In Reply: We thank Mr. Eack and Mr. Singer for expressing their concerns about the use of open-source software, and we're grateful to have an opportunity to discuss these issues further. They state that our "assumption" that open-source is cheaper, easier, and more customizable has limitations. Our reasoning is not based on an assumption. It is based on experience. SQL Clinic has been running in our shop for several years, and we have successfully helped other agencies run it.
Editorial considerations prevented our elaborating on the cost of implementation. In regard to the concerns raised by Mr. Eack and Mr. Singer, Saint Vincent's Catholic Medical Centers (SVCMC) offers inexpensive support packages that include customization. The goal is to help customers find and train a database administrator who is able to do in-house customization, which is now much easier to accomplish. The tools used in SQL Clinic are so ubiquitous that many younger programmers already have some degree of proficiency.
The approach used in SQL Clinic is documented in MySQL and Perl for the Web by Paul DuBois (1). The cost of Web and database servers is negligible, as SQL Clinic does not require expensive hardware. SVCMC paid $1,600 two years ago for our small IBM e-server X225, which is still running very well with large amounts of data stored on it.
Mr. Eack and Mr. Singer caution that "free" software can quickly become costly. This is a common misconception. The track record of FOSS (free or open source software) is quite good, which is the reason that many municipalities in Europe and South America are switching to it.
Mr. Eack and Mr. Singer point out that HIPAA regulations require an unprecedented level of security, and they state that SQL Clinic transfers information in clear text. Web applications are not encrypted (or unencrypted). Encryption is done at the level of the transmission medium. SQL Clinic runs over 28-bit encryption when it is running on a Web server set up to use Secure Sockets Layer (SSL). Linux offers SSL as a standard feature of the Apache Web server package. Run SQL Clinic on https://your_private_network/clinic and you have the same level of encryption as an online bank. SQL Clinic has many other security features. Transactions are logged internally, in database tables. Clearance levels reflect the needs of the user (for example, caseworker or administrator). We should also mention that SQL Clinic is not run over the Internet, simply because it is a Web-based application. SQL Clinic is run most often on a private network—and behind a firewall when the network is connected to the Internet for e-mail and other purposes. We do not advise anyone other than experienced Internet Service Providers to run SQL Clinic over the Internet. It is unwise and unnecessary.
Finally, we agree with Mr. Eack and Mr. Singer that organizations considering open-source solutions should be sure that they are well informed. I encourage anyone with concerns to contact us directly, because we have doubtless confronted similar concerns in the process of developing SQL Clinic.
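The transport-level encryption and private-network deployment described in the reply above, expressed as an Apache httpd virtual-host configuration. This is an added illustration, not configuration shipped with SQL Clinic or written by its authors; it assumes Apache 2.4 with mod_ssl, and the host name, certificate paths, log path, and private address ranges are placeholders to be replaced for a real deployment.

```apache
# Plain HTTP is only used to send clients to the encrypted site.
<VirtualHost *:80>
    ServerName your_private_network
    Redirect permanent / https://your_private_network/
</VirtualHost>

# All application traffic is carried over SSL/TLS, so the Web
# application itself needs no encryption code of its own.
<VirtualHost *:443>
    ServerName your_private_network

    SSLEngine on
    # Placeholder certificate and key paths (assumed, not from SQL Clinic).
    SSLCertificateFile    /etc/ssl/certs/sqlclinic.crt
    SSLCertificateKeyFile /etc/ssl/private/sqlclinic.key
    # Disable obsolete protocol versions; modern clients negotiate TLS 1.2+.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Restrict the application path to the private network (RFC 1918
    # ranges used here as an assumed example); the firewall should
    # enforce the same boundary at the network edge.
    <Location /clinic>
        Require ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    </Location>

    # Web-server access log kept alongside the application's own
    # transaction logging in database tables.
    CustomLog /var/log/apache2/clinic_access.log combined
</VirtualHost>
```

The `Require ip` block and the firewall are complementary: the first stops the Web server from answering requests that arrive from outside the private address ranges, while the firewall keeps such requests from reaching the server at all. The protocol restriction reflects current practice and is independent of the key length negotiated by any particular client.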