Should CCHIT survive?

The incomparable Joseph Conn has an article up about the potential fate of CCHIT under the Obama administration.

I do not believe that it should be re-funded in its current form, for several reasons.

Some quotes from Joseph’s article to support my position:

“I bet we’ve spent a quarter of a million dollars in development costs just to get around the functionality that is being forced into the system,” Oates (Randall Oates is a physician who is founder and president of SoapWare) said. He argues that more than half of the functionality CCHIT requires could be moved out of the core system requirements into extensions.

Oates said that to make EHR systems usable, they have to be tailored “to make them suitable to the various niches in healthcare.” “You can’t have one-size-fits-all. Things that could be straightforward and easy have to be bloated and cumbersome. It really has hurt the progress for adoption.”

SoapWare is famous for a reasonably priced low-end EHR for small practices. I wish it were open source but it does target practices that are largely ignored by the big vendors.

I have documented the story of AcerMed, a CCHIT certified EHR that had to close its doors because of a lawsuit. I should note that Dr. Valdes of LinuxMedNews has also criticized CCHIT.

CCHIT, rather than creating a “seal of approval” is a millstone around the neck of the HIT industry. It is totally incompatible with the concept of low-cost/high-quality EHRs. Rather it increases costs and in some cases decreases quality.

Something needs to be done.


VA VistA is not “Old”

Recently ComputerWorld released an otherwise good article entitled: Old code proves key to modern IT at Midland Memorial Hospital.

The first paragraph reads in part:

For Midland Memorial Hospital, this came in the form of 1970s-era code unearthed via the Freedom of Information Act.

This is really frustrating. VistA is old. But it is not older than Unix, which is the basis for Linux AND Windows. It is not older than C, which is the basis for C++, C#, Mono, .Net and to a lesser extent Java, PHP, Python, Ruby (in terms of syntax and overall structure).

The VA updates VistA every year. The version that Midland Memorial uses is the same version that has been recently improved by the VA.

This article makes it sound like it was literally dug up by an archeologist. It paints a picture of David Whiles in his Indiana Jones hat with a shovel, digging up the EHR artifact that an ancient advanced civilization used. As David wipes off the dirt he exclaims “Oh my… this is a little rusty… but it just might work!!” Then he takes the code back home to Midland, sprays it with WD-40 and gets it to run!!

This happens all the time. People hear that VistA has been in use since the 70’s and they cannot let go of how “old” it is. Hate to break it to you, but almost every core technology that you use on a daily basis has its roots in the 70’s.

Please do not tell me “Oh but HTML (or insert your technology here) came much later”. Yeah, but HTML does not work that well without HTTP, and for that you need a robust network. Guess when that started becoming available? It’s not like VistA has been sitting idle either. VistA has features that were developed in the 80’s. It has features that were new in the 90’s. It has features that are being developed now!

Meeting VistA for the first time is like visiting Australia for the first time. You see all of these marvelous creatures who have evolved in a different way, because they evolved independently. You see different “designs” or the application of the same “designs” in different ways. The one thing you should not say when seeing the strange lifeforms in Australia is “Wow, these animals must be very very old species.”

No Rufus-brain. The species in Australia are not any “older” than any species in the rest of the world. What is exceptional is that these species evolved separately. Different? Yes. Backward? Maybe. Original? Definitely. But not “Old”.

VA VistA newbies constantly assume that VistA is a single instance of a program, rather than the latest instance of a program, in a long history of instances of that program. They see it as a single Tortoise that lived for forty years, rather than the latest bunny rabbit, in a chain of forty one-year generations of bunny rabbits. But even this picture is inaccurate.

Another hallmark of the VistA-ignorant is to talk about VistA as though it were -one- thing. In reality it is a whole suite of technologies, that are evolving together in isolation. VA VistA is a lot more like the whole biological sphere of Australia, with lots of different species that are evolving together, all of them evolving differently than the species in the rest of the world.

