How to Use Open Source Technologies in Safety-critical Digital Health Applications and Medical Device Software

Transcript

1. How to Use Open Source Technologies in Safety-critical Health Applications

   3rd Annual OSEHRA Summit Shahid N. Shah Chairman of OSEHRA Advisory Board

2. NETSPECTIVE www.netspective.com 2 Who is Shahid? • Chairman, OSEHRA Board

   of Advisors • 20+ years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance) • 12+ years of healthcare IT and medical devices experience (blog at http://healthcareguy.com) • 15+ years of technology management experience (government, non-profit, commercial) Author of Chapter 13, “You’re the CIO of your Own Office”

3. NETSPECTIVE www.netspective.com 3 Outcomes driven care is in our future

4. NETSPECTIVE www.netspective.com 4 Open source software (OSS) is in our

   future • You’re moving from standalone boxes to fully integrated systems • mHealth demands more interoperability • Your customers demand flexible workflows with enhanced functionality • Your customer demand data integration with their systems • Security of medical devices is under great scrutiny and excuses aren’t going to be accepted

5. NETSPECTIVE www.netspective.com 5 The new realities of patient populations •

   Obesity Management • Wellness Management • Assessment – HRA • Stratification • Dietary • Physical Activity • Physician Coordination • Social Network • Behavior Modification • Education • Health Promotions • Healthy Lifestyle Choices • Health Risk Assessment • Diabetes • COPD • CHF • Stratification & Enrollment • Disease Management • Care Coordination • MD Pay-for-Performance • Patient Coaching • Physicians Office • Hospital • Other sites • Pharmacology • Catastrophic Case Management • Utilization Management • Care Coordination • Co-morbidities Prevention Management 26 % of Population 4 % of Medical Costs 35 % of Population 22 % of Medical Costs 35 % of Population 37 % of Medical Costs 4% of Population 36 % of Medical Costs Source: Amir Jafri, PrescribeWell

6. NETSPECTIVE www.netspective.com 6 Customers are struggling with Accountable Tech Cost

   per patient per procedure / treatment going up but without ability to explain why Cost for same procedure / treatment plan highly variable across localities Unable to compare drug efficacy across patient populations Unable to compare health treatment effectiveness across patients Variability in fees and treatments promotes fraud Lack of visibility of entire patient record causes medical errors Everything your app/device does to help answer important questions below means more sales and better margins

7. NETSPECTIVE www.netspective.com 7 Opportunities for incremental or new revenue Fill

   clinical documentation into EHRs Improve alarm notification Review and perform complex event processing Add signal/data processing for new parameters Remotely upgrade and service equipment Automate clinical workflows Remote surveillance Gateways and interoperability appliances

8. NETSPECTIVE www.netspective.com 8 Wireless BAN Ecosystem is complex without OSS

   Source: Qualcomm

9. NETSPECTIVE www.netspective.com 9 Data is getting more sophisticated, analysis even

   more so Proteomics Genomics Biochemical Behavioral Phenotypics Economics It’s hard today but will be even harder tomorrow IOT sensors Administrative

10. NETSPECTIVE www.netspective.com 10 Implications of healthcare trends PPACA ACO MU

    PCMH Health Home mHealth DATA Evidence Based Medicine Comparative Effectiveness Software Regulated IT and Systems Integration Services

11. NETSPECTIVE www.netspective.com 11 What’s being offered to users What users

    really want What users want vs. what they’re offered Data visualization requires integration and aggregation

12. NETSPECTIVE www.netspective.com 12 Evolving Healthcare IT Enterprise Architecture You need

    to fit into a complex environment Cloud Services Management Dashboards Data Transformation (ESB, HL7) BaaS Gateway (DDS, XMPP , ESB) Enterprise Data RCM, Financials, EHRs Device Inventory Cross Device App Workflows Alarm Notifications Patient Context Monitoring Device Teaming Device Management Report Generation HIT Integration Remote Surveillance Device Data SSL VPN Patient Self-Management Platforms Device Utilization Device reimbursement Device profitability

13. www.netspective.com 13 • Should medical device and health IT vendors

    be using open source to implement their safety-critical requirements? • How about contributing to open source projects? • How about creating their own open source projects?

14. www.netspective.com 14 Yes! • If you’re not using open source

    projects in your own devices then you’re doing far more engineering work than is necessary. • If you’re not contributing to open source then you’re not making code you rely on better. • If you’re not creating open source then you’re missing a valuable marketing opportunity.

