HealthVault: Michael Zimmer digs deeper

Michael Zimmer, a new media commentator and blogger, that I had not heard of before now has gotten access to the HealthVault team. He just wrote a new post called “Designing for Privacy: Microsoft HealthVault” that is worth reading from start to finish.

There are several interesting things about his post. First, he details several specific technical measures that Microsoft claims that they will be undertaking in order to protect the privacy of its users. Here is a brief summary, and my impressions:

  • HealthVault will use HTTPS only : Pretty obvious first step.
  • “Bluntly targeted” ads : What does this mean? Whatever Microsoft wants it to.
  • HealthVault tracking cookie will expire with each session or 90 days : This is probably the most exciting point here, since we can test this.
  • HealthVault will destroy search history after 90 days : Bold Claim. It would be great if this was true.
  • HealthVault will submit to audits : By whom? Again, this means little without being able to gauge the neutrality of the auditors, or to what standard they would be auditing.
  • HealthVault will allow “apps” to access data, but will show users a log of exactly what apps or people accessed the data : This seems like a good idea, but I am dubious to see if this can remain useful. A potential deluge of access means that users will cease to pay attention.

Michael obviously has at least a clue about the concepts of privacy and security. At least he uses terms like “https” and “cookies” in relevant ways. It is ironic that Michael gives the following caveat

“I must note that I haven’t been able to verify these technical claims, and my research in this area is only beginning — many other harms could remain even if all the above are fully implemented.”

That is the kind of thing technical people say when they know they do not have the full story. Compare this to the response that Dr. Deborah Peel has, to what was probably the similar technical information:

“Microsoft is setting an industry standard for privacy”

I like Michaels conservative approach to these kinds of claims. It should be noted that he has ties to Micorsoft, he is the Microsoft Fellow at the Information Society Project at Yale Law School. His association with Microsoft explains how he got access. I hope he continues to use that access to generate similarly good posts.

Probably the most important thing we have now is some objective technical standards that we can watch. If anyone feels like testing out the HealthVault cookie content and expiration to see if it squares with what Michael was told, give me a buzz. I would be happy to post or link to your results.

-FT

Defending VA-VistA

I was heavily quoted in a recent article in Government Health IT entitled VA’s health IT gamble. In it, I present the case that the current IT centralization efforts within the VA are damaging to VistA and therefore the VA’s ability to deliver quality care. From the article:

“Historically, each hospital hired programmers to solve that hospital’s needs,” Trotter said. “Other hospitals then adapted those solutions to their own needs. With the centralization process, all VistA programmers will be working for a central bureau. This could stop 30 years of innovation in which the best local innovations were taken national.”

Ironically the article cited a VA official as saying that they were taking a “Evolutionary approach”, despite the fact that they just bought a Cerner lab system rather than building the functionality into VistA. Strange.

-FT

Healthvault: In summary, so far.

Lets review the problems with HealthVault.

Most of my posts have been centered on the problem with Dr. Deborah Peels endorsement of Microsoft’s Healthvault.
In Medically, Legally, and Politically Savvy but Technically Uninformed. I discuss the fact that Dr. Deborah Peel has endorsed Healthvault, despite being totally unqualified to do so. I also note that no one from the organizations that Dr. Peel represents was both qualified to evaluate the privacy features in HealthVault and actually involved in the evaluation process. Although Dr. Peel had access to some of the top security minds in the industry, she failed to consult them when endorsing HealthVault.

In The Food critic never took a bite I discuss the basic impossibility of knowing if something respects privacy without reading the sourcecode. How can Dr. Peel’s organization endorse the privacy and security of HealthVault without having read the sourcecode?

In Privacy, a Complex Problem Underestimated (which has turned out to be my most popular post on the subject), I discuss the fact that the privacy of patient records is vastly more complex than is allowed by the simplified HealthVault privacy systems.

In Abusing vs Implementing Standards I discuss Microsoft’s history of abusing standards to their own advantage, and the implications this practice could have in the fragile domain of patient medical records.

In Failing the seven generation test, I argue that medical records need to archived for decades if not centuries. Information entrusted with HealthVault is not protected in any way that respects this future need.

