1. Criteria & weights
Each project is scored 0–100 on eight axes. The composite score is the weighted average. For C3 (Cloud/Institutional Gravity), a higher score means the ecosystem is more neutral/local by default.
| Criterion | Weight | Description | What gets penalized |
|---|---|---|---|
| C1 — License & Governance | 10% | OSI FOSS license quality, forkability, capture-resistance; copyleft valued higher for server/network tools. | Open-core dynamics, enclosure paths, weak governance signals. |
| C2 — Self-Hosting & Offline / Air-Gap | 20% | Ability to run entirely on hardware under local control (LAN/air-gapped) without mandatory SaaS. | Always-online requirements; essential remote services. |
| C3 — Cloud / Institutional Gravity | 15% | What docs/ecosystem nudge toward by default: local neutrality vs big-cloud / institutional pipelines. | “Default = Google/AWS/Azure” patterns; institutional-first architecture. |
| C4 — Hardware / Closed-Device Independence | 10% | Commodity/open hardware support vs reliance on proprietary medical devices (CGMs, pumps, vendor stacks). | Required proprietary device ecosystems. |
| C5 — Privacy / Telemetry / Trackers | 15% | Privacy-by-default, no trackers/analytics, no “phone home” behaviors in typical builds. | Telemetry extensions, trackers, default analytics, opaque data flows. |
| C6 — Operational Complexity | 10% | How hard it is to deploy and maintain for a small node (home, clinic, community lab). | High admin burden; complex stacks; fragile upgrades. |
| C7 — Composability / Foundational Role | 10% | How well it serves as a building block (APIs, standards, modularity, extensibility). | Closed interfaces; hard-to-integrate vertical silos. |
| C8 — Community Maturity & Resilience | 10% | Longevity, active maintenance, releases, and a credible path to survival over 5–10+ years. | Single-maintainer fragility; stagnation; weak documentation. |
Interpretation rule: a low C6 score (high operational complexity) does not mean “bad”; it often means “heavy infrastructure”. A high C7 score marks a tool as strategically foundational even when its C6 score is lower.
2. Final ranking (composite score)
Composite scores are rounded to one decimal. Ties are allowed. A correction is baked in for Fasten OnPrem: the repository itself states it does not integrate with EHRs directly; it supports manual entry and importing FHIR bundles exported through other means, and the CCDA converter used for some imports is not open source.
| Rank | Tool | Composite | Tier | Cluster | Primary anchors |
|---|---|---|---|---|---|
| 1 | OpenTracks | 95.5 | Tier S | Personal primitive | F‑Droid · Site |
| 1 | Orthanc | 95.5 | Tier S | Imaging backbone | Site · Security FAQ |
| 3 | MITK | 95.0 | Tier S | Imaging framework | Site · GitHub |
| 3 | ITK | 95.0 | Tier S | Imaging library | GitHub · Software Guide (PDF) |
| 3 | VTK | 95.0 | Tier S | Visualization library | Site · License |
| 6 | Simpill | 94.5 | Tier A | Personal primitive | F‑Droid · Source |
| 6 | openScale | 94.5 | Tier A | Personal primitive | F‑Droid · GitHub |
| 6 | MedTimer | 94.5 | Tier A | Personal primitive | F‑Droid · GitHub |
| 9 | 3D Slicer | 94.0 | Tier A | Imaging workstation | Site · Telemetry extension |
| 10 | Weasis | 93.5 | Tier A | Imaging viewer | Site · License FAQ |
| 11 | GNUmed | 88.5 | Tier B | EMR backbone | Docs · Debian package |
| 12 | GNU Health | 87.8 | Tier B | HIS backbone | Site · FAQ (license/code) |
| 13 | SENAITE LIMS | 87.5 | Tier B | Lab backbone | Site · senaite.core |
| 14 | OHIF Viewer | 82.2 | Tier C | Imaging bridge | GitHub · GCP deployment guide |
| 15 | Fasten (OnPrem) | 82.0 | Tier C | PHR bridge | GitHub · Releases (CCDA note) |
| 16 | Nightscout | 74.8 | Tier D | Diabetes bridge | Docs · Cloud platforms |
| 17 | AndroidAPS | 74.2 | Tier D | Hardware-bound autonomy | Docs · Build guidance |
3. Full scoring matrix (C1–C8)
All scores are 0–100. Composite weights: C1 10%, C2 20%, C3 15%, C4 10%, C5 15%, C6 10%, C7 10%, C8 10%.