15. NETSPECTIVE www.netspective.com 15 Connectivity is a must, OSS is answer

    Most obvious benefit Least attention Most promising capability This talk focuses on connected devices

16. NETSPECTIVE www.netspective.com 16 Smart buyers looking for poly-connectivity Device Hospital

    Network Corporate Gateway External Cloud Hospital Systems Option 1 (no cellular access or hospital IT integration required) Device External Cloud Option 2 (cellular access and no hospital IT integration required) DDS REST HL7 X.12 DDS REST MPEG-21 MPEG-21 Could be a Home Network, too Wired Wireless Bluetooth, WiFi, Zibee, etc. Wireless, Cellular

17. NETSPECTIVE www.netspective.com 17 Appreciate tradeoffs Integration- friendliness Ease of validation

    The more connection- friendly a device, the harder it is to validate it Lesson: Demand Testability

18. NETSPECTIVE www.netspective.com 18 Regulatory Strategy 510(k) PMA, Class 3, Class

    2, etc. Unregulated EHR or others 510(k) Class 2 “Data Bridges” “Everything else” Customer registry Patient registry Patient profile Study Management Billing “The Device” Class 1 MDDS

19. NETSPECTIVE www.netspective.com 19 What are we afraid of when it

    comes to OSS? Compliance Will the FDA and other regulators accept open source code in safety- critical systems? Reliability Is open source code safe enough for medical devices?

20. www.netspective.com 20 Yes, of course. Proof: we did it at

    American Red Cross in 1996 for a Class 3 device built on a modern enterprise IT ecosystem Lesson: Risk managers and quality leadership often use regulators as an excuse to prevent OSS use because of OSS illiteracy, not legitimate strategy or actual evidence of harm. Reality: Regulators don’t care about your use of open source, they care about safe systems that meet intended use.

21. NETSPECTIVE www.netspective.com 21 Code you write is not necessarily safer

    Modern IT systems’ custom components There is significantly more and better testing of large open source projects than you could ever do In an integrated ecosystem, you have to learn how to rely on others and do so safely and effectively

22. NETSPECTIVE www.netspective.com 22 It’s not as hard as we think…

    • Modern real-time operating systems (open source and commercial) are reliable for safety-critical medical-grade requirements. • Open standards such as TCP/IP , DDS, HTTP , and XMPP can pull vendors out of the 1980’s and into the 1990’s.  • Open source and open standards that promote enterprise IT connectivity can pull vendors into the 2010’s and beyond.

23. How to start using OSS immediately

24. NETSPECTIVE www.netspective.com 24 Remove OSS illiteracy from decision making Understand

    open source licensing, remove the fear of IP loss Understand where code is coming from and what test harnesses included Get in touch with the open source developers to find out the current utilization

25. NETSPECTIVE www.netspective.com 25 Choose the right OSS projects Requirements traceability

    possible? Code reviews conducted by OSS code authors? Unit testing conducted by authors? Continuous integration system employed? Integration testing conducted? Performance testing conducted? Safety testing conducted? Security testing conducted?

26. NETSPECTIVE www.netspective.com 26 Engender trust in the code’s provenance Connect

    to the revision control system of the open source project Create your own binaries Create a process to securely sign the binaries Create your own deployment packages

27. NETSPECTIVE www.netspective.com 27 Integrate OSS into your QSR process Employ

    continuous integration (CI) for your own and OSS project components Create a process to test the binaries using code coverage tools Conduct continuous hazard and risk analysis of outside code Keep an eye on changes coming in from the source and retest regularly Review your process with the compliance officers and get their regular buy in

28. NETSPECTIVE www.netspective.com 28 But it’s not easy either…we need Risk

    Assessments Hazard Analysis Design for Testability Design for Simulations Documentation Traceability Mathematical Proofs Determinism Instrumentation Theoretical foundations

29. NETSPECTIVE www.netspective.com 29 OSS hazard and risk assessment • What

    is the intended use for the device or system? • How will the OSS product you’re planning to use going to be tied to your intended use? • What is the risk associated with the OSS product for that particular intended use? R = Sh x Ph

30. NETSPECTIVE www.netspective.com 30 Risk is related to severity and harm

    R = Sh x Ph R = risk Sh = severity of harm Ph = probability of harm • Harm is damage done to a person • Severity is the degree of harm done • Probability is the frequency and duration of exposure

31. NETSPECTIVE www.netspective.com 31 Examples of Severity & Probability Severity •

    multiple fatalities • fatalities • severe injury (non-reversible, requires hospitalization) • moderate injury (reversible, requires hospitalization) • minor (reversible, requires first aid) • very minor (no first aid) Probability • Constant exposure • Hourly • Daily • Weekly • Monthly • Yearly • Never

32. NETSPECTIVE www.netspective.com 32 Formal risk assessment methods What-if analysis Preliminary

    hazard analysis (PHA) Failure modes and effects analysis (FMEA) Fault tree analysis (FTA) Hazard and operability studies

33. NETSPECTIVE www.netspective.com 33 OSS Risk analysis steps - FMEA •

    Define the function of the OSS product being analyzed. • Identify potential failures of the OSS. • Determine the causes of each failure types. • Determine the effects of potential failures. • Assign a risk index to each of the failure types. • Determine the most appropriate corrective/preventive actions. • Monitor the implementation of the corrective/preventive to ensure that it is having the desired effect.

