How to Use Open Source Technologies in Safety-critical Health Applications 3rd Annual OSEHRA Summit Shahid N. Shah Chairman of OSEHRA Advisory Board

NETSPECTIVE www.netspective.com 2 Who is Shahid? • Chairman, OSEHRA Board of Advisors • 20+ years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance) • 12+ years of healthcare IT and medical devices experience (blog at http://healthcareguy.com) • 15+ years of technology management experience (government, non-profit, commercial) Author of Chapter 13, “You’re the CIO of your Own Office”

NETSPECTIVE www.netspective.com 3 Outcomes driven care is in our future

NETSPECTIVE www.netspective.com 4 Open source software (OSS) is in our future • You’re moving from standalone boxes to fully integrated systems • mHealth demands more interoperability • Your customers demand flexible workflows with enhanced functionality • Your customer demand data integration with their systems • Security of medical devices is under great scrutiny and excuses aren’t going to be accepted

NETSPECTIVE www.netspective.com 5 The new realities of patient populations • Obesity Management • Wellness Management • Assessment – HRA • Stratification • Dietary • Physical Activity • Physician Coordination • Social Network • Behavior Modification • Education • Health Promotions • Healthy Lifestyle Choices • Health Risk Assessment • Diabetes • COPD • CHF • Stratification & Enrollment • Disease Management • Care Coordination • MD Pay-for-Performance • Patient Coaching • Physicians Office • Hospital • Other sites • Pharmacology • Catastrophic Case Management • Utilization Management • Care Coordination • Co-morbidities Prevention Management 26 % of Population 4 % of Medical Costs 35 % of Population 22 % of Medical Costs 35 % of Population 37 % of Medical Costs 4% of Population 36 % of Medical Costs Source: Amir Jafri, PrescribeWell

NETSPECTIVE www.netspective.com 6 Customers are struggling with Accountable Tech Cost per patient per procedure / treatment going up but without ability to explain why Cost for same procedure / treatment plan highly variable across localities Unable to compare drug efficacy across patient populations Unable to compare health treatment effectiveness across patients Variability in fees and treatments promotes fraud Lack of visibility of entire patient record causes medical errors Everything your app/device does to help answer important questions below means more sales and better margins

NETSPECTIVE www.netspective.com 7 Opportunities for incremental or new revenue Fill clinical documentation into EHRs Improve alarm notification Review and perform complex event processing Add signal/data processing for new parameters Remotely upgrade and service equipment Automate clinical workflows Remote surveillance Gateways and interoperability appliances

NETSPECTIVE www.netspective.com 8 Wireless BAN Ecosystem is complex without OSS Source: Qualcomm

NETSPECTIVE www.netspective.com 9 Data is getting more sophisticated, analysis even more so Proteomics Genomics Biochemical Behavioral Phenotypics Economics It’s hard today but will be even harder tomorrow IOT sensors Administrative

NETSPECTIVE www.netspective.com 10 Implications of healthcare trends PPACA ACO MU PCMH Health Home mHealth DATA Evidence Based Medicine Comparative Effectiveness Software Regulated IT and Systems Integration Services

NETSPECTIVE www.netspective.com 11 What’s being offered to users What users really want What users want vs. what they’re offered Data visualization requires integration and aggregation

NETSPECTIVE www.netspective.com 12 Evolving Healthcare IT Enterprise Architecture You need to fit into a complex environment Cloud Services Management Dashboards Data Transformation (ESB, HL7) BaaS Gateway (DDS, XMPP , ESB) Enterprise Data RCM, Financials, EHRs Device Inventory Cross Device App Workflows Alarm Notifications Patient Context Monitoring Device Teaming Device Management Report Generation HIT Integration Remote Surveillance Device Data SSL VPN Patient Self-Management Platforms Device Utilization Device reimbursement Device profitability

www.netspective.com 13 • Should medical device and health IT vendors be using open source to implement their safety-critical requirements? • How about contributing to open source projects? • How about creating their own open source projects?

www.netspective.com 14 Yes! • If you’re not using open source projects in your own devices then you’re doing far more engineering work than is necessary. • If you’re not contributing to open source then you’re not making code you rely on better. • If you’re not creating open source then you’re missing a valuable marketing opportunity.