| Tool | Composite | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|---|---|
| OpenTracks | 95.5 | 95 | 100 | 100 | 100 | 100 | 95 | 80 | 85 |
| Orthanc | 95.5 | 95 | 100 | 95 | 100 | 95 | 80 | 100 | 95 |
| MITK | 95.0 | 90 | 100 | 100 | 100 | 100 | 75 | 95 | 90 |
| ITK | 95.0 | 90 | 100 | 100 | 100 | 100 | 65 | 100 | 95 |
| VTK | 95.0 | 90 | 100 | 100 | 100 | 100 | 65 | 100 | 95 |
| Simpill | 94.5 | 95 | 100 | 100 | 100 | 100 | 95 | 75 | 80 |
| openScale | 94.5 | 95 | 100 | 100 | 90 | 100 | 95 | 80 | 85 |
| MedTimer | 94.5 | 90 | 100 | 100 | 100 | 100 | 95 | 80 | 80 |
| 3D Slicer | 94.0 | 90 | 100 | 100 | 100 | 90 | 75 | 95 | 95 |
| Weasis | 93.5 | 95 | 95 | 95 | 100 | 95 | 80 | 90 | 95 |
| GNUmed | 88.5 | 100 | 95 | 80 | 100 | 90 | 60 | 90 | 90 |
| GNU Health | 87.8 | 100 | 95 | 75 | 100 | 90 | 50 | 95 | 95 |
| SENAITE LIMS | 87.5 | 95 | 95 | 80 | 100 | 90 | 55 | 90 | 90 |
| OHIF Viewer | 82.2 | 90 | 95 | 40 | 100 | 85 | 75 | 90 | 90 |
| Fasten (OnPrem) | 82.0 | 95 | 90 | 60 | 100 | 80 | 70 | 85 | 80 |
| Nightscout | 74.8 | 95 | 80 | 50 | 40 | 85 | 65 | 90 | 95 |
| AndroidAPS | 74.2 | 95 | 80 | 60 | 30 | 85 | 60 | 85 | 95 |
4. Tier map
Tier meanings are interpretive layers over the composite score.
Tier S (95+)
Structurally near-ideal: FOSS, offline/self-hostable, minimal gravity toward cloud, strong composability and longevity.
Tools: OpenTracks, Orthanc, MITK, ITK, VTK
Tier A (93–95)
Highly aligned. Minor deductions usually reflect optional telemetry, complexity, or mild dependency on commodity peripherals.
Tools: Simpill, openScale, MedTimer, 3D Slicer, Weasis
Tier B (87–89)
Backbone systems: extremely powerful, but heavier and more institution-shaped in workflows and ops burden.
Tools: GNUmed, GNU Health, SENAITE LIMS
Tier C (≈82)
Bridge layer. Useful, but ecosystem gravity or optional external services must be explicitly controlled.
Tools: OHIF Viewer, Fasten (OnPrem)
Tier D (≈74–75)
High-value autonomy in narrow domains, but structurally tied to proprietary devices, cloud patterns, or regulated supply chains.
Tools: Nightscout, AndroidAPS
How to read the tiers
Tier does not equal “importance.” Foundational toolkits can be strategically essential even when operational complexity is high.
The matrix is optimized for sovereignty + privacy + self-hosting first, not convenience.
5. Tool-by-tool analysis (with embedded links)
Each tool has a collapsible card with: composite score, the C1–C8 scores, and a short rationale. Links are embedded inside the relevant tool card (no link-dumps at the bottom).
