Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to Use Open Source Technologies in Safety-critical Digital Health Applications and Medical Device Software

Shahid N. Shah
September 05, 2014

How to Use Open Source Technologies in Safety-critical Digital Health Applications and Medical Device Software

Presented at 3rd Annual Open Source EHR Summit - Key Takeaways:

* Outcomes driven care (vs. fees for service or volume driven care) is in our future
* Because outcomes now matter more than ever, open source digital health solutions are even more important
* There are new realities of patient populations driving open source even faster
* How to use open source reliably and and securely in a safety-critical environment like medical devices

Shahid N. Shah

September 05, 2014
Tweet

More Decks by Shahid N. Shah

Other Decks in Business

Transcript

  1. How to Use Open Source Technologies in
    Safety-critical Health Applications
    3rd Annual OSEHRA Summit
    Shahid N. Shah
    Chairman of OSEHRA Advisory Board

    View full-size slide

  2. NETSPECTIVE
    www.netspective.com 2
    Who is Shahid?
    • Chairman, OSEHRA Board of Advisors
    • 20+ years of software engineering and
    multi-discipline complex IT implementations
    (Gov., defense, health, finance, insurance)
    • 12+ years of healthcare IT and medical
    devices experience (blog at
    http://healthcareguy.com)
    • 15+ years of technology management
    experience (government, non-profit,
    commercial)
    Author of Chapter 13, “You’re
    the CIO of your Own Office”

    View full-size slide

  3. NETSPECTIVE
    www.netspective.com 3
    Outcomes driven care is in our future

    View full-size slide

  4. NETSPECTIVE
    www.netspective.com 4
    Open source software (OSS) is in our future
    • You’re moving from standalone boxes to fully integrated
    systems
    • mHealth demands more interoperability
    • Your customers demand flexible workflows with enhanced
    functionality
    • Your customer demand data integration with their systems
    • Security of medical devices is under great scrutiny and
    excuses aren’t going to be accepted

    View full-size slide

  5. NETSPECTIVE
    www.netspective.com 5
    The new realities of patient populations
    • Obesity Management
    • Wellness Management
    • Assessment – HRA
    • Stratification
    • Dietary
    • Physical Activity
    • Physician Coordination
    • Social Network
    • Behavior Modification
    • Education
    • Health Promotions
    • Healthy Lifestyle Choices
    • Health Risk Assessment
    • Diabetes
    • COPD
    • CHF
    • Stratification & Enrollment
    • Disease Management
    • Care Coordination
    • MD Pay-for-Performance
    • Patient Coaching
    • Physicians Office
    • Hospital
    • Other sites
    • Pharmacology
    • Catastrophic Case
    Management
    • Utilization Management
    • Care Coordination
    • Co-morbidities
    Prevention Management
    26 % of Population
    4 % of Medical Costs
    35 % of Population
    22 % of Medical Costs
    35 % of Population
    37 % of Medical Costs
    4% of Population
    36 % of Medical Costs
    Source: Amir Jafri, PrescribeWell

    View full-size slide

  6. NETSPECTIVE
    www.netspective.com 6
    Customers are struggling with Accountable Tech
    Cost per patient per
    procedure / treatment
    going up but without
    ability to explain why
    Cost for same
    procedure / treatment
    plan highly variable
    across localities
    Unable to compare
    drug efficacy across
    patient populations
    Unable to compare
    health treatment
    effectiveness across
    patients
    Variability in fees and
    treatments promotes
    fraud
    Lack of visibility of
    entire patient record
    causes medical errors
    Everything your app/device does to help answer important questions below means more sales and better margins

    View full-size slide

  7. NETSPECTIVE
    www.netspective.com 7
    Opportunities for incremental or new revenue
    Fill clinical
    documentation
    into EHRs
    Improve alarm
    notification
    Review and
    perform complex
    event processing
    Add signal/data
    processing for new
    parameters
    Remotely upgrade
    and service
    equipment
    Automate clinical
    workflows
    Remote
    surveillance
    Gateways and
    interoperability
    appliances

    View full-size slide

  8. NETSPECTIVE
    www.netspective.com 8
    Wireless BAN Ecosystem is complex without OSS
    Source: Qualcomm

    View full-size slide

  9. NETSPECTIVE
    www.netspective.com 9
    Data is getting more sophisticated, analysis even more so
    Proteomics
    Genomics
    Biochemical
    Behavioral
    Phenotypics
    Economics
    It’s hard today but will be even harder tomorrow
    IOT sensors
    Administrative