Please do not call VA VistA “old” out of context. This is a mark of ignorance and is independent of whether you like VistA or not.


Announcing NPIdentify

A while ago I was contacted by the folks at Health IT Transition (now defunct) regarding some NPI development. We decided to collaborate. They turned me on to the intricacies of the NPI database, and I have been doing skunkworks on the NPI database ever since. Sadly, they have been waiting on me since then; hopefully when I come out of skunkworks mode, they (and you) will be pleased with the results. But those guys have been far from idle, I am pleased to prompt their announcement of

The site already does some pretty amazing things. It has a mechanism for viewing NPI taxonomy statistics and a tool that allows you to search through the NPI records for your state.

Soon, it will be the most advanced way to manage National Provider Identifier information on the web. Also see the new button on my side menu!!

(updated Feb 18, 2011) Note that my NPI work is now available at You can still download the same applications from if you want that type of interface. If you want really powerful National Provider Identifier search capabilities, is the best available!


On Being Threatened

Express Scripts, one of the nation’s largest pharmacy benefit management companies, is being blackmailed with the release of private health information. The blackmailer proved that he/she has access to the data by providing information on 75 Express Scripts customers.

The company has done a fine job of swallowing this bitter pill. They have done exactly the right thing by making a public announcement. This is not their fault and by choosing not to hide it they are demonstrating strong ethics in a tough situation.

I would much rather have my PHI with a company that will tell me when something like this happens rather than one that makes me “feel safe” by telling me nothing. I am a big fan of “the devil that you know”.

It bears mentioning that this is a real threat, rather than the dubious “lost laptop” problem. I have had a laptop with patient data stolen, but thanks to gpg, I have nothing to worry about. Laptops are easy to steal and easy to fence. Thankfully, there is no way for the average criminal to even know that there is potentially valuable PHI on a laptop when they steal it out of the back of a car. It is much more likely that the operating system will be reinstalled from scratch by a fence to ensure that there is no way that the laptop can be traced back to the original owner.

That means that when a laptop containing PHI is stolen, 99 times out of 100, there is nothing to worry about.

The 1 out of 100 times is when the thief already knows the PHI is on the laptop. Which is to say that a healthcare organization is the subject of a focused attack. Other security researchers are already guessing at how the blackmailer got the data. Here is my guess:

  • 65% chance this is an inside job. A rogue former or current employee is getting revenge.
  • 25% chance this is a foreign hacker. Siciliano (from the link above) correctly points out that only a foreigner would think that a US company would not go straight to the FBI after being blackmailed. A US hacker would have just sold the social security numbers to identity thieves.
  • 5% chance it’s a US hacker.
  • 3% chance it was a stolen laptop.
  • 2% chance something else happened.

It will be interesting to see how this plays out. If they catch the blackmailer or otherwise discover the attack vector, it will be informative for people like me, who obsess over the best way to protect health information.

If this happened because a laptop was stolen, I will eat my shorts.


Medsphere Growing in the right direction?

An important part of the reason why (some) people respect what I have to say with regards to FOSS Healthcare IT is that I do not pull punches. I also do not hesitate to admit when I am wrong.

Recently, Mike Doyle from Medsphere called me. I have a lot of respect for Mike; just about everything Medsphere has done since his arrival has been right-on. He has empowered other people at Medsphere that I have respect for. He was calling to let me know that some of the information in my recent post about Medsphere’s layoffs was incorrect.

Most significantly, he said that the layoffs were part of the whole company moving away from proprietary land and towards open source. He maintained that Medsphere has been committing more and more employees to, their new community portal. I must admit, it is one of the best portals available, matched only by the OpenMRS portal in my opinion. According to Mike, the sum total of “new hires for open source” vs. “retiring proprietary efforts” is a positive net gain of employees for open source.

The only difference between growth and decay is which parts change, and which parts stay the same. If Medsphere is truly “retooling” its employees towards open source community members then much of my previous criticism is invalid.

