Peter Bodtke taking a VistA tour

Peter Bodtke, the current vice president of WorldVistA, is doing a VistA tour. He is planning on touring Central and South America to raise awareness of VistA. Maybe they should make a shirt that says “It was an EHR before it was an Operating System”. They might be able to find pithier wording.

I donated a little money to his cause (WorldVistA); you should too.


Two standards approved for pharmacy billing

For those who do not follow the ancient history (more than 2 years on the Internet) of the Free and Open Source health software movement, I got my start with FreeB, which was the first GPL medical billing engine. It was designed to help address the medical bill formatting problem. If you are not sure what that means, then you should read the interview I gave to LinuxMedNews called Fred Trotter on Medical Billing; much of it is still relevant.

So I got started with medical billing and I am still interested in it.

Joseph Conn (a reporter to follow if you are interested in Health IT) has just written an article detailing how HHS (which sets the billing standards in the U.S.) will allow two different standards for certain pharmacy billing systems. This is the kind of thing that gives me headaches, even though it is unlikely that I will need to support the new standards.

Part of the problem is that X12 is an old-school EDI transfer standard. It is hardly human readable, and it is pretty intimidating for the end user. Much better would be an XML-based system.


Security in Medical Devices, implications

There are more and more examples of how standard hacking techniques apply in healthcare, with serious consequences. Recent issues include RFID hacking and interference issues.

Recently, a talk at BlackHat regarding hacking medical devices, including pacemakers, has begun appearing in popular blogs.

What is most dangerous about this is not actually the hack itself, but the fact that the hacks could become widespread. Think about it: there is no real benefit to a hacker in simply killing a person. It is a serious crime, and unless there is something to gain by doing it, it is unlikely to generate new interest among blackhat hackers.

Now that the information regarding the vulnerability is in normal media channels, a Cracker (another name for a blackhat hacker) can blackmail a person with a pacemaker: “Give me ten thousand dollars or I will remotely shut down your heart.” Before, a victim would say “that’s impossible” and not worry about it. Now they go to Google and discover that it is possible. Both Victim and Cracker are aware that the only way for the Cracker to prove to the Victim that he has the ability to stop the Victim’s heart is for the Cracker to actually kill the Victim. Now the Victim is wondering “Can I afford to take this chance?”

If this even happens once in the real world, you will see a slew of social engineering attacks with this threat as the basis. A Cracker will simply threaten a hundred people with this attack and see how many will pay up. The Cracker would not even need to know how to make the hack work. All he would need is a list of people with pacemakers.

Now we get to the real implications. Where is the information about who has a pacemaker installed and who does not? Perhaps someday they will invent “pacemaker wardriving” but for the time being, the easiest way to get a list of people with pacemakers is to hack into someone’s Electronic Health Record system.

Currently, the healthcare industry under-invests in information technology. However, with these new vulnerabilities, the value of personal health information is steadily rising. Historically, a typical cracker strategy was to use identifying information inside PHI to steal someone’s identity, or to use healthcare information (like sexually transmitted diseases) to blackmail someone. These new vulnerabilities increase the potential profit of hacking into an EHR, and hospitals, even large ones, do not typically have the kind of defense systems that banks usually invest in.

Have you ever considered why “the club” works? These devices are relatively easy for a determined thief to overcome. They work because when you park your BMW in a parking lot and put the club on it, there is typically another BMW in the parking lot without the club. The thief will take the car that is easier to take. The club works because of the “low-hanging fruit” principle of security. A person who has decided to take an unethical risk by stealing or cracking is basically saying: “I can tolerate this risk, because it is easier to do this than to achieve a similar economic gain by legitimate means”. Perhaps some are thrill-seekers, but typically people who break the rules for profit are lazy. The “low-hanging fruit” principle might be phrased: “A thief or cracker will always try the easiest way to profit unethically first.”