I have written more articles, which you can find by clicking the HealthVault category on this website. But I feel that these posts specifically cover areas that Dr. Deborah Peel’s endorsement ignores. Dr. Peel has accepted Microsoft’s platitudes as fact. This is despite the fact that Microsoft is famous in the information security industry for giving assurances with regards to information security without providing comparable investments. Ironically Dr. Peel consistently views Payers, Drug companies and others who presume to profit from patient data as being evil, but Microsoft is given her highest endorsement. This is despite the fact that so many in the technical industry view Microsoft with distrust and apprehension similar to the distrust that those in the medical field often view payers and drug companies.

More troubling still is who Dr. Peel represents. Dr. Peel is the founder of and spokes person for the Patient Privacy Rights organization. Patient Privacy Rights claims to be the nation’s leading medical privacy watchdog organization. More troubling than this, (as if we were already not troubled enough) is the Coalition for Patient Privacy. This is a meta-organization that includes lots of very legitimate interests. Further, most of the activities that this coalition puts forward are pretty meaningful, for instance, they recently delivered a letter to congress, which asks for some pretty reasonable things. In fact if I was called before Congress and was asked to give that letter a thumbs up or down, I would endorse it. I would also point out that Microsoft as a signer is laughable. The problem is that in the same breath that it asks Congress to do good things, it gives a blank check to Microsoft to do bad things.

I will be contacting some members of the Coalition to see what can be done about this.

Regards,

Fred Trotter

On Patents…

Often I get phone calls, emails or other correspondence that begins. “We have this great patent pending idea and we want to use open source”. Hopefully I will take some time and write more about why software patents are a particular problem with medical software, but for now I am satisfied to link to a good summary article on why the Free and Open Source community generally has a problem with patents. If you feel like contacting me about using FOSS with your company and your company has patents, reading this first will save us some time.

-FT

Customizing Windows

At work, I often have to use a Windows machine. Despite my opinions regarding FOSS software, Windows is a fact of corporate life. Often, I cannot even dual boot. *sigh*

However, when I do have to use Windows, I do not like to go far without my *nix power tools. Here is a list of tools and tweaks that I use to make my Windows experience tolerable.

FOSS tools

gvim – the windows install lets you “edit with vim” from the right click, perfection.

winscp – because ftp uses plaintext

putty – does everything with terminals, telnet, ssh, everything…

emacs – is a little harder to install than vim, but if you use it, you use it.

wireshark – why even bother debugging a network without it?

proprietary tools

Google Toolbar – indispensable if you use gmail

Google Desktop – save time searching your own computer

Adobe Flash Player – because Youtube is just not the same without it

Adobe Reader – because you need to use pdf’s

lifehacker apps

I will update this post as I find things that are totally irreplaceable. However, there alot of ways to improve the Windows user experience, besides making it more like *nix. The best place that I have found for new and different ideas for Windows productivity tools is the LifeHacker: Featured Windows Download category.

Enjoy,

-FT

Health IT (HIT) in Houston

Houston has the largest medical center in the world. I am starting a new networking group in Houston called HIT in Houston

I plan to discuss current events, and Health IT trends as they apply to Houston, T.X. Soon I hope to begin holding monthly meetings through meetup.com and I already have a Linked In Group for HIT in Houston.
If you would like to be included, you can contact me through this site.

-FT

HealthVault Response: Lucid comments from Fred Fortin

The World Healthcare Blog recently had a post that quoted a portion of a post from my HealthVault series. In the post, titled, What Will Patients Expect in the Completeness of Their Electronic Medical Records? Fred Fortin extends upon my comments about the complexity of patient privacy with some lucid questions about the implications of trusting a meta-EHR system like HealthVault. Since he quoted me 🙂

Either by design, incompatibility, law, or systems failure, something will be missing (from the HealthVault record). Will it be important information? Who knows. But the public, as it has with banks, credit cards and other electronic dependencies, may believe it to be complete. They may, in fact, have a view of EMRs that is more in line with the industry’s marketing image than with the intricacies or record-keeping reality.

Worth a read! It is satisfying to know that I am making people think and comment.

FOSS Sin: Pointless Duplication of Effort

Duplication of effort is viewed as a sin in the Free and Open Source software (FOSS) development community. The whole ethos of FOSS dictates that developers should work together, sharing the improvements they make to software between them. For this reason forking, or starting a redundant project, is often viewed as an attack against the community.

