Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hope For FOSS In Electronic Health Records

Posted by kdawson on from the ray-of-light dept.

Fred Trotter writes "CCHIT is the dominant Electronic Health Record certification body in the US. It is also decidedly anti-FOSS and has been for years. Certification of one kind or another will be required for EHR systems to qualify for funding under the Stimulus Act. If CCHIT is chosen as the certification body, and the current certification strategies continue, it will not be possible to have a funded EHR that is both certified and truly FOSS. Now, however, CCHIT has agreed to meet the FOSS Health IT community at HIMSS 09 to address this issue." We discussed the shortcomings in the stimulus bill as it relates to FOSS a few days back.

12 of 92 comments (clear)

  1. Anti-FOSS? by FooGoo · · Score: 4, Interesting

    So let me get this strait...CCHIT is considered anti-FOSS because they charge fees that for certification that the FOSS folks cannot afford?

    Sounds like we need a welfare program for FOSS apps to be able to play in the big leagues. How do you think CCHIT gets their operating budget? Through fees I would expect.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
    1. Re:Anti-FOSS? by Compholio · · Score: 4, Insightful

      Sounds like we need a welfare program for FOSS apps to be able to play in the big leagues. How do you think CCHIT gets their operating budget? Through fees I would expect.

      Sounds to me like this organization should be getting funded a better way. It's pretty commonly accepted that certification groups that get their budget from fees have a pretty significant conflict of interest wrt. properly executing their duties.

    2. Re:Anti-FOSS? by sumdumass · · Score: 3, Interesting

      Outside of the entire Fees for OSS idea, I think it is preposterous to think that once you certify a program or application to do a certain thing, you have to continue paying them based on annual sale of your program or application to keep that certification.

      We don't need welfare for OSS, we need something different in place. A certification process shouldn't be dependent on future fees paid nor should it base any of the fees on the sales of the software. If you want to know why health care is so expensive, it's shit like this.

      Think about it, 25K can go into 25 copies sold $1000 at a time. That isn't so much when considering what the software brings to the table. But an annual $5000 on top of that based on sales means the same program that was certified at $1000 a pop is now not certified if more money isn't paid. The question is, is that 5k a version sold?, up to 25 licenses sold? or is it 5 licenses sold? Now licenses could be a misnomer too, Take MS servers for instance, you need a license for the server, a license for the workstation's MS operating system, a license for the network connections to the server, and a license for all the MS applications running on those systems. Lets say MS Office is a given and for shits and giggles, lets say MS dynamics CRM is installed. Now, that means 1 server license, 1 workstation, 1 connection, 1 office and 1 CRM, that's 5 licenses just to be up and running. OF course more workstations will need less licenses but in the certification ordeal with CCHIT, how many of those licenses count as sales? I mean the ERM software could have modular features and easily require 5 licenses, so with the 5k based on sales, if that is for every 5 licenses, then you might need to recover 5k per workstation on top of your profit and expenses for creating the damn thing.

      It's a racket that shouldn't be allowed. If we are going to require certification, then there should be some rules and guidelines and limits on costs instead of creating a get rich quick scheme that drives the cost of health care up so some damn politicians can fool the people when they claim to be fixing the problem. The opposite of that would be to open up the ability for other companies or organizations to become certifies and forbid lock ins to certain companies or organizations so competition can drive costs down to something more reasonable.

  2. To add some meat or beef or whatever... by davidsyes · · Score: 4, Informative

    Here are a few more links...

    List of open source healthcare software:
    http://en.wikipedia.org/wiki/List_of_open_source_healthcare_software

    Welcome to openEHR:
    http://www.openehr.org/home.html

    "openEHR is about enabling ICT to effectively support healthcare, medical research and related areas. Today ICT is used ubiquitously elsewhere, but is far from effective in Healthcare. The main problem in health is the lack of shareable and computable information.

    The principal challenge for health ICT is to represent the semantics of the sector, which are far more complex than in other industries. Doing this requires a knowledge-oriented computing framework that includes ontologies, terminology and a semantically enabled health computing platform in which complex meaning can be represented and shared. At the same time it must support the economically viable construction of maintainable and adaptable health computing systems and patient-centric electronic health records (EHRs).

    The openEHR endeavour is about creating specifications, open source software and tools in the technical space for such a platform. In the clinical space, it is about creating high-quality, re-usable clinical models of content and process - known as archetypes - along with formal interfaces to terminology."

    If the US has idiots in onbstructionist ways working in positions of power, then maybe, if other countries are technologically superior in such areas, offer help to them so they can grow and come back to haunt and compel the USA to "get with it, already!".

