One principle of bazaar economics (vs. cathedral) is "given enough eyeballs, all bugs are shallow" (Linus's Law). Caveats: you need experienced eyes sometimes; and "shallow bugs" is a mixed metaphor, unless we mean we see insects as psychologically immature.
Earlier in my career, back in the Free Geek days under Ron Braithwaite, MMT tried to get some good alchemy going twixt FOSS and nonprofits (NGOs as some call 'em, though in some cases that N|G barrier is difficult to detect (in part thanks to revolving doors in HR)).
We got a great client and dove in with gusto: Postgres, SQL Clinic, a pipeline from Access, Perl front end (this was also pre-AJAX, not sure how it developed since, as we went our separate ways (I'm not much of a Perl diver or whatever they call themselves -- "mongers" or like that)).
MMT = Meyer Memorial Trust by the way, a major charitable foundation in our neck of the woods. Staff there sees itself paying over and over and over for the same software solutions, whereas in open source world, many of those same mortgages have been paid off, are now owned free and clear. Apache for example. And of course Python. MySQL. OpenOffice.
So what's happening is medical specialists will band together within and across hospital systems to agree on registries, basically data dictionaries guided by research needs and standards. The point is to do follow-up, to get good feedback about what seems to work best, in terms of treatments, yes, but also in terms of brand name devices, even serial numbers.
Patients' true identities, on the other hand, are on the other side of a firewall. It's like playing Sims, but with real data. You don't get to know, don't need to know, who each person is, in order to do outcomes research. This is an old practice in medical literature: patient names are changed to protect anonymity, and yet doctors still learn plenty from the case histories.
At Free Geek, we mocked up gobs of data (that was one of my jobs), so we could simulate a work experience, without actually violating anyone's privacy.
Then we built this secure pipeline that could be run again and again, that'd pipe legacy data (from Microsoft Access) into a powerful multi-user database server (Postgres in this case). The client could run that at several points along the way, to get a feel for the new program, as if it were ready to go live tomorrow.
My expectation is more health systems, in an effort to use resources more efficiently, in ways of benefit to patients and staff alike, will turn increasingly to open source solutions where appropriate. That doesn't mean the end of proprietary systems.
Also "source" is only "open" if you have the training and/or interest to read in those languages, so although many of these projects will be open to public scrutiny at some level, it's still an insiders' game much of the time. Having some of the common assets be open doesn't mean one must surrender all secrets.