As the number of ways to profit from PHI goes up, hospitals and practices will become the low-hanging fruit. This is a problem because your small country doctor is already being squeezed by third-party payers. He does not feel that he has the money to invest in proper electronic security measures, and he does not actually have the skills to tell what would be legitimate security measures in any case. Information technology mom-and-popism is rampant in healthcare. The “computer guy” for many doctors is the nephew of the office manager; he might be the smartest kid in 9th grade, but he has no idea how to properly secure PHI. Healthcare institutions have always been easy to hack, but now they are becoming profitable to hack. They are becoming “low-hanging fruit”.

Concern for these kinds of issues will do little but grow.


Update: Jon Bartels wrote to mention that Chinese researchers have pushed this concept further.

The Holy Grail

VistA is a robust and complete EHR system, but it relies on MUMPS. This makes VistA extremely expensive to configure and maintain.

The open source web-based EHR systems are easy to deploy but have underwhelming feature sets.

The holy grail of open source Health Informatics is a web-based CPRS (CPRS is the frontend for VistA).

It would be simple to install and configure like a web app, but it would have the sheer power and elegance of VistA.

Apparently, ClearHealth has pulled this off. David Uhlman has just written to tell me that he has released screenshots for WebVistA. Granting that a screenshot is different from a working system, even seeing this much progress changes everything. Frankly, this is almost too good to be true.

If you had asked me yesterday I would have said that it might be a good idea for Medsphere to buy ClearHealth. If you ask me today, I would say that it might be a good idea for ClearHealth to buy Medsphere.


The coming problem with the ASP-lock

Here is an interesting post about a person who was locked out of their Google account.

Apparently, this person lost access to:

  • Google Docs
  • Gmail
  • Family photos in Picasa

If you read the updated post, you will find that he has already gotten back in.

But this person knew to write a blog post, and knew how to get it covered by the most popular blog on the planet.

What if this person had a PHR using Google Health?

I am not trying to spread FUD here. Google Health and HealthVault are good ideas and I generally support them. But these kinds of issues are going to become more and more important as time goes on. Both Google and Microsoft have relatively fair ways of dealing with these kinds of issues, but “relatively fair” means there will be ways to fall between the cracks. Once PHR usage begins to go up, these kinds of issues will become extremely important.

(Update 09/29/09: I am not the first person to point out that ASP EHR systems are a threat to the freedom of healthcare providers. This short post is just to say that it impacts patients too.)

Meeting Mike Doyle

Apparently, the people at Medsphere still read my posts.

Mike Doyle noticed my comment in my last post that I had not met him, and he made an appointment to have a phone call with me.

I just got off the phone with him and… I was impressed. He seemed willing to reach out to the community, and he seems to understand and value the Open Source process and community. This call, in combination with Medsphere’s recent press release (see last article) and their change to the AGPL for their projects, is convincing me that maybe this “new” Medsphere might be on the right track.


Medsphere advocates for the community. Bravo!!

I have been impressed lately with “the new team” at Medsphere. I have interacted with COO Rick Jung and CMO Dr. Edmund Billings. (I am disappointed that Mike Doyle and I have not met, but he is respected by some whom I respect.)

I am happy to see that Medsphere has finally taken a stand against the current political madness regarding “phasing out” VistA.

This press release reads:

This week, the Military Health Service is expected to decide on whether to dismantle its proven electronic health record (EHR) system, called VistA. Research demonstrates that VistA has improved VA productivity by six percent each year since 1999 and that, in a time of ever-rising healthcare costs, VA care has become 32 percent more affordable than it was in 1996. The organization has also achieved an unprecedented and unmatched prescription accuracy rate of more than 99.997 percent, making it a model for healthcare organizations everywhere. In fact, as private hospitals across the country strive to achieve the holy grail of automated, paperless environments (none has reached the mark yet), it is striking to note that every public VA hospital is already there thanks to VistA. Despite all of this, the Department of Defense (DoD) appears determined to systematically dismantle VistA and replace it with a proprietary solution that is expensive, difficult to implement and has limited interoperability with other systems. VistA advocates say the move makes little sense, economically or strategically; it is not in the best interest of our veterans, our working service men and women, or taxpayers who would have to foot the exorbitant bill.