    View full-size slide

  10. NETSPECTIVE
    www.netspective.com 10
    Implications of healthcare trends
    PPACA ACO
    MU PCMH
    Health
    Home
    mHealth
    DATA
    Evidence Based Medicine
    Comparative Effectiveness
    Software
    Regulated IT and Systems
    Integration Services

    View full-size slide

  11. NETSPECTIVE
    www.netspective.com 11
    What’s being offered to users What users really want
    What users want vs. what they’re offered
    Data visualization requires integration and aggregation

    View full-size slide

  12. NETSPECTIVE
    www.netspective.com 12
    Evolving Healthcare IT Enterprise Architecture
    You need to fit into a complex environment
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    BaaS Gateway
    (DDS, XMPP
    , ESB)
    Enterprise Data
    RCM, Financials,
    EHRs
    Device Inventory
    Cross Device
    App Workflows
    Alarm
    Notifications
    Patient Context
    Monitoring
    Device
    Teaming
    Device
    Management
    Report
    Generation
    HIT
    Integration
    Remote
    Surveillance
    Device
    Data
    SSL VPN
    Patient
    Self-Management
    Platforms
    Device Utilization
    Device reimbursement
    Device profitability

    View full-size slide

  13. www.netspective.com 13
    • Should medical device and health IT vendors
    be using open source to implement their
    safety-critical requirements?
    • How about contributing to open source
    projects?
    • How about creating their own open source
    projects?

    View full-size slide

  14. www.netspective.com 14
    Yes!
    • If you’re not using open source projects in your
    own devices then you’re doing far more
    engineering work than is necessary.
    • If you’re not contributing to open source then
    you’re not making code you rely on better.
    • If you’re not creating open source then you’re
    missing a valuable marketing opportunity.

    View full-size slide

  15. NETSPECTIVE
    www.netspective.com 15
    Connectivity is a must, OSS is answer
    Most obvious benefit Least attention
    Most promising
    capability
    This talk focuses on
    connected devices

    View full-size slide

  16. NETSPECTIVE
    www.netspective.com 16
    Smart buyers looking for poly-connectivity
    Device
    Hospital
    Network
    Corporate
    Gateway
    External
    Cloud
    Hospital
    Systems
    Option 1 (no cellular access or hospital IT integration required)
    Device
    External
    Cloud
    Option 2 (cellular access and no hospital IT integration required)
    DDS
    REST
    HL7
    X.12
    DDS REST
    MPEG-21
    MPEG-21
    Could be a Home
    Network, too
    Wired
    Wireless
    Bluetooth,
    WiFi, Zibee, etc.
    Wireless, Cellular

    View full-size slide

  17. NETSPECTIVE
    www.netspective.com 17
    Appreciate tradeoffs
    Integration-
    friendliness Ease of
    validation
    The more connection-
    friendly a device, the
    harder it is to validate it
    Lesson: Demand Testability

    View full-size slide

  18. NETSPECTIVE
    www.netspective.com 18
    Regulatory Strategy
    510(k) PMA,
    Class 3, Class 2,
    etc.
    Unregulated
    EHR or others
    510(k)
    Class 2
    “Data Bridges”
    “Everything else”
    Customer registry
    Patient registry
    Patient profile
    Study Management
    Billing
    “The Device”
    Class 1
    MDDS

    View full-size slide

  19. NETSPECTIVE
    www.netspective.com 19
    What are we afraid of when it comes to OSS?
    Compliance
    Will the FDA and other
    regulators accept open
    source code in safety-
    critical systems?
    Reliability
    Is open source code safe
    enough for medical
    devices?

    View full-size slide

  20. www.netspective.com 20
    Yes, of course.
    Proof: we did it at American Red Cross in 1996 for a Class 3
    device built on a modern enterprise IT ecosystem
    Lesson: Risk managers and quality leadership often use
    regulators as an excuse to prevent OSS use because of OSS
    illiteracy, not legitimate strategy or actual evidence of harm.
    Reality: Regulators don’t care about your use of open source,
    they care about safe systems that meet intended use.

