Hope For FOSS In Electronic Health Records
Fred Trotter writes "CCHIT is the dominant Electronic Health Record certification body in the US. It is also decidedly anti-FOSS and has been for years. Certification of one kind or another will be required for EHR systems to qualify for funding under the Stimulus Act. If CCHIT is chosen as the certification body, and the current certification strategies continue, it will not be possible to have a funded EHR that is both certified and truly FOSS. Now, however, CCHIT has agreed to meet the FOSS Health IT community at HIMSS 09 to address this issue." We discussed the shortcomings in the stimulus bill as it relates to FOSS a few days back.
Sounds to me like this organization should be getting funded a better way. It's pretty commonly accepted that certification groups that get their budget from fees have a pretty significant conflict of interest wrt. properly executing their duties.
Screenshot of OpenEMR:
http://sourceforge.net/projects/openemr/#item3rd-2
The resources that already exist in the USA can be brought to bear by offering these to as MANY doctors as possible. It will first require conducting info gathering on providers, their electronic systems, having some insiders in the many types of medical offices to come in and user-test/kick the tires on these apps, and get THEIR opinions as to whether the software is worthy of being supported. It appears that some of the open source software might be qualified to pass the end-user-suitability-test (for lack of a better description). If ANY of these apps are found to be half-baked, like many apps written BY developers FOR developers (rather than BY developers FOR end-users), then they should by all means be shunned so they are forced to be upgraded to suitability for the office. After all, if medical, dental, and other offices reject the software, why should regulatory and office personnel even *listen*?
But, again, some/most of these apps *seem* to have what it takes; they seem to be the survivors of the past few years that I've noticed their names (since, oh, ~2001/2003).
Beyond that, the biggest hurdle will be lobbyists/SIGs (Special Interest Groups) that could be working on behalf of defense contractor-named companies (your Lockheed/GE/ and others-- who, incidentally have their hands in ship passenger reservation/assignment software, too...) who want NO competition that would undermine their self-anointed positions of high income.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
From TFA (well, not exactly an article):
Which is a pretty expensive "field trip". The Physician's guide seems to imply that the ONLY thing CCHIT really does is to watch this "carefully scripted product demonstration". And write up their results on the web site. W00t! Deep, thorough analysis here.... Then they wander off to claim that they are the "Underwriter's Laboratory" of the EMR world.
Surprisingly enough, the Guide is heavy on "why you need to buy an EHR now". I'm sorry, I am just not impressed with this. Aside from the obvious conflict of interest, it doesn't sound like it's any more rigorous than a couple of folks with a clipboard.
Faster! Faster! Faster would be better!
I see a bigger issue here than the scam this particular group is running.
As I understand it, the stimulus bill allocates $17B to help hospitals across the country pay for medical record systems. Think about that number, $17 Billion.
There is absolutely no reason to distribute $17 Billion to a long list of organizations to individually license an EMRS. For far less than $17B the Federal government could buy any medical record system in the world to be deployed wherever and whenever they want at a fraction of the cost. Or, alternatively, for a lot less than $17B they could sponsor development of a standard, open source EMRS that could, again, be deployed by anyone who wants to at a fraction of what it would otherwise cost.
Obviously there are costs associated with deploying these systems, but the current "plan" amounts to a giveaway of $17B to Siemens, GE and whatever other companies produce "certified" EMRS.
That's actually the point of such certification groups; they serve their paying clients by creating a competitive advantage for the existing big players that any new competitor has trouble meeting. That's even more so, often, the point of such groups when certification through them is required by government regulation, as such regulations are often crafted to serve the interests of the existing major players in the industry, and it's more effective of a barrier to competition when those who can't afford the certification don't just have more trouble selling their product, but are outright banned from doing so.
No...it says a lot about requiring certification fees and that in all likelihood and little about commercializing FOSS. In fact, it has pretty much nothing to do with commercializing FOSS unless you are talking about a market that has a government mandated certification process and a certification board dumb enough to let someone take the source code of a certified FOSS project and reuse that code without forcing that organization to get their individual product certified. So...really what we are talking about here is insane certification requirements and behaviors brought on by government mandate...not FOSS commercialization. Nice try though.
The only change I can believe in is what I find in my couch cushions.
The problem is that the model breaks when the software environment breaks because of fees to make the software useful.
Requiring a certification isn't part of the normal software process or model. It's actually an add on that isn't necessarily needed but has advantages. If the model was changed and the vendor certified the software in house to pass a third party review and the customer had to cover the expense from a third party verification service, it would be the same model and nothing would be broke. But nowhere else in software do you have to pay someone in order for your software to be used unless you're licensing someone else's product. Of course if you're licensing someone else's product and they don't want it open sourced, you can't open source your product that contains theirs.
And something you should note, it's only a problem currently because of the outrageous costs associated with certification. If the costs were lower and more reasonable, the problem disappears. It's disingenuous to associate the problems with the FOSS model or commercializing FOSS software without pointing to what broke it. It isn't like many other software packages ever require third party certifications that require large sums of money either. And of those that might, the sums generally aren't as outrageous and ongoing like this.
Something the poster didn't mention that could negate most all of his fears and black out the point you raised is that they could certify the software under a trademark name and do the releases with the normal name. This would lock the certification into something only he could use. For instance, he likes the program MirrorMed. Now he can create a company called Trotter inc. and certify MirrorMed as "Trotter's certified MirrorMed" software. He then distributes it under that name "Trotter's Certified MirrorMed" and distributes his code as MirrorMed. No one else could claim MirrorMed was certified under his certification because they couldn't use his trademark "Trotter's certified" in the name of the product even though he distributed the code and the certification is in his trademarked name.