The taboo against forking is well-documented. Eric Raymond (or esr) wrote about this is Homesteading the Noosphere specifically in a section from Promiscuous Theory, Puritan Practice. Here he is discussing three taboos of the FOSS culture, note the first one:

The taboos of a culture throw its norms into sharp relief. Therefore, it will be useful later on if we summarize some important ones here:

  • There is strong social pressure against forking projects. It does not happen except under plea of dire necessity, with much public self-justification, and requires a renaming.

I would like to make a specific case that starting a new project, depending on how it is done, can be as violent to the community as an unwelcome fork. I believe that new projects, without new advantages, are just as damaging to the community as forks are. If the community agrees with me on this, I will ask Eric to add “starting redundant projects” to his list of taboos. [section added 4-10-08]

Two separate projects, both doing essentially the same thing in the same way, fractures the community into two factions of programmers who can no longer work together. To fully understand this problem, one has to understand a little about how the Free and Open Source development community works. The first thing to understand is the licensing.

FOSS licensing allows anyone to download software sourcecode and modify it to their hearts content. While anyone can make modifications to FOSS licensed code, there is a community standard that there is one “official” person or group who controls the official version. For Linux this person is Linus Torvalds. There are many “versions” of Linux were code is developed and improved, but the community agrees that the version that everyone trusts is the version that Torvalds releases. Legitimate Linux development always aims to add features to Linux that will ultimately meet with Linus’ approval. But this is only because of community custom, the license does not require this at all. Eric entitled the chapter above Promiscuous Theory, Puritan Practice precisely because FOSS licenses allow forking while the FOSS community frowns on forking. There is nothing, other than cultural rules, stopping me from creating an operating system kernel based 100% on the code currently residing in the repository maintained by Torvalds, and call the project “Fredux”.

If I started “Fredux” either by forking the Linux codebase, or by starting a new kernel project from scratch and posted it to sourceforge, the Linux community would either mock me or ignore me. The reason is simple; I am not important in the operating system communities and Linux is very well established. However, it would not be difficult to really piss them off. My hypothetical “Fredux” project could easily anger the Linux community by doing any of the following.

  • Post something to public forums, especially the Linux Kernel mailing list, in an attempt to attract developers from the Linux community over to Fredux.
  • Pretend in public that my project is unique or innovative in way that distracted from Linux and its legitimate competitors.
  • Get investment capital, or grant funding, at the expense of competing Linux-based projects to develop my Fredux operating system.

What do these actions have in common? They all poach resources that could have legitimately gone to the Linux community. If I started an operating system from scratch the community would react… poorly. The core issue would be that I would be acquiring resources that should have gone to Linux or another legitimate operating system project.

Why? What is wrong with starting a new operating system project? There is no problem with starting a new legitimate operating system, and then competing for resources for it. The problem comes when you start an illegitimate new operating system and try to pawn it off as a legitimate. Of course this begs the question: What makes a new project or a fork legitimate?

Here are some guidelines for when a new project might be in order. (contact me if you feel I have missed something)

  • The project uses a different programming language, which has some advantage in the field of inquiry.
  • The project addresses a serious feature gap in current projects.
  • The project addresses a serious design limitation in current projects.
  • The project uses a new programming paradigm that has advantages over those currently in use.
  • The project uses a different development process that might have some advantages.
  • The project uses a more common and accepted FOSS license than alternative projects.

So lets see how this applies to Fredux! Here is a hypothetical Fredux release announcement version .1

Fredux is a new operating system kernel available under Freds Very Open Sourcey License. Fredux is coded entirely in C which means that it compiles to blazing fast machine code. Fredux is designed to provide a kernel for a POSIX compliant operating system. Fredux consistently uses a modular approach to software design, allowing it to be extended easily. Fredux will use a distributed development model, ensuring that everyone can see the code and allowing the “many eyeballs” effect to take place. Most importantly, Fredux is completely Open Source and Free Software!

