ISO compliance adds confidence in open source for UK healthcare

PRESS RELEASE: for 14th December 2020

Applications and software are increasingly being developed using open source (https://www.cnbc.com/2019/12/14/how-open-source-software-became-the-new-industry-standard.html; and https://techcrunch.com/2019/01/12/how-open-source-software-took-over-the-world/). This means licence confidence is now critical in open source applications for health and social care.

The Develop in the Open (DITO - https://dito.tech) project team has asserted that an ISO standard awarded to OpenChain will enable best practice sensible defaults to orgs investing in open source.

OpenChain is an auditable system of recording provenance, modification and license of digital assets and has now been approved as ISO standard "ISO/IEC 5230" (https://www.iso.org/standard/81039.html). This ISO certification is based on the ability to audit software to ensure it can be used for its intended purpose. Compliance enables the user to understand their licence obligations, which is vital when using open source for professional and business-critical applications.

Stuart Mackintosh, DITO lead, explains: "Open source is free to use and distribute, but what if there is a different licence or specific restrictions or caveats being used in one component of a solution, such as an open-source modified licence? For example, when an Open Source licence has the caveat of not being used to generate profit or to cause harm.

"Without a licence audit such as OpenChain, an organisation can't confidently determine if they can use, support or distribute software, without inadvertently contravening a licence."

Open-e-REACT, an electronic patient observation solution developed using the DITO process under the custodianship and governance of the Apperta Foundation, is open source and stores clinical data using open standards. It is due to be launched to the market in 2021. Through the Custodian Model, all health and care organisations can both use the product and contribute to its development, either directly or through an implementation partner.

David Jobling, Apperta Foundation, commented: “The OpenChain process is crucial in the development of an application like this so as part of the DITO project we are creating automated tools that will enable organisations to complete the audit of open source code required for the Openchain ISO certification, in a manner which is more effective to implement than if the auditing was attempted with manual or human processes. Any software developed through the Custodian Model will be automatically scanned to ensure ISO standards are met. This is integrated into the Accredited Professional Services Partners software deployment process.”

The DITO team worked with OpenUK, the UK Open Source industry association and Moorcrofts, one of Europe's leading open Source legal practices, to develop and support the Open-e-React OpenChain compliance.

Mackintosh comments: “It is essential that health and social care organisations have confidence that the compliance position is appropriate for their use. As with software security, licensing clarity should be a critical factor for purchasing decisions.”

About DITO

The Develop in the Open (DITO) project (supported by Innovate UK) was set up to advance how the Custodian Model can be used effectively and to develop an outline process and set of best practices. Led by OpusVL, the clinical partners are South London and Maudsley NHS Trust, the Cheshire and Wirral Partnership NHS Trust, research partner Coventry University, the Apperta Foundation, and OpenUK. More is at dito.

Sources and references

• https://www.iso.org/standard/81039.html