MUMPS is modern

NextGov has an article that implies that the VA and DOD should compile MUMPS code to Java code.

Before we get into this discussion I would like to point out the fundamental flaw with implying that MUMPS is not a modern system. People who say things like this are usually ignorant, arrogant, biased or a healthy mix of all three. MUMPS engines have evolved and improved just like other systems that were developed in the same time frame. No one would consider calling C, (which powers the iPhone as Objective C) SQL, (which underlies ORACLE, and MySQL) or Unix (which is the design paradigm for Linux) antiquated. Unless you can detail exactly what ‘modern things’ MUMPS cannot do you have no business calling it old or implying that it is not modern.

Doing so merely serves to show that you are purveyor of second-hand technical knowledge. If you do not like MUMPS and have some legitimate reasons to avoid it, please take a page from David Uhlmans playbook:

I do not in any way want to offer
a general commentary on why some people want to use MUMPS or don’t
want to, or X language is better than Y, I am not looking to instigate
a flame war or really say that what we are doing is a better or worse
approach from a technical standpoint than anything else. It is the
right approach for us.

There are good reasons to get away from MUMPS, and there are good reasons to stay with MUMPS. Please do not use propaganda to make it seem like it is obvious in either direction.

Now… on to the idea of compiling MUMPS:

That is a seriously problematic idea. But it is hardly original at this stage. This is similar to the strategy that ClearHealth Inc. is following with WebVistA. ClearHealth has described the WebVistA technology strategy here and discussed it briefly on Hardhats. However, the basic strategy that I have taken away from talking directly to David Uhlman is that they compile MUMPS to C code, and then the C code to PHP modules, which they then use to build a web interface to VistA.

This much better than the idea of compiling to Java, because:

  • It works now. Not after 2 years and millions of dollars.
  • It jumps all the way to a web-environment.

But there is one basic problems with any ‘compile MUMPS’ technical strategy.

It is not clear where or how you edit the code.

If you edit in MUMPS then, you are not really getting away from MUMPS at all. Further the compile times for ‘all of VistA’  take days or weeks. That does not work for the write, compile, test, debug, write… software development method. But the C code that results is essentially just a pre-cursor to machine code. You might as well just modify the assembly code directly. You cannot really edit at the PHP level, because you are dealing with binaries at that point. But it is even more problematic that you could code modifications in MUMPS -and- C, but what would that mean? In short, this seems like a recipe for unmaintainable code.

Be assured, ‘migrating’ or ‘converting’ from MUMPS to anything will result in a lose of meaning. The Java compile methods that are mentioned in the NextGov article are just as problematic as the ones ClearHealth is using with WebVistA, and for the same reasons.

This does not mean that the compilation method will not work. But it does mean that we should be dubious about any strategy that suggests this method until they have been proven to work. At least David Uhlman is basically saying, ‘hey look, this seems to be working for me, let me get the kinks out and I will show you’, rather than the arrogant position of: MUMPS is not modern, I have done this in the lab, please give me many millions of dollars and several years and I will be able to change this all to unreadable and unmaintanable Java. Please. It is hard to imagine how little I think of this idea. If this happens to be an idea that you support…. I hereby fart in your general direction.

-FT

CCHIT Feature bucket

A central problem with CCHIT is the feature bucket.

CCHIT certification represents compliance with a list of hundreds of functional requirements. This would be great if that list of features were 100% a good idea, but the reality is far from the truth. From the FOSS perspective we feel that there is a considerable dumbing-down effect that the certification brings. It prevents us from maintaining meritocracy.

I want to focus on one CCHIT issue that serves to illustrate this issue: Passwords.

Here is item SC 03.10

When passwords are used, the system shall support case-sensitive passwords that contain typeable alpha-numeric characters in support of ISO-646/ECMA-6 (aka US ASCII).

The problem, VistA supports three user ids, one that is equivalent to a username, and two that are similar to passwords. Without getting over my head on the details, there are two possible password types so that you can have one that your admin user can know and reset for you, and one that no one knows but you. There are all kind of administrator abuse scenarios that this addresses, but the VistA username/password/password system is not certifiable out of the box because it does not support case sensitivity. Which, as you can see, is a requirement. Most people are only aware of the CPRS client for VA VistA but in reality there are several clients, all of which support the username/password/password mechanism.

