Rackspace instead of Amazon

For now, Health IT related projects should use the Rackspace Cloud instead of the Amazon Cloud.

Some of us are concerned with the issue of Software Freedom. Essentially, you need to have control over what your computer is doing and unless you have software freedom, someone else (the copyright holder who has given you a proprietary license) is in control with proprietary software. Software that respects the freedom of its users, often called ‘Open Source’ software, should be used exclusively in the healthcare domain. This should be obvious if you think about it. It is unethical for clinicians to allow proprietary vendors to control their computers, because they should have custodianship of patient records. If you agree with this paragraph, you really need to join Liberty Health Software Foundation.

The difference between the ‘cloud’ and ‘virtualization’ technologies with regard to GNU/Linux instances is simple. It is simply a matter of having a structured API available for the provisioning and control of GNU/Linux instances.

It is possible to implement a “cloud” in your local data center using projects like Eucalyptus, which essentially allows a large computer or set of computers to act like Amazon’s EC2 service.

Is the API that is used to deploy these clouds FOSS compatible or not? If it is not FOSS, then it can become a mechanism for proprietary lock-in of health information. It does not matter if you avoid lock-in by using an entirely FOSS stack if you host it at Amazon and you cannot leave that service easily.

Remember that we need to be concerned with the continuity of Health data for hundreds of years, which is a totally different perspective than most IT applications. You need to be looking forward to the day that Amazon shuts its doors. That day -will- come, and you (or your successors) need to be able to get instances out of that cloud easily. In the short term, having access to cloud APIs under FOSS licenses helps address the basic concerns that people who respect software freedom have about the whole idea of cloud computing.

Others have discussed this before, but I want to point out that for the time being, if you want to be safe from all proprietary nonsense in your health information application, you should be using Rackspace, since Rackspace has provided its API to the community under an open source license. That makes the Open Source Rackspace API a new option for those who, like me, believe that software freedom is even more critical in healthcare applications.

I hope that Amazon will soon release its API under a FOSS license, but until it does… use Rackspace.

-FT

(updated 08-10-09 added ‘remember’ paragraph for clarity.)

Securing health applications with CACert.org

Still trying to recover from the conference last weekend.

OpenEMR was out in force at the conference and we had some interesting discussions about the best way to make PHP applications more secure. The following code is in PHP but the theory applies to any electronic health record. The wonderful thing about this method is that Apache does all of the heavy lifting for you.


Of course, none of this works without an Apache configuration!!



# another fine way to enforce https only.
# (the *:80 / *:443 addresses and the protected file path are placeholders)
<VirtualHost *:80>
        ServerName example.com:80
        AddType application/x-httpd-php .php .phtml .php3
        DocumentRoot "/var/www/html/example/"

        <IfModule mod_rewrite.c>
        # The following rewrite just forces everything to https!!!
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
        </IfModule>
</VirtualHost>

<VirtualHost *:443>
        ServerName example.com:443
        DocumentRoot /var/www/html/example

        # Standard stuff
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        # As written, the protocol line allows every protocol the server build
        # supports except SSLv2 (so SSLv3 where available), and the cipher string
        # admits RC4 and LOW-strength suites where the OpenSSL build offers them;
        # restrict both on a current server.
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLOptions +StdEnvVars
        SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        # end standard stuff

        # the certificate that CACert.org has signed...
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        # my super secret private key
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

        # note that I can use the directory command to protect a single file!!
        # (PLACEHOLDER.php stands in for the protected file)
        <Directory "/var/www/html/example/PLACEHOLDER.php">
                # requires a client certificate
                SSLVerifyClient require
                SSLVerifyDepth 2
                # in order to validate the client certificates I need to have
                # a copy of the CAcert.org root certificate
                SSLCACertificateFile /etc/pki/tls/certs/cacert.crt
                # export the SSL_* variables (client certificate details) to PHP
                SSLOptions +StdEnvVars
        </Directory>
</VirtualHost>
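An application-side check to go with this configuration, added here as an example (it is not the PHP from the original post and not OpenEMR code): `SSLVerifyClient require` only proves that the certificate chains to the CAcert.org root, and every certificate issued under that root passes, so the application still has to map the presented certificate to a known user. The allow-list entry, the user name and the function name `authenticate_client_cert` are hypothetical; the `HTTPS` and `SSL_CLIENT_*` variables are the ones mod_ssl exports under `SSLOptions +StdEnvVars`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the post. The allow-list entry is constructed.
// Key: issuer DN as mod_ssl reports it + "|" + upper-case hex serial number.
// The DN string format differs between Apache releases, so copy the value
// from your own server's SSL_CLIENT_I_DN rather than from this sample.
const CLIENT_CERT_USERS = [
    'CN=Constructed Test CA,O=Example|0A1B2C' => 'dr_example',
];

/**
 * Map a certificate that Apache has already verified to an application user.
 * Returns the user name, or null when the request must be refused.
 */
function authenticate_client_cert(array $server, array $allowList): ?string
{
    // The plain-HTTP virtual host only redirects; trust nothing seen there.
    if (($server['HTTPS'] ?? 'off') !== 'on') {
        return null;
    }
    // mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $issuer = trim((string)($server['SSL_CLIENT_I_DN'] ?? ''));
    $serial = strtoupper(trim((string)($server['SSL_CLIENT_M_SERIAL'] ?? '')));
    if ($issuer === '' || !preg_match('/^[0-9A-F]+$/', $serial)) {
        return null;
    }
    // A valid chain is not enough: the exact certificate must be enrolled.
    return $allowList[$issuer . '|' . $serial] ?? null;
}

// In the protected script:
//   $user = authenticate_client_cert($_SERVER, CLIENT_CERT_USERS);
//   if ($user === null) { http_response_code(403); exit; }

// Constructed requests, run from the command line to see each decision.
if (PHP_SAPI === 'cli') {
    $samples = [
        'enrolled certificate' => [
            'HTTPS' => 'on',
            'SSL_CLIENT_VERIFY' => 'SUCCESS',
            'SSL_CLIENT_I_DN' => 'CN=Constructed Test CA,O=Example',
            'SSL_CLIENT_M_SERIAL' => '0a1b2c',
        ],
        'valid chain, not enrolled' => [
            'HTTPS' => 'on',
            'SSL_CLIENT_VERIFY' => 'SUCCESS',
            'SSL_CLIENT_I_DN' => 'CN=Constructed Test CA,O=Example',
            'SSL_CLIENT_M_SERIAL' => 'FFEE01',
        ],
        'no certificate presented' => [
            'HTTPS' => 'on',
            'SSL_CLIENT_VERIFY' => 'NONE',
        ],
    ];
    foreach ($samples as $label => $server) {
        $user = authenticate_client_cert($server, CLIENT_CERT_USERS);
        printf("%-26s => %s\n", $label, $user ?? 'DENY');
    }
}
```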


Medsphere’s bus video released

I am happy to say that Medsphere has released its bus video. This is exactly the kind of irreverent and fun thing that makes FOSS addictive! We have a better way and it’s so obvious that it’s really not possible to make the points without also making a joke about it.

They included bits of my interview in the film and I loved that they kept the EPIC equals tank reference.

Enjoy!

VistA moratorium

Lots of people have been asking for copies of the VistA moratorium, and rather than email it to ten people, I thought I should make my copy available in public. Obviously this is bad news if your job was to develop Class III code for the VA.

The VA has recently released a moratorium in the development of Class III code. For the uninitiated, Class III code is code developed at local VA hospitals. The VA has made the decision that VistA will no longer be developed by a group of collaborators, rather, it will be centrally developed, by a single controlling entity.

-FT

Why so many non-profits?

When I get a good question from a conference or email, I like to answer it in a blog post so that I can just link it in when others ask me the same thing in the future.

One of the good questions I got was:

Why are there so many “Open Source Health Care” non-profits, yet few seem to have much activity?  I see OpenVista, OpenHealthTools, WorldVista, and yours (Liberty Health) just to name a few.  Just to ask the awkward question, are the differences between them worth it?  What Apache and Mozilla prove is that there is power in scale even in non-profits – to be able to talk as one really helped people figure out who to pay attention to. We wouldn’t have really been able to negotiate with Sun over the open sourcing of Java, for example, if we were speaking as a bunch of separate orgs.  Thoughts?

So here is the downlow on the organizations issue.

There is no OpenVistA non-profit (that I know of) but if there is one, it would be exclusively focused on the Medsphere version of VistA called OpenVistA. In fact there are several projects that have non-profits focused exclusively on that particular project. FreeMED and OpenEMR (oemr.org) both have their own foundations. WorldVistA also has a project, called WorldVistA EHR, but its mission is more generally supportive of different versions of VistA. WorldVistA balances between being both a single project and focused on supporting VistA generally as a meta-project organization. With that said, WorldVistA is exclusively focused on VistA, it certainly cares about certain other projects, like Mirth, but only because Mirth can be used to make VistA better. Probably the most successful accomplishment of WorldVistA is that they were the first FOSS licensed project to achieve CCHIT certification and they have regular, well-attended meetings that have good attendance from almost all of the VistA community. In terms of numbers of bodies in the real-world, WorldVistA has the largest and most active community.

There is also a group representing the VistA vendors called the VistA Software Alliance. They are not formally associated with WorldVistA and also support VistA vendors who choose to make VistA into a proprietary product (DSS, for instance, still does this in some cases). So there are organizations that support VistA without explicitly endorsing Open Source or Freedom.

Open Health Tools is another story altogether. It has historically been focused on interoperability tools. From its FAQ:

….to create a common health interoperability framework, exemplary tools and reference applications to support health information interoperability.

Given this, it came as a surprise that Open Health Tools worked with DSS on the release of portions of vxVistA under the EPL. While that release was significant, bringing the number of major rollups of VistA at the time to 3 (now there are 4), Open Health Tools counseled DSS into using the EPL, which is relatively unpopular with the VistA community, which has generally settled on the FSF licenses (all three of the other rollups use a GPL variant). If Open Health Tools had used the LGPL, or even Apache which strives for GPL compatibility, it might have been possible to have cross pollination between all of the major development instances of VistA. So there is a small licensing debate that is going on between the traditional VistA crowd and Open Health Tools (there are some indications that this might be resolved soon).

In any case, Open Health Tools is designed to be a Forge site, attracting developers and providing collaboration facilities for several major projects at once. It has major industry backing and is an important force in our community. If you want to see where Open Health Tools shine, you should attend a connectathon, where many vendors, including proprietary ones, use OHT toolkits to achieve phenomenal scores. If connectathon was a competition, OHT would be winning, by a large margin. Although DSS has gotten lots of attention as an OHT contributor, the most significant contributor is actually Misys Open Source Solutions (MOSS). MOSS uses the OHT forge for development and is releasing their considerable tool set through OHT. Laika (the CCHIT interoperability compliance tool) uses OHT hosted MOSS components in its tool chain. Even if CCHIT is not chosen as the certifying body for ARRA, Laika will likely form the basis of interoperability testing in the US for the foreseeable future.

Probably one of the oldest organizations in the FOSS healthcare space is OSCHA (as of this writing, the website looks down). OSCHA was active about a decade ago and then went dormant. It was rehabilitated by an international group and has now started having conferences again. This group has largely been tainted by the revelation that the project pushed by the founding president of OSCHA was not actually available to anyone under a FOSS license. The current OSCHA organization might be rehabilitated and the international focus of the new group is admirable, but for now the organization’s future is in question. (OSCHA section added July 10 2009 in response to a comment)

Finally, Liberty Health Software Foundation, which I helped start and which I am currently serving as the director of, is devoted to the general advancement of FOSS in healthcare. Personally I view the organization as a kind of cleanup organization, taking those roles that require a non-profit, but that have not been and cannot be addressed by other non-profits. Here are several points of our strategy that set us apart.

  • We are project neutral, VistA is important but there are many other solid EHR projects out there that deserve support.
  • We are license neutral. We will support any FOSS license, and generally want to avoid getting into the ‘Free’ vs. ‘Open Source’ licensing debate.
  • We are not concerned with the ‘category’ of software, but rather its relevance. If something does not fit neatly into the current terminology of EHR, PHR, Integration and other, we will still happily work to advance the project if it might make an impact.
  • We will try to focus our development on: the boring (like documentation) that for-profit companies view as a last-priority, and development that could spawn new development. We will not be a Forge project, instead relying on other projects (like Open Health Tools) to provide collaboration platforms.
  • We will be supporting smaller projects by providing them space at conferences.
  • We will be promoting FOSS conferences, like SCALE, and creating our own, like FOSShealth.
  • We will do -very- limited lobbying in support of FOSS.
  • We will provide an industry trade group made up of FOSS vendors, hybrid vendors, and proprietary-but-FOSS-friendly vendors.
  • Where possible, we will promote obviously legitimate projects as alternatives to proprietary systems, to whoever will listen.

Obviously Liberty has lots of overlap with the other meta-project groups like WorldVista and Open Health Tools especially, but we are the first organization designed intentionally to embrace everyone in the Healthcare FOSS community. I hope that by creating a central organization, that seeks support not from companies like Oracle and Microsoft, but by companies like Mirth, ClearHealth, Misys, Medsphere, DSS and Akaza Research (not a comprehensive list by any means). Companies that obviously have a significant financial interest in our movement as a whole succeeding. Also we want support from the project or multi-project specific non-profits like Open Health Tools, WorldVistA and the OpenEMR Foundation.

It is worth noting that our community is simply never going to organize itself exactly the same as the wider FOSS movement. Liberty will typically be taking roles that normally, OSI, EFF or FSF might fill in the broader space. Open Health Tools will typically be operating more like the Apache, Eclipse or Mozilla foundations with a specific development focus. However, I hope and expect that we will get frequent role reversals and overlap. Why? Because we are still a very very small community in terms of devoted developers. I would expect that there are less than 1000 people who are devoted to developing FOSS licensed healthcare applications full time. There is way more activating, advocating and forging to get done than any organization could accomplish. Unless Liberty, WorldVistA and Open Health Tools each continue to fulfill their ‘part’, we are in trouble! It would take years for another non-profit to step in the gap left by any of these three meta-project organizations.

So, for today, that is how the non-profit space in FOSS healthcare breaks down.

HTH

-FT

Embracing the new CCHIT certifications

A few months ago, CCHIT suffered from what I like to call “angry letter round 1”.

This is where I send a very pointed, ultimatum letter to an organization of the general form “you are hurting my community, stop it or else”. Personally I find that about 50% of organizations respond positively and about 50% do not.

I am happy to say that Mark, Dennis and the other members of the CCHIT team have won my respect and appreciation with how they have taken a 90 degree turn from being an organization that was largely ignorant regarding the health FOSS movement to one that listened and engaged carefully, and has now come back with a plan for certification that I personally, and from what I can tell the FOSS community generally, can embrace.

This post is me doing that. At this stage I am comfortable recommending (to whoever is making the decision) that CCHIT be allowed to be one organization allowed to certify for ARRA funding, under their new EHR-C/EHR-M/EHR-S certification model.

Specifically, I am talking about the new site level certification program. Here is a cut and paste from the CCHIT townhall pdf regarding EHR-S site certification.

Certification Program Concepts for EHR Sites (EHR-S)

  • Definition: Certified EHR-S sites have developed or assembled EHR technologies that comply with Federal standards and enable them to meet all Meaningful Use Objectives.
  • Provider applicability: Any physician office, clinic, hospital, other facility or network that has self-developed or assembled an EHR from various sources and wishes to apply to ARRA incentives.
  • Certification requirements: Functionality available (regardless of deployment model) that enables providers to comply with applicable Federal standards, implement adequate security practices, and meet Meaningful Use Objectives.
  • Inspection methods: Virtual Site Visit technology with offline inspector review and follow-up correspondence.
  • Cost range: ~$150 – 300 per licensed provider (ambulatory); hospital pricing model TBD. Scholarships for eligible providers (FQHC, underserved population, critical access, etc) if grants can be obtained.

This along with the fact that all of the new certification programs will not require re-certification for minor software revisions, means that there is a clear path for FOSS adoption along with ARRA funding assuming CCHIT certification is endorsed.

Of course, as Dr. Billings points out, there are a lot of details to work out. However, unlike other critics of CCHIT, I have never felt CCHIT to be duplicitous, rather they were one of the many groups who were trapped in a way of thinking that I disagree with. Now that CCHIT understands how our community frames the EHR problem, they have done a good job creating a certification that can work for us.

This is a huge relief. I was afraid that our small community 501c3, Liberty Health Software Foundation (LibertyHSF), was going to need to learn how to certify, create a standard to certify against and then get ourselves approved by the ARRA powers before the end of the year. Not good.

I would like to thank the FOSS community members who helped make this possible, especially Dennis Wilson, who served as a bridge between us and CCHIT. Thanks to Mark and everyone else at CCHIT who made such drastic rethinking of your core business in such a short time, we appreciate it!

I am now serving in the role as the director of LibertyHSF, and I need to start being careful to note that this is my personal opinion, and not the official opinion of LibertyHSF. I think LibertyHSF will probably have the same position, but I need to have a community vote on that before we will put something up on libertyhsf.org. That process takes a little more time to arrange. Still I personally have been one of the most vocal critics of CCHIT on this blog and I thought it appropriate to note that I approve of CCHIT’s most recent actions. (UPDATE 7-13-09 CCHIT has blogged about this post)

Regards,

-FT

Hack the Road

If you have not heard of Paul Levy yet, then you are obviously new to the world of Health IT blogging. This is a CEO of a major Boston hospital who has committed to blog about his day to day dealings as the top administrator of a hospital. I have already gained many fundamental insights from reading his regular blog. He also sometimes blogs at THCB, which I follow.

Recently, he blogged about something off-topic for his typical subject. He blogged about infrastructure, specifically his efforts to get a road fixed. Here is the original post, but I am borrowing the relevant parts here.

A faculty member had complained to him that a bridge she used to get to work was covered in potholes:

Actually, I knew that I could do nothing, at least within a normal human lifespan. That bridge is a jurisdictional nightmare. It is at the border of two municipalities (Boston and Brookline), spans a transit line (MBTA), and also goes over a state park (owned at that time by the Metropolitan District Commission). Just figuring out who would be responsible for the road paving would take decades, much less getting the right person to order a repair.

So, I called Rick Shea, who was the President of MASCO, our non-profit planning and service entity for the schools and hospitals in the Longwood Area. The next day, Connie called to thank me for getting the potholes filled and a new, smooth surface on the bridge. “My pleasure,” I replied, wondering what happened.

I called Rick and he said, “I knew it would be impossible to find someone of authority to make this repair, so I just hired an asphalt firm and had the work done. Each jurisdiction — if they noticed — probably thought it was the responsibility of another. Therefore, no complaints. Job accomplished. Happy to help.”

This is ironic because this is exactly what I believe Open Source software can do for Healthcare generally. By providing low-cost, excellent software, we can ‘just fix’ major problems in Healthcare that are intractable otherwise. Note that this ‘hack’ has two components: It was a technological/deployment issue of actually paving the road, along with the political insight that the mere deployment of the technology would work in the given political environment.

Here are a few things that are mired in power struggles just like this bridge.

  • Quality – how to measure if a doctor is doing a good job, and to help him/her to be a better doctor.
  • Patient empowerment – how to make a reactive patient into a proactive patient.
  • Interoperability – how to get healthcare data to usefully move.
  • Continuity of care – how to ensure that the ‘ball is not dropped’ as the patient moves around in the healthcare system.

-FT

Can CCHIT move beyond PROBLEM EHR certification?

Recently CCHIT has come under fire for being too focused on large proprietary vendors and specifically, its association with HIMSS.

These attacks have gotten so bad that Mark Leavitt has posted a rebuttal, which has generated a tremendous amount of attention over at THCB (a blog well worth adding to your RSS feed).

Mark raises several good points in defence of his organization, including:

  • There is currently no financial relationship between HIMSS and CCHIT
  • Vendors who are involved at CCHIT are limited in what seats they can hold and what votes they can make
  • CCHIT takes great pains to ensure that it is not biased by vendor ties.
  • There is a strict conflict of interest policy in place

Mark is right to point these out, but this misses the heart of the criticisms coming from FOSS and other places.

The problem is not that there are ‘sneaky’ influences from HIMSS and Vendors, but rather a simple self-selection bias.

CCHIT is and always has been a monolithic check-list for Proprietary, Rigid, Overweight, Bloated, Loaded, Expensive, and Massive (or PROBLEM for short) EHR products that allowed out-patient doctors to effectively track and monitor the healthcare of their patients. Most of the ‘founding fathers’ of CCHIT were either vendors with PROBLEM EHRs or EHR users who had already bought in to the PROBLEM EHR model.

The CCHIT process -is- open to all, it -is- democratic and it does seek to balance the interests of vendor and non-vendor participants. Everything Mark is claiming is right on and it does not matter at all. The participants in CCHIT have all bought into the PROBLEM model. Those of us who have always thought differently than CCHIT have stayed away because it was obvious from the get-go that the certification model put forward by CCHIT was incompatible with our goals.

Right now, CCHIT is taking it from all sides because there are so many people who disagree with some aspect of the PROBLEM model. Practice Fusion wants to see really cheap EHR services like the one that they offer be certified. The ‘Clinical Groupware‘ people want to see the certification of a suite of technologies that may or may not add up to a traditional EHR. The EMR-lite people want to see faster and lighter tools. The PHR people and consumer advocates want EHR systems that empower the patient instead of the provider. The Health 2.0 people want to see completely different models of finance and care become possible. Of course, the FOSS people (like me) want FOSS EHRs to get equal footing.

In defense of CCHIT, Mark and the other members of CCHIT that I have met have bent over backwards to try and see things from the FOSS perspective. They have truly listened and they are starting to understand how different our community really is. I would encourage the members of the other communities to consider working with CCHIT before discounting them. CCHIT needs to be given the opportunity to re-invent itself before it is discounted. The recent press release from CCHIT indicates that it will be establishing town hall meetings for the FOSS community. I am not confident that this will work, but it is an indication that CCHIT is willing to try and see things from a different vantage point.

However, it may be difficult for CCHIT to reinvent itself. Realistically, the PROBLEM EHR vendors and users do not want to see CCHIT supporting very different models than their own. If CCHIT appeases the crazies like me too much, it stands to lose its ‘base’. This is why I believe it is critical that ONC leave the door open to sources of certification other than CCHIT. Doing so keeps the pressure on CCHIT to broaden its certification systems to include very different philosophies of Health IT. Without that extra pressure, there is no way for CCHIT to act in a way that is not in the direct interests of its current PROBLEM membership.

-FT

(update 6-03-09 Dr. Kibbe pointed out to me that the proper term was ‘clinical groupware’ and not health groupware. He also pointed me to an excellent post by Adam Bosworth defending exactly that perspective, so I linked it in. Also corrected some spelling errors)