Over the past 30 years, a community of open source users has developed VistA into a successful health care technology solution that works with existing hardware and software and preserves legacy IT investments in more than 130 regional centers across the country. So why is the military fixing something that isn’t broken? Ironically, the military tried to do something similar by installing a proprietary EHR system, named the Armed Forces Health Longitudinal Technology Application (AHLTA), in 2005. The solution proved to be expensive, difficult to install and incapable of working well with other systems. Now, it seems the DoD is heading down the same path again towards a “vendor-locked” solution that will cost billions up front and after implementation.

It is signed by CEO Mike Doyle, COO Rick Jung and CMO Dr. Edmund Billings.

I am relieved to see Medsphere taking a stand that benefits the whole VistA community. The long-term success of Medsphere is married to the success of VistA and the larger VistA community. Medsphere is in a great position to advocate in a way that VA employees cannot. Medsphere can reach and influence those who ignore me and the other revolutionaries who are already outspoken critics of the current VA/DOD boneheadedness. It is already getting some coverage, and it deserves more.

Bravo, Medsphere.


I must admit, I love the feeling of being proven right. Granted, it appeals to my egotistic streak (which, despite my attempts to suppress it, my wife remains keenly annoyed by).

A few weeks ago, at TEPR, I did my regular talk, the Health of the Source, which is basically an update on the whole FOSS Health IT industry. In that talk I mentioned that OpenMRS, along with WorldVistA and ClearHealth, was a top EHR project.

Now, OpenMRS is covered by BBC News. I only wish that the article would also acknowledge that this kind of success is only possible because OpenMRS uses a license that respects the freedom of its users.

However, Doc Searls gets it. He has heavily quoted my last post while discussing his recent experience with the medical system. He titled his post: the patient as the platform. The great thing is, when Doc talks about things, other people do too.

It does feel good to have people say nice things about me… but I hope this also might represent a tide turning towards awareness of the implications of software licensing in medicine.

I can hope.

In all Fairness

It’s time to set the record straight on what are valid criticisms of HealthVault and Google Health and what are not. If you have ever read my posts, then you can be sure that when an organization needs criticizing I am the first to give it to them with both barrels. But here both Google and Microsoft need defending.

  • Neither Google Health nor HealthVault is HIPAA covered.
  • This is a very good thing.

But to understand why, I must beg the reader for patience.

My mother died of ovarian cancer. My grandmother had a bout of cancer, but survived. Now she is battling Alzheimer’s and it will probably kill her. I have talked about this before as the fundamental basis for the Seven Generation Test.

Now read the sentences above again… and ask yourself: “what has this writer just revealed?” Extremely sensitive personal medical information about himself. Note that I did not say “information about my mother or grandmother”, though I did reveal information about them too (obviously).

I have two people in my direct line of parentage who have both had cancer. Statistically, that makes me substantially more likely to get cancer. Further, Alzheimer’s also has a genetic component. So I just revealed to you critical information about my personal health, specifically something that would go into the “family history” section of my health record. It is exactly the kind of information that a health insurance company would love to be able to use when setting my premium. It is exactly that kind of information that HIPAA was designed to keep my healthcare providers from telling insurance companies without my knowledge.

Just because HIPAA protects me from my doctors making this type of disclosure does not, and should not, mean that I should not be able to make that disclosure myself. There are many reasons why I might want to make this disclosure: I might want to make a point on my blog. I might want to explicitly tell my insurance company about this, in writing, so that they could adjust my insurance premiums accordingly. This way I would be well-armed in the event that they should try and deny me coverage for cancer treatment.

Let’s consider the current paradigm of personal health information management. To facilitate this, let’s imagine that I was allergic to anticonvulsants (which is common). I have been to about fifteen or twenty doctors, each of whom has extensive records regarding my healthcare. I had knee surgery, and somewhere I have an arthroscopic video of the inside of my knee during the surgery (in VHS format). I have pages and pages of immunization and dental records from my in-processing during boot camp for the USMC. I did not have a seizure in boot camp, and if I had they would have sent me packing. But let’s imagine that I did, and that the Navy docs discovered that I was allergic to anticonvulsants. They would have promptly added it to my record.