So when any VistA-based EHR goes and gets CCHIT certified it has to make the password system -act- dumber (in compliance with SC 03.09), and add case sensitivity.

Then lets look at the ClearHealth Inc. projects opinion on the value of hashing passwords. They believe, essentially that it give a false sense of security and an admin overhead that should be avoided. I disagree with them, but I can see where they are coming from. This however is in contradiction with the following rule: SC 03.11

When passwords are used, the system shall use either  standards-based encryption, e.g., 3DES, AES, or standards-based hashing, e.g., SHA1 to store or transport passwords.

So one simple issue, we have considerable debate in FOSS systems about whether this is actually the right design at all. But CCHIT takes the position that their way is the ‘right’ way and will not certify a system designed in a different way.

I hope that this is helpful in understanding why the ‘feature bucket’ is a problem for FOSS. It is directly contradictory to the notion of meritocracy that rules our culture. The -best- ideas win, not the ideas that come from a vote of the committee.

What we need from CCHIT is to identify the boundaries of an EHR system, not the contents. This is an idea that I have heard so many times and from so many different people, the only thing I can be sure of is that it is not mine:

There are three obvious edges to an EHR system:

  • The ability to report on quality metrics
  • The ability to interoperate with other HIT systems
  • The ability to monitor and track access (security)

There are published standards available for all of these that can be tested in an automated way. That defines what an EHR needs to be able to show the world, but not define -how- it needs to provide those services. Frankly, if a system is capable of improving the quality of the delivery of healthcare, sharing its data, and can limit access to private data, the implementation details are not as important.

While those details are still important and should still be subject to scrutiny and respect the freedom of users, they can become the subject of debate of people like me who obsess about these kinds of issues.

What are the advantages of this model?

  • We do not need expensive juries, instead we can fully automate testing and make the certification cheaper for everyone.
  • We allow for freedom to implement ideas differently as long as the results are the same.
  • It is not biases against FOSS, proprietary or (for that matter) paper or other low-tech systems.

Just some thoughts.

Towards fair EHR certification

The meeting with CCHIT worked. The FOSS community, to the degree that such a thing is possible, had authorized me to go nuclear on the issue before the meeting. I had been given assurance that the community has been so frustrated with dealing with CCHIT that if they did not work with us that if I started an alternative certification program that I would be backed up with the dollars and brains from the community needed to make an alternative certification go.

At this time it appears that such dramatic actions will be unnecessary. Mark Leavitt and Dennis Wilson were willing to consider the profound practical and cultural implications of the ‘rules’ of the FOSS. These implications are difficult enough for FOSS insiders like me to fully grasp that I realized during the meeting that there is still work for me to do make these problems accessible.

CCHIT has recorded the talk and published it here on their website. I have converted the file to an ogg, for those who care about patent issues in audio files. Contact me if you would like a copy. (its too big to host from this server)

So let’s take a 10,000 foot view of FOSS + Health IT + Certification of any kind.

The first thing to understand is that ‘ownership’ of FOSS projects is spread across all of the users and developers of a FOSS system. The true owner of the copyright involved is usually irrelevant and often impossible to calculate. ClearHealth for instance is a high level LAMP (Linux Apache MySQL PHP) application. Besides needing the considerable portions of LAMP, ClearHealth also makes use of tens or hundreds of sub-projects like smarty, phpgacl, scriptalicious, and adodb.

More importantly ClearHealth contains contributions from probably hundreds of people who have contributed bug fixes, clinical templates or modules. In the case of ClearHealth one company, which wisely has chosen the same name as the project, produces 99% of the core. While ClearHealth Inc. produces the vast majority of the code, there are several other companies, (including my own <- shameless plug) that support the same codebase.

It is not really possible to determine in any consistent way who is responsible for a codebase. Often ClearHealth Inc. employees will take code that I and others contribute on the forums and copy into the code repository in such a way that it appears that a ClearHealth developer wrote the code. The contributors do not care and ClearHealth Inc. does not care. My contributions are meaningless outside of what the ClearHealth Inc. team has given to me, and the license requires that my contribution falls under the GPL. There is no way to determine who truly responsible for a codebase, only to make good guesses.

