The iPhone, a poor HIT platform analogy

Recently, a NEJM perspective article titled "No Small Change for the Health Information Economy" advocated that a Health IT platform should be created in imitation of some of the successful technology platforms in other areas. Specifically, the iPhone was mentioned. The relevant paragraph:

The Apple iPhone, for example, uses a software platform with a published interface that allows software developers outside Apple to create applications; there are now nearly 10,000 applications that consumers can download and use with the common phone interface. The platform separates the system from the functionality provided by the applications. And the applications are substitutable: a consumer can download a calendar reminder system, reject it, and then download another one. The consumer is committed to the platform, but the applications compete on value and cost.

The whole article is worth a read; there are some pretty invaluable fundamental insights provided here that are right on. However, there are problems with the iPhone app universe. Imitating that universe will require that those problems find new solutions. The NEJM article recognizes some of these implicit difficulties, and suggests that the solution is for the government to step in and evaluate individual applications.

Here is a quick list of things that are true about the iPhone that really should not be true in a HIT platform:

  • Apple plays favorites. A lot. Google was given special access to forbidden APIs for a voice application. Nike is another great example of a company that created an application that has special privileges. It gets to have device integration that no one else gets. From Apple's perspective these kinds of things are acceptable because they create a user experience that is excellent. But it is not fair to developers. Developers who do not have the clout of Google or Nike know that they might be blown out of the water by a special deal that Apple might make with a bigger partner. It creates risk to developers and a lot of resentment. Playing favorites gives Apple a short term advantage but ultimately prevents a true meritocracy from developing. A Health IT platform has to be truly open, and not play favorites.
  • Apple protects its cash cows at the expense of innovation. Google Voice could have broken the back of the AT&T price for SMS messages, which can cost about $5000 per megabyte. It was rejected by Apple because it hit them in the cashflow. But Google Voice is probably one of the most fundamentally innovative technologies to appear in a long time. A Health IT platform will need to find a way to prevent this kind of blatant incentive problem from occurring. It's harder than you might think.
  • Apple's approval process is inscrutable. Sometimes applications are rejected for content, even though that content is already available through Apple elsewhere. The approval process is slow, painful and does not make sense; most importantly, people hate it. The problem is that you have to have an approval process, and the reason that Apple is so closed about the process probably has to do with the unpleasantness of watching sausage get made. It is not trivial to have an approval process that is fair and open, while also ensuring that developers do not abuse users. It takes time, which means money, and it is not clear where that money will come from in a Health IT platform.
  • Apple is a locked-in provider of software. This can easily be fixed by jail-breaking your iPhone, so that you can easily download apps from other sources. Apple limits the source of downloads for a reason: you can download anything with a jail-broken iPhone… even things that will make your iPhone much less stable. How do you ensure that applications are trustworthy, without having an exclusive source? Tough one.
  • Apple forbids creating applications that replicate core functionality. Which is exactly the opposite of what you want to do with a Health IT application. But no one will use the system unless you provide high-quality initial applications.

So the iPhone system, as an ideal, is fine to emulate. But you can see where your problems might be with such a platform by looking carefully at the problems that Apple is dealing with.

This is not really a criticism of the authors of the NEJM article… who, for instance, already see that the platform needs to be open source, addressing many of the problems that Apple is having by default… this is just to point out that all is not well in Apple land… analogies have their limits.

(update 9-01-09 I should talk about the iPhone more often, this article has generated more comments, faster than anything I have written in years. One comment particularly stands out. Piyush Daiya over at androidmedapps.com has provided a very careful analysis that shows that Android is a better embodiment of the ten principles that the NEJM authors endorsed. He is 100% right-on about that, and I wish I had thought to point that out myself. Thanks for reminding me, Piyush…)

-FT

Multiple Merged Monitors the nightmare

I use GNU/Linux on the desktop. This is for both ideological and practical reasons. I develop FOSS Health Software, and my preferred languages work best on GNU/Linux.

I also believe in Software Freedom.

Sometimes I will use proprietary software, if it is obvious that I need to do that in order to 1) further the overall FOSS in Healthcare movement or 2) put food on the table.

It was with some reservation that I have used the nvidia proprietary drivers in order to get three monitors working. I have used Red Hat for years and I usually like to use the latest version of Fedora for my desktop. However, I do not like upgrading as often as Fedora releases. I often get two or three versions behind. I had three monitors working as a single merged desktop on Fedora 9. Almost immediately after Fedora 9 went unsupported (1 month after two higher versions existed with Fedora 11), a yum update of the livna rpms crashed my desktop.

Since then I have been scrambling to get a multiple-monitor setup with a merged desktop working.

This has been a painful, brutal process. I have tried two generations of 4 different major distros. I have bought an entirely new computer. In the end I ordered two huge Dell monitors because I could only get two monitors to work at one time.

I will spare you the minutiae of what did and did not work. Here is what I discovered during my three month ordeal:

  • Multiple Monitor, merged desktop, and Multi-head support is one of GNU/Linux’s greatest weaknesses.
  • Multiple Monitor almost never works out of the box.
  • Debugging Multiple Merged Monitors is a nightmare.
  • Searching for solutions is painful. Almost infinite software and hardware version differences make what you find almost always useless.
  • While x.org is advancing, it is a very poorly managed project.
  • Nvidia is making development so painful with proprietary licenses that they should be boycotted.
  • By using nvidia’s drivers, rather than participating in efforts to replace them I have been making the problem worse.

I should know better. If I can help it, I will never use a proprietary GNU/Linux module again.

-FT

DocOliver

I have convinced my good friend and partner in healthcare reform, Dr. Cari Oliver, to start a blog.

She will now be talking about her ideas regarding patient engagement/empowerment/involvement/safety at docoliver.com

Whenever someone asks me “how do you do it” for blogging, I always tell them that the secret is to have something to say about something specific.

For instance, here on FredTrotter.com you will get a steady stream of information about Open Source Software in Healthcare, and all things related to it. That's a pretty broad brush that lets me talk about politics, healthcare, and healthcare IT along with Open Source in Healthcare. My readers know that if they visit or subscribe to my feed, they will generally get information about what is going on in the FOSS Healthcare world, with a generous dose of helpful bias.

At DocOliver.com you can expect to hear about how a patient -should- engage in their own healthcare, and -how- they can use Health Information tools to do it. If I had written the tagline of Doctor Oliver's site, it would be “Making PHRs actually do something useful for you”, but she tends to be a little more disciplined and careful with her prose than I am.

-FT

Rackspace instead of Amazon

For now, Health IT related projects should use the Rackspace Cloud instead of the Amazon Cloud.

Some of us are concerned with the issue of Software Freedom. Essentially, you need to have control over what your computer is doing and unless you have software freedom, someone else (the copyright holder who has given you a proprietary license) is in control with proprietary software. Software that respects the freedom of its users, often called ‘Open Source’ software, should be used exclusively in the healthcare domain. This should be obvious if you think about it. It is unethical for clinicians to allow proprietary vendors to control their computers, because they should have custodianship of patient records. If you agree with this paragraph, you really need to join Liberty Health Software Foundation.

The difference between the ‘cloud’ and ‘virtualization’ technologies with regards to GNU/Linux instances is simple. It is simply a matter of having a structured API available for the provisioning and control of GNU/Linux instances.

It is possible to implement a “cloud” in your local data center using projects like Eucalyptus, which essentially allows a large computer or set of computers to act like Amazon's EC2 service.

Is the API that is used to deploy these clouds FOSS compatible or not? If it is not FOSS, then it can become a mechanism for proprietary lock-in of health information. It does not matter if you avoid lock-in by using an entirely FOSS stack if you host it at Amazon and you cannot leave that service easily.

Remember that we need to be concerned with the continuity of Health data for hundreds of years, which is a totally different perspective than most IT applications. You need to be looking forward to the day that Amazon shuts its doors. That day -will- come, and you (or your successors) need to be able to get instances out of that cloud easily. In the short term, having access to cloud APIs under FOSS licenses helps address the basic concerns that people who respect software freedom have about the whole idea of cloud computing.

Others have discussed this before, but I want to point out that for the time being, if you want to be safe from all proprietary nonsense in your health information application, you should be using Rackspace, since Rackspace has provided its API to the community under an open source license. That makes the Open Source Rackspace API a new option for those who, like me, believe that software freedom is even more critical in healthcare applications.

I hope that Amazon will soon release its API under a FOSS license, but until it does… use Rackspace.

-FT

(updated 08-10-09 added ‘remember’ paragraph for clarity.)

Securing health applications with CACert.org

Still trying to recover from the conference last weekend.

OpenEMR was out in force at the conference and we had some interesting discussions about the best way to make PHP applications more secure. The following code is in PHP but the theory applies to any electronic health record. The wonderful thing about this method is that Apache does all of the heavy lifting for you.


Of course, none of this works without an Apache configuration!!



# another fine way to enforce https only.
# (the VirtualHost addresses *:80 and *:443 are assumed)
<VirtualHost *:80>
        ServerName example.com:80
        AddType application/x-httpd-php .php .phtml .php3
        DocumentRoot "/var/www/html/example/"

        # The following rewrite just forces everything to https!!!
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
        ServerName example.com:443
        DocumentRoot /var/www/html/example

        # Standard stuff
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        # The next two lines still allow SSLv3, RC4 and LOW-strength ciphers;
        # on a current server restrict them to modern TLS versions and strong ciphers.
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLOptions +StdEnvVars
        SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        # end standard stuff

        # the certificate that CACert.org has signed...
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        # my super secret private key
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

        # note that I can use the directory command to protect a single file!!
        # (PROTECTED_PATH is a placeholder; the protected path is not shown on this page)
        <Directory "/var/www/html/example/PROTECTED_PATH">
                # requires a client certificate
                SSLVerifyClient require
                SSLVerifyDepth 2
                # in order to validate the client certificates I need to have
                # a copy of the CAcert.org root certificate
                SSLCACertificateFile /etc/pki/tls/certs/cacert.crt
                SSLOptions +StdEnvVars
        </Directory>
</VirtualHost>
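
The application side of this setup, as an added example that is not part of the original post and is not OpenEMR code: once Apache has verified the client certificate, the PHP page still has to decide whether that particular certificate belongs to an authorized user. The function name, the allowlist format and all sample values are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). The SSL_* keys are the
// variables mod_ssl exports to PHP when "SSLOptions +StdEnvVars" is set.

/**
 * Return the application user enrolled for the presented client
 * certificate, or null when the request must be refused.
 * $enrolled is a hypothetical allowlist: "issuer DN|serial" => username.
 */
function user_for_client_cert(array $server, array $enrolled): ?string
{
    // Ignore certificate variables on anything that did not arrive over TLS.
    if (($server['HTTPS'] ?? 'off') !== 'on') {
        return null;
    }
    // SUCCESS means the chain validated against SSLCACertificateFile.
    // mod_ssl reports NONE, GENEROUS or FAILED:reason otherwise.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $issuer = $server['SSL_CLIENT_I_DN'] ?? '';
    $serial = strtoupper($server['SSL_CLIENT_M_SERIAL'] ?? '');
    if ($issuer === '' || $serial === '') {
        return null;
    }
    // A community CA signs certificates for anyone who enrols, so a valid
    // chain identifies the holder but does not authorize them. Only
    // certificates registered to a known account are let in.
    return $enrolled[$issuer . '|' . $serial] ?? null;
}

// Constructed sample data: the DN, serial numbers and username are made up.
$ca = 'CN=Constructed Client CA,O=Example';
$enrolled = [$ca . '|0A1B2C' => 'dr_example'];
$requests = [
    'enrolled certificate' => [
        'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_I_DN' => $ca, 'SSL_CLIENT_M_SERIAL' => '0a1b2c',
    ],
    'valid chain, not enrolled' => [
        'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_I_DN' => $ca, 'SSL_CLIENT_M_SERIAL' => 'FFFF01',
    ],
    'no certificate presented' => [
        'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'NONE',
    ],
    'plain HTTP, stray variables' => [
        'SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_I_DN' => $ca, 'SSL_CLIENT_M_SERIAL' => '0A1B2C',
    ],
];

foreach ($requests as $label => $server) {
    $user = user_for_client_cert($server, $enrolled);
    printf("%-28s => %s\n", $label, $user ?? 'DENY (403)');
}
```

In a real page the function would be called with `$_SERVER`, and a null result would end the request with a 403 before any patient data is touched.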


Medsphere's bus video released

I am happy to say that Medsphere has released its bus video. This is exactly the kind of irreverent and fun thing that makes FOSS addictive! We have a better way and it's so obvious that it's really not possible to make the points without also making a joke about it.

They included bits of my interview in the film and I loved that they kept the EPIC equals tank reference.

Enjoy!

Embracing the new CCHIT certifications

A few months ago, CCHIT suffered from what I like to call “angry letter round 1”.

This is where I send a very pointed, ultimatum letter to an organization of the general form “you are hurting my community, stop it or else”. Personally I find that about 50% of organizations respond positively and about 50% do not.

I am happy to say that Mark, Dennis and the other members of the CCHIT team have won my respect and appreciation with how they have taken a 90 degree turn from being an organization that was largely ignorant regarding the health FOSS movement to one that listened and engaged carefully, and has now come back with a plan for certification that I personally, and from what I can tell the FOSS community generally, can embrace.

This post is me doing that. At this stage I am comfortable recommending (to whoever is making the decision) that CCHIT be allowed to be one organization allowed to certify for ARRA funding, under their new EHR-C/EHR-M/EHR-S certification model.

Specifically, I am talking about the new site level certification program. Here is a cut and paste from the CCHIT townhall pdf regarding EHR-S site certification.

Certification Program Concepts for EHR Sites (EHR-S)

  • Definition: Certified EHR-S sites have developed or assembled EHR technologies that comply with Federal standards and enable them to meet all Meaningful Use Objectives.
  • Provider applicability: Any physician office, clinic, hospital, other facility or network that has self-developed or assembled an EHR from various sources and wishes to apply to ARRA incentives.
  • Certification requirements: Functionality available (regardless of deployment model) that enables providers to comply with applicable Federal standards, implement adequate security practices, and meet Meaningful Use Objectives.
  • Inspection methods: Virtual Site Visit technology with offline inspector review and follow-up correspondence.
  • Cost range: ~$150 – 300 per licensed provider (ambulatory); hospital pricing model TBD. Scholarships for eligible providers (FQHC, underserved population, critical access, etc) if grants can be obtained.

This along with the fact that all of the new certification programs will not require re-certification for minor software revisions, means that there is a clear path for FOSS adoption along with ARRA funding assuming CCHIT certification is endorsed.

Of course, as Dr. Billings points out, there are a lot of details to work out. However, unlike other critics of CCHIT, I have never felt CCHIT to be duplicitous; rather, they were one of the many groups who were trapped in a way of thinking that I disagree with. Now that CCHIT understands how our community frames the EHR problem, they have done a good job creating a certification that can work for us.

This is a huge relief. I was afraid that our small community 501c3, Liberty Health Software Foundation (LibertyHSF), was going to need to learn how to certify, create a standard to certify against and then get ourselves approved by the ARRA powers before the end of the year. Not good.

I would like to thank the FOSS community members who helped make this possible, especially Dennis Wilson, who served as a bridge between us and CCHIT. Thanks to Mark and everyone else at CCHIT who made such a drastic rethinking of your core business in such a short time; we appreciate it!

I am now serving in the role as the director of LibertyHSF, and I need to start being careful to note that this is my personal opinion, and not the official opinion of LibertyHSF. I think LibertyHSF will probably have the same position, but I need to have a community vote on that before we will put something up on libertyhsf.org. That process takes a little more time to arrange. Still, I personally have been one of the most vocal critics of CCHIT on this blog and I thought it appropriate to note that I approve of CCHIT’s most recent actions. (UPDATE 7-13-09 CCHIT has blogged about this post)

Regards,

-FT

Can CCHIT move beyond PROBLEM EHR certification?

Recently CCHIT has come under fire for being too focused on large proprietary vendors and specifically, its association with HIMSS.

These attacks have gotten so bad that Mark Leavitt has posted a rebuttal, which has generated a tremendous amount of attention over at THCB (a blog well worth adding to your RSS feed).

Mark raises several good points in defence of his organization, including:

  • There is currently no financial relationship between HIMSS and CCHIT
  • Vendors who are involved at CCHIT are limited in what seats they can hold and what votes they can make
  • CCHIT takes great pains to ensure that it is not biased by vendor ties.
  • There is a strict conflict of interest policy in place

Mark is right to point these out, but this misses the heart of the criticisms coming from FOSS and other places.

The problem is not that there are ‘sneaky’ influences from HIMSS and Vendors, but rather a simple self-selection bias.

CCHIT is and always has been a monolithic check-list for Proprietary, Rigid, Overweight, Bloated, Loaded, Expensive, and Massive (or PROBLEM for short) EHR products that allowed out-patient doctors to effectively track and monitor the healthcare of their patients. Most of the ‘founding fathers’ of CCHIT were either vendors with PROBLEM EHRs or EHR users who had already bought in to the PROBLEM EHR model.

The CCHIT process -is- open to all, it -is- democratic and it does seek to balance the interests of vendor and non-vendor participants. Everything Mark is claiming is right on and it does not matter at all. The participants in CCHIT have all bought into the PROBLEM model. Those of us who have always thought differently than CCHIT have stayed away because it was obvious from the get-go that the certification model put forward by CCHIT was incompatible with our goals.

Right now, CCHIT is taking it from all sides because there are so many people who disagree with some aspect of the PROBLEM model. Practice Fusion wants to see really cheap EHR services like the one that they offer be certified. The ‘Clinical Groupware‘ people want to see the certification of a suite of technologies that may or may not add up to a traditional EHR. The EMR-lite people want to see faster and lighter tools. The PHR people and consumer advocates want EHR systems that empower the patient instead of the provider. The Health 2.0 people want to see completely different models of finance and care become possible. Of course, the FOSS people (like me) want FOSS EHRs to get equal footing.

In defense of CCHIT, Mark and the other members of CCHIT that I have met have bent over backwards to try and see things from the FOSS perspective. They have truly listened and they are starting to understand how different our community really is. I would encourage the members of the other communities to consider working with CCHIT before discounting them. CCHIT needs to be given the opportunity to re-invent itself before it is discounted. The recent press release from CCHIT indicates that it will be establishing town hall meetings for the FOSS community. I am not confident that this will work, but it is an indication that CCHIT is willing to try and see things from a different vantage point.

However, it may be difficult for CCHIT to reinvent itself. Realistically, the PROBLEM EHR vendors and users do not want to see CCHIT supporting very different models than their own. If CCHIT appeases the crazies like me too much, it stands to lose its ‘base’. This is why I believe it is critical that ONC leave the door open to sources of certification other than CCHIT. Doing so keeps the pressure on CCHIT to broaden its certification systems to include very different philosophies of Health IT. Without that extra pressure, there is no way for CCHIT to act in a way that is not in the direct interests of its current PROBLEM membership.

-FT

(update 6-03-09 Dr. Kibbe pointed out to me that the proper term was ‘clinical groupware’ and not health groupware. He also pointed me to an excellent post by Adam Bosworth defending exactly that perspective, so I linked it in. Also corrected some spelling errors)