I have all of my Marine Corps records in my file cabinet. But, these are just the records that I have in the house. I probably have about 1/10th of the medical information that is available, somewhere, regarding my healthcare.

Let’s imagine that I had some kind of life event that would require me to gather those records together. To do that, I would need to call every doctor I have ever visited and request a copy of my records. Healthcare providers are mandated by HIPAA to give me this information, and many of them, as a professional courtesy, would waive the costs of transferring my record to me. All of the providers I might contact would prefer to fax me my records. Faxing is simple, easy and well understood by the medical practices. Faxing over phone lines is the de facto “health exchange network” in the United States. (Unless you are lucky enough to be a Veteran, and have a record in VA VistA.)

If my Marine Corps comrades understood the implications of this, they would say “that sucks salty balls”. Or something even more uncouth, but just as disturbing. Why does that suck? Because the resulting documents are largely valueless.

After making all of the requests and getting all of the faxes, I would have a briefcase full of documents about my healthcare. 95% of it would be redundant, showing my slowly rising cholesterol and blood pressure scores. The 5% that was really critical, like my imaginary allergy, would be buried so deep in my briefcase of papers that it would never be seen.

Given current primary care reimbursements, my doctor is incented to do everything in his power to spend under 10 minutes talking to me. If he actually had to read through my briefcase of papers, then he would spend an hour doing nothing but shuffling papers. It is a much better use of his time just to ask “are you allergic to anything?”. I would of course say “not that I know of” in response. (Marine Corps boot camp is largely spent fluctuating between extreme emotions of hate, anguish and triumph. While you are guaranteed to learn some things, obscure allergies are not one of them. For all I know, I really am allergic to anticonvulsants.)

I will not belabor my point. If I am lucky I will not convulse. If I do, they would give me an injection which would probably kill me. Why would I be dead? It is not because I had an allergy; that is only the proximate cause. The ultimate cause was very different.

The ultimate cause would have been: our ability to generate medical information has vastly outpaced our methods for handling that information.

That sentence should explain why we need storehouses of health data that we can use to effectively deal with our own health information. HIPAA is designed to cover healthcare providers and those who come into contact with patient data, serving the business needs of those healthcare providers. Assuming that the same kinds of rules are a good idea for “data about me that my providers hold” as for “data that I hold” is silly once you see that they are very different circumstances.

Now let’s imagine a world in which my various doctors’ medical records professionals all understood how to connect with HealthVault and Google Health. When I called them for my records, they would enter my email address instead of my fax number and press “send”. On their side, Google, Microsoft or Dossia (based on open source) would sift that information and allow me to transfer the resulting summary to anyone I wanted to, including my family, my friends, and my future healthcare providers. I could also forward the information to my insurance company, if I felt like that was a good idea. All three systems would recognize the significance of an allergy and would prominently display the information.

HIPAA covers healthcare providers. Healthcare providers are the only people who know your health information, without you giving them permission to know it. Here are some of the things that HIPAA prevents your healthcare provider from doing:

  • They cannot tell your aunt Sue about your health conditions.
  • They cannot tell cousin Joe, Rick, or uncle Eddie about your health conditions.
  • They cannot tell your insurance company about your health conditions.
  • They cannot post your name and information to their blog.
  • They cannot tell the press about your health conditions, even if you are famous.

Here is what HIPAA does not cover.

  • If you tell aunt Sue about your health conditions she can tell uncle Eddie.
  • If you tell your health information to cousin Joe, he can tell cousin Rick.
  • You can post any medical information to your blog that you want.
  • If you post to your blog, that does not mean that WordPress needs to be HIPAA compliant.
  • You can tell your insurance company whatever you want.
  • You can do an interview about how rehab went for you.