34. NETSPECTIVE www.netspective.com 34 Good summary of FMEA • http://en.wikipedia.org/wiki/ Failure_mode_and_effects_analysis

35. NETSPECTIVE www.netspective.com 35 Sampling of OSS / open standards Project

    / Standard Subject area D G Comments Linux or Android Operating system   OMG DDS (data distribution service) Publish and subscribe messaging   Open standard with open source implementations AppWeb, Apache Web/app server   OpenTSDB Time series database  Open source project Mirth HL7 messaging engine  Built on Mule ESB Alembic Aurion HIE, message exchange  Successor to CONNECT HTML5, XMPP , JSON Various areas   Don’t reinvent the wheel SAML, XACML Security and privacy   DynObj, OSGi, JPF Plugin frameworks   Build for extensibility

36. NETSPECTIVE www.netspective.com 36 OSS applicability to connectivity Physical • Wired,

    wireless (WiFi, cellular, etc.) Logical • Device  Gateway  Data Routers  Systems Structural • Security, Numbers, Units of Measure, etc. Semantic • Presence, Vitals, Glucose, Heartbeats, etc.

37. NETSPECTIVE www.netspective.com 37 OSS applicability to manageability Security • Is

    the device authorized? Inventory • Where is the device? Presence • Is a device connected? Teaming • Device grouping

38. NETSPECTIVE www.netspective.com 38 OSS enables extensible devices Legacy Devices Future

    Devices

39. NETSPECTIVE www.netspective.com 39 Device Components 3rd Party Plugins App #1

    App #2 Security and Management Layer Device OS (QNX, Linux, Windows) Sensors Storage Display Plugins Web Server, IM Client Connectivity Layer (DDS, HTTP, XMPP) • Presence • Messaging • Registration • JDBC, Query Cloud Services Management Dashboards Data Transformation (ESB, HL7) Device Gateway (DDS, ESB) Healthcare Enterprise Enterprise Data Shahid’s “Ultimate Connectivity Architecture” Plugin Container Event Architecture Inventory Workflow Notifications Patient Context Location Aware 1 2 3 4 5 6 7 8 9 SSL VPN

40. NETSPECTIVE www.netspective.com 40 OSS in Ultimate Architecture Core Device Components

    Security and Management Layer Device OS (QNX, Linux, Windows) Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Don’t create your own OS! Security isn’t added later Think about Plugins from day 1 Connectivity is built-in, not added Build on Open Source Create code as a last resort

41. NETSPECTIVE www.netspective.com 41 OSS enables plugin architecture Device Components 3rd

    Party Plugins App #1 App #2 Security and Management Layer Device OS (QNX, Linux, Windows) Plugins Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Event Architecture Location Aware

42. NETSPECTIVE www.netspective.com 42 OSS in connectivity components Device Components Security

    and Management Layer Device OS (QNX, Linux, Windows) Web Server, IM Client Connectivity Layer (DDS, HTTP, XMPP) • Presence • Messaging • Registration • JDBC, Query Plugin Container Surveillance & “remote display” Remote Access Alarms Event Viewer Design all functions as plugins

43. NETSPECTIVE www.netspective.com 43 OSS in device components Device Components 3rd

    Party Plugins Security and Management Layer Device OS (QNX, Linux, Windows) Sensors Storage Display Plugins Web Server, IM Client Connectivity Layer (HTTP, XMPP) Plugin Container Event Architecture Location Aware Virtualize! “On Device” Workflow Patient Context, too

44. NETSPECTIVE www.netspective.com 44 OSS enables enterprise integration Cloud Services Management

    Dashboards Data Transformation (ESB, HL7) BaaS Gateway (DDS, XMPP , ESB) Enterprise Data RCM, Financials, EHRs Device Inventory Cross Device App Workflows Alarm Notifications Patient Context Monitoring Device Teaming Device Management Report Generation HIT Integration Remote Surveillance Device Data SSL VPN Patient Self-Management Platforms Device Utilization Device reimbursement Device profitability

45. Thank You Visit http://www.netspective.com http://www.healthcareguy.com E-mail [email protected] Follow @ShahidNShah Call

    202-713-5409