Announcing NPIdentify

A while ago I was contacted by the folks at Health IT Transition (Now defunct.) regarding some NPI development. We decided to collaborate. They turned me on to the intricacies of the NPI database, and I have been doing skunkworks on the NPI database ever since. Sadly, they have been waiting on me since then, hopefully when I come out of skunk works mode, they (and you) will be pleased with the results. But those guy have been far from idle, I am pleased to prompt their announcement of

The site already does some pretty amazing things. It has a mechanism for viewing NPI taxonomy statistics and a tool that allows you to search through the NPI records for your state.

Soon, it will be the most advanced way to manage National Provider Identifier information on the web. Also see the new button on my side menu!!

(updated Feb 18, 2011) Note that my NPI work is now available at You can still download the same applications from if you want that type of interface. If you want really powerful National Provider Identifier search capabilities, is the best available!


On Being Threatened

Express Scripts, one of the nations largest pharmacy benefit management companies, is being blackmailed with the release of private health information. The blackmailer proved that he/she has access to the data by providing information on 75 Express Scripts customers.

The company has done a fine job of swallowing this bitter pill. They have done exactly the right thing by making a public announcement. This is not their fault and by choosing not to hide it they are demonstrating strong ethics in a tough situation.

I would much rather have my PHI with a company that will tell me when something like this happens rather than one that makes me “feel safe” by telling me nothing. I am a big fan of “the devil that you know”.

It bears mentioning that this is a real threat, rather than the dubious “lost laptop” problem. I have had a laptop with patient data stolen, but thanks to gpg, I have nothing to worry about. Laptops are easy to steal and easy to fence. Thankfully, there is no way for the average criminal to even know that there is potentially valuable PHI on a laptop when they steal it out of the back of a car. It is much more likely that the operating system will be reinstalled from scratch by a fence to ensure that there is no way that the laptop can be traced back to the original owner.

That means that when a laptop containing PHI is stolen, 99 times out of 100, there is nothing to worry about.

The 1 out of 100 times is when the thief already knows the PHI is on the laptop. Which is to say that a healthcare organization is the subject of a focused attack. Other security researchers are already guessing at how the blackmailer got the data. Here is my guess:

  • 65% chance this is an inside job. A rouge former or current employee is getting revenge.
  • 25% chance this is a foreign hacker. Siciliano (from the link about) correctly points out that only a foreigner would think that a US company would not go straight to the FBI after being blackmailed. A US hacker would have just sold the social security numbers to identity thieves.
  • 5% chance its a US hacker.
  • 3% chance it was a stolen laptop.
  • 2% chance something else happened.

It will be interesting to see how this plays out. If they catch the blackmailer or otherwise discover the attack vector, it will be informative for people like me, who obsess over the best way to protect health information.

If this happened because a laptop was stolen, I will eat my shorts.


Medsphere Growing in the right direction?

An important part of the reason why (some) people respect what I have to say with regards to FOSS Healthcare IT is that I do not pull punches. I also do not hesitate to admit when I am wrong.

Recently, Mike Doyle from Medsphere called me. I have a lot of respect for Mike, just about everything Medsphere has done since his arrival has been right-on. He has empowered other people at Medsphere that I have respect for. He was calling to let me know that some of the information in my recent post about Medspheres layoffs, was incorrect.

Most significantly, he said that the layoffs were part of the whole company moving away from proprietary land and towards open source. He maintained that Medsphere has been commiting more and more employees to, thier new community portal. I must admit, it is one of the best portals available. Matched only by the OpenMRS portal in my opinion. According to Mike, the sum total of “new hires for open source” vs. “retiring proprietary efforts” is a positive net gain of employees for open source.

The only difference between growth and decay is which parts change, and which parts stay the same.  If Medsphere is truly “retooling” its employees towards open source community members then much of my previous criticism is invalid.

It is not hard to tell that Medsphere is making an investment in the FOSS community. This is especially true in the mono community. They have hired several mono engineers and they are spending bug reports and sponsoring work. They have also been supportive of Dr. Valdes efforts to cross the streams between WorldVista and Medsphere CIS.

