Meeting Dr. Peel

Medsphere, and the Shreeve Tragedy have left me a little jaded. I have little patience for those who threaten the health FOSS community. Believe it or not, I rarely allow my aggression to turn public. I can think of at least 5 friendships with current FOSS community members, that began with rather nasty emails originating from me. Most of these useful harassments never make it into the public eye. The work that Dr. Peel has done with Microsoft around their HealthVault line has been a notable exception. Dr. Peels public endorsement of Microsoft originally shocked me so greatly that I felt I had to publicly respond.

So it was with great anticipation that I was able to hear Dr. Peel speak for the very first time today at HIMSS 08. In her talk, she indirectly addressed many of my criticisms. Lets review some of the “potshots” that I have taken at her, and detail what I heard in her talk about this issues.

Dr. Peel detailed her plans to create a new organization to perform privacy reviews of PHR sourcecode and privacy policies.

Apparently the new certifying organization will not certify PHR systems, without performing a sourcecode review.

Obviously, through the new certifying organization, the “endorsement” of Microsoft would become a formal matter. The endorsement would be withdrawn, if Microsoft started behaving badly.

I wish that I could believe that Dr. Peel started these initiatives in response to my criticisms (it would make me feel very important indeed to know that she was listening), however it is entirely possible that she may have had this plan in her organizations Skunk Works long before I was saying anything.

Here are some further snippets that I found comforting from her presentation.

  • She has claimed that she has not taken any money from Microsoft, she gets her funds from her own network of friends and supporters. (Transparency is good)
  • When I asked about the clause in Microsoft’s privacy policy that specifically gave permission for Microsoft to off-shore data storage, she immediately replied that she thought that was totally unacceptable.
  • While she listed Microsofts Healthvault as a “good” project, she also listed Microsoft on the pages of privacy violators, so she both endorsed and condemned them in the same talk.
  • She talked to me after her talk and was quite friendly

The only thing I could criticize about her talk specifically was her slide about the VA data thefts. She had put a WorldVistA logo on the top of the page, but the data breaches were a problem within the VA, and had nothing to do with WorldVistA. WorldVistA is a private organization that shares an interest in VistA with the VA, but otherwise is not connected with the VA at all, and certainly had nothing to do with the data breaches. In fact WorldVistA has and will continue to improve the overall privacy and security of private installations of VistA. Still, I am probably the only person in the crowd who even noticed this, and I doubt anyone thinks negatively about WorldVistA as the result of her talk.

In short, Dr. Peel is probably going to address the bulk of my complaints. She may have been planning to for months before I said anything.

So this is not a retraction of my attacks against her, but rather a reprieve. (When someone turns around like this a reprieve from criticism is popular within our community). If she continues on this path, I will fully retract my criticisms towards her personally.

Also note, that despite the fact that HealthVault has surprised me recently, it has NOT earned a reprieve yet. That may happen in a following post. There seem to be some changes in the privacy policy, and there has been some movement towards open-ness. HealthVault has invited me to engage them in person and I plan to do that before the conference is over. I am hopeful.

-FT

Dr. Janice Honeyman-Buck at HIMSS 08

For those that do not know, I am blogging HIMSS 08 for LinuxMedNews. I will be posting on anything that is relevant to FOSS that happens here. I did not have to wait long. One of the first talks covered the use of FOSS in medical imaging, something that I knew little about until Dr. Janice Honeyman-Buck clued me in.

Here is a shot of myself and the good doctor.

Fred Trotter and Janice Honeyman-Buck at HIMSS 08

HealthVault: becoming un-Microsoft?

What I have read this morning almost made me choke on my cheerios.

Neil Versel (one of the most in-the-loop Health IT journalist I know) turned me on to a blog post from Sean Nolan, that I obviously did not want to miss. The post, aptly titled Opening up the Vault revealed several important claims:

  • Microsoft is releasing a Java wrapper library under the OSI approved Microsoft Public License
  • Microsoft is releasing some .NET code under a read-only license (i.e. not open source)
  • Most importantly Microsoft is releasing the entire HealtVault XML interface specification under the Microsoft Open Specification Promise

I need to research the Microsoft Open Specification Promise, to say the least it appears that there is some confusion as to its legitimacy for FOSS developers. I have “call” into the Software Freedom Law Center, to see what their current evaluation of the promise is. Still the significance of this cannot be underestimated. Sean claims:

“With this information, developers will be able to reimplement the HealthVault service and run their own versions of the system.”

