union Public Licence (EUPL)
- European Commission's open source Software Strategy
- FSFE template Open Source policy for use by Public Administrations
- Open Source Observatory Annual Report 2016
- Public Sector Information (PSI) Directive for document reuse
- France
- Government policy on free software (Circulaire Ayrault)
- DISIC Open Source Policy Template
- Document interoperability guidelines (Référence Général d’Intéropérabilité / RGI)
- Hungary
- Hungary aims to get rid of IT vendor lock-in
- Israel
- Israeli Government shift to open source
- Italy
- Article 68 of the Codice Amministrazione Digitale, mandates open source in Italy’s public administration
- Developers Italia – The Italian government digital transformation team
- Developers Italia presentation at FOSDEM – what happens when a nation goes Open
- Italy’s Team Digitale urges use of technological principles in ICT procurement
- Malta
- Open Source Software Directive
- Netherlands
- Logius digital government services open standards statement (Dutch)
- Logius open source system catalogue (Dutch)
- Poland
- Poland to start a central source code repository
- Portugal
- National Digital Interoperability Regulation (RNID) promotes open standards
- Slovakia
- 40% ICT systems to use open source by 2020
- Spain
- Guidelines on publication and licensing of assets recommends open source
- City of Barcelona migrates to open source
- Barcelona's free software guidelines (in English)
- Sweden
- National Procurement Services require open standards
- Sweden cloud policy
- Sweden updates list of mandatory IT standards
- Public Open Source Software Procurement Models: The Next Generation
- Sweden to boost open source through procurement
- USA
- U.S. Government Federal Source Code Policy
- Department of Veterans Affairs statement on open source
The Free Software Foundation Europe (FSFE)^[Free Software Foundation Europe https://fsfe.org/] has published an extensive review of policies of many nations^[FSFE EU Policy overview https://wiki.fsfe.org/Activities/EU_Policies_overview_FS] and the OpenUK 2016 review^[OpenUK open source policy review 2016 https://openuk.uk/review-of-global-open-source-policy-across-the-public-sector/] includes USA, India and UK policy. A further extensive review^[Open Source Observatory Annual Report https://joinup.ec.europa.eu/sites/default/files/document/2017-01/open_source_observatory_annual_report_3.pdf] is available from the European Commission Open Source Observatory (OSOR)^[Open Source Observatory (OSOR) https://joinup.ec.europa.eu/collection/open-source-observatory-osor].
Open source resources
Communities, networks & lists
The world of open source is rich with communities and resources. The following is a selection of health-related resources:
- 'Awesome' healthcare applications list
- Civic Stack index of open source tools for social change
- FSFE Public Money Public Code campaign
- International Society for Telemedicine & eHealth (ISFTEH) open source working group
- Medfloss overview of medical informatics and healthcare apps directory
- Medispring Co-operative GP software development (Belgium)
- Open Health Information Exchange Community
- Open Health News (OHNews)
- Open source guide and applications
- Open source research project framework
- OSOR Case studies
- PublicCode directory of open source for public administrations
- Pubmed – US National Library of Medicine
Apperta
The Apperta Foundation (Apperta) is a not-for-profit community interest company (CIC) supported by NHS England and NHS Digital (also known as the Health and Social Care Information Centre – HSCIC). It is led by clinicians, to promote open systems and standards for digital health and social care.
Apperta was set up to manage healthcare open source projects, and to address professional healthcare needs whilst maintaining the open source community values. It intends to be recognised as an organisation that leads change and invokes measurable change.
"Apperta's mission is to improve patient outcomes by changing the way the health economy works and it will do this in the open and using open methods."
As well as guidance, Apperta has produced several publications. These include the design of a commercial model of engagement for open digital technology suppliers, and the “Apperta Custodian Model”^[Apperta Custodian Model https://apperta.org/_attachment/custodian/Apperta_Custodian_Model.pdf]. This model is designed to replicate methods borrowed from the common Open Source community model of development whilst adding the governance to enable an organisation ultimately to take control of a digital asset in a healthcare setting.
At a high level, the purpose of this model is to bridge the community and healthcare environments to:
- Encourage community engagement and quality software as one finds across the open source communities; and
- Ensure that an application is managed in a way compatible with use in professional healthcare environments
A diagram of the Apperta Custodian Model is on the Apperta website^[Custodian Model diagram https://apperta.org/_attachment/custodian/Apperta_Custodian_Model.pdf], and an overview of the roles is available from OpenUK^[OpenUK website https://openuk.uk/wp-content/uploads/2018/03/20160406-MEDETEL-Slides-SJM.pdf].
Using the Apperta Foundation as the custodian enables the governance and control; in parallel use of the methods described in this document enable the creation of professional Open Source systems relevant to the healthcare industry.
To address the wider architecture of digital healthcare systems, 'Defining an Open Platform'^[Apperta: Defining an Open Platform https://apperta.org/assets/Apperta_Defining_an_Open_Platform_April.pdf] describes the approach and standards required for delivering a national open platform.
The Apperta Foundation CIC is registered in England and Wales as a private company limited by guarantee without share capital. Company registration number: 09483987
{#id .class height=101 width=213}
OpenUK
OpenUK is registered in England and Wales as a not-for-profit company limited by guarantee. Company registration number: 11209475

The author
Stuart J Mackintosh
Chair, OpenUK – The Free & Open Source technology industry association
Email: stuart.j.mackintosh@openuk.uk
Web: https://openuk.uk
Twitter: https://twitter.com/OpnSrcCons
Tel: 030 3040 2030
Acknowledgements
The following people have contributed to this document in various forms:
- Basil Cousins
- Etienne Saliez
- Gijs Hillenius
- Nichola Evans
- Tony Ford
A special mention of thanks to David Jobling of NHS Digital / Apperta who was the catalyst for the commissioning of this document and significanr contributions to the content.
Document licence
This document is provided under the 'Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)'^[Attribution-ShareAlike 4.0 International https://creativecommons.org/licenses/by-sa/4.0/] licence.
For any purpose, even commercially, you are free to:
- Share – copy and redistribute the material in any medium or format.
- Adapt – remix, transform and build upon the material.
This licence is acceptable for Free Cultural Works.
The licensor cannot revoke these freedoms as long as you follow the licence terms, as follows:
- Attribution – You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you, or your use.
- ShareAlike – If you remix, transform, or build upon the material, you must distribute your contributions under the same licence as the original.
- No additional restrictions – You may not apply legal terms or technological measures that legally restrict others from doing anything the licence permits.
Notices:
- You do not have to comply with the licence for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.
- No warranties are given. The licence may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.

About this document
This document has been created using Markdown and Pandoc^[Pandoc https://pandoc.org/] to generate the formatted output document. The source is available in a Git repository and the compilation tools are included.
Version 1.0.0 of this document was first published 21st September 2018.
\itshape
Document information
\small
Version: PPP-1.0.13 PUBLISHED (pdf)
Document date: 9 October 2018 (Compiled: 3 December 2018)
Word count: 14645 (1134 lines)
\normalsize \normalfont
Change log
- 30/11/2018 Cover page updated