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  3. one of FOSS's problems. by MonoSynth · · Score: 4, Interesting

    If the law states that there should be a 'view but not save/copy/print' right (like here in the Netherlands), how could you enforce that *and* be truly open source? You have to certificate each and every release of the full software on a source code level (and provide authorization based on the (i.e.) md5 sum of the executable) to enforce such rights. One simple edit & recompile and you can save/print those x-ray pics, which is against the law.

    At the very least, forking, maintaining your own version and fixing bugs for your (employer's) own use is either impossible or very expensive.

    1. Re:one of FOSS's problems. by DragonWriter · · Score: 3, Insightful

      If the law states that there should be a 'view but not save/copy/print' right (like here in the Netherlands), how could you enforce that *and* be truly open source?

      The same way you would do that for commercial programs.

      Being open source doesn't mean that there is an absence of government regulations that restrict your ability to distribute and/or use modified versions.

      You have to certificate each and every release of the full software on a source code level (and provide authorization based on the (i.e.) md5 sum of the executable) to enforce such rights. One simple edit & recompile and you can save/print those x-ray pics, which is against the law.

      And...so, what? Its always possible for the user to modify either the software, the software environment in which the application software runs, or the hardware platform on which the software runs to avoid such restrictions. Certification of software only provides assurance for the software in the form it is sold, not anything that is done by the purchaser after they have received it. Other enforcement measures, like on-site audits, are necessary, whether or not the software is open source, to assure that the user uses the software in a manner which complies with the law.

      At the very least, forking, maintaining your own version and fixing bugs for your (employer's) own use is either impossible or very expensive.

      It doesn't add any cost that isn't added to purchased software, even if the certification requirement is on software used and not software sold for a purpose, since you are going to be paying the cost of certification for any software you purchase, as well. OTOH, since the modification and use of software in house is part of the internal practices, it makes more sense to include those in whatever regulation and certification requirements exist for internal practices, rather than in the kind of certification requirements that are imposed on software sold for a regulated purpose.

    2. Re:one of FOSS's problems. by sumdumass · · Score: 4, Insightful

      Opensource is about the code in question and the freedom to adapt it to your needs.

      That being said, the ability to give the code away again is still there even with certification is the certification is assigned like a patent or copyright. In this case, the assignment of the certification would be a specific implementation by a specific company or person or person representing the company.

      To walk through this just so we are clear, if I create an open source product called "Little Dog" and I get it certified, if the certification is assigned to me for version 1.0, then version 1.2 or 1.45 or whatever would need a new certification. And because the certification is assigned to me, if you decided to take the code and offer your own product or even improve it, you wouldn't be able to claim it was certified because only the person assigned the certification could do that. Technically, the code would have been certified so you could get a certification in your name without fear of failing but you couldn't lay claim to my certification.

      Now, I believe this follows along with the open source model and principle because you can get the code, you can distribute the code, you can modify it, you can still do anything you want with it. The only thing you couldn't do is make claims or representations over a certification for use that was assigned to me. Think of it like this, if Time magazine said you were the hero of the month because of some open source program you created, I couldn't accurately take the code, distribute it, and claim Time Magazine called me the hero of the month even though I would be using the same code you created that caused them to notice you.

      I hope I didn't just write in circles and confuse my point.

  4. Bigger Issue by hax0r_this · · Score: 5, Insightful

    I see a bigger issue here than the scam this particular group is running.

    As I understand it, the stimulus bill allocates $17B to help hospitals across the country pay for medical record systems. Think about that number, $17 Billion.

    There is absolutely no reason to distribute $17 Billion to a long list of organizations to individually license an EMRS. For far less than $17B the Federal government could buy any medical record system in the world to be deployed wherever and whenever they want at a fraction of the cost. Or, alternatively, for a lot less than $17B they could sponsor development of a standard, open source EMRS that could, again, be deployed by anyone who wants to at a fraction of what it would otherwise cost.

    Obviously there are costs associated with deploying these systems, but the current "plan" amounts to a giveaway of $17B to Semens, GE and whatever other companies produce "certified" EMRS.

  5. Re:To add some meat or beef or whatever... Alterna by jkx · · Score: 3, Informative

    For a discussion of FOSS medical records systems, circa 2005, see http://www.ssrc.org/wiki/posa/index.php/F/OSS_Opportunities_in_the_Health_Care_Sector

  6. Re:This article says a lot about FOSS... by sumdumass · · Score: 5, Insightful

    The problem is that the model breaks when the software environment breaks because of fees to make the software useful.

    Requiring a certification isn't part of the normal software process or model. It's actually an add on that isn't necessarily needed but has advantages. If the model was changed and the vendor certified the software in house to pass a third party review and the customer had to cover the expense from a third party verification service, it would be the same model and nothing would be broke. But no where else in software, do you have to pay someone in order for your software to be used unless your licensing someone else' product. Of course if your licensing someone else' product and they don't want it open sourced, you can't open source your product that contains theirs.