It is not hard to tell that Medsphere is making an investment in the FOSS community. This is especially true in the mono community. They have hired several mono engineers and they are sending bug reports and sponsoring work. They have also been supportive of Dr. Valdes’ efforts to cross the streams between WorldVista and Medsphere CIS.

Doyle argues that, rather than decay, I should interpret the layoffs as growing pains. He made a good case, and so I am now forced to eat a little crow (at least it is still warm).


Trust but Verify and Trust but Fork

I have enjoyed participating in the National Dialogue about Health IT. One of the challenges put forward to my suggestion that decision makers should insist on FOSS in Health IT, was the following comment:

 in terms of privacy, there’s nothing inherent in FOSS that makes it superior to all proprietary products.

I have discussed this issue before, mostly when discussing HealthVault, but my comments have been spread out over several articles.

There is an inherent benefit to privacy, confidentiality and security for FOSS health IT systems.

There is another idea on the National Dialogue site that I thought was useful. It separates the concepts of privacy and confidentiality. Most people blur the concepts of privacy, security and confidentiality and talk about them in the same mouthful. For now I will consider that “privacy” is the ability to control who gets to see your data. Although my points apply to confidentiality and security as well.

FOSS Health IT systems are inherently better ways to respect privacy because they support “trust-but-verify”, while proprietary systems just support trust.

The only way to know what a program is doing is to read the most human-readable version of that program, which is typically called sourcecode. There are countless examples of programs doing things other than what they appear to be doing. Viruses, Spyware, Monitoring features and Bugs are classic examples of this.

When a proprietary Health IT program says it respects your privacy, there is no way for a user to know directly whether this is true; he must trust the proprietary vendor. The fact that most proprietary vendors are honest is irrelevant. The trouble with dishonest people is that you cannot tell the difference between them and honest people. We cannot know which proprietary Health IT vendors are respecting privacy and which are not. Also, the same large organizations who you might normally “trust” have in fact a very poor history of abusing privacy; Microsoft being the best example.

So does HealthVault respect privacy? Probably. But there is no way to be sure without reading the code.

Does Dossia respect privacy? Probably. But we can check by auditing the sourcecode of Indivo, because Dossia is based on the FOSS Indivo project. Suppose that you believe that Indivo does not do a sufficient job of respecting privacy, or you find a back door (unlikely). You can fork the code, remove or change the offending portions of Indivo, and then run your own Indivo server with the privacy features that you want.

FOSS supports both trust-but-verify and trust-but-fork, which is the only way to be absolutely certain that privacy is maintained.

Therefore FOSS does have a fundamental advantage over proprietary software with regards to privacy concerns.


A National Dialogue is a site for proposing and commenting on ideas in Health IT, created by the National Academy of Public Administration (among others). The site is only open for a few days, and I have put forward the basic thesis that my readers are used to seeing: Insist on Open Source in Health IT.

If you are fond of my arguments, then please rate this idea up and post friendly comments on it. We need to get this idea in front of the government decision makers and this is a great opportunity.


Medsphere Layoffs

I have been hearing rumors that Medsphere has been laying people off. A few days ago, the rumors bubbled to Histalk, which they always do eventually.

This is a big problem. The main advantage that Medsphere has over its number one competitor, ClearHealth Inc, was its capitalization.

The idea of a funded open source medical startup is that you sell most of the company to VC’s or angels and, in exchange, you get a massive chunk of change to play with. (I have toyed with the idea of doing this myself for many years, but seeing what the Shreeves went through has always made me hesitate.)

Then with cash in hand you do three important things:

  • Build a sales force; you will need to float your sales team as they endure the long Health IT sales cycle.
  • Invest in your technical support; supporting VistA is non-trivial, it is enterprise software and requires multiple highly paid experts to keep it running.
  • Invest in your R&D; You need to have new shiny toys that give you competitive advantages.