Doyle argues that, rather than decay, I should interpret the layoffs as growing pains. He made a good case, and so I am now forced to eat a little crow (at least it is still warm).


Trust but Verify and Trust but Fork

I have enjoyed participating in the National Dialogue about Health IT. One of the challenges put forward to my suggestion that decision makers should insist on FOSS in Health IT, was the following comment:

 in terms of privacy, there’s nothing inherent in FOSS that makes it superior to all proprietary products.

I have discussed this issue before, mostly when discussing HealthVault, but my comments have been spread out over several articles.

There is an inherent benefit to privacy, confidentiality and security for FOSS health IT systems.

There is another idea on the National Dialogue site that I thought was useful. It separates the concepts of privacy and confidentiality. Most people blur the concepts of privacy, security and confidentiality and talk about them in the same mouthful. For now I will consider that “privacy” is the ability to control who gets to see your data. Although my points apply to confidentiality and security as well.

FOSS Health IT  are inherently better ways to respect privacy because they support “trust-but-verify”, while proprietary systems just support trust.

The only way to know what a program is doing is to read the most human-readable version of that program, which is typically called sourcecode. There are countless examples of programs doing things other than what they appear to be doing. Viruses, Spyware, Monitoring features and Bugs are classic examples of this.

When a proprietary Health IT program says it respects your privacy, there is no way to know for a user to know if this is true directly, he must trust the proprietary vendor. The fact that most proprietary vendors are honest is irrelevant. The trouble with dishonest people is that you cannot tell the difference between them and honest people. We cannot know which proprietary Health IT vendors are respecting privacy and which are not. Also, the same large organizations who you might normally “trust” have in fact a very poor history of abusing privacy; Microsoft being the best example.

So does HealthVault respect privacy? Probably. But there is no way to be sure without reading the code.

Does Dossia respect privacy? Probably. But we can check by auditing the sourcecode of Indivo, because Dossia is based the FOSS Indivo project. Suppose that you believe that Indivo does not do a sufficient job of respecting privacy, or you find a back door (unlikely). You can fork the code, remove or change the offending portions of Indivo, and then run your own Indivo server with the privacy features that you want.

FOSS supports both trust-but-verify and trust-but-fork which is the only way to absolutely certain that privacy is maintained.

Therefore FOSS does have a fundamental advantage over proprietary software with regards to privacy concerns.


A National Dialogue is a site for proposing and commenting on ideas in Health IT created by the National Academy of Public Administration. (among others) The site is only open for a few days, and I have put forward my basic thesis:  Insist on Open Source in Health IT that my readers are used to seeing.

If you are fond of my arguments, then please rate this idea up and post friendly comments on it. We need to get this idea in front of the government decision makers and this is a great opportunity.


Medsphere Layoffs

I have been hearing rumors that Medsphere has been laying people off. A few days ago, the rumors bubbled to Histalk, which they always do eventually.

This is a big problem. The main advantage that Medsphere has over its number one competitor, ClearHealth Inc, was its capitalization.

The idea of a funded open source medical startup is that you sell most of the company to VC’s or angels and, in exchange, you get a massive chunk of change to play with. (I have toyed with the idea of doing this myself for many years, but seeing with the Shreeves went through has always made me hesitate.)

Then with cash in hand you do three important things:

  • Build a sales force; you will need to float your sales team as they ensure the long Health IT sales cycle.
  • Invest in your technical support; supporting VistA is non-trivial, it is enterprise software and requires multiple high-payed experts to keep it running.
  • Invest in your R&D; You need to have new shiny toys that give you competitive advantages.

In a software company, all of these investments are into employees.

If Medsphere is laying off anyone it means that they are running out of capital. This makes sense. They spent  enormous amounts of money attacking the Shreeves. Money that should have gone into one of the three buckets above.

