Expert Healthcare Hackers

(This is a preview of a talk that I am going to give next week at Healthcare::Refactored, with Karen Herzog)

There are two definitions of the word “Hacker”. One is an original and authentic term that the geekdom uses with respect. This is a cherished label in the technical community, which might read something like:

“A person adept at solving technical problems in clever and delightful ways”

While the one portrayed by popular culture is what real hackers call “crackers”

“Someone who breaks into other people computers and causes havok on the Internet”

People who aspire to be hackers, like me, resent it when other people use the term in a demeaning and co-opted manner.  Or at least, that is what I used to think. For years, I have had a growing unease about the “split” between these two definitions. The original Hackers at the MIT AI lab did spend time breaking into computer resources… it is not an accident that the word has come to mean two things.. It is from observing e-patients, who I consider to be the hackers of the healthcare world, that I have come to understand a higher level definition that encompasses both of these terms.

Hacking is the act of using clever and delightful technical workarounds to reject the morality embedded default settings embedded in a given system.

This puts “Hacking” more on the footing with “Protesting”. This is why crackers give real Hackers a bad name. While crackers might technically be engaged in Hacking, they are doing so in a base and ethically bankrupt manner. Martin Luther King Jr. certainly deserves the moniker of “protester” and this is not made any less noble because Westboro Baptist Church members are labeled protesters too.

Like protesting, Hacking is all about taking a certain set of ethical issues that are important to you, and then performing an act whose central purpose is to restore ethical balance. People with screwed up ethical compasses will give good protesters and good Hackers a bad name.

I like this broader definition because it really shows that Hacking is not at all limited to technology. It relates to “systems”, as long as the “system” is complex enough to encode moral notions. This means that protesting is really just a special kind of Hacking, in fact we might rename it “public opinion hacking”.

Consider Richard Stallman. Stallman realized when he couldn’t get access to printer control software because of a proprietary license, that the license itself was encoding something he had an ethical problem with. Rather than accept that embedded morality, he created a workaround solution (copyleft licenses) that created an alternative with an embed morality that he could live with. The system that Stallman was hacking was copyright and licensing and the modern Open Source movement is the result of this hack.

The notion that technology and other complex systems can have moral notions embedded is neither new, nor mine and I recommend Lessig’s Code and Other Laws of Cyberspace for a full discussion.

I came to this conclusion as we renamed our “meaningful use” book to “Hacking Healthcare“. David Uhlman (my coauthor) and Andy Oram (my editor) seriously considered “Hacking Healthcare Software”, as an alternative title. But in our discussions it became apparent to us that David and I were really hoping to teach people how to use software to change the Healthcare system itself. The software was merely the type of hack that we were proposing, rather than the system being fixed with the hack.

Any efforts to hack healthcare should be embraced because the default settings on the Healthcare system really suck.

We have too many medical errors. We have overtreatment, undertreatment, fraud and disconnected care. Worse, until very recently, we had incentives that were virtually guaranteed to make these problems worse. These problems are merely symptoms of the wrong set of morals being encoded into the healthcare system.

Which leads me to introduce Karen Herzog to you. Karen makes my efforts to hack healthcare look somewhat childish. Like other, more famous e-patients like e-patient Dave and Regina Holiday, Karen, along with her husband Richard Sachs refused to accept the default settings of the healthcare system when their daughter Sophia was born with a rare genetic disorder. Shortly after Sophia’s birth, Karen and Richard were informed that their daughter disease was incurable and that she was dying.

The default settings for the healthcare system in these circumstances could not have been worse. Karen and Richard were offered occupational therapy, physical therapy, grief counseling and “when she turns blue let us know..” by their doctors in a manner that was obviously code for “we cannot help you, sorry for your situationa but get out of our hair”.  Karen and Richard refused to accept this. They did go home, but rather than allow the healthcare system to “wash their hands” of Sophia they created a garden. This literal garden was the first step in creating a community of care that re-engaged their doctors, who were themselves feeling hopeless and overwhelmed a safe environment to try to make Sophia’s life better and to seek a cure. Like all of the greatest “Hacks” Karen and Richard repurposed simple solution and made it apply to a problem that was regarded as unsolvable. They created a literal space that was so welcoming that it inspired collaboration in a group of clinicians that were not used to collaborating worked beautifully. They found ways to make it obvious that Sophia’s space would not be a deathbed, but a different kind of space altogether.

Eventually Sophia died, but only after receiving care that was orders of magnitude better that what could have been accomplished if Sophia would have been hospitalized full time. Hundred of clinicians, friends and family came together to make Sophias garden into a success, in a collaboration that never could have occured inside the walls of any given healthcare institution.

This success was hard-fought. Together, Sophia, Karen and Richard experienced just about every significant problem that patients and caregivers can have. For each hurdle, Karen and Richard continually refused to accept the “default settings” that the healthcare system offered, by responding with hack after hack.

I am humbled to be speaking opposite Karen. Since Sophia died, Karen and Richard have pivoted their design group into one of the preeminent “Patient UX” shops in the country. They have leveraged their troves of poor experiences with the healthcare system, and their methods of working around them, into a series of fundamental insights about how to improve patient experiences with technology and design. They are my default recommendation for design work in the healthcare space.

I have been watching what e-patients like Karen and Richard are able to accomplish for years and I have come to realize that in many ways, they are far more deserving of the honorific of “Hacker” than the bozos who deface websites to make political points. In much the same way that the recognition that MLK Jr was a protester, makes it embarrassing that we have to label the Westboro church members with the same label.