In a software company, all of these investments are into employees.

If Medsphere is laying off anyone it means that they are running out of capital. This makes sense. They spent enormous amounts of money attacking the Shreeves. Money that should have gone into one of the three buckets above.

I have taken to calling the “new” Medsphere Medsphere 2.0

Medsphere 2.0, led by solid people in the CEO, COO and CMO roles, has made some pretty smart moves. These moves have led me, and others within the community, to start giving the new company some slack. But smart moves do not undo the stupidity of the past. Most of these good moves are exactly the things the Shreeves were sued for proposing.

While I am glad to see the company come to its senses, that does not undo the harm in the past. There are two important connections with the past that Medsphere 2.0 cannot undo: The same board and the same money.

The BOD of the “new” Medsphere is the same as the old Medsphere. That BOD has done some colossally stupid things. Larry Augustine is supposed to be the money guy who understands Open Source. But he utterly failed to serve either the interests of the community or the investors with Medsphere. It was his job to explain to the BOD that the Shreeves were not a threat to Medsphere. It was his job to keep the BOD from suing the Shreeves and gutting the original company. I, along with Eric Raymond, made an offer to him personally to help him in this role. He never replied to either myself or Eric. As far as I know he never reached out to anyone in the community. In his silence he failed the community at large too.

What does all of this have to do with the “new” Medsphere? Larry is still on the BOD. That means that no matter how much Mike Doyle impresses me, I cannot fully trust Medsphere. But Mike Doyle is in a position to succeed with community trust where Larry has failed. The new and releasing valuable software under the AGPL are evidence that the new leadership, if not the BOD, is trustworthy.

The other thing holding Medsphere back is the money. Medsphere spent a tremendous amount of money suing the Shreeves. This is money that Medsphere cannot afford. As an Open Source company, you cannot trap your customers using a proprietary license. That means you need to trap your customers with golden handcuffs, you need to make the service so reliable that they would never be able to consider the hassle of finding another vendor. Good service translates to “Good Employees” for an EHR company.

Now you see why Layoffs are such a bad sign. If Medsphere is laying off employees that means that it is running out of capital. But good employees are the only thing that Medsphere has as a competitive advantage. Any layoffs have to hurt their ability to do one of the three core functions above.

If Medsphere is laying off employees then it means that the ghosts of Steve and Scott Shreeve (as employees of course… they remain very much alive) are coming back to haunt the company.

Normally when a company like Medsphere needs more capital it can go for further funding rounds, it can sell to a larger company (like IBM or EDS) or it can make a public offering. The current market state renders going public impossible. For a sale or a new round of funding, the new money will come with the simple question “What are we buying?”. For Medsphere, here is the current answer:

  • An infant community on that the Shreeves wanted to start years ago.
  • Lingering Mistrust from the larger VistA community
  • A technical support and R&D team (valuable employees)
  • A sales team (more valuable employees)
  • Several important clients
  • A massive lawsuit expense

Notice what is not on the list! Software! All of the really valuable software is already open source. The first two essentially mean that they have no community, although they will if they keep doing the same things they are now, and are given more time to earn back the trust of the community.

That means that the only really valuable things on the list are the clients and the ability to service those clients (translation: employees).

See why Layoffs are so concerning? If Medsphere is laying off people it means that it is reducing one of its few valuable assets in order to save capital. The only way that Medsphere could fully justify layoffs is if the company was profitable as a result. Otherwise they are just slowing the bleeding that will eventually kill the company. Now the question becomes: what cards can Medsphere play before the bleeding becomes fatal?

In any case, layoffs are not good news for Medsphere.

Please contact me through if you can confirm or deny the Medsphere layoffs.


HIMSS a lobby for proprietary Health IT vendors

Today, I received a letter in my mailbox regarding HIMSS’s take on the recent legislation proposed by Stark.

