Securing health applications with CACert.org

Still trying to recover from the conference last weekend.

OpenEMR was out in force at the conference and we had some interesting discussions about the best way to make php applications more secure. The following code is in php but the theory applies to any electronic health record. The wonderful thing about this method is that Apache does all of the heavy lifting for you.


Of course, none of this works without an apache configuration!!



# another fine way to enforce https only.

        ServerName example.com:80
        AddType application/x-httpd-php .php .phtml .php3
        DocumentRoot "/var/www/html/example/"

        
        #The following rewrite just forces everything to https!!!
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        




        ServerName example.com:443
        DocumentRoot /var/www/html/example

        # Standard stuff
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLOptions +StdEnvVars
        SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	# end standard stuff

 
	# the certificate that CACert.org has signed...
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
	# my super secret private key
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

	# not that I can use the directory command to protect a single file!!
        
                # requries a client certificate
                SSLVerifyClient require
                SSLVerifyDepth 2
                # in order to validate the client certificates I need to have 
                # a copy of the CAcert.org root certificate
                SSLCACertificateFile /etc/pki/tls/certs/cacert.crt
                SSLOptions +StdEnvVars
        
                                                                                                                                                                                   1,9           Top


Medspheres bus video released

I am happy to say that Medsphere has released its bus video. This is exactly the kind of irreverent and fun thing that makes FOSS addictive! We have a better way and its so obvious that its really not possible to make the points without also making a joke about it.

They included bits my interview in the film and I loved that they keep the EPIC equals tank reference.

Enjoy!

Embracing the new CCHIT certifications

A few months ago, CCHIT suffered from what I like to call “angry letter round 1”.

This is were I send a very pointed, ultimatum letter to an organization of the general form “your are hurting my community, stop it or else”. Personally I find that about %50 of organizations respond positively and about %50 do not.

I am happy to say that Mark, Dennis and the other members of the CCHIT team have won my respect and appreciation with how they have taken a 90 degree turn from being an organization that was largely ignorant regarding the health FOSS movement to one that listened and engaged carefully, and has now come back with a plan for certification that I personally, and from what I can tell the FOSS community generally, can embrace.

This post is me doing that. At this stage I am comfortable recommending (to whoever is making the decision) that CCHIT be allowed to be one organization allowed to certify for ARRA funding, under their new EHR-C/EHR-M/EHR-S certification model.

Specifically, I am talking about the new site level certification program. Here is a cut and paste from the CCHIT townhall pdf regarding EHR-S site certification.

Certification Program Concepts for EHR Sites (EHR-S)

  • Definition: Certified EHR-S sites have developed or assembled EHR technologies that comply with Federal standards and enable them to meet all Meaningful Use Objectives.
  • Provider applicability: Any physician office, clinic, hospital, other facility or network that has self-developed or assembled an EHR from various sources and wishes to apply to ARRA incentives.
  • Certification requirements: Functionality available (regardless of deployment model) that enables providers to comply with applicable Federal standards, implement adequate security practices, and meet Meaningful Use Objectives.
  • Inspection methods: Virtual Site Visit technology with offline inspector review and follow-up correspondence.
  • Cost range: ~$150 – 300 per licensed provider (ambulatory); hospital pricing model TBD. Scholarships for eligible providers (FQHC, underserved population, critical access, etc) if grants can be obtained.

This along with the fact that all of the new certification programs will not require re-certification for minor software revisions, means that there is a clear path for FOSS adoption along with ARRA funding assuming CCHIT certification is endorsed.

Of course, as Dr. Billings points out, there are a lot of details to work out. However, unlike other critics of CCHIT, I have never felt CCHIT to  be duplicitous, rather they were one of the many groups who were trapped in a way of thinking that I disagree with.  Now that CCHIT understands how our community frames the EHR problem, they have done a good job creating a certification that can work for us.

This is a huge relief. I was afraid that our small community 501c3 Liberty Health Software Foundation, (LibertyHSF)was going to need to learn how to certify, create a standard to certify against and then get ourselves approved by the ARRA powers before the end of the year. Not good.