Like the original Hackers who built the Internet and the first computers, e-patients are blazing a trail through the healthcare system. Decades from now we will look back on this class of patient and realize that they remade healthcare by simply refusing to accept the aspects of the healthcare system that typically suck. In the future, when the new norm for doctors is respect patients enough to actually let them finish sentences, we will have this generation of e-patients to thank. Much the same way that we recognize that our iPhones and Androids would not be possible without the pioneering Hackers of the *nix community.

Karen and I will be doing a “dueling keynote” at Health::Refactored, asking each other difficult questions about the state of the art in design and technology in healthcare. I hope that the audience will learn some tidbits from me about how to work with software to help fix healthcare, but I think I have made my case that Karen will be the real healthcare Hacker on the stage.



How to change the world over the weekend

I love hackathons.

I love winning them. I love competing in them. I love winning them.  I love judging them. I also love not losing them.

This weekend, I am acting as a mentor to the first Health 2.0 hackathon in Houston Texas. As far as I know (which is not that far, really) this is the first hackathon in Houston to be focused exclusively on healthcare. Serving as a mentor rather than having the opportunity to directly win might seem counter intuitive, given how competitive I am. But I have had complaints about being a “professional” Health IT expert entering these contests, and as one of the organizers of the event, I do not want to be seen as unfair. This was a hard decision to me because in most cases, if I have to choose between winning and being unfair, I choose winning.. but my Houston Health 2.0 co-conspirators prevailed upon me this time…

I do well in hackathons because I know how to avoid the number one pitfall in healthcare hackathons: It is too tempting to make toys.

To really rock a Healthcare Hackathon you have to have a real strategy to build something that will make a difference, but something that you can still prototype in two days. Here are general thought strategies that have worked for me:

  • Have you carefull searched the web for someone implementing your first-blush idea? The android iphone app stores? Your idea is probably not original?
  • Rather than focus on original “ideas” to find “original problems”, clinician partners on your team are critical for this perspective!
  • Seek problems where there is no money to made solving them. Problems that already have money already have attention, it is hard to do original work in those spaces!
  • Only a few doctors are enlightened enough to pay attention to the hacking approach. How can we multiply the impact of a very few doctors?
  • Most patients are not e-patients, they are reactive and unwilling or unable to change their own healthcare behaviors. How can we minimize what each patient must do, but still have an impact?
  • Are there patient pain points so strong that we can rely on at least a few highly motivated beta testers?
  • How can we leverage the cloud, even with HIPAA limitations?
  • How can we crowd-source effectively, ensuring that every participant is evenly and instantly rewarded for contributions? How can we make crowdsourcing fun?
  • How can we leverage pre-existing Open Source code or APIs? Stand on the shoulders of giants… Hello! Obvious!!
  • How can I flesh out my team at a hackathon by pitching to clinical, educational, design, art or video collaborators?
  • If a programming task is hard for me, can I find a geek that can do in a few minutes what it would take a whole week for me to learn?
  • Getting a good idea is easy. Getting a good idea that is small enough for me to finish in two days is hard. How do I trim all the fat?

Here are some ideas that I will be pitching to participants to this weekends hacking contest. If I can find geeks with the required programming skill-sets and the team to ensure that they have the clinical and design backup that they need, I think these are all doable in two days.

Big Data on medical students:

Medical students are the only ones who understand the problems in medical school. I have designed a hack that will allow us to use big data on them directly to discover and fix the issues with our process for making doctors. I think this will require a team who can code in cross-platform Java… but a web-platform programmer could be tolerated in a pinch. SQLlite experience is a plus.

Better medical wikis

Only Wikipedia has the critical mass to sustain itself, so the only way to make a medical Wikipedia is to do it inside Wikipedia. But how do we ensure that the medical parts of Wikipedia are accurate enough for clinicians and experts, but simple enough for the average patient to find them useful. I think I have found a way to use the Wikipedia API’s to dramatically improve the quality of Wikipedia articles on health issues, but I will need a team who knows how to either build a chrome or firefox module…. are perhaps super fancy JavaScript bookmarklet

Cross the channels at health conferences

Every healthcare conference has a back channel, and in my experience at healthcare conferences, many of the real experts are in the crowd tweeting. Conversely the people who line up to ask questions at a microphone are unvetted, a tragic portion of those who ask questions are actually pitching their own projects, or exercising an obsession, or asking a stupid question (and yes… there is such a thing as a stupid question… or at least there are many morons who feel comfortable wasting my time with questions). I am pretty sure it will require something like Node or Pythons Twisted, but I think we can use Twitter to hack health conference Q&A for the better….

The calculus of pain

In healthcare we have policies that help to ensure that “drug seekers” are unable to access excessive amounts of opioid pain killers. Assuming we define “denying a patient pain medications as a positive”, then these policies are “high sensitivity”  (has few false negatives). Said another way, they have been shown to reduce the number of deaths from medication overdoses in those states that apply them. But good policies are also “high specificity” (has few false positives). In this case, a “false positive” is to deny a patient who has legitimate untreatable-without-opioid pain access to effective pain control. The debate is mostly rhetoric here, with law-enforcement and organizations who represent pain patients both resorting to rhetoric  because there is no way to accurately measure false positives. But what if we could create a dynamic visualization that estimated false positives from the data that we do have? Essentially, we could create a “calculus of pain” diagram that both sides could ‘agree’ on, but use differently. As you might expect, this ‘rhetoric negation GUI’ will require extensive D3/javascript expertise.

Simple games for fitness

I am interested in creating tools that use Geocoding and QR codes together to motivate health. I need IOS and/or Android developers for this one.

