Archive for February, 2006

Health Wonk Review: A healthcare policy, technology, and business blogs carnival

Joe Paduda, Matthew Holt, and others have started the Healthcare Policy, Business, Technology & “Non-clinical” Issues Carnival called Health Wonk Review. Here’s how Matthew described the new Carnival:

Inspired by Nick doing Grand Rounds, Joe Paduda at Managed Care Matters has put together the first bi-weekly edition of a compendium of the best of blogging about health care policy, business, technology and anything that isn’t really clinical in nature. We’re hoping that it’s going to be a companion to the main Grand Rounds and that it’ll be a place to find some of the best insight into our evolving health care system. And while Joe kindly calls me a co-founder, and I will be hosting in two weeks, this is all his work and he gets the plaudits.

Securing Your Desktops from Pod Slurping

The EMR and HIPAA blog has posted additional information on “pod slurping”: Securing Your Desktops - Pod Slurping. He’s started a good discussion over there, and we should join in to see if we can work out which policies health IT shops should put into place.

Why vendors don’t implement CCOW in legacy systems

Wheelybop, A HIStalk reader, recently posed a question:

Can you or your blogger network describe to me what vendors have to do to make their legacy products CCOW compliant and why some refuse to do so, what the pros/cons are, etc.? Would love a CCOW primer or to be pointed to such.

First, let’s tackle the primer. The acronym CCOW stands for “Clinical Context Object Workgroup”, a reference to the standards committee within the HL7 group that developed the standard. CCOW is a standard designed to allow information sharing between clinical and health IT applications. It uses a basic technique called “context sharing” that allows multiple clinical applications to “switch contexts” simultaneously. A “context” is a computer science term that, here, could mean a patient’s data screen or an encounter form. Multiple CCOW compliant applications can simultaneously change their screens to show the same patient’s data when any one of the participating applications does so. For example, if a hospital can get its labs, EMR, and CPOE vendors to become CCOW compliant, those applications can share patient context instead of the user having to log in and out of each application separately.

Ok, that’s the intro. There’s more to read on CCOW vendor websites (NeoTool, Sentillion, etc.), but the above is pretty much what you’ll get there as well.
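To make the “context sharing” idea above concrete, here is an added simulation of the pattern (example code, not from this blog, from HL7, or from any CCOW vendor). It keeps only the core shape of the standard: one context manager holds the shared patient subject, each application joins it as a participant, and a change proposed by one application is surveyed with the others before it is committed to all of them. The class and method names (ContextManager, Participant, set_patient, the check hook) and the three-application scenario in demo() are this example’s own simplifications; the real protocol has more subjects (user, encounter), formal accept/conditional-accept responses and authentication between applications and the manager.

```python
"""Simplified simulation of CCOW-style patient context sharing (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, str]


@dataclass
class Participant:
    """One CCOW-aware application (labs, EMR, CPOE ...)."""
    name: str
    # Survey hook (hypothetical simplification of accept / conditional accept):
    # return None to accept a proposed context, or a short reason to object,
    # e.g. an unsigned order that would be lost by switching patients.
    check: Callable[[Context], Optional[str]] = lambda proposed: None
    current: Context = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def on_context_changed(self, ctx: Context) -> None:
        """Called by the manager after a commit: redraw to the new patient."""
        self.current = dict(ctx)
        self.log.append(f"{self.name}: now showing patient {ctx['patient_id']}")


class ContextManager:
    """Holds the shared context and drives the survey / commit sequence."""

    def __init__(self) -> None:
        self.context: Context = {}
        self.participants: List[Participant] = []

    def join(self, participant: Participant) -> None:
        participant.current = dict(self.context)  # a late joiner syncs up
        self.participants.append(participant)

    def set_patient(self, initiator: Participant, patient_id: str,
                    force: bool = False) -> Tuple[bool, List[Tuple[str, str]]]:
        """Propose a patient change on behalf of `initiator`.

        Returns (committed, objections). With force=False the change is
        abandoned if any other participant objects, so the user can be shown
        the objections first; force=True commits regardless.
        """
        proposed: Context = dict(self.context, patient_id=patient_id)
        objections: List[Tuple[str, str]] = []
        for p in self.participants:                # survey phase
            if p is initiator:
                continue
            reason = p.check(proposed)
            if reason:
                objections.append((p.name, reason))
        if objections and not force:
            return False, objections
        self.context = proposed                    # commit phase
        for p in self.participants:
            p.on_context_changed(self.context)
        return True, objections


def demo() -> dict:
    """Labs, EMR and CPOE share context; CPOE objects while an order is open."""
    cm = ContextManager()
    labs, emr = Participant("labs"), Participant("emr")
    unsigned_order = {"open": False}               # constructed CPOE state
    cpoe = Participant("cpoe", check=lambda proposed:
                       "unsigned order would be lost" if unsigned_order["open"] else None)
    for app in (labs, emr, cpoe):
        cm.join(app)

    first_ok, _ = cm.set_patient(labs, "P-001")             # everyone follows labs
    unsigned_order["open"] = True                            # CPOE now has unsaved work
    second_ok, objections = cm.set_patient(emr, "P-002")    # surveyed, CPOE objects
    forced_ok, _ = cm.set_patient(emr, "P-002", force=True)  # user overrides
    return {
        "first_committed": first_ok,
        "second_committed": second_ok,
        "objections": objections,
        "forced_committed": forced_ok,
        "shared_patient": cm.context["patient_id"],
        "views": {app.name: app.current.get("patient_id") for app in (labs, emr, cpoe)},
    }


if __name__ == "__main__":
    print(demo())
```

The survey step is the part legacy vendors have to build: an application must be able to answer “can you switch right now?” and then redraw on command, which is exactly the hook a system designed around its own login and screen flow usually lacks.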

Now, to answer the reader’s original question: why don’t legacy vendors support it? The simple answer is that CCOW provides no real value to them. Legacy vendors rarely benefit from migrating to and supporting new standards, regardless of what the standard is. CCOW is good for new entrants into the health IT field — for example, if I’m a startup and I write a new app I would definitely want to be CCOW compliant because CIOs won’t like me unless I’m interoperable with their legacy systems. However, legacy vendors have neither the inclination nor the customer outcry necessary to become interoperable with new software. They are already in the customer’s shop and don’t need to support the new standard to make more sales. The larger you are and the more entrenched you are in your customers’ shops, the less you need to “play nice” with other vendors.

Of course, there are many benefits to becoming CCOW compliant. However, none of those benefits apply to the vendor itself. The benefits are all for the users and for the IT shop that can help users streamline their work.

So, don’t expect CCOW compliance from the legacy vendors anytime soon. :-)

Best language for secure healthcare applications

I got an email from a reader recently, asking:

I have a quick question - I was wondering if there is a programming language that is viewed as ‘more secure’ for patient data compared with others? I am building a program to collect patient health info, and am in the very early stages of planning. I used Java previously, which worked well for a very sophisticated algorithm to mine data, but this new application is very simple (basically a questionnaire) and I have heard .NET would be best.

Given that the question is quite common based on all the startups I advise and speak with, I thought answering here might be helpful to you.

When it comes to .NET versus Java (or really any language), neither is “more secure” than the other with respect to patient data. They are pretty much equal if your engineers are highly qualified and your architecture and design are sound. Good software developers will almost always create a solid architecture and good design, which makes the language selection play a small role in the general quality of your product.

It boils down to what your developers know best and which language they will produce the fewest defects in. For example, if your engineers know C# very well, they will make fewer errors and therefore leave fewer security holes. If they know Java better, then of course they’ll make fewer errors in that language. There is no “best choice” for everyone; it really depends on experience, tools, and platforms.

If you want to run on different platforms and don’t have very rich UI needs, Java is a good choice. If it only needs to run best on Windows and has rich UI requirements, .NET is a good choice. That’s a simplistic view but pretty applicable in the general case. Also, give Ruby and Rails a try (see my earlier article about that).

One mistake that I see people making over and over again is choosing a language first, then deciding what to build, and then going out to hire engineers. What you really should do is to be sure you know what you’re building, who your customer is, how your application will be used by them, and all the other “soft” issues related to the utility of what you’re creating. Then, get a good software architect to lay out a proper architecture, get some good designs and algorithms in place, and finally choose a language. Once you have done the up-front work your choice of language becomes clearer, because you really, really want to choose people and architecture first and the language second. It’s not easy to find bright architects and engineers who can really build things — once you have the right folks the language isn’t as important.

By the way, “just outsource it to India” is not the right approach either :-) .

Beware the ‘pod slurping’ employee

I wrote about “pod slurping” a few weeks ago but cNet News.com did a better job.

CIOs of hospitals and healthcare IT managers need to pay attention to what they said:

A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.

Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data. At a rate of about 100MB every couple of minutes, it can scan and download the files onto the portable storage units in a process dubbed “pod slurping.”

To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. Alternatively, the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine.

There are no reports yet of pod slurping harming healthcare data, but with the growing number of interns, nurses, patients, and doctors with iPods it’s only a matter of time.

When I worked for the Red Cross a couple of years ago we did a study of how donors could get data out of networked Red Cross blood collection computers and we concluded it would have been easy with wireless connections or wired connections with USB thumb drives.

iPods will make it even easier because they are full computing devices carried invisibly in pockets.

Do yourself a favor and make sure you set appropriate policy about the use and connectivity of iPods in your health IT environments.

HIMSS 2006: Harmonization and interoperability getting more than lip service

Walking around the exhibits with my customers and fellow bloggers at HIMSS this year, I found that harmonization and interoperability were two themes that most vendors were touting. Ubiquity of networks (through wireless technologies) will allow excellent location-based awareness, and medical devices will be more and more connected. Given the connected nature of hundreds, perhaps thousands, of network-centric devices in our hospitals, we’ll need to make sure that data can interoperate and that it’s harmonized (semantically as well as structurally). Companies like NeoTool and InterfaceWare were showing some very nice HL7 messaging and brokering engine SDKs. Pervasive Software showed off its latest general-purpose ETL tool, which provides HL7 connectivity as well. Check them all out; each has the capability of transforming the way your healthcare data is managed within and around devices and other HIT systems.

J2EE Architecture of Brazilian Healthcare IT System

TheServerSide discusses The J2EE Architecture of Brazilian Healthcare:

In Brazil, every citizen has the right to full healthcare, from primary care to complex procedures such as heart transplants, for free, any place in the country. With a population of 180 million people, information is the key to better distribute resources and provide better healthcare.

Taking advantage of the Java based infrastructure of the Brazilian National Health Card, in 2003 a huge project was started aiming to build an integrated web based application to collect patient encounter information, to regulate complex procedure authorizations and to build an integrated patient scheduling system that would allow scheduling of consultations and medical procedures at any health provider. This reduces the waiting time, organizes the flow of patients, and greatly improves the quality of care.

The challenge was to build a quality application in a short time frame. This presentation on The J2EE Architecture of the Brazilian Healthcare will focus on how J2EE technology was extensively used to build this mission-critical application and to achieve the level of integration needed. Using J2EE technologies such as EJB, Servlets, JSP, JMS, JTA, and JAAS, it was possible to create a robust and high performance application, with a high level of reuse and flexibility.

First annual HIMSS Blogger/Reader meetup was a smashing success

I just wanted to thank all of you that attended the meetup last night in San Diego. We had dozens of people coming in and out and everyone I talked to said they had a great time. Special thanks go to Will Wieder (CandidCIO) for coming up with the idea and to Tim Gee (Mr. Connectologist) and Neil Versel for making the venue arrangements.

We had bloggers and readers from the healthcare policy, provider, financial, IT, infrastructure, media, and vendor communities represented. Our little gathering even had bloggers from forward-looking companies like Sun and Microsoft (who has a great healthcare blog of their own) attending so suffice it to say our Healthcare blogosphere is gaining the attention it deserves. If we pool our resources like this in the future we’ll soon be able to affect policy.

Some of our east coast readers and bloggers were unable to make it because they were shoveling out from many inches (and in some cases feet!) of snow so we send our sympathies. I myself came early so I got to miss the snow in my hometown of Silver Spring, MD which got 9 inches. We especially missed Jack Mason who is trying to put together a “blogposium” where we can have real in-depth discussions on issues important to all of us. I hope he’s able to make it in today so we can get together again.

I hope to set up another blogger meetup at TEPR coming up in Baltimore. If you think you’re interested, drop me a note here.

If you attended the meetup, let me know what you thought and how we could improve it in the future. I’m going to put up a “guestbook” database soon so we can all capture our thoughts for the next go-around.

Grand Rounds is up

This week’s Grand Rounds is now available at Science & Politics.

caBIG Healthcare Enterprise Security Architecture White Paper

If you’re working on federated security for multiple health IT systems, take a look at the new NIH caBIG (Cancer Grid) Security Architecture White Paper. I was one of the reviewers on the paper and it is quite well done. It demonstrates the complexity of securing a computing grid, multiple services & systems, and various organizations. And, it provides an evaluation report on various techniques so that you don’t have to do the work all over again in your own project.

Pharma: Have No Fear Of The Blogosphere

Fard Johnmar, founder of Envision Solutions (a healthcare marketing communications consultancy) published my Pharma: Have No Fear Of The Blogosphere on his blog this morning.

It’s another step in my continuing effort to get medical device manufacturers, big Pharma, and other “regulated products” providers to start corporate blogging. Let’s see if it gets any discussions going.

Thoughts on the Future of Medical Devices at the Point of Care

Tim’s got an excellent article describing his Thoughts on the Future of Medical Devices at the Point of Care.

HIMSS exec denies conflict in role on RMD board

I’ve commented numerous times on my general fear of conflict of interest between doctors and pharma firms so it was great to be interviewed on a related subject by Modern Healthcare. Andis interviewed me for his piece HIMSS exec denies conflict in role on RMD board.

I told Andis that Davis’ appointment to the board of advisors at a for-profit health IT firm while he’s currently serving as a HIMSS executive is nothing new or terribly worrisome so long as it’s public and transparent. It wasn’t something I liked but I could live with it because the chance of real harm is limited.

What I have real trouble with are cases where care providers like physicians are on secret, or at least little-publicized, pharma advisory boards. Health IT executives that serve in associations, or vice versa, can’t really do too much harm. Doctors prescribing drugs for which there may be a conflict of interest is, of course, another matter. I personally don’t know any docs that have such conflicts of interest, but some of them know other docs that might.

Medical data theft through Podslurping

Podslurping is getting to be a problem in corporate environments, so it’s going to be a problem in hospitals and doctors’ offices, too. This is an “insider theft” issue: a device with a large amount of memory or disk, such as an iPod, is connected to a computer behind the firewall and “slurps” data out of the protected network into a portable system, and data theft occurs.

My fellow CXOs, please be sure you have policies in place as to whether or not you allow USB devices to be connected at clinical or financial workstations. This should be a major concern for data centers that have workstations connected to servers, or easily accessible servers, where physical access is not logged.
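A policy on USB storage is only useful if you can tell when it is broken, so here is an added detection example (written for this page, not code from the cNet article, from Abe Usher, or from any vendor) that serves both this post and the later “Beware the ‘pod slurping’ employee” one. It reads Linux kernel syslog lines, pairs each “New USB device found” message with the following “Attached SCSI removable disk” message on the same host, and raises an alert when removable storage appears on a workstation where none is allowed or when the device is not on an approved list. The log lines, hostnames, vendor/product IDs and the two policy tables (APPROVED_DEVICES, NO_STORAGE_HOSTS) are all constructed for the example; the message formats imitate real kernel output but are not taken from any page-specific log.

```python
"""Flag removable USB storage attaching to clinical workstations (added example)."""
import re
from collections import namedtuple

# Constructed sample syslog lines: hostnames, timestamps and USB IDs are made up.
SAMPLE_LOG = """\
Feb 14 09:12:01 ward3-ws07 kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=0001
Feb 14 09:12:03 ward3-ws07 kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Feb 14 09:15:44 billing-ws02 kernel: usb 2-1: New USB device found, idVendor=1234, idProduct=5678
Feb 14 09:15:46 billing-ws02 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Feb 14 09:20:10 ward3-ws07 kernel: usb 1-3: New USB device found, idVendor=4321, idProduct=0002
Feb 14 09:20:10 ward3-ws07 kernel: input: USB Keyboard as /class/input/input5
Feb 14 09:31:05 billing-ws02 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=0001
Feb 14 09:31:07 billing-ws02 kernel: sd 7:0:0:0: [sdb] Attached SCSI removable disk
"""

# Hypothetical policy data: removable-storage devices IT has approved (by USB
# vendor/product ID) and workstations where no removable storage is allowed.
APPROVED_DEVICES = {("1234", "5678")}
NO_STORAGE_HOSTS = {"ward3-ws07"}

_TS_HOST = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: "
DEVICE_RE = re.compile(_TS_HOST + r"usb [\d.-]+: New USB device found, "
                       r"idVendor=(?P<vid>[0-9a-f]+), idProduct=(?P<pid>[0-9a-f]+)")
STORAGE_RE = re.compile(_TS_HOST + r"sd \S+: \[\w+\] Attached SCSI removable disk")

Alert = namedtuple("Alert", "ts host vid pid reason")


def find_removable_storage_events(log_text):
    """Return one Alert per removable-disk attach that violates the policy tables.

    A keyboard or other non-storage device (line 6 in the sample) is recorded
    but never alerted on, because no removable disk is attached for it.
    """
    last_device = {}   # host -> (vid, pid) of the most recent USB enumeration
    alerts = []
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            last_device[m["host"]] = (m["vid"], m["pid"])
            continue
        m = STORAGE_RE.match(line)
        if not m:
            continue
        host = m["host"]
        vid, pid = last_device.get(host, ("?", "?"))
        if host in NO_STORAGE_HOSTS:
            alerts.append(Alert(m["ts"], host, vid, pid,
                                "removable storage on a no-storage workstation"))
        elif (vid, pid) not in APPROVED_DEVICES:
            alerts.append(Alert(m["ts"], host, vid, pid,
                                "unapproved removable storage device"))
    return alerts


if __name__ == "__main__":
    for alert in find_removable_storage_events(SAMPLE_LOG):
        print(f"{alert.ts} {alert.host} {alert.vid}:{alert.pid} - {alert.reason}")
```

Run against the constructed log, the first ward3-ws07 attach and the second billing-ws02 attach are flagged, while the approved device on billing-ws02 and the keyboard on ward3-ws07 are not. The same two policy questions (is storage allowed here at all, and is this particular device approved?) are what a Windows shop would enforce through device-installation restrictions; the log-parsing side is the audit trail that tells you the policy is actually holding.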

Health IT vendors should learn from Oracle, Microsoft, IBM, and MySQL

As most of us who follow the database world know, MySQL is the “little database that could”. For years it has been running millions of transactions across hundreds of thousands of websites supporting millions of online customers. MySQL AB, a tiny Swedish company with only about $20 million in revenue last year, now has so many customers and users that the Big 3 players have had to respond by releasing free editions of their software just to make sure they are still relevant for new or small projects. MySQL and other open source databases are often used in pilot or prototype projects at no cost but once the systems are developed people stay on them. Even the U.S. Federal Government’s GSA is standardizing on MySQL due to cost savings.

IBM, Oracle and Microsoft each generate billions per year in revenues from their database offerings but need to find a way to respond in a market redefined by open source competitors (which includes Postgres). So, how have they responded? Microsoft, IBM, and Oracle are all now offering “starter”, “lite”, or “express” versions of their databases for free. Of course, they are not being altruistic — they want to lock in developers of new (small) applications for low or no cost and when you build or purchase applications whose needs grow beyond their original expectations you’ll get slammed with some pretty big bills. The free embedded database model is great for Oracle/IBM/Microsoft, great for developers, but potentially a problem for customers due to lock-in. But, I digress. The Big 3 need to do this to remain relevant and they’ll do whatever is necessary to compete against open source competitors or each other.

What’s the lesson here? This month I’ve published several articles on how smaller players in health IT (or even larger players that want to enter a field entrenched with competitors) can use the open source model to get access to markets that have been dominated by mega-firms. If a small company like MySQL can make Microsoft, Oracle, and IBM shake, rattle, and roll, then the lessons can be applied to health IT by firms who do the same thing. Want to compete against Cerner, McKesson, Misys, and others? Try open source — it works for horizontal and infrastructure software, and it will work for verticals as well. The lessons are clear from other parts of the computer industry; companies that ignore what’s going on will miss out on some great opportunities.

2006 Government Health IT Conference & Exhibition Call for Participation

The Call for Participation for the 2006 Government Health IT Conference & Exhibition has gone out. This year the conference is being held on June 15 and 16 at the Ronald Reagan Building in Washington, DC. Here’s how the organizers describe the event:

The Conference will bring together government health care professionals to discuss their experiences and share strategies for success using information technology to improve quality, enhance patient safety, and increase efficiency in health care services. The program is designed to address the current needs of government health care professionals and those interested in government health IT, in their efforts to improve delivery and management of health services in accordance with the President’s call for Americans to be covered by interoperable electronic health records within the next ten years.

I live in DC and work as a consultant for the Feds, so I’ll probably be attending and will likely try to set up another blogger meetup here. Anyone else interested in a meetup in DC? If I get enough comments I’ll set up a registration database for this conference as well as for TEPR in Baltimore.