Archive for the ‘HIMSS’ Category.

Securing health applications with CACert.org

Still trying to recover from the conference last weekend.

OpenEMR was out in force at the conference and we had some interesting discussions about the best way to make PHP applications more secure. The following code is in PHP, but the theory applies to any electronic health record. The wonderful thing about this method is that Apache does all of the heavy lifting for you: it verifies the client certificate during the TLS handshake and hands the result to the application as environment variables.

<?php
	// First we force SSL, which is required for X.509 client certificates.
	// You do not have to use self-signed server certificates either, since CAcert.org will also provide cheap
	// server certs....
	// Another promising configuration that I have tried is to have port 80 forward to a file that does nothing but
	// link to the CAcert.org root certificate and set a cookie. So it forces you to install the root cert in Firefox
	// and then auto-forwards you to https the rest of the time, ensuring that you never get an https error...
	// I might post code for that later.

	if ($_SERVER['SERVER_PORT'] == '80') {
		$new_url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
		// A real redirect rather than a Refresh header, so nothing is served over plain HTTP.
		header('Location: ' . $new_url, true, 302);
		exit();
	}

	// Now we can access the SSL client variables provided to us by Apache
	// (they are only present when SSLVerifyClient and SSLOptions +StdEnvVars are configured):
	if (
		isset($_SERVER['SSL_CLIENT_VERIFY']) &&
		isset($_SERVER['SSL_CLIENT_S_DN_Email'])
	) {
		// Here we know that client certs have been enabled and that
		// the client has attempted to submit one.

		if ($_SERVER['SSL_CLIENT_VERIFY'] == 'SUCCESS') {

			// Here we know that the client cert is valid (it chains to the SSLCACertificateFile).

			$full_name = $_SERVER['SSL_CLIENT_S_DN_CN'];
			// split() was removed in PHP 7; explode() with a limit of 2 keeps a multi-word last name intact.
			$name_parts      = explode(' ', strtolower($full_name), 2);
			$cert_first_name = $name_parts[0];
			$cert_last_name  = isset($name_parts[1]) ? $name_parts[1] : '';
			$cert_email      = $_SERVER['SSL_CLIENT_S_DN_Email'];
			// echo "cert first = $cert_first_name and cert_last = $cert_last_name email = $cert_email";
			// A test echo here shows that we know the first and last name and the email from the valid CAcert certificate.

			// magic happens

			// Here you can put code to do whatever you want, and be sure that you have a connection with a browser
			// that has a private key from someone who has been assured by the CAcert.org web of trust process.
			// This should be combined with a password to be sure that someone has not hijacked a browser.
			// You could do signing using a standard hash here, along with username and certificate data, and be sure
			// that you are at the valid end of an X.509 process for that purpose.

		} else { // end SSL_CLIENT_VERIFY == SUCCESS if statement

			// You had a certificate but it was not valid (Apache reports FAILED:reason)... make an error.
			header('HTTP/1.1 403 Forbidden');
			exit('Client certificate was presented but could not be verified.');

		}

	} else { // end SSL_CLIENT_VERIFY isset

		// Apache is not properly configured to require certificates and/or one was not supplied... make an error.
		header('HTTP/1.1 403 Forbidden');
		exit('A valid client certificate is required.');

	}

	// This script could be re-written to either be a class or a globally included file.
?>
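As an added example (not code from the original post), here is the identity step written as testable functions: it pins the issuer DN instead of trusting SUCCESS alone, takes the identity from the certificate's email address rather than splitting the CN, and requires a password on top of the certificate as the post recommends. The issuer DN, the user table and the `$_SERVER` sample are constructed placeholders.

```php
<?php
// Added example, not code from the original post: build an application identity from
// Apache's SSL_CLIENT_* variables and require a password as well as the certificate.
declare(strict_types=1);
// Assumption/placeholder: the issuer DN your SSLCACertificateFile chain produces.
// Copy the real value from SSL_CLIENT_I_DN in your own logs before deploying.
const EXPECTED_ISSUER_DN = '/O=Example CA/CN=Example Client CA';
// Constructed user table: the cert's email address -> password hash.
$users = ['fred@example.com' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function certIdentity(array $server): ?array {
    // Apache fills these only with SSLVerifyClient on and SSLOptions +StdEnvVars.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null; // NONE, FAILED:<reason> or GENEROUS: no usable identity
    }
    // SUCCESS only means the chain ended at *some* CA in SSLCACertificateFile, so pin the issuer.
    if (($server['SSL_CLIENT_I_DN'] ?? '') !== EXPECTED_ISSUER_DN) {
        return null;
    }
    $email = strtolower(trim($server['SSL_CLIENT_S_DN_Email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep the whole CN: splitting it on spaces breaks for multi-word names.
    return [
        'email'  => $email,
        'cn'     => $server['SSL_CLIENT_S_DN_CN'] ?? '',
        'serial' => $server['SSL_CLIENT_M_SERIAL'] ?? '',
    ];
}

function login(array $server, string $password, array $users): ?string {
    $id = certIdentity($server);
    if ($id === null || !isset($users[$id['email']])) {
        return null;
    }
    // Second factor: a copied browser profile alone must not be enough.
    return password_verify($password, $users[$id['email']]) ? $id['email'] : null;
}

// Constructed sample of what Apache exposes for a verified client certificate.
$sample = [
    'SSL_CLIENT_VERIFY'     => 'SUCCESS',
    'SSL_CLIENT_I_DN'       => EXPECTED_ISSUER_DN,
    'SSL_CLIENT_S_DN_CN'    => 'Fred Trotter',
    'SSL_CLIENT_S_DN_Email' => 'Fred@Example.com',
    'SSL_CLIENT_M_SERIAL'   => '0A1B2C',
];
var_dump(login($sample, 'correct horse battery staple', $users));
var_dump(login(['SSL_CLIENT_VERIFY' => 'NONE'], 'correct horse battery staple', $users));
```

The first call returns the account email; the second returns null because no verified certificate was presented, whatever password was supplied.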

Of course, none of this works without an Apache configuration!!

<VirtualHost 10.10.10.10:80>

# another fine way to enforce https only.

        ServerName example.com:80
        AddType application/x-httpd-php .php .phtml .php3
        DocumentRoot "/var/www/html/example/"

        <Directory "/var/www/html/example/">
        # The following rewrite just forces everything to https!!!
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        </Directory>
</VirtualHost>


<VirtualHost 10.10.10.10:443>
        ServerName example.com:443
        DocumentRoot /var/www/html/example

        # Standard stuff
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        # 2009-era defaults: on a current Apache/OpenSSL also disable SSLv3 and drop RC4 and LOW from the cipher list
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLOptions +StdEnvVars
        SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	# end standard stuff


	# the certificate that CAcert.org has signed...
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
	# my super secret private key
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

	# note that I can use the Directory directive to protect a single file!!
        <Directory "/var/www/html/example/protected_file.php">
                # requires a client certificate
                SSLVerifyClient require
                SSLVerifyDepth 2
                # in order to validate the client certificates I need to have
                # a copy of the CAcert.org root certificate
                SSLCACertificateFile /etc/pki/tls/certs/cacert.crt
                # exports SSL_CLIENT_* to the application (PHP reads them from $_SERVER)
                SSLOptions +StdEnvVars
        </Directory>
</VirtualHost>

ICW and Open eHealth at HIMSS 09

At this year's HIMSS the Connect project kind of stole the spotlight. However, I think it is also important to remember the work of the Open eHealth Foundation, which has been steadily progressing since it was announced at HIMSS 08.

One of the most important members of the Open eHealth Foundation group is ICW, who sent me a summary of the current Open eHealth progress. Here is another link regarding the new eHealth Framework.

-FT

MOSS Misys Open Source Solutions

MOSS (Misys Open Source Solutions) has come into its own as a force both within FOSS and within its chosen domain of interoperability.

MOSS is led by Tim Elwell and Alesha Adamson; they could often be found at the interoperability showcase, where they performed as one of the few PIX/PDQ services.

At this conference especially, Tim was instrumental in helping the FOSS community communicate its concerns to CCHIT. This speaks volumes about the transition of Misys from a suspect outsider to not merely acceptance as a legitimate FOSS community member but a leadership role within health IT FOSS.

The MOSS implementation is probably the most mature available under a FOSS license, and will soon be in the running for the title of best under any license. I can say that if they are overtaken it will only be another FOSS project that could catch them and there are several good projects who might.

Probably the most significant evidence of this dominant role was the muted announcement by the CCHIT Laika project that the MOSS project, along with Mirth, was selected as one of the testing tools for the coming interoperability tests.

MOSS is also formalizing its offering for those organizations who are attempting to do serious clinical data interchange. I regularly use Alesha for informal sanity checks for my own HIE ideas, and every time I do I regret that we do not have the budget to bring MOSS in to provide a more formal structure. Compared to other HIEs I usually feel efficient, but when I hear about the MOSS offerings I feel like I am doing all of the right things but flying by the seat of my pants.

Hopefully I will get Tim to let me replicate some of the graphics from his handout about the MOSS CobIT-based offering... and here it is!! MOSS HIMSS 09 handout…

In the meantime here is a shot of Alesha at the Allscripts booth at the interoperability showcase.

HIMSS09 day 2: Kolodner on Health IT

Dr. Robert Kolodner is not only the outgoing National Coordinator but a card-carrying member of the underground railroad. He is a founding father of VA VistA. He intimately understands what VistA is, where it came from and the implications thereof.

His talk is generally about how he plans on extending the VA quality. Some stream-of-consciousness notes follow (thank goodness that bloggers can do without content editors; no editor I have ever worked with would tolerate this complete lack of transition).

In his view the stimulus act serves as “seed” for health IT bird tossers. The idea is that throwing a bird in the direction you want to go does not work very well; instead you have to let them go... and seed where you want them to end up. (Does anyone have a good link explaining this analogy?)

What is “meaningful use”? There will be political pressure for the government to make this as low a bar as possible.

His insight is that Health IT needs an “Apache” to enable a health IT revolution the same way the Apache project enabled the web revolution.

That is his implied vision for the Connect project. The Connect project will be a major FOSS development here at HIMSS09. More on that soon.

For now enjoy the snapshot of Kolodner starting to be swarmed after his talk…

Should CCHIT survive?

The incomparable Joseph Conn has an article up about the potential fate of CCHIT under the Obama administration.

I do not believe that it should be re-funded in its current form, for several reasons.

Some quotes from Joseph's article to support my position:

“I bet we’ve spent a quarter of a million dollars in development costs just to get around the functionality that is being forced into the system,” Oates (Randall Oates is a physician who is founder and president of SoapWare) said. He argues that more than half of the functionality CCHIT requires could be moved out of the core system requirements into extensions.

Oates said that to make EHR systems usable, they have to be tailored “to make them suitable to the various niches in healthcare,” Oates said. “You can’t have one-size-fits-all. Things that could be straightforward and easy have to be bloated and cumbersome. It really has hurt the progress for adoption.”

SoapWare is famous for a reasonably priced low-end EHR for small practices. I wish it were open source but it does target practices that are largely ignored by the big vendors.

I have documented the story of AcerMed, a CCHIT-certified EHR that had to close its doors because of a lawsuit. I should note that Dr. Valdes of LinuxMedNews has also criticized CCHIT.

CCHIT, rather than creating a “seal of approval”, is a millstone around the neck of the HIT industry. It is totally incompatible with the concept of low-cost/high-quality EHRs. Rather, it increases costs and in some cases decreases quality.

Something needs to be done.

-FT

HIMSS a lobby for proprietary Health IT vendors

Today, I received a letter in my mailbox regarding HIMSS's take on the recent legislation proposed by Stark.

Stephen Lieber and Charles E. Christian, president and chairman of HIMSS respectively, write:

However, HIMSS believes the legislation has negative consequences, including discounting the current efforts of “AHIC 2.0” and the development of an open source “health information technology system” by the federal government. Specifically, HIMSS has concerns with the following provisions in this legislation:

(other stuff)

Development of an open-source “health information technology system” through the auspices of the ONC: The legislation directs the National Coordinator to provide for coordinating the development, routine updating, and provision of an open source “health information technology system” that is either new or based on an open source health information technology system, such as open source VistA. The system is to be made available to providers for a nominal fee.

The private sector makes significant investments in research and development for healthcare IT products. Healthcare IT is available via a competitive market in which vendors compete on the basis of price, quality, and functionality of a product. The development, routine updating, and provision of an open source “healthcare information system” is not the role of the federal government and such product development should remain in the private sector.

First of all, I do not think the Federal Government should support just *one* open source EHR system, and you really cannot guarantee a fee for Libre/Open Source software.

But the spirit of Stark's proposal is right on, and it is time to do something about HIMSS.

HIMSS is anti-Open Source and pro-proprietary software. They allow us “Open Source” guys to give talks and even have working groups because they would be violating their charter if they did not. But they do not like us. They are terrified of us, and they should be. HIMSS lives off of the fat in Healthcare IT. Mature proprietary EHR systems have been around for decades, and they still have 5%-15% penetration. Why? They are too expensive and too risky. The doctors recognized that the vendor lock-in that they painfully experienced with Practice/Hospital Management systems would be much worse with EHRs, and they have no intention of taking out extra mortgages to make that happen.

HIMSS charges proprietary vendors obscene amounts of money for space at their conferences. Open Source vendors cannot afford to go, because they are service companies who cannot charge for products. Medsphere is the only all-FOSS company that had a booth last year, and the only reason they can do this is because they have VC funding. The other top vendor, ClearHealth, has so far not seen the value in buying a booth.

Even if they did see the value, there is no way that Medsphere, ClearHealth or any other FOSS vendor is ever going to buy a half-acre plot at HIMSS. To afford that you need to be able to lock in your customers.

Ahh... but you want facts to back up my accusation. I'll give you two.

  • First, let's deal with ‘The development, routine updating, and provision of an open source “healthcare information system” is not the role of the federal government’. The Federal government already releases an “open source compatible” EHR: the VA VistA. VistA is really, really good. So good in fact that WorldVistA was able to achieve CCHIT certification using it, and a Medsphere client (Midland) is one of only nine HIMSS Stage 6 healthcare facilities in the United States (yes... the same HIMSS). The cool thing about the Midland accomplishment? It cost less than any of the other nine Stage 6 winners. So apparently the federal government is just as capable of doing this as anyone else. The private sector is supposed to be competing on “price, quality and functionality”, yet VistA is cheaper, better and more functional. Nonetheless, HIMSS is writing letters.
  • Second, the HIMSS EHR vendor association is proprietary-only. Take a look at the requirements to join EHRVA. For those who do not want to read a PDF, I will record the relevant section here:

The HIMSS Electronic Health Record (EHR) Association chartered this effort to ensure equal, fair and consistent criteria for Membership into the EHR Association. The EHR Definitional Model includes an operational EHR definition, key attributes, essential requirements to meet attributes, and measures used to assess the extent to which companies design, develop and market their own proprietary Electronic Health Record software application.

HIMSS is not interested in seeing vendor lock-in and the other fundamental problems with proprietary health applications go away; rather, they exist solely to perpetuate these problems. HIMSS defines itself as “HIMSS is the healthcare industry’s membership organization exclusively focused on providing global leadership for the optimal use of healthcare IT and management systems for the betterment of healthcare.”

In reality, HIMSS in its current form is just a lobby for the very proprietary vendors who have failed to move our nation into the age of digital healthcare information.

Dr. Janice Honeyman-Buck at HIMSS 08

For those that do not know, I am blogging HIMSS 08 for LinuxMedNews. I will be posting on anything that is relevant to FOSS that happens here. I did not have to wait long. One of the first talks covered the use of FOSS in medical imaging, something that I knew little about until Dr. Janice Honeyman-Buck clued me in.

Here is a shot of myself and the good doctor.

Fred Trotter and Janice Honeyman-Buck at HIMSS 08