Under the current certification model I could wait for ClearHealth Inc. to figure out how to pass the current CCHIT tests, and then republish the changes to the current ClearHealth codebase required to pass CCHIT. ThenI could apply for CCHIT certification with my friendly fork of ClearHealth. The real cost of doing the certification is the preparation, which is essentially an annual cost (You do not have to do it annually, but your are at a competitive disadvantage if you do not) of about 300k and which will probably be going up.

So I would be getting a certification for about 1/10th the price that ClearHealth pays.

The problem that is that while we collaborate extensively, ClearHealth Inc. and I still compete for customers. If I can offer support for my certified, re-branded version of ClearHealth without participating in the practical price of certification I would be able consistently undercut the support rates of ClearHealth Inc. This represents a disincentive for ClearHealth Inc. to pursue CCHIT certification.

Now consider the OpenEMR project. This project is made up of about 10 major contributors who all share the development duties. There is no single benevolent dictator and there are several companies with developer commit access. Like WorldVista there is a central non-profit that serves as a focal point for community issues for that project. Both of these non-profits will have trouble coming up with 200k a year for continued re-certification and no participating company is large enough to easily take that role.

The lesson here is that in the FOSS community everyone benefits from good code, not just the original developers. If the ‘Tax’ of certification falls to any one party in the community usually it becomes too great a burden for that party.

Practically, it is also impossible to allow a costless download of a CCHIT certified open source EHR. CCHIT requires CPT codes, (which it should not) and CPT codes are owned by the AMA. It is not possible to distribute CPT codes for no cost without violating AMA copyright.

Take away lessons:

  • Under the current model it is difficult to have the cost and benefit of the certification evenly distributed.
  • There is no way to easily ‘share’ the certification
  • There is no maintainable benefit to being the organization that sacrifices to get a certification for a particular FOSS codebase.
  • It is not possible to prevent other organizations to certify a system that has already been certified.
  • proprietary ontologies, like CPT, are a problem for the distribution of FOSS EHR systems.

Most of these issues were brought up in the meeting, and CCHIT is listening to everyone. I just wanted to put down these issues all in one place for reference. Feel free to comment on this post with other issues that you feel are central to the problem with certifying FOSS EHR projects.

-FT

Medsphere bus

This is simply the -best- publicity stunt that any FOSS EHR vendor has done yet.

Last year Cerner decided not to return to the HIMSS show-room floor. Instead they decided to subversively bring in thier massive traveling booth. This is a converted semi truck that obviously cost a small fortune. It is obvious that the pricetag on this thing has got to be into the hundreds of thousands, if not millions. Anyone who has been to the showroom floor at HIMSS can quickly recognize that this is merely another chapter in the book of excess that is the proprietary EHR vendor community. This kind of spending speaks to one thing: massive profit margins sustained by vendor lock-in.

Medsphere heard about this, and decided to pull a little stunt. They found an old VW bus and turned into a symbol of their company and to a great extent our community as a whole! They spent a modest sum refurbishing their bus, which was already a symbol of everyman freedom! Then they drove it to HIMSS and tried to find a place that they could show thier bus next to the Cerner bus.

The pictures that result are a fitting visual analogy between the basic mindset and philosophy of the FOSS commercial EHR community and the proprietary EHR vendors.

Enough preface… have a look!!

A lesson in visual philosophy
A lesson in visual philosophy

CCHIT vs FOSS pre-meeting issues

I am preparing for the meeting tomorrow with CCHIT and FOSS. I had previously used Google Moderator to get a feel for what my communities position on this issue is. Moderator allows for the same question to get posted again and again, so often the same idea was represented twice. So ignoring duplicates and ideas that got less than 12 votes (arbitrary), here are the positions that garnered the most support:

“To avoid data lock-in (FOSS or proprietary) CCHIT should provide a focus on interoperability.”
Tim Cook, Brazil/US

“CCHIT should drastically lower the costs for the certification of FOSS Health IT systems in recognition of their status as a public good.”
Fred Trotter, Houston

“CCHIT must find a way to protect the interests of the “original developer”. If an individual contributes/creates a FOSS EHR, and then a second party gets that codebase CCHIT certified, under the current system, only the second party benefits.”
Fred Trotter, Houston

“CCHIT should certify FOSS projects. Multiple companies could pool resources for certification purposes, and all the users of the project would benefit from the certified status, as long as they used the tested codebase.”
Fred Trotter, Houston

