Canadian Hospitals Must Shift to Open Source Health IT
Canadians' health information is mostly digital now and stored in systems powered by American technology giants with dubious intentions
Open-source software can cause discomfort for those who don’t understand the specifics of how software works – which is to say most people. This unease is very understandable. It makes a lot of sense when you hear there are two types of software, one being secret or private (closed-source) and the other being publicly accessible (open-source). Based on this information it is fair to draw the conclusion that using open-source software leads to a less secure computer system.
Professionals more qualified and intelligent than I have already settled this debate, and I don’t have anything new to add, but to save the reader from having to do their own research I can (hopefully) summarize the basics in three quick points.
1) More Eyes Are Better
Having code be open-source means that professionals can scrutinize it and point out flaws or vulnerabilities before they can be exploited. Open-source developers have long worked collaboratively to support each other’s work, and a huge amount of the fundamental software that is used today, even by companies making their own closed-source software, is directly open-source or based on open-source software. Research shows that open-source software makes up 40-60% of the software used across the various disciplines of software engineering [1].
2) Software is Open-Source, Your Data Isn’t
When a piece of software is open-source that does not mean that any information the user puts into it is public. One might think making your computer code public is like hanging your key outside your front door so anyone can copy it but that isn’t an accurate analogy. Passwords, user data, everything that is specific to your usage of the software is still as secret as you want it to be. In fact, open-source gives a stronger guarantee that secrets remain private because if software is closed-source you can’t know for sure how the software stores information like passwords; they might be poorly encrypted or even intentionally being handed over to the owner of the software.
3) Security is not Achieved Through Obscurity
Proper code cannot be “hacked” even if it is fully available to the bad actor trying to infiltrate the system. To continue with the home security analogy, a closed-source house could mean you hide the front door and windows so no one can even begin to try and enter.
This might still sound like an improvement, but in reality, if you have to go through a maze or some other complicated steps just to get to your front door, you might not want the extra burden of remembering and using a key, so you might end up leaving your door unlocked, thinking ‘no one is going to make it to the door anyway’.
The best way to ensure your home is safe is to keep your key safe and build the doors and other access points with strong materials so they can’t be broken into. The same is true for software.
Hopefully this provides a decent understanding of why open-source software is trusted by the vast majority of technology professionals. I encourage you to investigate deeper into this topic with some of the sources included at the end of this article, but for now let’s get to the original point.
The Need for Open-Source Healthcare Systems
In addition to the above reasons for open-source being a more secure and reliable choice, the most obvious one has become extremely relevant in today’s geopolitical landscape: freedom from corporate control. All of the traditional technology giants are based in the United States and have a long history of questionable decisions regarding how they make use of the data their software collects. Now consider recent threats to Canada’s sovereignty alongside the increasing use of executive and legislative powers to force American companies to surveil not only their own citizens but also those outside their borders – including in Canada.
This situation, where citizens' most private data is controlled by any corporation, should never have been permitted, but we’ve also allowed these corporations to be almost entirely beyond our government’s reach if it ever did choose to try and enforce better protections.
Most Canadian hospitals, as well as many other healthcare institutions from clinics to labs to pharmacies, rely on a piece of software called EPIC [2]. It is a type of Electronic Medical Record (EMR) software that integrates many different functions that a hospital requires (patient charts, medication orders, maintenance, etc.) into one single application. Some may be more familiar with the public-facing application MyChart, which is basically the patient-facing side of EPIC where you can access some of your health records (if your provider makes them available) as well as things like upcoming appointments.
Of course, EPIC adheres to our privacy laws and most of the larger healthcare institutions will run their instance of EPIC’s software on an isolated server here in Canada, thereby not using any of the cloud-based servers EPIC offers and maintaining privacy for patient data. But some smaller providers are likely using these EPIC-run servers, and given the rapidly declining situation regarding human rights in the USA, it is not inconceivable that in the near future the US government decides it wants health data on a Canadian and the EPIC corporation will have no choice but to hand over what they have.
A much worse, and hopefully less likely (but not unlikely enough to consider it far-fetched), possibility could see the government requiring an American EMR company like EPIC to secretly build a backdoor into their software so that even the instances running on secure servers in Canada are “phoning home” to American servers and providing data on Canadians.