Twitter plus epatients

Lastly I am interested in the ways that e-patients tend to favor twitter and I might be interested in developing an e-patient specific twitter tool. Need to code in a web-friendly language.

Quantified Self device hacking tools

The QS community very clearly needs a specific tool that I have gotten alot of requests for. You must know either hardware interfacing (usually C or C++ for usb drivers etc) or web authentication (OAuth et al)

Do something awesome using Natural Language Interfaces.

One of the API sponsors for this hackathon is Ask Ziggy which is essentially a “Siri as an API” for app developers. Its a clever idea and there are lots of possible uses here… no specific technical requirements other than to us this API.

Do something awesome with DocGraph

This is of course, our own data set.. and you can read about it at the main DocGraph site.

Do these sound vague enough?

I hope these are pretty vague ideas. I intentionally am leaving out the critical “how” part of each idea!

I hope this list is enough to spark some interest and get developers to attend this conference. I will not be the only one pitching ideas, and teams attending with pre-baked ideas typically do well at these kinds of events. Still if you want to use my ideas, and hear me explain how to do them and why they will work then you need to meet my specific criteria. First, you must be willing to develop  in the open, and under Open Source licenses. I am giving you a hackathon winning idea for no money. (and I am fairly certain, given that I have judged more health 2.0 contests than anyone else) Even if you do not win the contest, these ideas are so good that I will probably be able to make you fairly famous in the Health IT and Health 2.0 communities.

By working on my ideas you kind of hedge against losing at all. If you are able to pull of the projects, then I will give you credit publically for your awesomeness, which is valuable to anyone looking to make a name. For this valuable insurance service,  I need to be able to start from where you left off if you decide to abandon the project after the hackathon… That means github and the FOSS license of your choice (I like the AGPL)

You also -must- have the skillset that I require for a given project for me to give you the details on a project. I cannot have my best ideas just “out there” for people to run off with!! I am pretty sure that I have at least one project for every kind of developer that I can think of listed above. If I could do all of these ideas myself with my programming skill set.. guess what… I would have already done them or I would save them so that I could win some other hackathon! Each of these projects leverages a very specific hack of some kind. Either hacking hardware interfaces, user expectations, software design, data levers or something like. After I describe the “how” of each project there will be an “aha/wow” moment, when you think “We didn’t I think to do that?” (Note I felt this way after seeing IFTTT for the first time). If I am handing you a “wow” world-changing hack then I have to know that you will make us both look awesome when you pull off the hack. Don’t worry if you do not have a specific skillset I define here. I have lots of other ideas based on what you are good at! This especially applies to designers and other artistic types and to clinicians!! All of these projects could use clinical/design help!!

If you have not signed up yet, then I would get over to the signup page now. So far, every Houston Health 2.0 event has sold out so far, and we expect this one too as well. I have some pretty awesome project proposals but I can tell you now that these will just be a few of the awesome ideas that we are bringing to the table for this Hackathon. Most importantly, if you already have a project in mind, then you will be able to find a team to help you hack on your project! All you need is alot of motivation, a little skill and a willingness to collaborate. Or even just one of those three would do…

Looking forward to seeing you there!!






Practical collaborative document writing for patient communities


I have a lot of experience with collaborative document writing, and now, in my role with Cautious Patient Foundation, I have been providing technical help to several patient communities. I helped write the security standards for the NWHIN Direct project and I am currently working with the e-patient/QS community to create a document detailing Doctor friendly Quants and Quant friendly Doctors.

My advice is pretty simple:

  • Use a forum, either a facebook thread or a mailing list to determine who the primary authors should be, and what the general content of the document should be.
  • If you have several authors, use Google Docs or a Wiki for initial document creation. If you are writing alone, use whatever you want as your initial author tool.
  • Once you and your co-authors feel OK about the resulting document, copy it over to, and allow your entire community to comment on it. (For Geeks: Co-ment is the successor to the stet project which was used to coordinate comments on the GPLv3.) There is a free version of co-ment but the service is cheap and probably worth it. It allows a community to comment on specific parts of a document, and it will automatically generate a “heat-map” of the more controversial parts of the document.  These are the areas that you will need to spend time with, ensuring that you have blessing of your community.
  • When the comments stop coming in, the document is done.
  • Keep your document as short and concise as possible. All of us operating in the various patient communities are short on time, and by keeping what you are asking us to read short, you are respecting that.

The insight here is that while a wiki makes it easy to update and maintain documents, they are not always the right tool for building consensus in a community. What you want is to have your documents reflect the will of your community at large, rather than the will of the most obsessive wiki-editor in your community.

Hope this helps.


Hacking data: showing patterns in kids health

Here is my submission for the Local Children’s Data Health 2.0 developer challenge. The challenge was to make data available through come alive.

Generally, the red circles correspond to the percentage of child allergy suffers who had -seen- a doctor, but had no specific plan to address their condition. The red tags, are healthcare providers from the NPI database that are listed as experts in kids allergies… the top of the field for asthma treatment. We are using these “super experts” as a proxy for the availability of specialist care for allergies generally. Notice the under-served areas… The specialist are clustering in the high-population areas. Hopefully this map will inspire an expert to move to Eureka, or Santa Maria..

Here was my process for this for my hack:

  • I would only use Open Source software or Open APIs. The idea here is to show just how powerful FOSS tools can be in health data analysis.
  • I have just created the best API to the National Provider Identifier database at, so I have this rich datasource that previously has not been available as an API.
  • I wanted to target something from that was directly related to the availability of healthcare, something that you can measure geographically using the API.
  • I chose Asthma, because this is something that clearly responds to treatment.
  • I wanted to document my process to show how easy this kind of analysis is with the right tools.