NETSPECTIVE www.netspective.com 15 Connectivity is a must, OSS is answer Most obvious benefit Least attention Most promising capability This talk focuses on connected devices

NETSPECTIVE www.netspective.com 16 Smart buyers looking for poly-connectivity Device Hospital Network Corporate Gateway External Cloud Hospital Systems Option 1 (no cellular access or hospital IT integration required) Device External Cloud Option 2 (cellular access and no hospital IT integration required) DDS REST HL7 X.12 DDS REST MPEG-21 MPEG-21 Could be a Home Network, too Wired Wireless Bluetooth, WiFi, Zibee, etc. Wireless, Cellular

NETSPECTIVE www.netspective.com 17 Appreciate tradeoffs Integration- friendliness Ease of validation The more connection- friendly a device, the harder it is to validate it Lesson: Demand Testability

NETSPECTIVE www.netspective.com 18 Regulatory Strategy 510(k) PMA, Class 3, Class 2, etc. Unregulated EHR or others 510(k) Class 2 “Data Bridges” “Everything else” Customer registry Patient registry Patient profile Study Management Billing “The Device” Class 1 MDDS

NETSPECTIVE www.netspective.com 19 What are we afraid of when it comes to OSS? Compliance Will the FDA and other regulators accept open source code in safety- critical systems? Reliability Is open source code safe enough for medical devices?

www.netspective.com 20 Yes, of course. Proof: we did it at American Red Cross in 1996 for a Class 3 device built on a modern enterprise IT ecosystem Lesson: Risk managers and quality leadership often use regulators as an excuse to prevent OSS use because of OSS illiteracy, not legitimate strategy or actual evidence of harm. Reality: Regulators don’t care about your use of open source, they care about safe systems that meet intended use.

NETSPECTIVE www.netspective.com 21 Code you write is not necessarily safer Modern IT systems’ custom components There is significantly more and better testing of large open source projects than you could ever do In an integrated ecosystem, you have to learn how to rely on others and do so safely and effectively

NETSPECTIVE www.netspective.com 22 It’s not as hard as we think… • Modern real-time operating systems (open source and commercial) are reliable for safety-critical medical-grade requirements. • Open standards such as TCP/IP , DDS, HTTP , and XMPP can pull vendors out of the 1980’s and into the 1990’s.  • Open source and open standards that promote enterprise IT connectivity can pull vendors into the 2010’s and beyond.

How to start using OSS immediately

NETSPECTIVE www.netspective.com 24 Remove OSS illiteracy from decision making Understand open source licensing, remove the fear of IP loss Understand where code is coming from and what test harnesses included Get in touch with the open source developers to find out the current utilization

NETSPECTIVE www.netspective.com 25 Choose the right OSS projects Requirements traceability possible? Code reviews conducted by OSS code authors? Unit testing conducted by authors? Continuous integration system employed? Integration testing conducted? Performance testing conducted? Safety testing conducted? Security testing conducted?

NETSPECTIVE www.netspective.com 26 Engender trust in the code’s provenance Connect to the revision control system of the open source project Create your own binaries Create a process to securely sign the binaries Create your own deployment packages

NETSPECTIVE www.netspective.com 27 Integrate OSS into your QSR process Employ continuous integration (CI) for your own and OSS project components Create a process to test the binaries using code coverage tools Conduct continuous hazard and risk analysis of outside code Keep an eye on changes coming in from the source and retest regularly Review your process with the compliance officers and get their regular buy in

NETSPECTIVE www.netspective.com 28 But it’s not easy either…we need Risk Assessments Hazard Analysis Design for Testability Design for Simulations Documentation Traceability Mathematical Proofs Determinism Instrumentation Theoretical foundations

NETSPECTIVE www.netspective.com 29 OSS hazard and risk assessment • What is the intended use for the device or system? • How will the OSS product you’re planning to use going to be tied to your intended use? • What is the risk associated with the OSS product for that particular intended use? R = Sh x Ph

NETSPECTIVE www.netspective.com 30 Risk is related to severity and harm R = Sh x Ph R = risk Sh = severity of harm Ph = probability of harm • Harm is damage done to a person • Severity is the degree of harm done • Probability is the frequency and duration of exposure

NETSPECTIVE www.netspective.com 31 Examples of Severity & Probability Severity • multiple fatalities • fatalities • severe injury (non-reversible, requires hospitalization) • moderate injury (reversible, requires hospitalization) • minor (reversible, requires first aid) • very minor (no first aid) Probability • Constant exposure • Hourly • Daily • Weekly • Monthly • Yearly • Never

NETSPECTIVE www.netspective.com 32 Formal risk assessment methods What-if analysis Preliminary hazard analysis (PHA) Failure modes and effects analysis (FMEA) Fault tree analysis (FTA) Hazard and operability studies

NETSPECTIVE www.netspective.com 33 OSS Risk analysis steps - FMEA • Define the function of the OSS product being analyzed. • Identify potential failures of the OSS. • Determine the causes of each failure types. • Determine the effects of potential failures. • Assign a risk index to each of the failure types. • Determine the most appropriate corrective/preventive actions. • Monitor the implementation of the corrective/preventive to ensure that it is having the desired effect.