Concerns regarding American healthcare IT giants misusing patient data are only heightened when you learn that the top two companies in terms of EMR market share, Cerner and EPIC, have close ties to the Trump White House. The 2nd largest EMR in the USA [3], Cerner, belongs to the Oracle corporation [4], which began as a CIA project [5] by Larry Ellison – who has gone on to defend the NSA’s mass citizen surveillance programs [6] and has donated record-breaking amounts to Trump-friendly Republicans since 2016 [7]. Meanwhile the largest EMR provider in the USA and Canada [2][3], EPIC, was one of the first companies to willingly sign on to the White House’s initiative to create a unified digital health system [8] and while it is framed as an initiative to reduce barriers for patients accessing their health records – any healthcare company going out of its way to work with the same administration that pushes conspiracies about pandemics, autism, and in general destroys confidence in healthcare cannot be trusted.
The Open-Source Alternatives
The purpose of writing this is not to cause fear that our health data has already been, or is about to be, stolen. From all we’ve seen of the new age fascist movement emerging in America, its members are still heavily prone to infighting, and I feel safe saying that they aren’t competent enough to get away with anything on the scale of stealing massive amounts of Canadian health data, at least not without getting caught fairly expeditiously. Still, I don’t think we should sit back and wait for them to learn – and the good news is we don’t have to.
There are several widely used, well tested, and open-source EMR systems, including one that was developed here in Canada. This program is called OSCAR McMaster (Open Source Clinical Application and Resource) and is intended for use in primary care clinics or doctor’s offices, but has the core features that could be extended to serve larger institutions like hospitals [9]. There is also a pretty popular open-source software called “OpenEMR” that is accredited / certified for use in the United States [10].
None of the existing software solutions are ready to be implemented in a large inpatient hospital setting tomorrow, but they could be extended to meet the needs or at least provide a strong reference point to build a new system. Even huge systems like EPIC and Cerner take months, if not years, to customize to the needs of a hospital when first being adopted.
OSCAR McMaster has been in development since 2001, and since it is led by a team out of McMaster’s Family Medicine department I can see no reason why they would not share their expertise and insights with a Canadian hospital/team looking to bring more open-source software to healthcare providers. It is very possible to create a usable open-source solution for healthcare institutions; the only part missing is buy-in from hospitals.
The Case for Switching
It is only in the past 10 – 15 years that the vast majority of Canadian hospitals made the switch from their legacy systems to EPIC. Even though EPIC is a massive corporation with an estimated 45% market share in the USA [3], the process to adopt it in Canada was not quick, simple, or painless. The transition took some hospitals almost a decade, as there are always parts that lag behind and need to be customized or worked around for various reasons that are specific to the institution.
If the same time and energy were put into developing a solution that the hospital fully owned and controlled, the freedom would be more than worth it. Even when using a solution like EPIC, which is supported by a massive corporation, hospitals still need to maintain a large team of technicians and specialists to perform maintenance and other support functions. This is on top of the massive fees that hospitals have to pay to use EPIC, which are estimated to be between $5 and $20 million to implement, and around $200,000 annually [11][12]. All of the reasons that typically hold organizations back from adopting open-source software (being responsible for your own servers, maintenance, and security) are unavoidable in this case even when using proprietary software because of the privacy standards healthcare institutions must meet.
Even ignoring the sovereignty and privacy concerns that have become more immediate in the second Trump presidency, the benefits of a hospital fully owning its EMR are clear. The only clear downside is that it will be another large undertaking to shift from existing systems to a new one. That undertaking, however, pales in comparison to the prospect of having to make a switch to a new EMR if the existing ones we rely on are suddenly compromised.
There are two paths ahead of us:
1) Remain dependent on proprietary software to run our healthcare systems
On this path we have to hope that no threat to our healthcare data ever comes from the American government, despite already documented cases of American agencies taking shocking steps to obtain Canadians’ personal data through large technology companies [13]. If a threat were to occur, we would be forced to develop our own software in a rushed manner, potentially requiring hospitals to move back to pen-and-paper until the new system is ready to implement.
2) Develop home-grown software solutions that better meet our healthcare systems’ needs
In the worst case scenario, we undertake a large project to transition hospitals away from proprietary technology and no privacy threat ever occurs from the USA. I believe that even in this case we still come out ahead because it frees our hospitals from the massive expenses that come with using the proprietary software. If executed properly, it could even lead to a source of income as our hospitals could serve as a consultant and support service for other institutions worldwide that want to follow our lead.