Ok here’s what I did…

  1. First, I browsed for asthma information. That leads you straight to this analysis of asthma hospitalizations for young children over the last few years.
  2. Then I started digging for source data. It looks like the California Health Interview Survey was a substantial source of the data.
  3. They offer Public Use Files of the original survey data. I signed in, and the terms of use for the data were reasonable, and not contrary to my purposes or Open Source. So I signed up and went to download the data.
  4. Sadly, the data was only available in three proprietary data formats, Strata, SPSS and SAS. This was obviously designed for academics that think using proprietary software is ethical and normal. Thankfully there are other options. The R project is where I usually turn first for stats help, but I actually found that there was an Open Source SPSS alternative called PSPP. Using PSPP I was able to open the SPSS data file. Victory for Open Source! It would be nice if organizations like CHIS would release in simple XML or CSV, which is much friendlier to hackers and people who believe in software freedom.
  5. My feeling of elation was short lived. The data had no geo-coded information. Which makes sense, that would make re-identification much easier. There had to be another way to get geo-coded data.
  6. And there was. AskCHIS is a powerful data reporting tool that allowed for xls data download. Again, I am amazed that CHIS would chose to run with a proprietary format without an open alternative. They used alot of advanced xls layout options that meant that an export to CSV would never work. An API would be even better, but at least CSV would allow me to actually parse a file instead of cutting and pasting which is what I ended up doing.
  7. But I had access to lots of data. I could see several different measures of asthma that I could have used in my mashup. This included lots of stuff like missed school days, emergency room visits, diagnosis of asthma, symptoms in the last twelve months… etc etc. If CHIS had given this data up using an API, I would have been able to merge the various asthma measures into an overall asthma status score… but it would have take a week of cutting and pasting to do that manually.
  8. So I had to choose one data point and run with it. I chose “Health professional ever provided asthma management plan“. This was asked to parents whose kids already had a doctor who was “treating” the asthma. I thought this was an interesting question because it seemed to correlate strongly with doctor-availability, something that I had good geo-coded data on.
  9. Now what provider data should I compare it to? Using I can easily grab a list of all/most of the doctors in California who specialize in treating allergies in children I decided to use that as a proxy for “available allergy specialists”. Of course, I had a serious advantage here, because I had already done the work of changing the NPI database into something I could access using an API (that is the idea behind This easily saved me 30 hours of work on this project alone.
  10. So now I have the data I want… but what now? I had addresses for the doctors and clinics from the NPI database, but the asthma data was coded by county. No problem, I just needed to geocode the counties into longitude and latitude. If I had a rich data source from CHIS, it would have been worth writing a script to do this, but since I was using cut-and-paste data, with about 75 rows, it was much simpler to just manually geocode everything. Which is what I did. More cut-and-paste.
  11. But now I have geo-coded data for both data sources.
  12. I needed a method to graphically display geo-coded scoring. This is pretty easy to do using proprietary GIS tools, even costless tools like Google Earth. But I wanted to keep things simple and Open Source at the same time. Enter the EInsert extension to Google Maps API v2. This allowed me to overlay png circle graphics on a Google Map, and size them in accordance with their percentage (bigger is worse, it means more of the kids did not have asthma plans).
  13. Then something tickled my brain. Using circles to represent scaled data is problematic. There is solid research indicating that humans have trouble estimating the area of circles in relation to each other… So I used the ratio suggested by James Flannery to counter this effect. Now the circles are sized in a way that indicates their relative meanings in a somewhat more appropriate way.
  14. Now I had a Google Map that displayed data regarding the frequency of plans as meaningfully sized circles over the California state. This data shows some predictable effects. First, the worst areas are either very urban or very rural. Exactly the places that have trouble attracting medical talent. That means that on this map, Ureka and Los Angeles urban counties have similarly sized circles.
  15. Now all I needed to do was overlay the doctor data on this map. This turned out to be pretty simple. I already have a link to provide a Google Map display of any small search on For instance, here is the link for the map for the search on allergists in California. All I needed to do was copy the html and javascript for the doctor map and integrate the map with the Asthma data map I had already made.
  16. So far, that maps looks pretty good. However, there is no easy way to tell which county, specifically, a given circle represents. I decided that the simplest way to address this was to dynamically rewrite the png using the gd library of php. I would pass the php script a label, and it would generate a circle with a label on it. This would allow me to label all of the circles on the map. As usual, stackoverflow provided a quick and dirty solution. (update 4-20) I realized that the label should show both the name of the county, and the percentage without a plan… now it does.

Take a look at the final result.

Notice that the shapes scale automatically as you zoom in. Try zooming in to Los Angeles or San Francisco to compare the compacted counties more closely. Also note that you can actually get the name of particular doctor that specializes in the treatment of asthma directly from the map. If you click the link you can get all of the contact information from

Which brings us to the point of this exercise.  A better view of the data can prompt change.

If you are a parent of a child with Asthma in one of the “big circles” you need to know that the long term treatment of Asthma requires a plan. If you do not have a plan, the reason might be that there are not enough doctors around you to provide the help you need. This map can put you in touch with the nearest expert.

If you are a doctor, who specializes in childhood allergy treatment, this is an opportunity map for you. Eureka is much smaller than LA or San Francisco, but you would have a near monopoly on a population that needs help with asthma. These people do not have the same access to specialized care and that might be a business opportunity for you. Moreover, a doctor who chose to focus on the urban areas in the larger cities might also be able to gain patients and profit. The data here shows that while there are lots of experts -around- the densely urban areas they are not meeting the demand for care. If a doctor could find a way to make money on a Medicare/Medicaid population in these urban areas, this might also be an opportunity.

