Open-source code, the foundation of software used in the digital health industry, is a “double-edged sword” if there ever was one. 

Open-Source Code: A Boon

Open-source software code (software whose source code is publicly accessible, allowing anyone to view, use, modify, and distribute it often under specific licensing terms) forms the backbone of the digital economy and has been a key factor in the explosive growth of digital health solutions. Leveraged by developers for a myriad of reasons, open-source software (OSS) code is most frequently used to accelerate product development, enhance code security and reliability, and significantly reduce development and operational costs. With 78% of businesses globally relying on open-source software, contributing an estimated $60 billion in savings for businesses annually, serial health IT entrepreneur and current President & CEO of the IT startup company TripleKey, Scott McCullough, is sure OSS will “forever be a cornerstone of modern technology”. 

Open-Source Code: A Bane

Yet, OSS code is not without its challenges.

While it is clearly understood how OSS can hasten software development and product launch timelines, properly vetting open-source code to satisfy the increasing demands for SOC 2 (System and Organization Controls 2) compliance in vendor contracting can take significant time and resources. Yet it is the due diligence burden around software intellectual property (software IP) and licensing that is a “blind spot” of particular concern for digital health vendors, according to McCullough.

Software IP covers any computer code, program, or application legally protected against unauthorized use. Though software IP can belong to the company that either created the software or purchased the rights to it, disputes about IP ownership can and do frequently arise when software code changes or updates are challenged, and when software IP licensure agreements are unclear or appear to have authorship issues. This concern is highlighted by one study, which found that around 54% of codebases contained open-source code with license conflicts.

While SOC 2 compliance is a key factor in ensuring the secure and responsible use of OSS by a vendor, McCullough notes that it is “the rapid rise of artificial intelligence (AI), its deep integration with OSS and the murky relationship with patentable subject matter that is particularly concerning about the future of software IP ownership in an AI-driven world”. Unfortunately, too many software companies overlook the due diligence required around open-source licenses. This concern is particularly applicable to startup healthcare IT ventures, McCullough claims. “As startup principals understandably prioritize the creation and launch of their products, it’s not uncommon for them to neglect to properly identify and protect IP assets. As a result, vendors might unknowingly violate licensing agreements resulting in costly legal disputes”.

McCullough notes OSS licensing violations can be “particularly challenging with ‘copyleft’ licenses” (open-source licenses that allow free use and distribution but require any modifications or derivative works to be released under the same license). Integrating code under a copyleft license can obligate a vendor to release its own proprietary code under the same open terms, unintentionally undermining patent protection and causing loss of IP exclusivity.

McCullough further notes software IP concerns are also significant when considering upstream OSS contributors. “It’s not uncommon for open-source code contributions to come from a distributed global network of volunteers. This diffuse provenance makes it difficult to establish a clean chain of title and IP ownership. A single contributor's code, if not properly licensed, can stain an entire product's IP standing”. 

Clearly, vendors must be vigilant about reviewing the origins of all open-source components their developers use.

The Burden of Verifying IP Ownership

Given the significant risks of unclear IP ownership, Scott strongly encourages digital health vendors to verify and track their software IP, a process involving extensive searches of databases to confirm software IP originality, ownership, and protection potential. That said, McCullough is quick to acknowledge that verifying software IP is a “daunting and resource-intensive task”. “The sheer volume of code used by various developers”, he asserts, “makes this an arduous task”. Scott further notes this is complicated by developers using “a blend of proprietary software, third-party vendor solutions, and open-source applications; each with unique licensing requirements making IP management challenging”. Add to all this the absence of a centralized, dedicated license monitoring system, combined with frequent software updates, and the process of verifying IP ownership becomes “an administrative nightmare”.

The Need for an Automated IP Ownership Verification Solution

Clearly, software vendors need a robust automated solution to streamline software IP verification: a tool designed to provide clarity and transparency about the ownership and licensing status of their software.

With that in mind, McCullough offers a few critical issues to keep in mind when reviewing requirements of an automated software IP ownership verification solution:

1. Compliance with healthcare regulations

The tool should ensure compliance with healthcare-specific regulations such as HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation), as well as other industry standards. It should verify that the software adheres to these legal requirements, protecting both patient data and hospital operations.

2. Accuracy and thoroughness of IP verification

The tool should accurately verify the IP status of all software components. This includes checking open-source licenses, proprietary software components and any third-party dependencies to ensure that the software ecosystem is properly licensed and free from any IP infringement risks.

3. Reporting and documentation capabilities

The tool should generate clear, detailed, yet easy-to-understand reports that outline any IP-related issues, such as license violations or unlicensed software. These reports should be customizable and easy to audit, helping IT and non-IT leaders make informed decisions and mitigate any potential legal risks.

4. Real-time monitoring and alerts

A robust IP verification tool should offer real-time monitoring and automated alerts for any changes in software licenses so organizations can quickly implement corrective actions should issues arise.
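As an added example that is not part of the article or of TripleKey’s product, the Python below shows the core of what items 2 to 4 ask for: it reads a CycloneDX-style SBOM (an assumed format), flags the copyleft and undeclared-license components that the article warns about, and diffs two inventory snapshots so a license change in a dependency update raises an alert. The SPDX policy sets and the two sample SBOMs are constructed for illustration.

```python
"""Added example, not TripleKey's product: audit a CycloneDX-style SBOM (assumed
format) for copyleft and undeclared licenses, and diff two snapshots for changes."""
import json

# Partial SPDX identifier sets, constructed for illustration only.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

def classify(spdx_id):
    """Map an SPDX id to the obligation class a license reviewer cares about."""
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"  # derivative works must ship under the same license
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"    # changes to the component itself must be shared
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "unknown"              # undeclared or unrecognised: chain of title unclear

def licenses_of(component):
    """Declared SPDX ids of a component; no usable declaration counts as NOASSERTION."""
    ids = [lic["license"]["id"] for lic in component.get("licenses", [])
           if "id" in lic.get("license", {})]
    return ids or ["NOASSERTION"]

def audit(sbom_json):
    """(name, version, license, class) for every component that is not permissive."""
    return [(c["name"], c["version"], lid, classify(lid))
            for c in json.loads(sbom_json)["components"]
            for lid in licenses_of(c) if classify(lid) != "permissive"]

def license_changes(old_sbom_json, new_sbom_json):
    """Components whose declared license set differs between two SBOM snapshots."""
    def index(doc):
        return {c["name"]: set(licenses_of(c)) for c in json.loads(doc)["components"]}
    old, new = index(old_sbom_json), index(new_sbom_json)
    return {n: (sorted(old[n]), sorted(new[n])) for n in old.keys() & new.keys()
            if old[n] != new[n]}

# Constructed sample inventories: two releases of a hypothetical product.
SBOM_V1 = json.dumps({"components": [
    {"name": "httpkit", "version": "1.4.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "fhir-parse", "version": "0.9.2", "licenses": [{"license": {"id": "LGPL-3.0-only"}}]},
    {"name": "pdfgen", "version": "2.1.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "legacy-crypto", "version": "0.1.0"}]})       # no license declared at all
SBOM_V2 = SBOM_V1.replace('"LGPL-3.0-only"', '"GPL-3.0-only"')  # relicensed upstream
```

Running `audit(SBOM_V1)` yields the three non-permissive findings and `license_changes(SBOM_V1, SBOM_V2)` reports the fhir-parse relicensing, which is the kind of event item 4 wants surfaced before the next release.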

What Leaders Can Do

Vendors in the digital health sector must carefully consider the role open-source software plays in their product strategy. This involves a sophisticated evaluation of the benefits of community-driven innovation against the potential risks related to intellectual property dilution, regulatory challenges, and liability issues. A good starting point is to identify areas of uncertainty and seek expertise from professionals such as patent attorneys, regulatory consultants, and technical advisors. This should be complemented by investing in automated tools for managing open-source licenses and conducting security scans, such as the one offered by TripleKey.

With these fundamentals in place, McCullough firmly believes digital health vendors will be “well positioned to use open-source code as a sustainable strategy to significantly enhance innovation while at the same time safeguarding vital intellectual property. A critical factor in assuring the market that one’s software code is positioned for success in a dynamic and rapidly evolving digital health industry”.

Whose IP Is It Anyways? Digital Health’s Coding Blind Spot