Google and Microsoft are not healthcare providers. To have accurate data in those PHR systems your healthcare providers, at your request, must send them your data. Then Google and Microsoft help you to sort out the information. Compared to the way it works today, both systems are an improvement. Both of them help you organize your health information and both of them will help you to transmit that information where it needs to go.

Are they useful? Not really, and they will not be until your medical practices understand them as well as they do the fax machine. Will they be useful when that happens? Yes and very.

HIPAA stands for Health Insurance Portability and Accountability Act. It is not an accident that HIPAA does not include Google or Microsoft. The whole point was to make healthcare providers accountable for certain issues, while generally encouraging data to move around. Sadly, paranoia about HIPAA has caused data movement to grind to an almost complete standstill. Everyone is paranoid about it, so data transfer does not happen. Or worse, as Dr. Peel suggests, they transfer the data anyway, but in secret.

Under HIPAA the patient has a right to force data transfer to themselves. Currently providers do this with faxes, which ends up creating a massive problem. If they used Google Health, HealthVault or Dossia instead, the patient would actually be able to exercise those records!!

Saying that Google “should be covered” by HIPAA means that somehow the person on the other end of the fax machine should be covered by HIPAA too! That means that if you faxed your records to aunt Sally, and then she showed them to uncle Bob, she could go to jail for a HIPAA violation? Or if you actually faxed them to yourself and then accidentally left them on the table at your local burger joint, that the burger boy who cleans the tables needs to be sure not to just throw your records away, and instead have a policy for maintaining those records? Perhaps you had them faxed to Kinko’s; should they have to maintain a separate safe for holding your faxes?

People who are shocked that Google and Microsoft are not covered by HIPAA never actually understood the point of the law at all. Instead they generalized HIPAA into a kind of “patient right to privacy” umbrella that is just not there. You do have a right to privacy from those with whom you must share your secrets: your healthcare providers. You do not have a right to privacy that covers your own stupidity, your gossiping family or your tendency to leave papers in the grocery store.

Both Google Health and HealthVault are designed to make it easier to disseminate your health information to the people you want it disseminated to. Are they doing that in a secure, privacy-respecting way? Excellent question; fodder for further posts. Should they be covered by the same laws that cover your healthcare providers? No. The law does not work that well for your healthcare providers anyway.

The whole point of a PHR is to allow a patient to control who gets to see their data. HIPAA works at “limiting” who can see your data. Because of HIPAA, medical providers typically never share your data without written consent for every data sharing instance. Think about that. Suppose I have a chronic condition and I want everyone in my family to get regular updates on my lab results. Do I need to sign a document for each family member and for each test? It does not take much time for me to get sick of the process. Also, my doctor might get sick of it too. He has the right to charge me a nominal fee for access to my record, and after a while he would probably feel he had to use that right. On the other hand, if there were an automated way to share the same information…

A PHR is all about balancing the ability to share and the ability to limit access. If a PHR were HIPAA covered, then it would lean strongly towards limiting and sharing would be impaired.

Everyone who talks about Google Health and HealthVault needs to stop harping on the HIPAA issue. HIPAA was not meant to cover the services that Google and Microsoft are offering. Here are some examples:

Quoting from Nathan McFeters at ZDnet:

Hawhhhaaaaattttt??? So Google doesn’t have to respect HIPPA laws?!

That’s HIPAA with two As, man… Google respects HIPAA just fine. Google is probably relieved to find that the law makes some sense here, as opposed to the typical knee-jerk legislation.

It feels like, and this is just a gut reaction here, law should have a strong and violent reaction to Google skirting around HIPPA concerns.

Again. There is no skirting. Google is not “slipping” out of responsibility. It is not covered, and that is a good thing.

The article linked to above also details that Google does not typically follow standard procedures for publicly disclosing flaws. That is a big problem and one that deserves attention, but it is not a HIPAA problem.

Quoting from Robert “RSnake” Hansen:

I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does.

