Presented at 3rd Annual Open Source EHR Summit - Key Takeaways:
* Outcomes-driven care (vs. fee-for-service or volume-driven care) is in our future
* Because outcomes now matter more than ever, open source digital health solutions are even more important
* There are new realities of patient populations driving open source even faster
* How to use open source reliably and securely in a safety-critical environment like medical devices
How to Use Open Source Technologies in Safety-critical Digital Health Applications and Medical Device Software
1. How to Use Open Source Technologies in Safety-critical Health Applications
3rd Annual OSEHRA Summit
Shahid N. Shah, Chairman of OSEHRA Advisory Board
2. NETSPECTIVE
Who is Shahid?
• Chairman, OSEHRA Board of Advisors
• 20+ years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance)
• 12+ years of healthcare IT and medical devices experience (blog at http://healthcareguy.com)
• 15+ years of technology management experience (government, non-profit, commercial)
Author of Chapter 13, “You’re the CIO of your Own Office”
www.netspective.com 2
4. Open source software (OSS) is in our future
• You’re moving from standalone boxes to fully integrated systems
• mHealth demands more interoperability
• Your customers demand flexible workflows with enhanced functionality
• Your customers demand data integration with their systems
• Security of medical devices is under great scrutiny and excuses aren’t going to be accepted
5. The new realities of patient populations
Figure (population risk tiers; source: Amir Jafri, PrescribeWell). Labels: Prevention, Management.
Program components shown: Obesity Management; Wellness Management; Assessment – HRA; Stratification; Dietary; Physical Activity; Physician Coordination; Social Network; Behavior Modification; Education; Health Promotions; Healthy Lifestyle Choices; Health Risk Assessment; Diabetes; COPD; CHF; Stratification & Enrollment; Disease Management; Care Coordination; MD Pay-for-Performance; Patient Coaching; Physicians Office; Hospital; Other sites; Pharmacology; Catastrophic Case Management; Utilization Management; Care Coordination; Co-morbidities
Population segments shown: 26% of population / 4% of medical costs; 35% of population / 22% of medical costs; 35% of population / 37% of medical costs; 4% of population / 36% of medical costs
6. Customers are struggling with Accountable Tech
Everything your app/device does to help answer the important questions below means more sales and better margins:
• Cost per patient per procedure / treatment going up but without ability to explain why
• Cost for same procedure / treatment plan highly variable across localities
• Unable to compare drug efficacy across patient populations
• Unable to compare health treatment effectiveness across patients
• Variability in fees and treatments promotes fraud
• Lack of visibility of entire patient record causes medical errors
7. Opportunities for incremental or new revenue
• Fill clinical documentation into EHRs
• Improve alarm notification
• Review and perform complex event processing
• Add signal/data processing for new parameters
• Remotely upgrade and service equipment
• Automate clinical workflows
• Remote surveillance
• Gateways and interoperability appliances
9. Data is getting more sophisticated, analysis even more so
It’s hard today but will be even harder tomorrow
Data categories shown: Economics, Phenotypics, Behavioral, Biochemical, Genomics, Proteomics, Administrative, IoT sensors
10. Implications of healthcare trends
Diagram labels: PPACA, ACO, MU, PCMH, Health Home, mHealth; Software, Regulated IT and Systems, Integration Services, DATA, Evidence Based Medicine, Comparative Effectiveness
11. What users want vs. what they’re offered
Data visualization requires integration and aggregation
Diagram panels: “What’s being offered to users” vs. “What users really want”
12. Evolving Healthcare IT Enterprise Architecture
You need to fit into a complex environment
Diagram labels: Cloud Services; BaaS Gateway (DDS, XMPP, ESB); Management Dashboards; Device Data; Data Transformation (ESB, HL7); Enterprise Data (RCM, Financials, EHRs); Device Management; Report Generation; Device Inventory; Self-Management Platforms; Cross Device App Workflows; SSL VPN; Device Utilization; Device profitability; Alarm Notifications; Device Teaming; Patient Context Monitoring; HIT Integration; Remote Surveillance; Patient Device reimbursement
13. • Should medical device and health IT vendors be using open source to implement their safety-critical requirements?
• How about contributing to open source projects?
• How about creating their own open source projects?
14. Yes!
• If you’re not using open source projects in your own devices then you’re doing far more engineering work than is necessary.
• If you’re not contributing to open source then you’re not making the code you rely on better.
• If you’re not creating open source then you’re missing a valuable marketing opportunity.
15. Connectivity is a must, OSS is the answer
Diagram labels: Most obvious benefit; Least attention; Most promising capability
This talk focuses on connected devices
16. Smart buyers looking for poly-connectivity
Option 1 (no cellular access or hospital IT integration required): Device, Hospital Network (could be a Home Network, too), Corporate Gateway, MPEG-21, External Cloud, Hospital Systems; links are Wired or Wireless (Bluetooth, WiFi, ZigBee, etc.)
Option 2 (cellular access and no hospital IT integration required): Device, External Cloud; protocols REST, DDS, HL7, X.12, MPEG-21 over Wireless / Cellular
17. Appreciate tradeoffs
Integration-friendliness vs. ease of validation: the more connection-friendly a device, the harder it is to validate it
Lesson: Demand Testability
18. Regulatory Strategy
Diagram tiers and labels, in reading order:
• “The Device”: 510(k), PMA, Class 3, Class 2, etc.
• Class 1
• “Data Bridges”
• Unregulated, EHR or others
• 510(k) Class 2
• “Everything else”: Customer registry, Patient registry, Patient profile, Study Management, Billing
• MDDS
19. What are we afraid of when it comes to OSS?
Compliance: Will the FDA and other regulators accept open source code in safety-critical systems?
Reliability: Is open source code safe enough for medical devices?
20. Yes, of course.
Proof: we did it at American Red Cross in 1996 for a Class 3 device built on a modern enterprise IT ecosystem
Lesson: Risk managers and quality leadership often use regulators as an excuse to prevent OSS use because of OSS illiteracy, not legitimate strategy or actual evidence of harm.
Reality: Regulators don’t care about your use of open source; they care about safe systems that meet intended use.
21. Code you write is not necessarily safer
There is significantly more and better testing of large open source projects than you could ever do
In an integrated ecosystem, you have to learn how to rely on others and do so safely and effectively
Diagram label: Modern IT systems’ custom components
22. It’s not as hard as we think…
• Modern real-time operating systems (open source and commercial) are reliable for safety-critical medical-grade requirements.
• Open standards such as TCP/IP, DDS, HTTP, and XMPP can pull vendors out of the 1980s and into the 1990s.
• Open source and open standards that promote enterprise IT connectivity can pull vendors into the 2010s and beyond.
24. Remove OSS illiteracy from decision making
• Understand open source licensing, remove the fear of IP loss
• Understand where code is coming from and what test harnesses are included
• Get in touch with the open source developers to find out the current utilization
25. Choose the right OSS projects
• Requirements traceability possible?
• Code reviews conducted by OSS code authors?
• Unit testing conducted by authors?
• Continuous integration system employed?
• Integration testing conducted?
• Performance testing conducted?
• Safety testing conducted?
• Security testing conducted?
26. Engender trust in the code’s provenance
• Connect to the revision control system of the open source project
• Create your own binaries
• Create a process to securely sign the binaries
• Create your own deployment packages
27. Integrate OSS into your QSR process
• Employ continuous integration (CI) for your own and OSS project components
• Create a process to test the binaries using code coverage tools
• Conduct continuous hazard and risk analysis of outside code
• Keep an eye on changes coming in from the source and retest regularly
• Review your process with the compliance officers and get their regular buy-in
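The provenance and QSR slides (build your own binaries from the project's revision control, sign them, and watch for upstream changes before retesting) describe a pipeline but show no mechanics. The following is an added example, not code from the deck or from any project it names: it records the pinned upstream commit and SHA-256 digest of each self-built component in a manifest, authenticates the manifest, checks deployed binaries against it, and flags components whose upstream HEAD has moved past the pin so the hazard analysis and retest can be repeated. Component names, commit ids, artifact bytes and the build key are constructed; the HMAC stands in for the organization's real code-signing keys and PKI.

```python
"""Added example (not part of the deck): provenance checks for vendored OSS
components, covering slide 26 (build your own binaries from the project's
revision control and sign them) and slide 27 (watch for changes coming in from
the source and retest). Component names, commit ids, artifact bytes and the
build key are constructed; the HMAC is a stand-in for the organization's real
code-signing keys and PKI, which a production pipeline would use instead."""
import hashlib
import hmac
import json

BUILD_KEY = b"constructed-build-signing-key"  # stand-in; real builds use an HSM/PKI key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(components: dict) -> bytes:
    # Canonical JSON so the MAC does not depend on dict ordering or whitespace.
    return json.dumps(components, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(components: dict, key: bytes) -> dict:
    """components: {name: {"pinned_commit": str, "artifact": bytes}}.
    Records the upstream commit each binary was built from and the digest of
    the binary we built ourselves, then authenticates the record with the build key."""
    body = {
        name: {"pinned_commit": c["pinned_commit"], "sha256": sha256_hex(c["artifact"])}
        for name, c in sorted(components.items())
    }
    return {"components": body, "mac": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest whose component records were altered after it was signed."""
    expected = hmac.new(key, _canonical(manifest["components"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_artifacts(manifest: dict, deployed: dict) -> list:
    """Names of deployed binaries that are missing or differ from what we built."""
    return [
        name for name, entry in manifest["components"].items()
        if deployed.get(name) is None or sha256_hex(deployed[name]) != entry["sha256"]
    ]


def upstream_drift(manifest: dict, upstream_heads: dict) -> list:
    """Components whose upstream HEAD moved away from the pinned commit.
    Each of these needs the hazard analysis revisited and a retest before the
    pin is advanced (slide 27)."""
    return [
        name for name, entry in manifest["components"].items()
        if upstream_heads.get(name) != entry["pinned_commit"]
    ]


# Constructed sample data: two vendored components and the binaries "built" from them.
COMPONENTS = {
    "pubsub-lib": {"pinned_commit": "a1b2c3d4", "artifact": b"pubsub library build 1"},
    "web-server": {"pinned_commit": "e5f6a7b8", "artifact": b"web server build 1"},
}
MANIFEST = make_manifest(COMPONENTS, BUILD_KEY)

if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2))
    print("drift:", upstream_drift(MANIFEST, {"pubsub-lib": "a1b2c3d4", "web-server": "c9d0e1f2"}))
```

A real pipeline would replace the shared HMAC key with an asymmetric signature whose private key never leaves the build system, and would feed `upstream_drift` from the project's actual revision control rather than a constructed dictionary; the verification logic stays the same.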
28. But it’s not easy either… we need
• Risk Assessments
• Hazard Analysis
• Design for Testability
• Design for Simulations
• Documentation
• Traceability
• Mathematical Proofs
• Determinism
• Instrumentation
• Theoretical foundations
29. OSS hazard and risk assessment
• What is the intended use for the device or system?
• How is the OSS product you’re planning to use going to be tied to your intended use?
• What is the risk associated with the OSS product for that particular intended use?
R = Sh x Ph
30. Risk is related to severity and harm
R = Sh x Ph, where R = risk, Sh = severity of harm, Ph = probability of harm
• Harm is damage done to a person
• Severity is the degree of harm done
• Probability is the frequency and duration of exposure
31. Examples of Severity & Probability
Severity
• multiple fatalities
• fatalities
• severe injury (non-reversible, requires hospitalization)
• moderate injury (reversible, requires hospitalization)
• minor (reversible, requires first aid)
• very minor (no first aid)
Probability
• Constant exposure
• Hourly
• Daily
• Weekly
• Monthly
• Yearly
• Never
32. Formal risk assessment methods
• What-if analysis
• Preliminary hazard analysis (PHA)
• Failure modes and effects analysis (FMEA)
• Fault tree analysis (FTA)
• Hazard and operability studies
33. OSS Risk analysis steps - FMEA
• Define the function of the OSS product being analyzed.
• Identify potential failures of the OSS.
• Determine the causes of each failure type.
• Determine the effects of potential failures.
• Assign a risk index to each of the failure types.
• Determine the most appropriate corrective/preventive actions.
• Monitor the implementation of the corrective/preventive actions to ensure that they are having the desired effect.
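The deck gives the formula (R = Sh x Ph), the severity and probability scales, and the FMEA steps, but never carries one OSS component through them. The following is an added example, not code from the deck: it puts those scales into ordinal ratings, builds an FMEA worksheet for a few hypothetical OSS components, ranks the failure modes by risk index, flags the ones above an acceptance threshold, and recomputes the residual risk after a preventive action (the monitoring step). The component roles, failure modes, ratings and threshold are constructed for illustration and are not findings about any real project.

```python
"""Added example (not part of the deck): an FMEA-style worksheet for open source
components that applies the risk model from slides 29-30 (R = Sh x Ph) with the
severity and probability scales from slide 31 and the analysis steps from slide
33. Component roles, failure modes, ratings and the acceptance threshold are
constructed for illustration; they are not findings about any real project."""
from dataclasses import dataclass

# Ordinal scales in the order slide 31 lists them (least to most serious).
SEVERITY = {
    "very minor": 1,          # no first aid
    "minor": 2,               # reversible, requires first aid
    "moderate injury": 3,     # reversible, requires hospitalization
    "severe injury": 4,       # non-reversible, requires hospitalization
    "fatalities": 5,
    "multiple fatalities": 6,
}
PROBABILITY = {
    "never": 0, "yearly": 1, "monthly": 2, "weekly": 3,
    "daily": 4, "hourly": 5, "constant exposure": 6,
}


@dataclass
class FailureMode:
    component: str    # step 1: the OSS product and its function in the intended use
    function: str
    failure: str      # step 2: potential failure of the OSS
    cause: str        # step 3: cause of the failure
    effect: str       # step 4: effect on the patient or user
    severity: str     # Sh, a key of SEVERITY
    probability: str  # Ph, a key of PROBABILITY
    action: str = ""  # step 6: corrective/preventive action


def risk_index(fm: FailureMode) -> int:
    """Step 5: R = Sh x Ph on the ordinal scales (KeyError on an unrated entry)."""
    return SEVERITY[fm.severity] * PROBABILITY[fm.probability]


def ranked(modes):
    """Highest risk first, so review effort goes to the worst entries."""
    return sorted(modes, key=risk_index, reverse=True)


def needs_action(modes, threshold: int):
    """Entries at or above the (constructed) acceptance threshold."""
    return [fm for fm in modes if risk_index(fm) >= threshold]


def residual_risk(fm: FailureMode, new_probability: str) -> int:
    """Step 7: re-rate probability once the action is in place and recompute R.
    Severity is kept, since a preventive control changes exposure, not the harm."""
    return SEVERITY[fm.severity] * PROBABILITY[new_probability]


def worksheet(modes, threshold: int) -> str:
    lines = [f"{'R':>2}  {'component':<16} {'failure':<36} flag"]
    for fm in ranked(modes):
        r = risk_index(fm)
        lines.append(f"{r:>2}  {fm.component:<16} {fm.failure:<36} {'ACT' if r >= threshold else 'ok'}")
    return "\n".join(lines)


# Constructed sample entries for a hypothetical connected infusion device.
SAMPLE = [
    FailureMode("Device OS", "scheduling and drivers", "kernel panic during therapy",
                "driver fault", "therapy interrupted until restart",
                "moderate injury", "monthly", "hardware watchdog, resume in safe state"),
    FailureMode("Pub/sub library", "publish vitals to gateway", "vitals messages dropped under load",
                "unbounded send queue", "alarm reaches clinician late",
                "severe injury", "weekly", "bounded queue, local alarm fallback"),
    FailureMode("Web server", "device service UI", "session kept alive after logout",
                "session timeout misconfigured", "unauthorized settings change",
                "minor", "daily", "short idle timeout, re-auth on change"),
    FailureMode("Logging library", "audit log", "log volume fills storage",
                "no rotation", "UI sluggish, therapy unaffected",
                "very minor", "yearly", "size-capped rotation"),
]
THRESHOLD = 8  # constructed acceptance threshold

if __name__ == "__main__":
    print(worksheet(SAMPLE, THRESHOLD))
    print("residual R for pub/sub after action:", residual_risk(SAMPLE[1], "yearly"))
```

The ordinal products are only a prioritization device; the worksheet's value is that each row ties an OSS component to the intended use, a cause, an effect and an owner for the action, which is what the requirements traceability on slide 25 needs.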
34. Good summary of FMEA
• http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
35. Sampling of OSS / open standards
Project / Standard                    Subject area                     D  G  Comments
Linux or Android                      Operating system
OMG DDS (data distribution service)   Publish and subscribe messaging        Open standard with open source implementations
AppWeb, Apache                        Web/app server
OpenTSDB                              Time series database                   Open source project
Mirth                                 HL7 messaging engine                   Built on Mule ESB
Alembic Aurion                        HIE, message exchange                  Successor to CONNECT
HTML5, XMPP, JSON                     Various areas                          Don’t reinvent the wheel
SAML, XACML                           Security and privacy
DynObj, OSGi, JPF                     Plugin frameworks                      Build for extensibility
36. OSS applicability to connectivity
Physical
• Wired, wireless (WiFi, cellular, etc.)
Logical
• Device → Gateway → Data Routers → Systems
Structural
• Security, Numbers, Units of Measure, etc.
Semantic
• Presence, Vitals, Glucose, Heartbeats, etc.
37. OSS applicability to manageability
Security: Is the device authorized?
Inventory: Where is the device?
Teaming: Device grouping
Presence: Is a device connected?
40. OSS in Ultimate Architecture Core
Layers (diagram): Device Components; Connectivity Layer (DDS, HTTP, XMPP); Plugin Container; Device OS Security and Management Layer (QNX, Linux, Windows)
Callouts: Connectivity is built-in, not added; Think about Plugins from day 1; Don’t create your own OS!; Security isn’t added later; Build on Open Source; Create code as a last resort