Don’t get me wrong, I trust Microsoft about as far as I can throw them (all of them… at once), but this is definitely a step in the right direction. It will take me some time to sort out just how meaningful a step.

This is a smart time to do this too. There is like a 90% probability that Google will be officially announcing its PHR effort at HIMSS. (Heck its been leaked already) By releasing an API, Microsoft is essentially challenging Google to do the same, and that could mean that hacktivists like myself could build arbitrary bridges between the two (now this is hopeful…) which would mean that Google and Microsoft’s systems would compete on merit rather than most-effective-lock-in.

-FT

HealthVault: Michael Zimmer digs deeper

Michael Zimmer, a new media commentator and blogger, that I had not heard of before now has gotten access to the HealthVault team. He just wrote a new post called “Designing for Privacy: Microsoft HealthVault” that is worth reading from start to finish.

There are several interesting things about his post. First, he details several specific technical measures that Microsoft claims that they will be undertaking in order to protect the privacy of its users. Here is a brief summary, and my impressions:

  • HealthVault will use HTTPS only : Pretty obvious first step.
  • “Bluntly targeted” ads : What does this mean? Whatever Microsoft wants it to.
  • HealthVault tracking cookie will expire with each session or 90 days : This is probably the most exciting point here, since we can test this.
  • HealthVault will destroy search history after 90 days : Bold Claim. It would be great if this was true.
  • HealthVault will submit to audits : By whom? Again, this means little without being able to gauge the neutrality of the auditors, or to what standard they would be auditing.
  • HealthVault will allow “apps” to access data, but will show users a log of exactly what apps or people accessed the data : This seems like a good idea, but I am dubious to see if this can remain useful. A potential deluge of access means that users will cease to pay attention.

Michael obviously has at least a clue about the concepts of privacy and security. At least he uses terms like “https” and “cookies” in relevant ways. It is ironic that Michael gives the following caveat

“I must note that I haven’t been able to verify these technical claims, and my research in this area is only beginning — many other harms could remain even if all the above are fully implemented.”

That is the kind of thing technical people say when they know they do not have the full story. Compare this to the response that Dr. Deborah Peel has, to what was probably the similar technical information:

“Microsoft is setting an industry standard for privacy”

I like Michaels conservative approach to these kinds of claims. It should be noted that he has ties to Micorsoft, he is the Microsoft Fellow at the Information Society Project at Yale Law School. His association with Microsoft explains how he got access. I hope he continues to use that access to generate similarly good posts.

Probably the most important thing we have now is some objective technical standards that we can watch. If anyone feels like testing out the HealthVault cookie content and expiration to see if it squares with what Michael was told, give me a buzz. I would be happy to post or link to your results.

-FT

Defending VA-VistA

I was heavily quoted in a recent article in Government Health IT entitled VA’s health IT gamble. In it, I present the case that the current IT centralization efforts within the VA are damaging to VistA and therefore the VA’s ability to deliver quality care. From the article:

“Historically, each hospital hired programmers to solve that hospital’s needs,” Trotter said. “Other hospitals then adapted those solutions to their own needs. With the centralization process, all VistA programmers will be working for a central bureau. This could stop 30 years of innovation in which the best local innovations were taken national.”

Ironically the article cited a VA official as saying that they were taking a “Evolutionary approach”, despite the fact that they just bought a Cerner lab system rather than building the functionality into VistA. Strange.

-FT

Healthvault: In summary, so far.

Lets review the problems with HealthVault.

Most of my posts have been centered on the problem with Dr. Deborah Peels endorsement of Microsoft’s Healthvault.
In Medically, Legally, and Politically Savvy but Technically Uninformed. I discuss the fact that Dr. Deborah Peel has endorsed Healthvault, despite being totally unqualified to do so. I also note that no one from the organizations that Dr. Peel represents was both qualified to evaluate the privacy features in HealthVault and actually involved in the evaluation process. Although Dr. Peel had access to some of the top security minds in the industry, she failed to consult them when endorsing HealthVault.

In The Food critic never took a bite I discuss the basic impossibility of knowing if something respects privacy without reading the sourcecode. How can Dr. Peel’s organization endorse the privacy and security of HealthVault without having read the sourcecode?

In Privacy, a Complex Problem Underestimated (which has turned out to be my most popular post on the subject), I discuss the fact that the privacy of patient records is vastly more complex than is allowed by the simplified HealthVault privacy systems.