I have taken to calling the “new” Medsphere Medsphere 2.0

Medsphere 2.0, lead by solid people in the CEO, COO and CMO roles, has made some pretty smart moves. These moves have lead me, and others within the community to start giving the new company some slack. But smart moves does not undo the stupidity of the past. Most of these good moves are exactly the things the Shreeves were sued for proposing.

While I am glad to see the company come to it senses, that does not undo the harm in the past. There are two important connections with the past that Medsphere 2.0 cannot undo: The same board and the same money.

The BOD of the “new” Medsphere is the same as the old Medsphere. That BOD has done some colossally stupid things. Larry Augustine is supposed to be the money guy who understands Open Source. But he utterly failed to serve either the interests of the community or the investors with Medsphere. It was his job to explain to the BOD that the Shreeves were not a threat to Medsphere. It was his job to keep the BOD from suing the Shreeves and gutting the original company. I, along with Eric Raymond, made an offer to him personally to help him in this role. He never replied to either myself or Eric. As far as I know he never reached out to anyone in the community. In his silence he failed the community at large too.

What does all of this have to do with the “new” Medsphere? Larry is still on the BOD. That means that no matter how much Mike Doyle impresses me, I cannot fully trust Medsphere. But Mike Doyle is an position to succeed with community trust where Larry has failed. The new and releasing valuable software under the AGPL are evidence that the new leadership, if not the BOD, is trustworthy.

The other thing holding Medsphere back is the money. Medsphere spent a tremendous amount of money suing the Shreeves. This is money that Medsphere cannot afford. As an Open Source company, you cannot trap your customers using a proprietary license. That means you need to trap your customers with golden handcuffs, you need to make the service so reliable that they would never be able to consider the hassle of finding another vendor. Good service translates to “Good Employees” for an EHR company.

Now you see why Layoffs are such a bad sign. If Medsphere is laying off employees that means that it is running out of capital. But good employees are the only thing that Medsphere has as a competitive advantage. Any layoffs have to hurt their ability to do one of the three core functions above.

If Medsphere is laying off employees then it means that the ghost of Steve and Scott Shreeve (as employees of course… they remain very much alive) are coming back to haunt the company.

Normally when a company like Medsphere needs more capital it can go for more further funding rounds, it can sell to a larger company (like IBM or EDS) or it can make a public offering. The current market state renders going public impossible. For a sale or a new round of funding, the new money will come with the simple question “What are we buying?”. For Medsphere, here is the current answer:

  • An infant community on that the Shreeves wanted to start years ago.
  • Lingering Mistrust from the larger VistA community
  • A technical support and R&D team (valuable employees)
  • A sales team (more valuable employees)
  • Several important clients
  • A massive lawsuit expense

Notice what is not on the list! Software! All of the really valuable software is already open source. The first two essentially mean that they have no community, although they will if they keep doing the same things they are now, and are given more time to earn back the trust of the community.

That means that the only really valuable things on the list are the clients and the ability to service those clients (translation: employees).

See why Layoffs are so concerning? If Medsphere is laying off people it means that it is reducing one of its few valuable assets in order to save capital. The only way that Medsphere could fully justify layoffs is if the company was profitable as a result. Otherwise they are just slowing the bleeding that will eventually kill the company.  Now the questions becomes what cards can Medsphere play, before the bleeding becomes fatal?

In any case, layoffs are not good news for Medsphere.

Please contact me through if you can confirm or deny the Medsphere layoffs.


HIMSS a lobby for proprietary Health IT vendors

Today, I recieved a letter in my mailbox regarding HIMSS take on the recent legislation proposed by Stark.

HIMSS Stephen Lieber and Charles E. Christian, president and chairman of HIMSS respectively, write:

 However, HIMSS believes the legislation has negative consequences, including discounting the current efforts of “AHIC 2.0” and the development of an open source “health information technology system” by the federal government.  Specifically, HIMSS has concerns with the following provisions in this legislation:

(other stuff)

Development of an open-source “health information technology system” through the auspices of the ONC: The legislation directs the National Coordinator to provide for coordinating the development, routine updating, and provision of an open source “health information technology system” that is either new or based on an open source health information technology system, such as open source VistA. The system is to be made available to providers for a nominal fee.