Stephen Lieber and Charles E. Christian, president and chairman of HIMSS respectively, write:

 However, HIMSS believes the legislation has negative consequences, including discounting the current efforts of “AHIC 2.0” and the development of an open source “health information technology system” by the federal government.  Specifically, HIMSS has concerns with the following provisions in this legislation:

(other stuff)

Development of an open-source “health information technology system” through the auspices of the ONC: The legislation directs the National Coordinator to provide for coordinating the development, routine updating, and provision of an open source “health information technology system” that is either new or based on an open source health information technology system, such as open source VistA. The system is to be made available to providers for a nominal fee.

The private sector makes significant investments in research and development for healthcare IT products. Healthcare IT is available via a competitive market in which vendors compete on the basis of price, quality, and functionality of a product. The development, routine updating, and provision of an open source “healthcare information system” is not the role of the federal government and such product development should remain in the private sector.

First of all, I do not think the Federal Government should support just *one* open source EHR system, and you really cannot guarantee a fee for Libre/Open Source software.

But the spirit of Stark’s proposal is right-on and it is time to do something about HIMSS.

HIMSS is anti-Open Source and pro-proprietary software. They allow us “Open Source” guys to give talks and even have working groups because they would be violating their charter if they did not. But they do not like us. They are terrified of us, and they should be. HIMSS lives off of the fat in Healthcare IT. Mature proprietary EHR systems have been around for decades, and they still have 5%-15% penetration. Why? They are too expensive and too risky. The doctors recognized that the vendor lock-in that they painfully experienced with Practice/Hospital Management systems would be much worse with EHRs, and they have no intention of taking out extra mortgages to make that happen.

HIMSS charges proprietary vendors obscene amounts of money for space at their conferences. Open Source vendors cannot afford to go, because they are service companies who cannot charge for products. Medsphere is the only all-FOSS company that had a booth last year, and the only reason why they can do this is because they have VC funding. The other top vendor, ClearHealth, has so far not seen the value in buying a booth.

Even if they did see the value, there is no way that Medsphere, or ClearHealth or any other FOSS vendor is ever going to buy a half-acre plot at HIMSS. To afford that you need to be able to lock in your customers.

Ahh.. but you want facts to back up my accusation. I’ll give you two.

  • First, let’s deal with ‘The development, routine updating, and provision of an open source “healthcare information system” is not the role of the federal government’. The Federal government already releases an “open source compatible” EHR: the VA VistA. VistA is really, really good. So good in fact that WorldVistA was able to achieve CCHIT certification using it, and a Medsphere client (Midland) is one of only nine HIMSS Stage 6 healthcare facilities in the United States (yes… the same HIMSS). The cool thing about the Midland accomplishment? It cost less than any of the other nine stage 6 winners. So apparently, the federal government is just as capable of doing this as anyone else. The private sector is supposed to be competing on “price, quality and functionality” yet VistA is cheaper, better and more functional. Nonetheless, HIMSS is writing letters.
  • Second, the HIMSS EHR vendor association is proprietary-only. Take a look at the requirements to join EHRVA. For those who do not want to read a pdf, I will record the relevant section here:

The HIMSS Electronic Health Record (EHR) Association chartered this effort to ensure equal, fair and consistent criteria for Membership into the EHR Association. The EHR Definitional Model includes an operational EHR definition, key attributes, essential requirements to meet attributes, and measures used to assess the extent to which companies design, develop and market their own proprietary Electronic Health Record software application.

HIMSS is not interested in seeing vendor lock-in and the other fundamental problems with proprietary health applications go away; rather, they exist solely to perpetuate these problems. HIMSS defines itself as “HIMSS is the healthcare industry’s membership organization exclusively focused on providing global leadership for the optimal use of healthcare IT and management systems for the betterment of healthcare.”

In reality, HIMSS, in its current form, is just a lobby for the very proprietary vendors who have failed to move our nation into the age of digital healthcare information.