Here we have two problems. First, the assumption that Google should be covered by HIPAA, which I hope I have shown is not true. Second, the assumption that Google would invest more in technical security if it had HIPAA liability. Perhaps Google is not doing enough for security, but it’s not like security programmers code better when lawyers stand over them. They might code “differently”, but not “better”.

If there is a structural flaw in Google’s or Microsoft’s architecture, that is something that they should both fix and take public responsibility for, but that does not mean that they should be covered by HIPAA.

Frankly, these two bloggers, who have been featured on Slashdot, are only the start of the problem. I had the privilege of covering HIMSS as a blogger, and as a result I got to ask one question of Google CEO Dr. Eric Schmidt upon his announcement of Google Health, as did every other reporter in the room.

Three different reporters asked “Is Google covered by HIPAA?”. Each one got the same answer: “No we are not”. All three of them asked these questions in such a way that it was obvious that they had read too many “tough reporter” novels. A little hint: perhaps the first time a really good question is asked it might trip up the executive at the massive Fortune 500 company. But the second and third times the question is asked in a press conference is a waste of time for everyone.

This kind of useless heckling is not just a problem for Google. I just came from TEPR where a Microsoft guy was talking on HealthVault. It was the same “HealthVault is a platform” story that you can read about in the brochure, but at the end, there was time for only one question. Guess what it was? “Is HealthVault covered by HIPAA?”

I really really wish we could stop talking about this issue and talk about real problems. Real issues include:

  • Google does not typically disclose vulnerabilities.
  • Microsoft still has terms that indicate that it can host your HealthVault data in China.
  • How are we going to make connecting to HealthVault or Google Health simple enough for small medical office personnel to handle? Do you know how many “HIPAA violations” we have every year because people do not understand how to dial 9 before getting an outside line when faxing?

Critics also have silly notions about how people who are covered under HIPAA are behaving. Most of the healthcare in the United States is delivered by practices with under 5 physicians. I cannot tell you how many practices I have seen that have a locked closet for paper records but have the EHR server sitting under the receptionist’s desk. If you want to illegally access my medical records, which do you honestly think is easier:

A: walk into my doctor’s office at three in the afternoon wearing a shirt with “IBM” written on it and just grab the server and walk out.

B: hacking Google or HealthVault, who both have extensive firewalls and intrusion detection systems, along with well-educated network security personnel on duty 24-7.

If you really felt that hacking was the way to go, then you would have a much easier time hacking through the average clinic’s firewall than Microsoft’s or Google’s. Most of the doctors I know do not even know what a firewall is, much less the steps to lock one down. (That is not a criticism; I have no idea how to remove an appendix.)

I am not making the case that Google Health or HealthVault are secure. I am not saying that they are respecting privacy. Those are discussions that we need to have.

But HIPAA is not the answer.


Health of the Source

I pretty regularly give a talk entitled “The Health of the Source”. The subject of the talk is everything that has happened in health FOSS since the last time I gave the talk. Thankfully things move along fast enough that I am never short of content. You will find this article dripping with useful bias and opinion. This is not merely a list of projects but also what I think of the projects. I might be omitting your favorite project intentionally, because I think it is irrelevant, OR out of ignorance, OR because I am limiting the scope. For instance, this time I did not include much on clinical research (OpenClinica) or imaging, since my TEPR audience might not be interested in those.

This is intended to reference Larry Wall’s regular summary of the Perl community, typically entitled “State of the Onion”. (I am suffering from pun envy here… if you have something better… let me know.) As I was writing yet another throw-away Open Office presentation, I was lamenting the fact that I had not posted anything really meaty on my blog lately, and I thought I should post my presentation. Then I was thinking how each page of my presentation would really serve as a blog post by itself. Then I realized that I could write one blog post, and if I kept each page short enough to fit above the fold on my little laptop, I could make a postentation. ( <- just invented this word)

So if you would like, you can now read my latest presentation just by clicking on the page numbers on this post. Hopefully it is coherent enough to read without me talking about each slide. But if not, leave me a comment and I will try and fix things.