The private sector makes significant investments in research and development for healthcare IT products. Healthcare IT is available via a competitive market in which vendors compete on the basis of price, quality, and functionality of a product. The development, routine updating, and provision of an open source “healthcare information system” is not the role of the federal government and such product development should remain in the private sector.

First of all, I do not think the Federal Government should support just *one* open source EHR system, and you really cannot guarentee a fee for Libre/Open Source software.

But the spirit of Starks proposal is right-on and it is time to do something about HIMSS.

HIMSS is anti-Open Source and pro-propretary software. They allow us “Open Source” guys to give talks and even have working groups because they would be violating their charter if they did not. But they do not like us. They are terrified of us, and they should be. HIMSS lives off of the fat in Healthcare IT. Mature proprietary EHR systems have been around for decades, and they still have 5%-15% penetration. Why? They are too expensive and too risky. The doctors recognized that the vendor lock-in that they painfully experienced with Practice/Hospital  Management systems would be much worse with EHRs, and they have no intention of taking out extra mortages to make that happen.

HIMSS charges proprietary vendors obscene amounts of money for space at the their conferences. Open Source vendors cannot afford it to go, because they are service companies who cannot charge for products. Medsphere is the only all-FOSS company that had a booth last year, and they only reason why they can do this is because they have VC funding. The other top vendor, ClearHealth, has so-far not seen the value in buying a booth.

Even if they did see the value. There is no way that Medsphere, or ClearHealth or any other FOSS vendor is ever going to buy a half-acre plot at HIMSS. To afford that you need to be able to lock-in your customers.

Ahh.. but you want facts to back up my accusation. Ill give you two.

  • First, lets deal with ‘The development, routine updating, and provision of an open source “healthcare information system” is not the role of the federal government ‘. The Federal government already releases a “open source compatible” EHR: the VA VistA. VistA is really, really good. So good in fact that WorldVistA was able to achieve CCHIT ceritification using it, and a Medsphere client (Midland) is one of only nine HIMSS Stage 6 healthcare facilities in the United States. (yes…. the same HIMSS) The cool thing about the Midland accomplishment? It cost less than any of the other nine stage 6 winners. So apparently, the federal goverment is just as capable of doing this, as anyone else. The private sector is supposed to be competing on “price, quality and functionality” yet VistA is cheaper, better and more functional. Nonetheless, HIMSS is writing letters.
  • Second, the HIMSS EHR vendor association is proprietary-only. Take a look at the requirements to join EHRVA. For those who do not want to read a pdf, I will record the relevant section here:

The HIMSS Electronic Health Record (EHR) Association chartered this effort to ensure equal, fair and consistent criteria for Membership into the EHR Association. The EHR Definitional Model includes an operational EHR definition, key attributes, essential requirements to meet attributes, and measures used to assess the extent to which companies design, develop and market their own proprietary Electronic Health Record software application.

HIMSS is not interested in seeing vendor lock-in and the other fundemental problems with proprietary health applications go away, rather they exist solely to perpetuate these problems. HIMSS defines itself as “HIMSS is the healthcare industry’s membership organization exclusively focused on providing global leadership for the optimal use of healthcare IT and management systems for the betterment of healthcare.”

In reality, HIMSS in in current form, is just a lobby for the very proprietary vendors who have failed move our nation into the age of digital healthcare information.

Peter Bodtke taking a VistA tour

Peter Bodtke, the current vice president of WorldVistA, is doing a VistA tour. He is planning on touring Central and South America to raise awareness for VistA. Maybe they should make a shirt that says “It was an EHR before it was an Operating System”. They might be able to find a more pithy wording.

I donated a little money to his cause (WorldVistA) you should too.


Two standards approved for pharmacy billing

          For those who do not follow ancient history (more than 2 years on the Internet) of the Free and Open Source health software movement, I got my start with FreeB, which was the first GPL medical billing engine. It was designed to help address the medical bill formatting problem. If you are not sure what that means then you should read the interview I gave to LinuxMedNews called Fred Trotter on Medical Billing, much of it is still relevant.