Seeing the health data in a new way can provoke change. I hope you think my application is cool and sexy, but frankly I do not give a damn about that. I want to make a difference, not toys.

People remember Florence Nightengale as the mother of modern nursing. But she once made a diagram that changed the way people thought about war. It was that diagram that gave her much of the political clout she needed to create the field of professional nursing that we know today.

I have made the NPI data more liquid with Organizations like CHIS need to a much better job of making their data accessible. If I had been able to access the data from AskCHIS in a normalized and open format using an API, I would have been able to make mapping system that would allow the overlay of -any- type of doctor with -any- health data measure that they survey.

So that leaves me with a call to action for three groups: Patients -> find better care near you. Doctors -> go where the patients need you. Researchers -> expose your data in open formats using APIs and open file formats.

Of course, I publish my source code under an Open Source license. Enjoy.


You might be a cyborg….

People often do not get why I am so convinced that only GPL Software should be used in Medicine. I can understand why. Without understanding the nature of Healthcare, people assume that I am being religious about the issue. This is the furthest thing from the truth.

It has been a while since I have blogged over at In fact you can see that I still have some site maintenance to do. But recently more attention has been given to the issue of Open Source and Software Freedom in medicine.

The Software Freedom Law Center has just released a paper called Killed by Code: Software Transparency in Implantable Medical Devices

Awesome title. Even more awesome paper.

The form of the argument is so simple:

  1. Hey you are putting hardware AND software in my body? yep.
  2. I cannot look at the software? nope.
  3. And the software is hackable? yep.
  4. Well that kinda sucks.

Feels kinda icky don’t it?

One thing I love about people with pacemakers or other implantable medical devices, is that they know they are cyborgs. Most people living in modern countries are cyborgs, but unlike people with pacemakers, they do not see it that way, because they carry their electronics, rather than implanting them. Makes no difference. In fact lets play a variant of “You might be a redneck“: I call it “You might be a cyborg..”;

  • If you leave your cell phone at home, and you -must- to leave work to go home and get it, you might be a cyborg.
  • If you will sleep through the morning unless a machine wakes you up, you might be a cyborg.
  • If your spouse is jealous of your cell phone, tablet, laptop, server or workstation, you might be a cyborg
  • If not wearing a watch makes you uneasy, you might be a cyborg
  • If you view any relationship you have with an online service as an addiction, you might be a cyborg
  • If you try to avoid walking more than 100ft in favor of a segway, bicycle, golf cart, or automobile, you might be a cyborg
  • If you try to avoid walking more than 100ft in favor of a lawn mower, you might be a cyborg and a redneck

Our relationship with technology is becoming more and more personal, and the operating system to your mobile phone, the software your medical devices uses and the EHR system that your doctor uses to track your health information make software freedom ethical issues into personal freedom ethical issues.

Today, its people with pacemakers, but tomorrow, there will things that people consider normal to do with their own bodies that will either use software that the user controls, or software that some random company controls.

Thanks to the Software Freedom Law Center, for helping to make this issue more personal.


OpenMRS shines in Haiti

I am utterly not surprised to hear that OpenMRS is shining in Haiti.

This reminds me of the tremendous reponse that the VA had to hurricane katrina using VistA. For fun you should ask those involved for the inside scoop of how VistA enabled an entire hospital to uproot and move over the course of a single week.

Sometimes people do not really understand why we need software freedom in healthcare. These are two perfect examples.

Can you imagine the headache that per-seat or per-doc or per-patient EHR licenses would have caused in -any- haiti clinic? Of course they could always -ask- the vendor for temporary seat licenses, and because the vendors are decent human beings they would probably give them to them. Of course that only works when the phones work or the Internet is up.

Emergencies highlight the fact that health software users may have -very- different needs than the software vendor’s vision or even their own understanding. I know that the OpenMRS project will change substancially in response to the earthquake in Haiti. More importantly those changes will spread to other areas of the world… but those other users of OpenMRS will get the haiti lessons -before- the mudslide/tsunami/earthquake/bombing happens in their area.

In fact I can just imagine and administrator setting up OpenMRS for the first time and wondering “Hmm why would you ever need that???” and ten years later, when those features make OpenMRS better able to handle a disaster in that area, the same administrator will say “Ohhh… that’s why….”

Everytime I hear about something like this from the OpenMRS project I feel again guilty that I am not more involved….


VistA License debate: its about proprietarization

It looks like WorldVistA is, for now, holding fast to the GPL and AGPL for VistA licensing. I have been a vocal advocate for compromising with DSS and Open Health Tools around the LGPL. The LGPL would allow for some innovations to be licensed under the GPL, and others, in the core of VistA to be compatible to bundle with proprietary software.

Recently, Skip McGaughey was quoted in modernhealthcare as saying:

“I believe it’s all about community-building,” McGaughey said. “I believe people have focused too much on technology and licenses and they need to focus on the care of individuals. If we can switch the focus from licensing and technology—the VistA community has a tremendous opportunity to fundamentally alter care throughout the world.”

“They’re starting from a base that has a tremendous knowledge base, built by care providers, tested and modified over a long period of time,” McGaughey said. “So, the opportunity is tremendous. So what we have to do is change the focus and quit worrying about the individual ‘me’ and talk about the ‘we’ together,” he said.

“If we enable an environment for people to collaborate in building infrastructure that everybody can use, to share the expense, what we can do is build the integration and interoperability and build a collaborative spirit,” McGaughey said. “Then people can climb the value stack to provide added value that can make money.”