OpenTracks
Tier S · Personal primitive · License: Apache-2.0 · Composite: 95.5
A sport tracking app explicitly framed around privacy: the F‑Droid listing highlights no Internet access, no ads, and an Apache‑2.0 license. The project also maintains an official website describing privacy-first sharing controls.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 100 | 100 | 100 | 100 | 95 | 80 | 85 |
Orthanc
Tier S · Imaging backbone · License: GPLv3+ · Composite: 95.5
A lightweight, open-source DICOM server positioned as a local “mini‑PACS” with a web interface, REST API, and a standalone architecture. The Orthanc Book provides explicit guidance on securing DICOM flows and REST API exposure.
Licensing nuance: Orthanc’s core server is GPLv3+; Orthanc’s own download page notes that some plugins/viewers may be AGPLv3+.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 100 | 95 | 100 | 95 | 80 | 100 | 95 |
MITK — Medical Imaging Interaction Toolkit
Tier S · Imaging framework · License: BSD-3-Clause · Composite: 95.0
A BSD‑licensed, openly developed imaging interaction toolkit and application framework built on top of ITK and VTK. Strong local/offline posture with a high composability score, balanced by a real operational/engineering footprint.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 90 | 100 | 100 | 100 | 100 | 75 | 95 | 90 |
ITK — Insight Toolkit
Tier S · Imaging library · License: Apache-2.0 · Composite: 95.0
A cross-platform toolkit for N-dimensional image processing, segmentation, and registration. As a library it has no inherent network surface: privacy properties are determined by the host application and deployment.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 90 | 100 | 100 | 100 | 100 | 65 | 100 | 95 |
VTK — Visualization Toolkit
Tier S · Visualization library · License: BSD-3-Clause · Composite: 95.0
A foundational scientific visualization toolkit used globally across research and industry. Like ITK, it is local by design; operational cost is in build/tooling rather than in data-leak surfaces.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 90 | 100 | 100 | 100 | 100 | 65 | 100 | 95 |
Simpill
Tier A · Personal primitive · License: GPL-3.0-only · Composite: 94.5
The F‑Droid listing states: no ads, no trackers, no data collection, and it works even if Internet access is blocked. Narrow scope (med reminders) but extremely clean from a privacy/offline standpoint.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 100 | 100 | 100 | 100 | 95 | 75 | 80 |
openScale
Tier A · Personal primitive · License: GPLv3 · Composite: 94.5
The F‑Droid listing states it has no ads and requests no unnecessary permissions; location permission is only used to discover Bluetooth scales and can be revoked after pairing. It does not require an account.
Note: there is an optional openScale sync add-on which can synchronize to external services (e.g., Health Connect / MQTT) — that is optional and not required for local operation.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 100 | 100 | 90 | 100 | 95 | 80 | 85 |
MedTimer
Tier A · Personal primitive · License: MIT · Composite: 94.5
F‑Droid describes MedTimer as fully offline and privacy-focused, storing all data on-device with no Internet connection required. MIT license, no ads, and local backups/exports.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 90 | 100 | 100 | 100 | 100 | 95 | 80 | 80 |
3D Slicer
Tier A · Imaging workstation · License: BSD-style · Composite: 94.0
A free and open-source platform for medical image data analysis, with a BSD-style license. Core usage is local/offline, but telemetry can be introduced via extensions (notably SlicerTelemetry), and community guidance emphasizes user consent when collecting usage data.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 90 | 100 | 100 | 100 | 90 | 75 | 95 | 95 |
Weasis
Tier A · Imaging viewer · License: EPL-2.0 / Apache-2.0 · Composite: 93.5
A multifunctional, modular DICOM viewer (standalone and web-based). The documentation states it is dual-licensed (EPL‑2.0 or Apache‑2.0), providing flexibility for different deployment needs. Cloud integrations exist, but the default posture remains broadly on‑prem and viewer-centric.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 95 | 95 | 100 | 95 | 80 | 90 | 95 |
GNUmed
Tier B · EMR backbone · License: GPL-2.0-or-later · Composite: 88.5