Ok, what are the problems with this announcement? First of all the “usual suspects” of FOSS operating systems (GNU/Linux, FreeBSD, OpenBSD, Hurd, etc) all use the programming language C. So there is no language benefit to Fredux. Linux and several other projects strive for POSIX compliance, so Fredux has not addressed a feature gap. Because Linux is modular there is no design advantage. Fredux is developed in the same way Linux is, ergo there is no development style advantage. Lastly, Fredux is NOT open source! You will find that Freds Very Open Sourcey license does not appear as an OSI approved license. You will also not find the license on the list of FSF approved licenses. So the license is neither “Free” nor “Open Source”. It is shame how many companies continue to market themselves as Open Source without actually stepping up and meeting the licensing requirements.

On the other hand lets look at the description of a legitimate operating system project.

Hurd is a collection of services that run on the Mach micro-kernel. The Hurd implementation is aggressively multi-threaded so that it runs efficiently on both single processors and symmetric multiprocessors. It is possible to develop and test new Hurd kernel components without rebooting the machine (not even accidentally). Running your own kernel components doesn’t interfere with other users, and so no special system privileges are required. Unlike other popular kernel software, the Hurd has an object-oriented structure that allows it to evolve without compromising its design.

This collection of sentences are taken verbatim from the Hurd main page. These sentences were re-arranged to make a point. The paragraph above details supposed advantages of using a micro-kernel design; Linux and other free operating systems usually use a macro-kernel design. The Hurd people think this is a design improvement on Linux. This description lists features (modify the kernel without rebooting) and architecture advantages. One can debate issues like macro-kernel vs. micro-kernel for days on end (and people do), what I am trying to clarify here is that because Linux is so well-established and capable, the Hurd project differentiates itself and clarifies why it is also a legitimate project right on the projects home page.

On the project home page for the OpenBSD project we find.

The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

Again taken verbatim from the openBSD home page. Again, note the emphasis on things that differentiate the project from the dominant Linux project. OpenBSD is famous for its focus on security, on the main page, it covers this advantage. It is also famous for supporting lots of architectures, again right on the main page. I hope that I am demonstrating, very explicitly, what it means to establish legitimacy in the context of a currently dominant project or projects. OpenBSD even goes so far as to list the projects and products that it competes with.

When multiple projects are legitimate it is reasonable for each project to compete for developers. Want to work with the most popular OS project? Choose Linux. What to work with a bunch of people obsessed with security? That would be OpenBSD. What to work on a micro-kernel? Work with Hurd.

But you should not work on Fredux. It has no advantages over any of these projects. The competition between legitimate projects is… well… legitimate. But the FOSS community will instantly attack anyone who pouches resources for a project that has no discernible advantage over an existing project.

In the medical FOSS community, we are particularly sensitive about it. We have a small community, and dividing it is a real problem. It happens too much already, for “legitimate” reasons. The holy grail in FOSS Health IT is the creation of a Electronic Health Record (EHR). We have several legitimate projects in this space. All of the legitimate projects are starving for resources like developers, documentation writers, clinical experts, funding sources and users.

What are the “legitimate” projects competing to build the best FOSS EHR? Sorry, but this post is already too long. That question merits a whole article on its own.

For now I want to talk about three projects in particular that together illustrate the problem of duplication of effort. Tolven, OpenMRS and ExampleProject [update 4-10-08 to protect the guilty, the name of the offending project has been removed]. Tolven and OpenMRS both have reputations for being mature, Java-based projects. Here is the description of Tolven.

Tolven EHR and PHR products are a suit of Java based technologies that use the latest in Open Source Java application toolkits to create a heavily Object Oriented, MVC EHR application. In short the Tolven strategy is to a very clean java-based EHR using solid OOP design with the latest tools.

Here is a description of OpenMRS.

OpenMRS is a community-developed, open-source, enterprise electronic medical record system framework intended to aid resource-constrained healthcare environments.

OpenMRS is currently implemented in Kenya, Rwanda, South Africa, Uganda, Tanzania, Zimbabwe, and Peru. Many of the developers are MIT trained and the design of OpenMRS is based on work done at the Regenstrief Institute. 2008 will mark its second year participating in the Google Summer of Code. The design of OpenMRS is carefully thought out to support a rural deployment model. OpenMRS is a very mature project. [added OpenMRS 4-10-08 to acknowledge the tremendous things the project has done]

A bit of downlow information about Tolven: At the time of the writing Tolven is going live in several installations. Tolven has a tremendously talented development team. Tolven has received substantial funding. They have an EHR and PHR already working.