In short, the certification would be locked to the "trotter's certified" which is the over package he provides instead of just the software MirrorMed. He could control this because MirrorMed itself as a name wouldn't have been certified. Now the code would have technically been certified so everyone else wanting to do the same could certify it themselves without fear of it failing, and most likely they would certify it under their own trademarked name too.
The same way you would do that for commercial programs.
Being open source doesn't mean that there is an absence of government regulations that restrict your ability to distribute and/or use modified versions.
And...so, what? It's always possible for the user to modify either the software, the software environment in which the application software runs, or the hardware platform on which the software runs to avoid such restrictions. Certification of software only provides assurance for the software in the form it is sold, not anything that is done by the purchaser after they have received it. Other enforcement measures, like on-site audits, are necessary, whether or not the software is open source, to assure that the user uses the software in a manner which complies with the law.
It doesn't add any cost that isn't added to purchased software, even if the certification requirement is on software used and not software sold for a purpose, since you are going to be paying the cost of certification for any software you purchase, as well. OTOH, since the modification and use of software in house is part of the internal practices, it makes more sense to include those in whatever regulation and certification requirements exist for internal practices, rather than in the kind of certification requirements that are imposed on software sold for a regulated purpose.
Certification requirements are a government-imposed market distortion that, if imposed in a way which attaches the cost to the developer, systematically disadvantages FOSS software. Of course, since certification requirements, however loudly they are trumpeted as serving a public interest, are almost invariably crafted with the cooperation of the major commercial vendors in the field with the primary intent of reinforcing their position against any possible upstart competitors, this isn't exactly an unintended feature.
Open source is about the code in question and the freedom to adapt it to your needs.
That being said, the ability to give the code away again is still there even with certification if the certification is assigned like a patent or copyright. In this case, the assignment of the certification would be a specific implementation by a specific company or person or person representing the company.
To walk through this just so we are clear, if I create an open source product called "Little Dog" and I get it certified, if the certification is assigned to me for version 1.0, then version 1.2 or 1.45 or whatever would need a new certification. And because the certification is assigned to me, if you decided to take the code and offer your own product or even improve it, you wouldn't be able to claim it was certified because only the person assigned the certification could do that. Technically, the code would have been certified so you could get a certification in your name without fear of failing but you couldn't lay claim to my certification.
Now, I believe this follows along with the open source model and principle because you can get the code, you can distribute the code, you can modify it, you can still do anything you want with it. The only thing you couldn't do is make claims or representations over a certification for use that was assigned to me. Think of it like this, if Time magazine said you were the hero of the month because of some open source program you created, I couldn't accurately take the code, distribute it, and claim Time Magazine called me the hero of the month even though I would be using the same code you created that caused them to notice you.
I hope I didn't just write in circles and confuse my point.
Speaking of cost... 25 to 35K one time fee and 5k a year? What kind of *scam* is that? One guaranteed to make it possible only for those with a huge financial interest (and thus low OSS interest) to gain entry. Total bullshit. Who made these yahoos in charge?
I assume you have some basis for your outrage? Do you know how many hours of work goes into the one-time certification process? What sort of legal review is required? How much money in third party disbursements are involved?
Seriously, if you don't have $30K to pony up for the certification, what are the odds that you've spent the necessary money to ensure full compliance with all aspects of relevant legislation? Have you gone over your application with a team of lawyers to ensure full compliance? Have you hired UI designers to come up with a sane user interface and paid for a panel of doctors from various professions to perform UI testing and implement any suggested changes? Do you also have professional liability insurance to cover any errors and omissions that you might have made? How large is your support department, what's your SLA for support turnaround times, and what's the SLA for any bug fixes or feature improvements? What kind of physical and network-based authentication and permission policies do you employ in your office? If someone were to break into your office during the night and you've been examining data from my systems to track down a bug, can you guarantee that the data won't get compromised because proper information handling procedures have been followed? What's your two year roadmap for the product so that people comparing it against offerings can see where you're headed?
What it boils down to is that the $25K - $35K in fees is partly to cover the actual costs of the certification and partly a statement that "if you can't afford these costs, don't waste our time because odds are good you won't be in business in a year from now". Seriously, that's the salary and overhead cost of a half decent developer for a few months let alone all the other support staff you'll need to maintain a viable business.
Also from the article:
The "seal of approval" model is also problematic. Suppose I pay the fee to have MirrorMed (my project of choice) certified. There is no way for me to guarentee[sic] that only I benifit[sic] from the "seal". My competitors which have full access to the code that I would have certified would be able to correctly claim that the code had been certified, and would benifit[sic] with me. As with the original pricing there is no way to fairly spread these kinds of costs across a community.
Waah... cry him a river. He's complaining that because he's choosing to make his code available for everybody at no cost, that he's putting himself at a disadvantage because others can use his code at no cost? What the FUCK, dude? Choosing to use the GPL means that you've also chosen all the consequences of that particular license. If you don't like the consequences, then don't ask for special treatment because you think the GPL automatically gives you some kind of entitlement. Change your license!
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
The medical records system has to get it right the first time. The cert is not going to be easy to get. It is not going to be cheap.
Now the code would have technically been certified so everyone else wanting to do the same could certify it themselves without fear of it failing
This sounds --- simplistic.
Is it the code that is being certified here - or is it the implementation of a turn-key medical records system?
Isn't it responsible to demand that you demonstrate a deep understanding of how the thing works?
That you have the resources to maintain your system, upgrade it, provide service and support?
The open source movement needs to be active on standards bodies. Standards selection is vendor selection.