I would like to thank the FOSS community members who helped make this possible, especially Dennis Wilson, who served as a bridge between us and CCHIT. Thanks to Mark and everyone else at CCHIT who made such drastic rethinking of your core business in such a short time, we appreciate it!

I am now serving in the role as the director of LibertyHSF, and I need to start being careful to note that this is my personal opinion, and not the official opinion of LibertyHSF. I think LibertyHSF will probably have the same position, but I need to have a community vote on that before we will put something up on libertyhsf.org. That process takes a little more time to arrange. Still I personally have been one of the most vocal critics of CCHIT on this blog and I thought it appropriate to note that I approve of CCHIT’s most recent actions. (UPDATE 7-13-09 CCHIT has blogged about this post)

Regards,

-FT

Can CCHIT move beyond PROBLEM EHR certification?

Recently CCHIT has come under fire for being too focused on large proprietary vendors and specifically, its association with HIMSS.

These attacks have gotten so bad that Mark Leavitt has posted a rebuttal, which has generated a tremendous amount of attention over at THCB ( a blog well worth adding to your RSS feed)

Mark raises several good points in defence of his organization, including:

  • There is currently no financial relationship between HIMSS and CCHIT
  • Vendors who are involved at CCHIT are limited in what seats that can hold and what votes they can make
  • CCHIT takes great pains to ensure that it is not biased by vendor ties.
  • There is a strict conflict of interest policy in place

Mark is right to point these out, but this misses the heart of the criticisms coming from FOSS and other places.

The problem is not that there ‘sneaky’ influences from HIMSS and Vendors, but rather a simple self-selection bias.

CCHIT is and always has been a monolithic check-list for a Proprietary, Rigid, Overweight, Bloated, Loaded, Expensive, and Massive  (or PROBLEM for short) EHR products that allowed out-patient doctors to effectively track and monitor the healthcare of their patients. Most of the ‘founding fathers’ of CCHIT were either vendors with a PROBLEM EHRs or EHR users who had already bought in to the PROBLEM EHR model.

The CCHIT process -is- open to all, it -is- democratic and it does seek to balance the interests of vendor and non-vendor participants. Everything Mark is claiming is right on and it does not matter at all. The participants in CCHIT have all bought into the PROBLEM model. Those of us who have always thought differently than CCHIT have stayed away because it was obvious from the get-go that the certification model put forward by CCHIT was incompatible with our goals.

Right now, CCHIT is taking it from all sides because there are so many people who disagree with some aspect of the PROBLEM model. Practice Fusion wants to see really cheap EHR services like the one that they offer be certified. The ‘Clinical Groupware‘ people want to see the certification of a suite of technologies that may or may not add up to a traditional EHR. The EMR-lite people want to see faster and lighter tools. The PHR people and consumer advocates want EHR systems that empower the patient instead of the provider. The Health 2.0 people want to see completely different models of finance and care become possible. Of course, the FOSS people (like me) want FOSS EHRs to get equal footing.

In defense of CCHIT, Mark and the other members of CCHIT that I have met have bent over backwards to try and see things from the FOSS perspective. They have truly listened and they are starting to understand how different our community really is. I would encourage the members of the other communities to consider working with CCHIT before discounting them. CCHIT needs to be given the opportunity to re-invent itself before it is discounted. The recent press release from CCHIT indicates that it will be establishing town hall meetings for the FOSS community. I am not confident that this will work, but it is an indication that CCHIT is willing to try and see things from a different vantage point.

However, it may be difficult for CCHIT to reinvent itself. Realistically, the PROBLEM EHR vendors and users do not want to see CCHIT supporting very different models then their own. If CCHIT appeases the crazies like me too much, it stands to loose its ‘base’. This is why I believe it is critical that ONC leave the door open to sources of certification other than CCHIT. Doing so keeps the pressure on CCHIT to broaden its certification systems to include very different philophies of Health IT. Without that extra pressure, there is no way for CCHIT to act in a way that is not in the direct interests of its current PROBLEM membership.