    And something you should note, it's only a problem currently because of the outrageous costs associated with certification. If the costs were lower and more reasonable, the problem disappears. It's disingenuous to associate the problems with the FOSS model or commercializing FOSS software without pointing to what broke it. It isn't like many other software packages ever require third party certifications that require large sums of money either. And of those that might, the sums generally aren't as outrageous and ongoing like this.

    Something the poster didn't mention that could negate most all of his fears and black out the point you raised is that they could certify the software under a trademark name and do the releases with the normal name. This would lock the certification into something only he could use. For instance, he likes the program MirrorMed. Now he can create a company called Trotter inc. and certify MirrorMed as "Trotter's certified MirrorMed" software. He then distributes it under that name "Trotter's Certified MirrorMed" and distribute his code as MirrorMed. No one else could claim MirrorMed was certified under his certification because they couldn't use his trademark "Trotter's certified" in the name of the product even though he distributed the code and the certification is in his trademarked name.

    In short, the certification would be locked to the "trotter's certified" which is the over package he provides instead of just the software MirrorMed. He could control this because MirrorMed itself as a name wouldn't have been certified. Now the code would have technically been certified so everyone else wanting to do the same could certify it themselves without fear of it failing, and most likely they would certify it under their own trademarked name too.

  7. Get out of your mother's basement by nacturation · · Score: 4, Insightful

    Speaking of cost... 25 to 35K one time fee and 5k a year? What kind of *scam* is that? One gurenteed to make it possible only for those with a huge finantial interest (and thus low OSS interest) to gain entry. Total bullshit. Who made these yahoos incharge?

    I assume you have some basis for your outrage? Do you know how many hours of work goes into the one-time certification process? What sort of legal review is required? How much money in third party disbursements are involved?

    Seriously, if you don't have $30K to pony up for the certification, what are the odds that you've spent the necessary money to ensure full compliance with all aspects of relevant legislation? Have you gone over your application with a team of lawyers to ensure full compliance? Have you hired UI designers to come up with a sane user interface and paid for a panel of doctors from various professions to perform UI testing and implement any suggested changes? Do you also have professional liability insurance to cover any errors and omissions that you might have made? How large is your support department, what's your SLA for support turnaround times, and what's the SLA for any bug fixes or feature improvements? What kind of physical and network-based authentication and permission policies do you employ in your office? If someone were to break into your office during the night and you've been examining data from my systems to track down a bug, can you guarantee that the data won't get compromised because proper information handling procedures have been followed? What's your two year roadmap for the product so that people comparing it against offerings can see where you're headed?

    What it boils down to is that the $25K - $35K in fees is partly to cover the actual costs of the certification and partly a statement that "if you can't afford these costs, don't waste our time because odds are good you won't be in business in a year from now". Seriously, that's the salary and overhead cost of a half decent developer for a few months let alone all the other support staff you'll need to maintain a viable business.

    Also from the article:

    The "seal of approval" model is also problematic. Suppose I pay the fee to have MirrorMed (my project of choice) certified. There is no way for me to guarentee[sic] that only I benifit[sic] from the "seal". My competitors which have full access to the code that I would have certified would be able to correctly claim that the code had been certified, and would benifit[sic] with me. As with the original pricing there is no way to fairly spread these kinds of costs across a community.

    Waah... cry him a river. He's complaining that because he's choosing to make his code available for everybody at no cost, that he's putting himself at a disadvantage because others can use his code at no cost? What the FUCK, dude? Choosing to use the GPL means that you've also chosen all the consequences of that particular license. If you don't like the consequences, then don't ask for special treatment because you think the GPL automatically gives you some kind of entitlement. Change your license!

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  8. CCHIT? by Anonymous Coward · · Score: 5, Informative

    Disclaimer: I work in this industry.

    To be blunt, CCHIT is among the least significant and cheapest of the regulatory considerations in healthcare software, particularly when you're talking hospital-caliber systems. Far more onerous are the FDA regulations and oversight (at this level, healthcare software is regulated as a medical device), and similar bodies in other countries. Software bugs can also create enormous legal risks; malpractice or wrongful death claims are never cheap, and bad code or human error does not get you off the hook. All of this means enormous testing and documentation costs, shared by both the software companies and the hospitals. (The VA, as an arm of the federal government, enjoys some legal advantages over other hospitals in this regard.)

    Combine this with the enormous complexity and the domain expertise required to model what can occur in a hospital, and you have a market with a very high cost to enter - not the best opportunity for open source. Indeed, there's been several highly-capitalized and failed attempts to enter the market by tech giants ...

    That said, most modern healthcare software contains and uses healthy quantities of open-source code, but generally not of the GPL variety. We regularly contribute to the projects we use, inasmuch as our employment contracts permit. However, generally speaking, these projects are not specifically healthcare oriented (though there are exceptions - hapi is a personal favorite.)