“CCHIT should move towards higher level certification mechanisms that do not focus on black-box certification.”
Fred Trotter, Houston

“FOSS licenses provide a “right to modify” to the end user. This is fundamentally incompatible with the idea that a certain codebase is “certified” in the way that CCHIT currently understands it.”
Fred Trotter, Houston

“Create a separate-but-equal CCHIT certification for FOSS Health IT software. It should be much cheaper and recognize the differences in the FOSS model. It should be much less expensive.”
Fred Trotter, Houston

“CCHIT charges should be based on an ability to pay. Smaller companies &/or community projects (i.e OS) should not disadvantaged and innovation should not be discouraged because of cost.”
Tim Elwell, New York

“Under the current model, CCHIT certification cannot jump vendors, so if a FOSS EHR user uses the “right to fire” implied in a FOSS license, they would lose CCHIT certification during that process. Thus certification is currently a lock-in mechanism.”
Fred Trotter, Houston

“CCHIT should re-publish the software licenses of the CCHIT software. Proprietary or otherwise. Further, the practice of removing bankrupt EHR companies from the list must be halted, they should be listed with a license status of defunct.”
Fred Trotter, Houston

“CCHIT should certify application modules. If it can be proven that the certified module’s software code base has not changed, others may incorporate the certified component in their application – license permitting – without recertification.”
Tim Elwell, New York

“CCHIT should consider releasing the certification criteria themselves under Creative Commons or GNU Documentation license. This would allow the FOSS community to develop our own certification methods and systems based on CCHIT standards”
Fred Trotter, Houston

“CCHIT should allow for automated testing of FOSS codebases. For instance a mechanism to prevent the re-testing of FOSS EHRs whose sourcecode had not changed, when the relevant criteria had not changed.”
Fred Trotter, Houston

“Successful FOSS projects share revenue with 3rd party companies who resell the software More companies make for a better supported and longer lasting product. CCHIT should charge each a smaller % of cert fees to support this business model.”
Greg Caulton , Boston

HIMSS09 day 2: Interview with Vish Sankaran

Today I meet with Vish Sankaran, whose official title is ‘Program Director Federal Health Architecture’ from what I can tell, that post is just as important as it sounds. Vish was, along with representatives of several major federal agencies, presenting the new NHIN open source infrastructure project called Connect. We have been waiting patiently to see code drop, and according to Vish, that should happen at connectopensource.org tomorrow!

I first heard about this project when Harris Corporation announced that they had won the NHIN contract. Harris is a big government contract shop and had apparently little experience with either FOSS or Health IT. I was please to be later proven wrong when they found that they did have considerable VistA talent on-board.

I was befuddled about how a company could announce that a product would be both public domain AND open source, seeing as how those terms have very different meanings. After my initial contact with them, it was obvious that they did not really understand the FOSS culture or community, (they actually asked a FOSS development group to sign an NDA to reveal more details of the project) and after hearing my less-than-flattering comments regarding their announcement, they made it clear that they would simply put their heads down and code until they had a product… then they would let the Office of National Coordinator sort out how to interface with the community.

I am not sure when or how Sun became involved in the project. But I was relieved to hear it. Sun has much more experience with the FOSS community, and from what I can tell Sun has bet the farm on FOSS. I have already had a conversation with some representatives from the Sun team about the release, but they were necessarily tight lipped about important details like licensing and project structure ahead of the official announcement. I hope to arrange a podcast with them soon, now that they can speak more freely.

Which brings us to today. Today Vish and his panel were discussing what they had working and what they had planned with regards to both the NHIN and Connect projects. More importantly, Vish was willing to do a brief podcast with me. My audio seemed pretty broken up… but keep listening because he sounds fine.

Vish Sankaran Interview (in ogg)

Vish Sankaran Interview (in mp3)

P.S. I am not the first person to record Vish

CCHIT to meet with FOSS community

Recently, I was asked by several community members to begin ‘activating’ the community at large against certain threats to FOSS in healthcare. Dr. Valdes and I have been planning on doing this for years, and, in our own ways, have both begun to attempt to make the public aware of the issues that our community (FOSS Health IT) faces. Dr. Ignacio Valdes has been publishing several articles on the subject at LinuxMedNews , which have meet with considerable success. One of his posts on the subject have been slashdotted.
While Ignacio has been taking a hard-line Free (as in freedom) Software approach, I have been (in a twist for me) taking an ‘Open Source’ approach. The people who approached me at DOHCS were unanimous in their belief that what FOSS needed from the government was merely a level playing field, so that we could compete, and win, on our own merits.