The Choice is Clear
I believe the choice is clear, but I’m not claiming it is easy. With a topic as large as this there are too many factors and moving parts to ever know with 100% certainty what the right thing to do is. No one would have taken claims that the USA would be thought of as a top threat to Canada’s security seriously 10 to 15 years ago when hospitals were making the choice to adopt EMRs like EPIC.
What is true is that the benefits of open-source software have remained the same since the advent of computing. I also believe, though I lack the resources to perform a survey to prove it, that most Canadians will always believe their healthcare data is safer when fewer parties outside of their care team have control over it. Barring any planet-wide society-altering events (aliens invading, a mass collapse of every technological system, etc.) where we will have far greater concerns to attend to, shifting to using open-source EMRs in Canadian hospitals will bring benefits to hospitals, healthcare workers, patients, and the country as a whole.
We just need the courage to commit to making it a reality.
If you made it this far, you should also check out this article from The Conversation about open-source software in Canada's healthcare system:

More About Open-Source Software
You can check out the following resources to learn more about how open-source software is viewed within the software development field.
Open-source software: why it matters and how to get involved
The Alan Turing Institute | https://www.turing.ac.uk/blog/open-source-software-why-it-matters-and-how-get-involved
Blog: The State of Open Source Software in 2025
The Linux Foundation | https://www.linuxfoundation.org/blog/the-state-of-open-source-software-in-2025
The Pros and Cons of Open Source Software Development
Free Code Camp | https://www.freecodecamp.org/news/what-is-great-about-developing-open-source-and-what-is-not/
References
[1] The State of Global Open Source 2025, The Linux Foundation (https://www.linuxfoundation.org/hubfs/Research%20Reports/2025GlobalSpotlight_Oct-27-2025%20V4.pdf?hsLang=en)
[2] Top 10 EHR vendors in Canadian hospitals, Definitive Healthcare (https://www.definitivehc.com/blog/top-canadian-hospitals-ehr-vendors)
[3] Most common hospital EHR systems by market share, Definitive Healthcare (https://www.definitivehc.com/blog/most-common-inpatient-ehr-systems)
[4] Oracle buys Cerner, Oracle Acquisitions (https://www.oracle.com/ca-en/corporate/acquisitions/cerner/)
[5] The life and career of Oracle's Larry Ellison, Business Insider (https://web.archive.org/web/20230418233555/https://www.businessinsider.com/rise-of-oracle-founder-larry-ellison-2017-1)
[6] Oracle’s Larry Ellison talks about Edward Snowden, isn’t a big fan, Tech in Asia (https://www.techinasia.com/orcales-larry-ellison-data-privacy-working-japan)
[7] Larry Ellison pumps $15M into super PAC aligned with Tim Scott, Politico (https://www.politico.com/news/2022/02/19/larry-ellison-pumps-15m-into-super-pac-aligned-with-tim-scott-00010377)
[8] White House, Tech Leaders Commit to Create Patient-Centric Healthcare Ecosystem, Center for Medicare and Medicaid Services (https://www.cms.gov/newsroom/press-releases/white-house-tech-leaders-commit-create-patient-centric-healthcare-ecosystem)
[9] OSCAR-EMR Overview, McMaster University Family Medicine (https://fammed.mcmaster.ca/oscar-emr/)
[10] OpenEMR Features, OpenEMR (https://www.open-emr.org/wiki/index.php/OpenEMR_Features)
[11] Epic EHR Cost 2026: Complete Pricing Guide & Budget Analysis, Taction (https://www.tactionsoft.com/blog/epic-ehr-cost/)
[12] How Much Does Epic Cost | Implementation & Integration Guide, Folio3 Digital Health (https://digitalhealth.folio3.com/blog/how-much-does-epic-cost/)
[13] Canadian sues U.S. Homeland Security, which allegedly sought his Google data after critical social media posts, CBC News (https://www.cbc.ca/news/world/us-dhs-aclu-lawsuit-canadian-john-doe-9.7187851)
Additional Relevant Context on Canadian Data Privacy
The issue of Canadian Data / Information Privacy is being covered in outlets that lean towards both the traditional right and left. It is a widely acknowledged issue yet action from decision makers in government and industry remains minimal.






