NHS Users

MacDonald, Nicola

unread,

Jan 12, 2022, 8:58:52 AM1/12/22

to ope...@googlegroups.com, Singh, Harkirat

Hello,

We’re still struggling to implement OpenREM in NHS Lothian, the current issue is our Health Board’s unwillingness to allow open source software to be used. The most recent reply I got stated

“Thanks for your email but NHS Lothian Digital IT Security policy states:

“Unless exceptional circumstances exist, NHS Lothian does not permit the use of shareware or freeware software packages on the infrastructure, as it is often difficult to assess the risk that these packages may have on the infrastructure.”

The Scottish Government also audits us yearly and all software we use must be fully licensed & supported by a supplier and provided with regular updates/security fixes. There is also a mandatory requirement to patch within 14 days of an update being released for a critical or high risk vulnerability.

If this software is used in other hospitals/boards, then it would be useful to see their completed risk assessment(s) and how they manage the risks, which may provide us with some assurance.”

Are you able to give me an idea of how many other UK Trusts/Boards use the system and any names of people I can contact for information on their risk assessments?

Thanks,

Nicola

--------------------------------------------------------------------------------------------------------------------------------------------------------
This email is intended for the named recipient only. If you have received it by mistake,
please (i) contact the sender by email reply; (ii) delete the email from your system; .
and (iii) do not copy the email or disclose its contents to anyone.

--------------------------------------------------------------------------------------------------------------------------------------------------------

Ed McDonagh

unread,

Jan 12, 2022, 5:43:35 PM1/12/22

to ope...@googlegroups.com

Hi Nicola

Sorry to hear that your IT department/Board policies are not helpful in this regard. The language used in the policy also demonstrates a likely lack of understanding of open source software.

Addressing the requirements stated:

The OpenREM software is fully licenced
The support from the supplier (the OpenREM development team) can only extend to email support like this, on a best endeavours voluntary basis.
Updates and security fixes cannot be guaranteed within a particular time frame.

I have not needed to complete a risk assessment along the lines described for using the software at my institutions, so I can't help you there.

I wonder if maybe putting a message on the MED-PHYS-ENG mailbase asking for examples of Scottish Health Boards or NHS Trusts that have explicitly approved the use of open source software might be a good idea?

One option, if required and desired, would be to procure the services of a software company that will provide you with a support contract for OpenREM. I have not had the discussions recently, but a few years ago I spoke with some people who would be interested in such a relationship.

I don't have a list of current NHS Trusts using OpenREM, as there is no obligation to tell me or the team that you are using the software. Hopefully some of the people reading this might respond to you?

Sorry I can't give you exactly what you need to make progress!

Kind regards,

Ed

--
You received this message because you are subscribed to the Google Groups "OpenREM" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openrem+u...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openrem/LO4P123MB530358570906BAE485796952F3529%40LO4P123MB5303.GBRP123.PROD.OUTLOOK.COM.

dpla...@gmail.com

unread,

Jan 13, 2022, 3:36:17 AM1/13/22

to OpenREM

Hi Nicola,

Andrew Reilly's IQWorks project is open source, and written whilst he was working in Scotland. I imagine that is still in-use.