The largest single threat to the future of FOSS in healthcare in the US is the certification process mandated by the stimulus act. The language provides funding for -certified- EHR systems and eventually penalties for not using -certified- EHR systems.

The best established certification body is CCHIT. They have not been named as the certification body, but they are likely lobbying for that role. However, CCHIT has had an anti-FOSS stance for years. For years, I and other activists in the community have chosen
to largely ignore this bias. Simply because CCHIT was an optional certification. Now, things have changed. It is possible that the government will mandate a certification program that is either CCHIT or similarly unfriendly to FOSS.

Recently I submitted my complaints to Dennis Wilson (associated with both the FOSS Laika project and employed by CCHIT) who put me in touch with Mark Leavitt. As a main result of that discussion, Mark has agreed to have a meeting with the community-at-large about this issue at HIMSS (please see the forwarded message from the CCHIT e-newsletter below).

Granted, this is like offering to meet with the Rebel Alliance at the annual Death Star conference. Even more overtly than CCHIT, HIMSS is decidedly anti-FOSS. HIMSS has actively attacked and defamed the FOSS movement. For example, HIMSS EHR Vendor association continues to limit membership to vendors who “design, develop and market its own proprietary Electronic Health Record (EHR) software application.” Further HIMSS has specially advocated against the US government funding of FOSS EHR solutions, which implicitly includes VA development of VistA. There is also great concern about the ties between CCHIT and HIMSS/EHRVA. Leavitt himself was employed by HIMSS immediately before his current position and is currently a fellow of HIMSS. CCHIT maintains that the two organizations are independent, everyone else seems to understand the dangerous familiarity between the two organizations. (update 3-30: Dennis Wilson has noted that this meeting will be held ‘with’ but not ‘at’ HIMSS… You do not need a HIMSS badge to attend)

However, Mark has also agreed to provide some kind of remote access capability for those of us who cannot afford the time, cost or moral compromise required to attend HIMSS. For this reason, and because of their willingness to meet at all, I am asking the community to attend the CCHIT/FOSS meeting. In person if at all possible, by remote access if not.

The meeting will be held at HIMSS on  Monday, April 6, Room 10d, Session #2  2:00  – 3:00 PM

I have heard from several of the HIMSS ‘regulars’ in our community that they will be going. However, it is critical that we have a show of force within the community from precisely those people who have the most to lose with regards to the certification issue: small support companies and individual consultants.

We are becoming more ‘organized’ as we speak. Please watch this space for more announcements on how you can participate to keep the US government from making anti-FOSS blunders now and in the future.

Best,
-Fred Trotter
http://www.fredtrotter.com

———- Forwarded message ———-
From: Sue Reber <sreber@cchit.org>
Date: Fri, Mar 13, 2009 at 3:07 PM
Subject: FW: CCHIT eNews: Seeking volunteers, Expansion,
Interoperability and Open Source
To: fred trotter <fred.trotter@gmail.com>
Cc: Dennis Wilson <dwilson@cchit.org>

Fred – see below “Commission Hosts Interoperability and Open Source
Roundtables on Certification” in our regular electronic newsletter.

C Sue Reber

Marketing Director, CCHIT

Certification Commission for Healthcare Information Technology

503.288.5876 office | 503.703.0813 cell | 503.287.4613 fax

sreber@cchit.org

— majority of newsletter removed for brevity —

Commission Hosts Interoperability and Open Source Roundtables on Certification

In addition to its annual Town Hall at the upcoming  HIMSS09 Annual
Conference in Chicago, the Certification Commission will be  hosting
two technical roundtables, co-located with the conference, for health
IT vendors and developers. The first, “Interoperability 09 and Beyond:
a look  at CCHIT’s roadmap for the future”, will present the
Commission’s  interoperability roadmap and explore the standards and
testing tools with  which developers need to be familiar.

The second, “Open Source  Forum: a dialogue on certification for open
source EHRs”, is designed to  continue the discussion with open source
developers with an interest in  certifying EHRs. This session will
allow an open exchange of the challenges  and opportunities for making
certified open source EHRs available to  providers.