It should be noted that I was not at the talk and did not hear exactly what Skip said. I know Skip and I know that he is a good guy, I think he intended to bring a message of reconciliation regarding licensing which is very good.  I may actually agree with Skip’s position, but I cannot agree with this quote. While I am in favor of compromising with Open Health Tools, the position of WorldVistA on insisting on the full GPL is not unreasonable and it is certainly not anti-people.

Lets be clear, when you talk about proprietary friendly licenses in medicine, you are not talking about a way for people to “make money” or “earn a living”, you are talking about a mechanism that traps software consumers into a monopoly relationship with a software provider.  Proprietary software in healthcare is so famous for abusing this monopoly position to the detriment of its clients that the issue is being investigated by congress and is even the subject of in-depth lampooning.

To trivialize licensing and indicate that is about “people” is typical and insincere. The software license defines the basic power structure of a relationship between software developer and software consumer. Full copyleft ensures that the developer and the consumer are always equals. Proprietary licenses ensure that the software vendor is in control. Open Source licenses that allow for proprietarization are a grey area. If software consumers are careful only to use Open Source components, they can maintain a balance of power, but if they ever allow a proprietary module into their ecosystem, then the license for that module puts some vendor back in the drivers seat.

If there was an “open” movement in the prisons around the world so that all prisoners were limited to just one shackle, they would still remain prisoners. Similarly as long as one software vendor can dictate terms to a clinic or hospital, they have a problem. Proprietary vendors who do not abuse their clients are like kind wardens. Just because they are nice a prisoner, does not change the fundamental power dynamic in the relationship.

The LGPL is a compromise precisely because it allows people who value freedom to work with people who are willing to compromise with proprietary vendors.

When you start hearing people saying things like “value stack” and “let people make money”, you are hearing the argument that being trapped is sometimes OK, if what you get for it is worth it.

This kind of power dynamic is precisely what prevents communities from trusting each other and cooperating. If you want to create community, you better not ignore licensing concerns.


Open Source Health Software Conference

So I have two small news items.

First, I am renaming the yearly Houston Open Source Conference from fosshealth to OSHealthCon, which just stands for Open Source Health Software Conference. Why the name change? Well, it is caused by the need for me to distance myself from the term “free”. I know what “free” means when you are talking about software, but again and again, the term is abused by people with a proprietary agenda.

People would talk about the differences between “free software” vs “commercial software” implicitly insulting any professional who wants to use freedom-respecting licenses.So I am throwing in the towel. I am not going to fight this battle any more. At some point, I have to decide if I am going to advocate for freedom, or for one particular way of talking about freedom.

The other important news item is that I have started posting the 09 Videos up to

This is our first stab at videoing our own conference, and the results are just as amateurish as you might expect. Still, if you can tolerate the sound, there is a tremendous amount of insight available there.

I will be posting new videos there as I sort out how to make transcoding work on GNU/Linux.


Enabling open core

What license should you consider for your new Health IT platform? As you consider that, you should think carefully about your user audience. You want people in the Open Source community to develop against your code. You want people to add value to your core. To achieve this you have to recognize that our community does not share universal motivations. The most important detail that you need to understand about our community is the ways in which we we relate to proprietary software.

There are two general ways of thinking about how to relate to proprietary software within the FOSS movement.

There are those that believe that the most important potential feature in software is the ability to change and share it without restriction, which is software freedom.

Others in the FOSS community feel that the important issue is that we have a good method for collaboratively developing good software and if people want to make money selling software that restricts freedom (the definition of proprietary software) thats fine.

I am solidly in the first camp. However, for the purposes of this article I will treat them as equally valid perspectives. This respect for an opposing opinion is crucial for the FOSS community because we want to be able to develop software together!

People in the first group we might call freedom sticklers and the second group we will call pragmatic openers.

Before we move on we should discuss the basics of licensing. I have written on licensing before, but you will find my freedom stickler bias in those writings. I will try to avoid that here.

The most important thing to understand about licensing (for this discussion) is to consider the perspective of the person who accepts a license with the intention of redistributing the sourcecode with other software.

Imaging that Ozzie the Originator released some valuable software called coreware. He decides to release the code as open source! He must consider several perspectives as he chooses a license.

Freedom loving Fredi 😉 wants to ensure that whenever possible software that he writes will not be used to allow someone to control another person. Fredi appreciates the value of coreware and writes a module for it called Fredis freely scanning module.

However Proprietary Pat also has scanning application that has far more functionality than Fredis module. She likes the idea of open source but, for whatever reason, is not in a position to release her own software under a FOSS license. It is important to note that if Pat did not have a functionally better scanning module than Fredi, there would be no reason for Ozzie to consider her interests. Ozzie knows that when an open option is available, functional and stable end users will always prefer it. This can be called the Open Source Sets the Floor effect.

Pat has software patents and proprietary software that she feels must be protected from the full GPL (a license popular with Fredi and his ilk). Certain provisions of the GPL can have the effect of devaluing software patents, or at least that is how patent owners often feel about it.

Then there is Indifferent Ingride who writes a printing application. She has no specific position on proprietary vs. FOSS. She just wants her printing software to be as useful to as many people as possible.

Ingrid, Fredi and Pat would all be willing to help Ozzie improve coreware assuming they are happy with the license. Ozzie knows that if everyone is not happy, someone will start a competing project with a license more to their liking. This would dilute the talent pool available to work on coreware!

Ozzie the Originator is a bind. He knows that he can chose a proprietary-friendly license like the Mozilla Public License or the Eclipse Public License that will make Pat happy. But Fredi will never agree to a license that would be incompatible with the licenses that ensure that he can keep his own software freedom respecting. For people like Fredi there is no substitute for two very popular keep-it-free licenses the GPLv3 and the AGPL. The Free Software Foundation keeps a list of licenses that are and are not compatible with the GPL.