On my short list of legitimate FOSS EHR systems (and believe me it is short), Tolven and OpenMRS are currently battling for the title of top Java-based project. To review; Tolven is funded, going live now, 12 full-time developers, working software = legitimate. OpenMRS is funded, deployed all-over-the-place, and backed by some of the top minds in Medical Informatics = legitimate.

ExampleProject is a Java-based EHR system using strict OOP principles and the latest Java software stack.

ExampleProject is in alpha. ExampleProject is primarily developed by one guy, who is working part-time. ExampleProject plans to have a release that can be used in a live environment by October of 2008 ( a little less than a year away from the writing) . ExampleProject is not legitimate.

In short, ExampleProject appears to be a Fredux. What is worse, ExampleProject is constantly put forward as a legitimate project on LinuxMedNews, EMRupdate and the openhealth mailing list. Those forums are intended to be open and so censoring ExampleProject news would be unethical. The problem is that it appears to the un-initiated as though ExampleProject is important, when in fact it is exactly the opposite, an illegitimate project. ExampleProject has attracted at least two other part-time developers, and seems to be succeeding in acquiring attention and resources that properly should go to Tolven, OpenMRS or some other project. ExampleProject is guilty of the sin of duplication of effort. Everything they are doing has already been done, and well, by another project in the same programming language. Every developer that works with ExampleProject instead of working with Tolven or OpenMRS, is accidentally wasting their time. The same is true of beta testers, investors, and others who might be interested in working with a project. Because Tolven and OpenMRS continue to improve, and a greater rate than ExampleProject, it is very unlikely that ExampleProject will ever catch up. While it is fine for the project manager of ExampleProject to waste his time, it is not OK for him to trick others in the community into wasting time with him.

I have discussed this issue with the ExampleProject project manager. Before I mentioned it to him, he had never heard of Tolven. After spending about ten minutes on the Tolven site he said that the big difference between Tolven’s efforts and his own was that ExampleProject was using Swing, where Tolven was using AJAX. This seems like it might be a real legitimate technical difference, except that Tolven would likely be very happy for someone from the community to step up and create a thick-client using Swing. They would probably say something like “We do not have time to work on both AJAX and Swing interfaces. But our software design should allow any ‘viewer’ type. If you feel Swing interfaces would be better, and were willing to write it yourself, we would be happy to modify our interfaces enough to make that possible.” Even if Tolven were unwilling, the great thing about open source is that you can prove your technical points without the permission of the project manager. If Tolven or OpenMRS were shown that a Swing interface was better than an AJAX interface, they would probably adopt Swing.

A great example of a project that has spawned a sub-project specifically to address differences of opinion regarding user interfaces is the Kubuntu project, which is Ubuntu, only with KDE instead of Gnome.

When a separate project is justified is a complex issue. In fact, I gave Neil Cowles of the Tolven project a stern lecture about why he should be working through the OSCAR project, which was the dominate Java based EHR project before Tolven came on the scene. Since that lecture Tolven has proven to me and the community generally that they are legitimate. It is possible that ExampleProject, despite its small beginning, will grow into a mature open source EHR. They could prove me wrong.

Right now I would guess that ExampleProject is about one year and a million dollars of development behind Tolven or OpenMRS. If you are a developer, clinician, investor, entrepreneur, or administrator you should probably work with Tolven or OpenMRS if you want a Java-based FOSS EHR. (I will update this article if this ever changes).

I hope I have accomplished two things at this point. I hope I have shown, through a hypothetical example and a real one, examples of when duplication of effort is a problem. I also hope that I have said enough about ExampleProject to steer those who might want to work with a Java-based EHR to Tolven or OpenMRS.

-FT

(updated to clarify content and remove offending project name in April 10, 2008 if you care, just go read an archived version to find out who ExampleProject was)

(updated for readability Feb 27, 2008)

Why is VistA good? the VistA open source development model

Recently, VA VistA has been getting a tremendous amount of attention. Lets take a look at the recent events that highlight what VistA is and why it is important.

The question I would like to ask is “how did this happen?”. Lets get the story straight. Federal employees developed what appears to be the EHR at the backbone of the highest quality medical system in the United States. That makes no sense.