-FT

(update 6-03-09 Dr. Kibbe pointed out to me that the proper term was ‘clinical groupware’ and not health groupware. He also pointed me to an excellent post by Adam Bosworth defending exactly that perspective, so I linked it in. Also correct some spelling errors)

Incentive to Innovate: Giving Health Reform a Rocket Boost

I am participating in the health X-Prize blog rally. If the post below sounds a little reptitive, it is only because you might have read a version of it on several other sites.

-FT

We are entering an unprecedented season of change for the United States health care system. Americans are united by their desire to fundamentally reform our current system into one that delivers on the promise of freedom, equity, and best outcomes for best value. In this season of reform, we will see all kinds of ideas presented from all across the political spectrum. Many of these ideas will be prescriptive, and don’t harness the power of innovation to create the dramatic breakthroughs required to create a next generation health system.

We believe there is a better way.

This belief is founded in the idea that aligned incentives can be a powerful way to spur innovation and seek breakthrough ideas from the most unlikely sources. Many of the reform ideas being put forward may not include some of the best thinking, the collective experience, and the most meaningful ways to truly implement change. To address this issue, the X PRIZE Foundation, along with WellPoint Inc and WellPoint Foundation as sponsor, has introduced a $10MM prize for health care innovators to implement a new model of health. The focus of the prize is to increase health care value by 50% in a 10,000 person community over a three year period.

The Healthcare X PRIZE team has released an Initial Prize Design and is actively seeking public comment. We are hoping, and encouraging everyone at every opportunity, to engage in this effort to help design a system of care that can produce dramatic breakthroughs at both an individual vitality and community health level.

Here is your opportunity to contribute:

  1. Download the Initial Prize Design
  2. Share you comments regarding the prize concept, the measurement framework, and the likelihood of this prize to impact health and health care reform.
  3. Share the Initial Prize Design document with as many of your health, innovation, design, technology, academic, business, political, and patient friends as you can to provide an opportunity for their participation

We hope this blog rally amplifyies our efforts to solicit feedback from every source possible as we understand that innovation does not always have a corporate address. We hope your engagement starts a viral movement of interest driven by individual people who realize their voice can and must be included. Let’s ensure that all of us – and the people we love – can have a health system that aligns health finance, care delivery, and individual incentives in a way that optimizes individual vitality and community health. Together, we can ensure the best ideas are able to come forward in a transparent competition designed to accelerate health innovation. We look forward to your participation.

This post was written by Scott Shreeve, MD in behalf of the X PRIZE Foundation. Special thanks to Paul Levy for both demonstrating the value of collaborative effort and suggesting we utilize a blog rally for this crowdsourcing effort.

Can somebody look at Medscribbler

Hi,

A few days ago, medscribbler decided to do an Open Source release. The release appears legit. They have the sourcecode available from the sourceforge medscribbler svn repository. The license is clearly labeled as GPL v3.

Sadly, I do not have the time to download this and see if it is worthwhile. However, theoretically, it should be a tablet-oriented EHR interface system that could be quite valuable code.

Not so found of the .NET server, but the tablet-side code could be important.

Can somebody download this and do a write-up? Let me know.

-FT

A geek in the ER

Recently someone turned me on to a post by data expert Joe Bugajski entitled the Data Model that Nearly Killed Me.

The article is marvelously written, and meticiously detailed. He actually has a chart where he chronicals his pain level, repeated histories, medications and location.

I am always impressed by the level of analysis that the average geek can bring to a healthcare IT situation.

The problem is that while Joe is familiar with Data Models, he is not familiar with Healthcare IT. I can tell you that none of his recommendations are actually practical. Mostly because they are top-down oriented, which is the right way to view a data model, but the wrong way to think about Health IT.

Joe has not yet familiar with the under-water portion of the iceburg that he has run into. I have been trying to fix the problems he is experiencing for years and I can assure you, they are much harder than even he thinks. However, most of the problems are not technical, but political in nature.

Joes take makes a good read.

-FT