What is Ozzie to do? How to keep both Fredi and Pat happy? The first place to look is the LGPL which stands for the Lesser General Public License. This license does two important things, first both Pat and Fredi can use coreware as the basis for the coreware + someothermodules under their preferred license. You can think of coreware + somemodules as a “rollup”.

From a licensing perspective some open source rollups are loosely coupled (like GNU/Linux distros) while other rollups are more tightly coupled (like the Linux kernel itself). Tightly coupled rollups must have identical or fully compatible licenses. Most thinking says that if one software package locally calls the functions exposed in another software package, then they are tightly coupled. (Any VA VistA -server- rollup is likely to be considered a tightly coupled rollup while the relationship between VistA clients and VistA servers would probably considered loosely coupled). It should be noted that these ideas are generally accepted as flowing from a consensus understanding by the Open Source community lawyers of the copyright rules of derivative works, not all of them look at this way.

Ingrid can release her printing component under the LGPL too; essentially adding it to the core… Both Pat and Fredi will then benefit from Ingrids code. Of course end users will have to chose between Pats code and Fredis code because their chosen licenses are incompatible. Each of them is creating a new rollup of coreware with a different family of licenses. While coreware can be included in each rollup, the two rollups are license incompatible.

Both Fredi and Pat can collaborate on coreware with a LGPL codebase because they know that in the end the license of their own module will determine how the LGPL acts for the their users. For Fredis users the LGPL upgrades to the GPL and the AGPL, but for Pat, the LGPL does not interfere with her proprietary license.

Everyone is happy. (or close)

Is the LGPL the only license that is intended to work in this way? No, but it is the license that is specifically designed to solve this problem. Another license that attempts to be compatible with GPL/AGPL projects is recent iterations of the Apache license. Apache is generally considered more proprietary friendly than the LGPL. If Ozzie uses the Apache license, Proprietary Pat could make changes to the internals of coreware, that she does not need re-distribute. Both Apache and the LGPL give here the right to “hoard” or “protect”, depending on your perspective on the matter 😉 her module. But Apache also allows her to horde/protect her changes to coreware itself.

The reality of licensing is that at least two parties must be satisfied with the license. The end user and the most significant contributor. The GPLv2 made Torvalds happy, and his end users tolerate it. Everyone else in the Linux universe tolerates the GPL for Linux because the value of Torvalds original contribution and those contributions he was able to amass around that original contribution. Together these are too valuable to try and replicate. Companies that hate the GPL and everything it stands for, like Microsoft, contribute GPL code to the Linux kernel because Linux is too important for them to ignore. (P.S. If you hear someone talking about these issues in terms of viral or non-viral, you can bet that freedom is not a priority for them)

For VA VistA we have a conundrum, the originator of the code, the US government, has left the code basically licenseless. I believe this means that the choice if preferred license should be up to the most substantial third-party developers. I believe that the most substantial way to make VistA better is to make contributions that make further development easier. MUMPS is a great language but it makes VA VistA inaccessible to most programmers. Given that I believe the most significant third-party contributions to VA VistA are (in no particular order):

  • Medsphere’s OVID – because it lets you code for VistA in Java. (AGPLv3)
  • EWD from M/Gateway – because if you already code in MUMPS you should still be able to write web interfaces. (AGPLv3)
  • Astronaut VistA – because you want to be able to install… With all of the above development environments, in seconds…. Not months… (AGPLv3)
  • TMG-CPRS – because adding patients and correcting demographics should be easy. (GPL v2 or later as per the core WorldVistA EHR license)
  • OpenVistA CIS – because we want to be able to run VistA without Windows. (AGPLv3)
  • Timsons Fileman – VistA Fileman is an important core VistA component that has had many improvements since George Timson left the VA. (LGPL)

-all- of these applications do not just make VistA better, the are Platform Improvements. These improvements are designed to spur new innovation by making hard things easy or previously impossible things tractable.

-all- of these innovations (as far as I can tell) are available under either the GPL or AGPL.

I hope that it is now obvious why most of the VistA community believes that if there is to be collaboration between the Fredis and Pats of the VistA community it must be around a LGPL VistA core.

Soon DSS will be releasing a version of vxVistA under the Eclipse Public License. That license is not compatible with the GPL. If vxVistA is released under the EPL none of the above platform improvements would be available to vxVistA. However all of them are available to users of OpenVistA, WorldVistA and Astronaut VistA, all of which use GPL variants.

I have lauded the release of vxVistA but I fear that as a FOSS project, it will be stillborn because of the EPL. Users will be forced to choose between vxVistA and the considerable menu of proprietary partners whose patent and proprietary interests are satisfied by the EPL, and a projects where VA VistA is being improved -as a platform-

If we were talking about one or two minor improvements that might be available under the GPL variants the I would not take this position but practically, the most important member of any opencore community is not Fredi or Pat but Indifferent Ingrid. Ingrid wants to work with the best platform and contributes in such a way that it makes the platform itself better. Whoever wins the attention of Ingrid, wins.

These lessons are applied in the specific context of VistA, but I hope that is clear that these issues are generalizable to any Health Information Technology (HIT) platform.

(Update 10-13-09 Medsphere has released its server project under the LGPL)

(Update 10-16-09 Ben from Medsphere has responded to my post)

(Update 10-18-09 Thanks for Theodore Ruegsegger, who pointed out several serious errors… fixed)


Away from iphone and towards a better platform analogy

As many of you know, the CHIP/Indivo/Harvard guys (who I guess I should call the ITdotHealth guys) wrote an article in the NEJM saying that we needed something like the Iphone app store in Healthcare IT.