A GNU Project electronic medical record emphasizing longitudinal care and patient privacy. Strong licensing and self-hostability, with the main deductions coming from operational complexity and clinic-style workflow assumptions.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 100 | 95 | 80 | 100 | 90 | 60 | 90 | 90 |
GNU Health
Tier B · HIS backbone · License: GPLv3+ · Composite: 87.8
A full hospital and health information system with strong copyleft licensing (GPL v3 or later) and explicit self-hosting posture. The main penalties come from operational burden and the fact that workflows are shaped around institutional standards and large deployments.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 100 | 95 | 75 | 100 | 90 | 50 | 95 | 95 |
SENAITE LIMS
Tier B · Lab backbone · License: GPL-2.0 · Composite: 87.5
An enterprise-focused open source LIMS that covers laboratory workflows end-to-end. The core repo states it is GPLv2 and derived from BIKA LIMS. Strong sovereignty posture via self-hosting, with deductions reflecting operational complexity and admin burden.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 95 | 80 | 100 | 90 | 55 | 90 | 90 |
OHIF Viewer
Tier C · Imaging bridge · License: MIT · Composite: 82.2
A zero-footprint web DICOM viewer (progressive web app) designed for DICOMweb archives. Architecturally it can be deployed against self-hosted DICOMweb sources; however, its official documentation includes a dedicated Google Cloud Healthcare integration path, creating strong ecosystem gravity toward big-cloud deployments.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 90 | 95 | 40 | 100 | 85 | 75 | 90 | 90 |
Fasten (OnPrem)
Tier C · PHR bridge · License: GPL-3.0 · Composite: 82.0
Self-hosted Personal Health Record (PHR) manager with a clear “data stays local” posture. The repository README explicitly states that the OnPrem app does not integrate with EHRs directly; it supports manual entry and importing FHIR bundles exported through other means.
External-service caveat: the Fasten OnPrem releases include a CCDA feature note “powered by Health Samurai” and state that the converter is not open source and runs on Fasten Health infrastructure (no data sent back to Health Samurai during conversion).
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 90 | 60 | 100 | 80 | 70 | 85 | 80 |
Nightscout
Tier D · Diabetes bridge · License: AGPL · Composite: 74.8
A web-based CGM dashboard for remote viewing of glucose data. The official documentation describes installing the Nightscout cloud application using hosting services from various cloud providers, and “new user” docs enumerate popular vendor platforms.
Score deductions come primarily from: (1) reliance on proprietary CGM hardware ecosystems, and (2) cloud-forward deployment patterns.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 80 | 50 | 40 | 85 | 65 | 90 | 95 |
AndroidAPS
Tier D · Hardware-bound autonomy · License: AGPL-3.0 · Composite: 74.2
An open source artificial pancreas system running on Android. Documentation states that use requires three compatible devices: an Android phone, a CGM, and an approved insulin pump. APK distribution is constrained by medical device regulations, so the docs emphasize building the app rather than downloading.
Score deductions primarily reflect deep reliance on proprietary CGM/pump ecosystems and regulated supply chains, despite strong open-source posture.
| C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|---|---|---|---|---|---|---|---|
| 95 | 80 | 60 | 30 | 85 | 60 | 85 | 95 |
Scores are tool-scoped. Privacy and sovereignty properties depend on deployment discipline and the surrounding OS/device stack, especially for mobile and for hardware-bound medical workflows.
6. Embedded sources
External references are embedded inline where they matter (per tool, per claim). Key pages used repeatedly include:
- F‑Droid listings for OpenTracks, openScale, Simpill, and MedTimer.
- Orthanc official site and Orthanc Book (security, licensing, HTTPS).
- ITK/VTK/MITK official sites/repos and license pages.
- 3D Slicer official site/docs and the SlicerTelemetry extension repository.
- Weasis official docs (including license FAQ) and GitHub license file.
- GNU Health HIS documentation and FAQ (license and code hosting details).
- GNUmed documentation and Debian package metadata.
- OHIF GitHub/docs and explicit Google Cloud deployment guidance.
- Fasten OnPrem README (scope limits) and releases (CCDA converter note).
- Nightscout docs showing cloud-platform deployment patterns; Nightscout GitHub repository.
- AndroidAPS docs describing device requirements and build-from-source constraints; AndroidAPS GitHub license file.