In Abusing vs Implementing Standards I discuss Microsoft’s history of abusing standards to their own advantage, and the implications this practice could have in the fragile domain of patient medical records.

In Failing the seven generation test, I argue that medical records need to archived for decades if not centuries. Information entrusted with HealthVault is not protected in any way that respects this future need.

I have written more articles, which you can find by clicking the HealthVault category on this website. But I feel that these posts specifically cover areas that Dr. Deborah Peel’s endorsement ignores. Dr. Peel has accepted Microsoft’s platitudes as fact. This is despite the fact that Microsoft is famous in the information security industry for giving assurances with regards to information security without providing comparable investments. Ironically Dr. Peel consistently views Payers, Drug companies and others who presume to profit from patient data as being evil, but Microsoft is given her highest endorsement. This is despite the fact that so many in the technical industry view Microsoft with distrust and apprehension similar to the distrust that those in the medical field often view payers and drug companies.

More troubling still is who Dr. Peel represents. Dr. Peel is the founder of and spokes person for the Patient Privacy Rights organization. Patient Privacy Rights claims to be the nation’s leading medical privacy watchdog organization. More troubling than this, (as if we were already not troubled enough) is the Coalition for Patient Privacy. This is a meta-organization that includes lots of very legitimate interests. Further, most of the activities that this coalition puts forward are pretty meaningful, for instance, they recently delivered a letter to congress, which asks for some pretty reasonable things. In fact if I was called before Congress and was asked to give that letter a thumbs up or down, I would endorse it. I would also point out that Microsoft as a signer is laughable. The problem is that in the same breath that it asks Congress to do good things, it gives a blank check to Microsoft to do bad things.

I will be contacting some members of the Coalition to see what can be done about this.

Regards,

Fred Trotter

On Patents…

Often I get phone calls, emails or other correspondence that begins. “We have this great patent pending idea and we want to use open source”. Hopefully I will take some time and write more about why software patents are a particular problem with medical software, but for now I am satisfied to link to a good summary article on why the Free and Open Source community generally has a problem with patents. If you feel like contacting me about using FOSS with your company and your company has patents, reading this first will save us some time.

-FT

Customizing Windows

At work, I often have to use a Windows machine. Despite my opinions regarding FOSS software, Windows is a fact of corporate life. Often, I cannot even dual boot. *sigh*

However, when I do have to use Windows, I do not like to go far without my *nix power tools. Here is a list of tools and tweaks that I use to make my Windows experience tolerable.

FOSS tools

gvim – the windows install lets you “edit with vim” from the right click, perfection.

winscp – because ftp uses plaintext

putty – does everything with terminals, telnet, ssh, everything…

emacs – is a little harder to install than vim, but if you use it, you use it.

wireshark – why even bother debugging a network without it?

proprietary tools

Google Toolbar – indispensable if you use gmail

Google Desktop – save time searching your own computer

Adobe Flash Player – because Youtube is just not the same without it

Adobe Reader – because you need to use pdf’s

lifehacker apps

I will update this post as I find things that are totally irreplaceable. However, there alot of ways to improve the Windows user experience, besides making it more like *nix. The best place that I have found for new and different ideas for Windows productivity tools is the LifeHacker: Featured Windows Download category.

Enjoy,

-FT

Health IT (HIT) in Houston

Houston has the largest medical center in the world. I am starting a new networking group in Houston called HIT in Houston

I plan to discuss current events, and Health IT trends as they apply to Houston, T.X. Soon I hope to begin holding monthly meetings through meetup.com and I already have a Linked In Group for HIT in Houston.
If you would like to be included, you can contact me through this site.

-FT

HealthVault Response: Lucid comments from Fred Fortin

The World Healthcare Blog recently had a post that quoted a portion of a post from my HealthVault series. In the post, titled, What Will Patients Expect in the Completeness of Their Electronic Medical Records? Fred Fortin extends upon my comments about the complexity of patient privacy with some lucid questions about the implications of trusting a meta-EHR system like HealthVault. Since he quoted me :)

Either by design, incompatibility, law, or systems failure, something will be missing (from the HealthVault record). Will it be important information? Who knows. But the public, as it has with banks, credit cards and other electronic dependencies, may believe it to be complete. They may, in fact, have a view of EMRs that is more in line with the industry’s marketing image than with the intricacies or record-keeping reality.

Worth a read! It is satisfying to know that I am making people think and comment.