Securing software foundations for future healthcare services
Established in 1987 and now part of EMIS Group, Egton Medical Information Systems provides the software and IT services that support over 5,000 healthcare organisations across the UK. As a UK wide technology provider to GP practices, community care and social care providers in the NHS and public eHealth and Care organizations, the Group has invested in the future of digital health technology through expansion of its product management, technology innovation and software engineering roles. This part of the Group has grown from 22% to 37% of the organization from 2018 to 2019. Headquartered in Leeds, EMIS impacts millions of patients and clinicians. Providing patient-facing services, improving mobile working and enabling access to real-time clinical data, EMIS is in the vanguard of making information instantly available for healthcare professionals to do their jobs effectively and ultimately improve patient health, now and tomorrow.
EMIS has a large in-house software development team of over 600 developers building code multiple times on a daily basis, innovating and maintaining 100s of applications. Almost every project built is underpinned by open source software that enables forward thinking companies to innovate and grow. They use several frameworks in Go, Python, and .NET development and the variety of languages and tools has been evolving.
“We needed continuous monitoring of open source risks that could catalyse our team's productivity in shipping software reliably, confidently and securely. That's what Meterian delivered.”
Principal Solutions Architect | Egton Medical Information Systems
The Challenge: Managing and monitoring open source component consumption policy
Rachel Warrington, Head of Technical Quality Assurance, at EMIS explains the challenges her teams were facing before discovering Meterian: “Before implementing Meterian's solution, we relied on GitHub Security and would manually check with developers the open source components and copyright licences they were using. As we grew and since investing in a digital transformation project to bring the next generation of healthcare technology to primary and secondary markets of GPs and pharmacies across the UK, we knew we needed a faster and more scalable solution.”
“Our manual approval process was time consuming, and eventually we reached the point where anyone requesting permission for use of a new component was denied. We just didn't have the time to identify or analyze the specific components for security and licence risks. One worry I had was if we didn't find a solution, people would stop caring about risks we couldn't control and therefore lose confidence in the software the team would release. Over time this can have a knock-on effect for customer trust and goodwill in our technology and services."
Chris Watts, Principal Solutions Architect at EMIS first started looking at third-party dependencies management tools on the market to avoid licence infringement of open source libraries used by their application development teams. When his team used Meterian's solution to mitigate licence compliance risk, developers also appreciated the security and stability risk scores which cast a light on areas they would not have thought to address as part of their day-to-day development. He explained, “In providing technology solutions to physicians, pharmacies and patients, we want to be able to lead the way quickly and confidently. Our teams take pride in supporting the NHS and patients across the UK by bringing the best next generation of healthcare services technology to our customers.”
The Solution: Meterian delivers precise information on open source copyright, licensing and provides automated policy compliance checks in minutes
As a forward-thinking company leveraging software technology to continually innovate its business services to meet the health industry's demand for online solutions, EMIS must deliver secure and stable apps with software licences in good order.
A vulnerable open source component could be several levels deep in the supply chain. Manually researching in the code beyond the first or second level of software dependencies to check for compliance is impractical. Laborious. Error-prone. Absolutely not a good use of human labour when such tasks can be automated. With Meterian, every developer has immediate access to security, stability and licensing risk information about their application's components. Since each developer could immediately see which issues created real risks, they could take action immediately.
"Fortunately, Meterian's analysis reports tell you right away if there is a safe version of the component available. This saves us a great deal of time: not having to hunt for a solution that already exists or just knowing that we must make our own solution," said Rachel. "Our customers benefit from high quality products without known vulnerabilities that could result in a cyber exploit.” She further emphasised, “It is paramount we avoid any risks of legal lawsuits due to software licence violations."
Since Meterian fits in seamlessly with EMIS' development workflow -- using GitHub, Jenkins, as well as Meterian's GitHub Actions integration -- development teams benefit from automated and continuous compliance to EMIS' software governance policies with respect to security and intellectual property.
By removing known risks in the dependencies used by their open source frameworks and libraries, Meterian helps organisations build and maintain high expectations in the trust and confidence in the software released. It also reduces the stress and frustration that developers may suffer as a result of problems that become humanly unmanageable.
Developers love to do creative work and solve interesting problems, but software often has bugs: new vulnerabilities are discovered daily, software components need updates, and periodic upgrades are required. They appreciate that early identification of security vulnerabilities and licence risks minimises re-work. When such issues are discovered later in the product life cycle, entire modules or features may need to be rewritten.
Information rich reports help EMIS automate compliance
Easy to read reporting streamlining security and licence compliance management
Rachel explained the concerns of quality control and risk management for the company: “If a known risk results in an IP or data breach, that can have terrible consequences that are very costly and difficult for the business to recover from. Since open source software components can change anytime and new vulnerabilities are found daily, it's critical for our product quality control to stay up-to-date. With Meterian, developers are empowered to assure the security of all the open source dependencies they use in their code every time they build the code. That's a significant time savings and peace of mind worth having for everyone's benefit -- us, our customers, and their customers too.”
Meterian's automated solution helps EMIS reduce their security, stability and licensing risks in the open source software supply chain continuously. This makes the EMIS application portfolio and development team sustainable and more resilient to changes, such as reorgs and product changes.
Chris loves how all the developer and QA teams can use one tool. “We use several frameworks in Go, Python, and .NET development, and so the sheer number of open source components that need assuring is humanly impossible to manage. With automation, Meterian allows us to keep pace with developers consumption of open source components
and catalyse secure development practices within our teams.”
The Outcome: EMIS automates legal and security compliance in its development practice
EMIS benefits from automated legal and security compliance checking of its open source software dependencies with Meterian integrated in its software development process. Applications get security built in from the start and continuous checks maintain their secure posture to fend off cyber and legal risks. This is an important investment, as part of their digital transformation project, to ensure they can innovate for the future of healthcare in the UK and beyond.
Rachel and Chris are happy to see that software development, quality control, and compliance teams gain valuable insights about the software supply chain in the applications they develop. Chris added, “With Meterian's platform, we can continue to operate our software development pipeline at a high velocity that scales with the growth of our team and the pace of our business. We're very excited that Meterian manages the security and legal compliance checking so we can keep innovating for our customers.”
〉Location: Leeds, UK
Head Of Technical Quality Assurance
Egton Medical Information Systems
“When it comes to health checks and automobile MOTs, usually these are done annually at best. For software risks, we believe it is imperative to always evaluate the licensing and security of the open source components we're using. As new issues and vulnerabilities appear everyday, we love how Meterian fits into our developers' continuous workstream of software development.”