    View full-size slide

  21. NETSPECTIVE
    www.netspective.com 21
    Code you write is not necessarily safer
    Modern IT systems’ custom
    components
    There is significantly more and better
    testing of large open source projects
    than you could ever do
    In an integrated ecosystem, you have to
    learn how to rely on others and do so
    safely and effectively

    View full-size slide

  22. NETSPECTIVE
    www.netspective.com 22
    It’s not as hard as we think…
    • Modern real-time operating systems (open source and
    commercial) are reliable for safety-critical medical-grade
    requirements.
    • Open standards such as TCP/IP
    , DDS, HTTP
    , and XMPP can
    pull vendors out of the 1980’s and into the 1990’s. 
    • Open source and open standards that promote enterprise IT
    connectivity can pull vendors into the 2010’s and beyond.

    View full-size slide

  23. How to start using OSS immediately

    View full-size slide

  24. NETSPECTIVE
    www.netspective.com 24
    Remove OSS illiteracy from decision making
    Understand open
    source licensing,
    remove the fear of
    IP loss
    Understand where
    code is coming
    from and what test
    harnesses included
    Get in touch with
    the open source
    developers to find
    out the current
    utilization

    View full-size slide

  25. NETSPECTIVE
    www.netspective.com 25
    Choose the right OSS projects
    Requirements
    traceability
    possible?
    Code reviews
    conducted by OSS
    code authors?
    Unit testing
    conducted by
    authors?
    Continuous
    integration system
    employed?
    Integration testing
    conducted?
    Performance
    testing
    conducted?
    Safety testing
    conducted?
    Security testing
    conducted?

    View full-size slide

  26. NETSPECTIVE
    www.netspective.com 26
    Engender trust in the code’s provenance
    Connect to
    the revision
    control
    system of the
    open source
    project
    Create your
    own binaries
    Create a
    process to
    securely sign
    the binaries
    Create your
    own
    deployment
    packages

    View full-size slide

  27. NETSPECTIVE
    www.netspective.com 27
    Integrate OSS into your QSR process
    Employ continuous
    integration (CI) for
    your own and OSS
    project components
    Create a process to
    test the binaries
    using code
    coverage tools
    Conduct continuous
    hazard and risk
    analysis of outside
    code
    Keep an eye on
    changes coming in
    from the source and
    retest regularly
    Review your process
    with the compliance
    officers and get
    their regular buy in

    View full-size slide

  28. NETSPECTIVE
    www.netspective.com 28
    But it’s not easy either…we need
    Risk
    Assessments
    Hazard Analysis
    Design for
    Testability
    Design for
    Simulations
    Documentation Traceability
    Mathematical
    Proofs
    Determinism
    Instrumentation
    Theoretical
    foundations

    View full-size slide

  29. NETSPECTIVE
    www.netspective.com 29
    OSS hazard and risk assessment
    • What is the intended use for the device or system?
    • How will the OSS product you’re planning to use going to be
    tied to your intended use?
    • What is the risk associated with the OSS product for that
    particular intended use?
    R = Sh
    x Ph

    View full-size slide

  30. NETSPECTIVE
    www.netspective.com 30
    Risk is related to severity and harm
    R = Sh
    x Ph
    R = risk
    Sh
    = severity of harm
    Ph
    = probability of harm
    • Harm is damage done to a person
    • Severity is the degree of harm done
    • Probability is the frequency and duration of exposure

    View full-size slide

  31. NETSPECTIVE
    www.netspective.com 31
    Examples of Severity & Probability
    Severity
    • multiple fatalities
    • fatalities
    • severe injury (non-reversible, requires
    hospitalization)
    • moderate injury (reversible, requires
    hospitalization)
    • minor (reversible, requires first aid)
    • very minor (no first aid)
    Probability
    • Constant exposure
    • Hourly
    • Daily
    • Weekly
    • Monthly
    • Yearly
    • Never

    View full-size slide

  32. NETSPECTIVE
    www.netspective.com 32
    Formal risk assessment methods
    What-if analysis
    Preliminary
    hazard analysis
    (PHA)
    Failure modes
    and effects
    analysis (FMEA)
    Fault tree
    analysis (FTA)
    Hazard and
    operability
    studies

    View full-size slide

  33. NETSPECTIVE
    www.netspective.com 33
    OSS Risk analysis steps - FMEA
    • Define the function of the OSS product being analyzed.
    • Identify potential failures of the OSS.
    • Determine the causes of each failure types.
    • Determine the effects of potential failures.
    • Assign a risk index to each of the failure types.
    • Determine the most appropriate corrective/preventive
    actions.
    • Monitor the implementation of the corrective/preventive to
    ensure that it is having the desired effect.