I wrote a rebuttal saying that, among other platforms, the Google android platform was a better fit. Frankly, I thought that would be the end of it. Most of the time I write a blog post, I get some hits, and maybe a comment if I am lucky. But mentioning the iphone is great for getting attention. Apparently, just saying the word iphone brought the readers out of the wood work. iphone iphone iphone <- (just to be sure…).

More than just getting some good comments I have just realized that Ben Adida (check out my blog roll) wrote a Knol that touched on my criticisms and argues convincingly that there needs to be some balance between openness and safety.

Though it is clear that Apple’s regulation of the iPhone apps market has gone far beyond malware prevention, the goalof malware prevention is certainly reasonable.

I think he is right on, and I look forward to talking about it with him in person tomorrow. I think now, the night before the conference, it might be a good time to drop my thoughts about what platform analogy would really be the best to reference as we move forward. I also take a moment towards the end of the post to concede some of the things that Apple really got right, since I do try to be fair.

If I had to pick one thing that best embodies the 10 principles that are being targeted here, I would pick yum. Yum is the update manager for Red Hat based operating systems. Here’s why:

  1. Like the iphone app store, it is “substitutable (first of the ten points). You can download like 10 different web browsers on the current Fedora.
  2.  It built its own protocol. RPM was a lower-level standard, and yum was born as a meta-tool on that standard.
  3. Yum allows for multiple platforms. It forms the basis for the software packaging for just about every Red Hat/Fedora based operating systems, of which there are several.
  4. The API for yum is open, which is what lets things like yumex happen.
  5. The programs installed by yum never have direct control over yum (unless that is the point of the program, and that is what the user wants to do).
  6. Application install is as pointy-clicky and as user friendly as it gets BUT you do not lose the power of command line script-ability. Talk about walking the fine line!!
  7. Separation between the copyright/patent/trademark of applications and the platform is totally there! You can point your yum to a proprietary repository, for instance to download Adobe flash… no problem.
  8. Unfortunately it does not make any sense to say that you can remove everything from yum and still have a platform. So I guess it strikes out on that one. Of course, I am not sure why the platform itself should -not- be considered a package on the platform… Ill have to ask about that tomorrow…
  9. Yum is really really efficient. You can update applications very quickly, and you can even install a special yum module that will find the fastest download servers, ensuring the best experience for downloads.
  10. The certification is as minimal as can be. The packages -can- (not required to be) signed by the people who set up a repository, and you simply do or do no trust that signature.

Someone will point out, someday, in comments that apt-get is just as good and does all the same things. To that future commenter I fully admit that you are 100% correct. I am a long time Red Hat guy and I am letting my colors show, for the record I am trying Ubuntu on my desktop for now….

Now let me point out a couple of cool things about yum that are not on the “big ten” but that I think are worth emulating:

  1. Yum is actually an upgrade to a previous platform, Yup. Yup was good, but users forked it and made it much better… then the original yup developers adopted yum. That’s the virtuous cycle of Open Source in action if I have ever seen it.
  2. Yum handles “trust” in the system, by getting out of the way. A “default” repository is trusted to get the system off the ground. But you can “trust” other repositories to get upgrade versions of the software you are currently using, to get substitutionsfor the programs you were currently using, or to get new software that is found nowhere else. It automatically find the balance betwen openness and security. Users make the decision about how to trust, and the system does not auto-branch beyond those decisions.
  3. Although yum violates principle 8,  you get the benefits of being able to use the platform to upgrade the platform. You can upgrade a late-generation yum operating system while it is running.
  4. The yum platform was central making a larger community effort. Remember when Red Hat stopped doing Red Hat Linux, instead creating the Fedora project and RHEL? Fedora existed before that, as a high-quality repository of Red Hat packages! yum was an important new feature of Fedora Core 1. The yum platform helped move the whole community forward.

So I think the yum project and the way that Red Hat made into a software distribution network is a pretty good model to follow.

Even I, however, get why they original authors chose to use the iphone as an analogy. Not assuming that these points are original, I want to point out some things that Apple did right, that other systems have failed at.

  1. Apple enforced simplicity. They refused to allow programs to run in the background. They refused to allow many other things that a developer for Windows CE might have expected. They made the core interface as simple as possible. They even excluded cut and paste initially to make the system simpler. Apple put these restraints in place because by making the applications simpler, they made the user experience vastly more intuitive.  I have used countless “modular” or “substitutable” platforms that miss this.  It is the platforms responsibility to protect the overall user experience, -not- the application developers. That means knowing when to say no. Ignore this one at your peril.
  2. Apple built a meritocracy at the level of the end user. When you see an application on the iphone that has been used by 5000 users, and they have all rated it 5 stars, you can be pretty sure it is good. That rating stands front and center in the platform, and more importantly, the platform itself constantly promotes and rewards its star performers. On other modular systems, I usually spend a lot of time trying to sort out what modules are reliable. The Firefox module system has also done a good job of this.
  3. Despite its habit of blessing particular development groups with special privileges, Apple also made it easy for the individual developer to become a super star on the platform. It did that by giving people pretty substantial development tools and a robust development environment.  If you want to get rock star developers you have to give them their version of the red carpet. That means awesome documentation, video tutorials and lots and lots of working examples.

I figured I would jot down these thoughts before the conference, so that I can have the most fun while there. Apparently, some of these people are actually reading this… so its a very efficient way of making points as opposed to taking the whole conference to dinner with a Fred-monologue.