I defy my readers to give me legitimate examples of something that any government creates, programs, or manufactures internally that is provably superior than commercial alternatives. The only thing I have thought of is money. Various governments might be considered experts at manufacturing currency.

Despite the inability of governments to “make” for themselves the US government seems to have some cool stuff. Air craft carriers? corporation-built. Jet plane? corporation-built. Bridges? corporation-built. Now for the madness: World class Electronic Health Record (EHR)? government-built.

As the Federal Government considers how to further improve VistA it makes terrible decisions because it does not actually understand why VistA is good in the first place. At the heart of this problem is the fact that some of these Federal administrators are no longer in awe of the “miracle of VistA”.

The “miracle of VistA” is that a branch of the US Government, which has no primary expertise in software development, was able to create one of the most highly regarded electronic health records in the world.

VistA is good because it, like typical open source projects, evolved. In fact, the evolution of VistA is an alternative open source development model that is comparable in scope and significance to those found in the most popular open source projects. The best run FOSS projects evolve, but in slightly different fashions. The Linux kernel is famous for the “benevolent dictator” model now enabled by git. The Apache project has succeeded with the “wise council” model, that has in turn been successfully applied to other projects besides the core web server. Like Linux, the Apache project has developed tools specifically designed to enable the model that they use. You can easily find studies about what makes the development of Apache and Linux tick. Here is a short description of the elements of VistA development that made it successful.

VA VistA is developed in a pair programming paradigm, not two coders working side by side, but one coder and one clinician. Each VA hospital was free to develop software that meet local needs. Local hospital administrators paired one clinician, intimately familiar with a given clinical need, and one advanced MUMPS programmer, who together encoded clinical knowledge into VistA. Each local VistA programmer answered to the needs of the local hospital administration. This helped to ensure that the hospitals needs were never overlooked by a “centralized” software architect. The best software, after initial development and testing at one hospital, was quickly distributed throughout the system for hospitals hungry for similar functionality. The methods for sharing software between hospitals has become more and more formalized, and like Apache and Linux programmers, VistA programmers developed collaboration tools designed specifically to meet the needs of this distributed development environment. The hospital from which a feature originated became the de facto program manager for that feature, coordinating future improvements. Poor code was criticized and systematically abandoned in favor of good code. VistA is not actually one program, rather it is hundreds of small programs, each of which evolved and improved separately and together. No one person can “understand” what VistA is, instead VistA experts usually are familiar with a few of the VistA programs, and know which other VistA experts are familiar with the other programs. VistA is one of the oldest software projects to rely on a distributed, collaborative development model, from its inception.

Obviously, the process is more complex than can be described in a simple blog post. There is enough here to demonstrate several important points.

  • VistA was not “designed” by anyone, it evolved in a collaborative fashion similar to modern open source products
  • Because the “clinical pair programming” has been happening for more than twenty years, VistA encodes a tremendous amount of clinical expertise that is impossible to “recode” via a traditional design process.
  • VistA was made in a fashion that makes it more like an organism and less like a house or a car.
  • Replacing portions of VistA with proprietary systems is similar to, and works as well as, amputating human limbs and replacing them with prosthetics.
  • Centralizing VistA development is foolish and will never improve the EHR software. The right way to improve VistA is to encourage the evolution of the software in a process similar to the way that one would breed animals.
  • The current VA reorganization, which has local VistA programmers reporting to and paid by a centralized office in Washington, has destroyed the control and influence of local VA hospital administrators over the direction of VistA
  • Frustrated VistA progammer’s are flocking to private corporations like Medsphere or to non-profit organizations like WorldVistA in order to ensure that VistA continues to thrive. This brain-drain will ultimately damage the VA’s ability to improve VistA.
  • Something needs to be done to ensure that VistA continues to evolve.

Decisions like the recent one use Cerner’s lab system in the VA are made by administrators who do not understand what VistA is. I hope that this article will help you to understand why those familiar with VistA and Open Source software (like WordVistA’s Joseph Dal Molin and Doctors Steve Shreeve and Ignacio Valdes) are so put off by the Cerner announcement. Further this is why the typically technical HardHat’s mailing list is boiling with posts which expose the problems within the current VA thinking far more exactly that I have done here.

Now if I could just convince my congressman.

-FT