The times and locations of sessions are below. Both Health IT
Technical Roundtables will also be available via free remote access.
Details will be available at cchit.org prior to the date.

CCHIT Town Hall at HIMSS09 Annual Conference
Sunday,  April 5
Room W192b, McCormick Convention Center, Chicago
9:45 – 11:15  AM

Health IT Technical Roundtables at Hyatt McCormick Conference Center
Monday, April 6
Room 10d, Hyatt McCormick Conference  Center, Chicago

Session #1  1:00 – 2:00 PM
Interoperability 09  and Beyond: a look at CCHIT’s roadmap for the future

Session #2  2:00  – 3:00 PM
Open Source Forum: a dialogue on certification for open source  EHRs

— sections removed for brevity —-

Contact : eNews@cchit.org | www.cchit.org

Copyright © 2005-2009 Certification Commission for Healthcare
Information Technology
Privacy Policy   |   Terms of Use   |   Contact

______________________________

__

If you no longer wish to receive these emails, please reply to this
message with “Unsubscribe” in the subject line or simply click on the
following link: Unsubscribe

________________________________

Certification Commission for Healthcare Information Technology
200 S Wacker Dr
Suite 3100
Chicago, Illinois 60606
US

My wife attends the University of Houston.

Normally, I reserve this space for discussing Health IT matters, but in this case I must make an exception. UH is one of the most frustrating institutions I know of. I believe, that UH has one of the most ineffective Information Infrastructures I have ever seen. So I am devoting a new topic in my blog to discussing my frustrations with it. My wife (Laura) and I have been having multiple, serious frustrations for some time, and each time I imagine that I should write something about it. But I do not want to start yet another blog, so I am going to use a category of this blog for now.  Perhaps I will use RSS etc to turn this into a separate blog. If you are interested in my Health IT posts… please skip this.

Today vnet.uh.edu is down. Vnet is the portal for students to receive course materials from their professors. Why? As best I can tell, it is down because it is test-time. The university education website is down… when it is needed most. It is probably down because it is being flooded with users. It is being flooded with users since so many students have a test tomorrow.

In short, vnet is exactly the sort of tool that breaks when you need it most.

There is little that vnet does, that Moodle does not do. Moodle, because it runs on Linux, can happily sit in the cloud at Amazon or Rackspace, which means that it can scale (in an automated fashion) to the point that entire countries could hit the website at the same time.

But instead it is being hosted either by the school or by vnet. In either case, it breaks constantly. According to this video vnet “leverages open source”. However, the vnet website has no mention of downloads, community or license. That usually means that the application is 100% proprietary. Further, it is easy enough to conclude that VNET was primarily developed by UH.

I am sure that VNET has some features that Moodle does not. But instead of adding to Moodle, and using a known-good platform, UH has decided to use a platform that they built themselves.

Now my wife cannot get to her documents. And I am sitting here pressing “refresh” in the hopes that I will be able to get onto the site, so that my wife can pass her Genetics class.

-FT

Health of the Source

I pretty regularly give a talk entitled “The health of the source”. The subject of the talk is everything that has happened in health FOSS, since the last time I gave the talk. Thankfully things move along fast enough that I am never short of content. You will find this article dripping with useful bias and opinion. This is not merely a list of projects but also what I think of the projects. I might be omitting your favorite project intentionally, because I think it is irrelevant, OR out of ignorance, OR because I am limiting the scope. For instance this time I did not include much on clinical research (openclinica) or imaging, since my TEPR audience might not be interested in those.

This intended to reference Larry Walls regular summary of the perl community typically entitled “state of the onion“. (I am suffering from pun envy here… if you have something better… let me know) As I was writing yet another throw-away Open Office presentation, I was lamenting the fact that I had not posted anything really meaty on my blog lately, and I thought I should post my presentation. Then I was thinking how each page of my presentation would really serve as a blog post by itself. Then I realized that I could write one blog post, and if I kept each page short enough to fit above the fold on my little laptop, I could make a postentation. ( <- just invented this word)

So if you would like, you can now read my latest presentation just by clicking on the page numbers on this post. Hopefully it is coherent enough to read without me talking about each slide. But if not, leave me a comment and I will try and fix things.