Assessing Risk with OpenMRS Licensing

I’m putting together a presentation for my colleagues and came up with a few scenarios and want to make sure I’m correct with the risk based on how the license reads. Is there anyone well-versed in the realm of licensing that could make sure I understand and assess the risk correctly?

These are the two scenarios I’ve come up with:

Scenario 1:

As a developer, you have implemented a module that helps diagnose a patient. In error, you included logic that will misdiagnose a patient. Because of this error, a patient was misdiagnosed and the medical facility says your code is to blame. Both the medical facility and the patient want to sue.

So in this scenario, since the MPLv2 is used, Section 7’s “Limitation of Liability” has a liability limitation where the creators are liable in the case of death or injury. However, the Health Care Addendum removes the liability for death and injury but does not erase Section 7 so then would that make us still liable?

Scenario 2:

As a developer, you have created a search option in the Patient Module only available for Administrators. Unfortunately, this logic has introduced a Cross-Site Scripting (injecting a client-side script into a web page) vulnerability and privilege escalation to OpenMRS. A malicious actor has discovered this and dumped the patient database and is now threatening to leak it if the medical facility doesn’t provide payment for it.

In this scenario, since we are providing software “as is”, we would not be liable for any damages incurred.

Would I be correct in the understanding of these two scenarios? Any help would be appreciated.

Hi Ben, I am not a lawyer.

That said, your interpretations of both scenarios seem right.

I personally worked with the author of MPL 2.0 (Luis Villa) to ensure that the healthcare disclaimer worked exactly to support scenario 1. He’s an independent lawyer, so I personally feel comfortable with protection in this scenario.

Scenario 2 is a more general character of open source software.

In both cases, if a third party is looking to provide implementation services, they would take on the corresponding risk of the implementation. This hopefully will continue to drive those who benefit from the software to improve it and harden it as much as possible.

So far so good. 🙂


That’s my understanding as well (not a lawyer, but I’ve worked closely with a lawyer re: open source licences).

Note that a developer can choose to release their code/module under any compatible licence they prefer, regardless of the OpenMRS core licence. Same for every open source library we use.

We cannot re-license someone else’s code. Effectively, every piece of software that exists today is shipped with a myriad of licences.

So, Paul, even though Section 7 remains, there is no liability due to the Health Care Addendum?