So I got started with medical billing and I am still interested in it.

Joseph Conn (a reporter to follow if you are interested in Health IT) has just written an article detailing how HHS (who sets the billing standards in the U.S.) will allow two different standards for certain pharmacy billing systems.  This is the kind of thing that give me headaches, even though it is unlikely that I will need to support the new standards.

Part of the problem is that X12 is an old-school EDI transfer standard. It is hardly human readable, and it is pretty intimidating for the end-user. Much better would be an xml-based system.


Security in Medical Devices, implications

There are more and more examples of how standard hacking techniques apply in healthcare, with serious consequences. Recent issues include RFID hacking and interference issues.

Recently, a talk at BlackHat regarding hacking medical devices, including pacemakers, has begun appearing in popular blogs.

What is most dangerous about this is not actually the hack itself, but the fact that the hacks could become widespread. Think about it; there is no real benefit to a hacker to simply kill a person. It is a serious crime and unless there is something to gain by doing it, it is unlikely to generate new interest with blackhat hackers.

Now that the information regarding the vulnerability is in normal media channels, a Cracker (another name for a blackhat hacker) can blackmail a person with a pacemaker. “give me ten thousand dollars or I will remotely shut down your heart.” Before a victim would say “that’s impossible” and not worry about it. Now they go to Google and discover that it is possible. Both Victim and Cracker are aware that the only way for the Cracker to prove to the Victim that he has the ability to stop the Victims heart is for the Cracker to actually kill the Victim. Now the Victim is wondering “Can I afford to take this chance?”

If this even happens once in the real world, you will see a slew of social engineering attacks with this threat as the basis. A Cracker will simply threaten a hundred people with this attack and see how many will pay up. The Cracker would not even need to know how to make the hack work. All he would need is a list of people with pacemakers.

Now we get to the real implications. Where is the information about who has a pacemaker installed and who does not? Perhaps someday they will invent “pacemaker wardriving” but for the time being, the easiest way to get a list of people with pacemakers is to hack into someone’s Electronic Health Record system.

Currently, the Healthcare Industry under-invests in Information Technology. However, with these new vulnerabilities, the value of personal health information is steadily rising. Usually, a typical cracker strategy was to use identifying information inside PHI to steal someone’s identity, or to use healthcare information (like sexually transmitted diseases) to blackmail someone. These new vulnerabilities increase potential profit of hacking into an EHR, and hospitals, even large ones, do not typically have the kind of defence systems that banks usually invest in.

Have you ever considered why “the club” works? These devices are relatively easy for a determined thief to overcome. They work because when you park your BMW in a parking lot, and put the club on it, there is typically another BMW in the parking lot, without the club. The thief will take the car that is easier to take. The club works because of the “low-hanging fruit” principle of security. A person who has decided to take an unethical risk by stealing or cracking is basically saying; “I can tolerate this risk, because it is easier to do this then have a similar economic gain, by legitimate means”. Perhaps some are thrill-seekers, but typically people who break the rules for profit are lazy. The “low hanging fruit” principle might be phrased “A thief or cracker will always try the easiest way to profit unethically first”

As the number of ways to profit from PHI goes up, hospitals and practices will become the low-hanging fruit. This is a problem because your small country doctor is already being squeezed by third-party payers. He does not feel that he has the money to invest in proper electronic security measures, and he does not actually have the skills to tell what would be legitimate security measures in any case. Information technology mom-and-popism is rampant in healthcare. The “computer guy” for many doctors is the nephew of of the office manager; he might be the smartest kid in 9th grade, but he has no idea how to properly secure PHI. Healthcare institutions have always been easy to hack, but now they are becoming profitable to hack. They are becoming “low hanging fruit”.

Concern for these kinds of issues will do little but grow.


Update: Jon Bartels wrote to mention that Chinese researchers have pushed this concept further.