NETSPECTIVE www.netspective.com 34 Good summary of FMEA • http://en.wikipedia.org/wiki/ Failure_mode_and_effects_analysis

NETSPECTIVE www.netspective.com 35 Sampling of OSS / open standards Project / Standard Subject area D G Comments Linux or Android Operating system   OMG DDS (data distribution service) Publish and subscribe messaging   Open standard with open source implementations AppWeb, Apache Web/app server   OpenTSDB Time series database  Open source project Mirth HL7 messaging engine  Built on Mule ESB Alembic Aurion HIE, message exchange  Successor to CONNECT HTML5, XMPP , JSON Various areas   Don’t reinvent the wheel SAML, XACML Security and privacy   DynObj, OSGi, JPF Plugin frameworks   Build for extensibility

NETSPECTIVE www.netspective.com 36 OSS applicability to connectivity Physical • Wired, wireless (WiFi, cellular, etc.) Logical • Device  Gateway  Data Routers  Systems Structural • Security, Numbers, Units of Measure, etc. Semantic • Presence, Vitals, Glucose, Heartbeats, etc.

NETSPECTIVE www.netspective.com 37 OSS applicability to manageability Security • Is the device authorized? Inventory • Where is the device? Presence • Is a device connected? Teaming • Device grouping

NETSPECTIVE www.netspective.com 38 OSS enables extensible devices Legacy Devices Future Devices

NETSPECTIVE www.netspective.com 39 Device Components 3rd Party Plugins App #1 App #2 Security and Management Layer Device OS (QNX, Linux, Windows) Sensors Storage Display Plugins Web Server, IM Client Connectivity Layer (DDS, HTTP, XMPP) • Presence • Messaging • Registration • JDBC, Query Cloud Services Management Dashboards Data Transformation (ESB, HL7) Device Gateway (DDS, ESB) Healthcare Enterprise Enterprise Data Shahid’s “Ultimate Connectivity Architecture” Plugin Container Event Architecture Inventory Workflow Notifications Patient Context Location Aware 1 2 3 4 5 6 7 8 9 SSL VPN

NETSPECTIVE www.netspective.com 40 OSS in Ultimate Architecture Core Device Components Security and Management Layer Device OS (QNX, Linux, Windows) Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Don’t create your own OS! Security isn’t added later Think about Plugins from day 1 Connectivity is built-in, not added Build on Open Source Create code as a last resort

NETSPECTIVE www.netspective.com 41 OSS enables plugin architecture Device Components 3rd Party Plugins App #1 App #2 Security and Management Layer Device OS (QNX, Linux, Windows) Plugins Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Event Architecture Location Aware

NETSPECTIVE www.netspective.com 42 OSS in connectivity components Device Components Security and Management Layer Device OS (QNX, Linux, Windows) Web Server, IM Client Connectivity Layer (DDS, HTTP, XMPP) • Presence • Messaging • Registration • JDBC, Query Plugin Container Surveillance & “remote display” Remote Access Alarms Event Viewer Design all functions as plugins

NETSPECTIVE www.netspective.com 43 OSS in device components Device Components 3rd Party Plugins Security and Management Layer Device OS (QNX, Linux, Windows) Sensors Storage Display Plugins Web Server, IM Client Connectivity Layer (HTTP, XMPP) Plugin Container Event Architecture Location Aware Virtualize! “On Device” Workflow Patient Context, too

NETSPECTIVE www.netspective.com 44 OSS enables enterprise integration Cloud Services Management Dashboards Data Transformation (ESB, HL7) BaaS Gateway (DDS, XMPP , ESB) Enterprise Data RCM, Financials, EHRs Device Inventory Cross Device App Workflows Alarm Notifications Patient Context Monitoring Device Teaming Device Management Report Generation HIT Integration Remote Surveillance Device Data SSL VPN Patient Self-Management Platforms Device Utilization Device reimbursement Device profitability

Thank You Visit http://www.netspective.com http://www.healthcareguy.com E-mail [email protected] Follow @ShahidNShah Call 202-713-5409