    View full-size slide

  34. NETSPECTIVE
    www.netspective.com 34
    Good summary of FMEA
    • http://en.wikipedia.org/wiki/
    Failure_mode_and_effects_analysis

    View full-size slide

  35. NETSPECTIVE
    www.netspective.com 35
    Sampling of OSS / open standards
    Project / Standard Subject area D G Comments
    Linux or Android Operating system  
    OMG DDS (data
    distribution service)
    Publish and subscribe
    messaging
      Open standard with open
    source implementations
    AppWeb, Apache Web/app server  
    OpenTSDB Time series database  Open source project
    Mirth HL7 messaging engine  Built on Mule ESB
    Alembic Aurion HIE, message exchange  Successor to CONNECT
    HTML5, XMPP
    , JSON Various areas   Don’t reinvent the wheel
    SAML, XACML Security and privacy  
    DynObj, OSGi, JPF Plugin frameworks   Build for extensibility

    View full-size slide

  36. NETSPECTIVE
    www.netspective.com 36
    OSS applicability to connectivity
    Physical
    • Wired, wireless (WiFi, cellular, etc.)
    Logical
    • Device  Gateway  Data Routers  Systems
    Structural
    • Security, Numbers, Units of Measure, etc.
    Semantic
    • Presence, Vitals, Glucose, Heartbeats, etc.

    View full-size slide

  37. NETSPECTIVE
    www.netspective.com 37
    OSS applicability to manageability
    Security
    • Is the device
    authorized?
    Inventory
    • Where is the device?
    Presence
    • Is a device connected?
    Teaming
    • Device grouping

    View full-size slide

  38. NETSPECTIVE
    www.netspective.com 38
    OSS enables extensible devices
    Legacy
    Devices
    Future
    Devices

    View full-size slide

  39. NETSPECTIVE
    www.netspective.com 39
    Device Components 3rd Party Plugins
    App
    #1
    App
    #2
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Sensors Storage Display Plugins
    Web Server, IM Client
    Connectivity Layer (DDS, HTTP, XMPP)
    • Presence
    • Messaging
    • Registration
    • JDBC, Query
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    Device Gateway (DDS, ESB)
    Healthcare Enterprise
    Enterprise
    Data
    Shahid’s “Ultimate Connectivity Architecture”
    Plugin Container
    Event Architecture
    Inventory
    Workflow
    Notifications
    Patient Context
    Location
    Aware
    1 2
    3
    4
    5
    6
    7
    8
    9
    SSL VPN

    View full-size slide

  40. NETSPECTIVE
    www.netspective.com 40
    OSS in Ultimate Architecture Core
    Device Components
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Connectivity Layer (DDS, HTTP, XMPP)
    Plugin Container
    Don’t create
    your own OS!
    Security isn’t
    added later
    Think about
    Plugins from day 1
    Connectivity is
    built-in, not added
    Build on
    Open Source
    Create code as
    a last resort

    View full-size slide

  41. NETSPECTIVE
    www.netspective.com 41
    OSS enables plugin architecture
    Device Components 3rd Party Plugins
    App
    #1
    App
    #2
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Plugins
    Connectivity Layer (DDS, HTTP, XMPP)
    Plugin Container
    Event Architecture
    Location
    Aware

    View full-size slide

  42. NETSPECTIVE
    www.netspective.com 42
    OSS in connectivity components
    Device Components
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Web Server, IM Client
    Connectivity Layer (DDS, HTTP, XMPP)
    • Presence
    • Messaging
    • Registration
    • JDBC, Query
    Plugin Container
    Surveillance &
    “remote display”
    Remote Access
    Alarms
    Event Viewer
    Design all functions
    as plugins

    View full-size slide

  43. NETSPECTIVE
    www.netspective.com 43
    OSS in device components
    Device Components 3rd Party Plugins
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Sensors Storage Display Plugins
    Web Server, IM Client
    Connectivity Layer (HTTP, XMPP)
    Plugin Container
    Event Architecture
    Location
    Aware
    Virtualize!
    “On Device”
    Workflow
    Patient
    Context, too

    View full-size slide

  44. NETSPECTIVE
    www.netspective.com 44
    OSS enables enterprise integration
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    BaaS Gateway
    (DDS, XMPP
    , ESB)
    Enterprise Data
    RCM, Financials,
    EHRs
    Device Inventory
    Cross Device
    App Workflows
    Alarm
    Notifications
    Patient Context
    Monitoring
    Device
    Teaming
    Device
    Management
    Report
    Generation
    HIT
    Integration
    Remote
    Surveillance
    Device
    Data
    SSL VPN
    Patient
    Self-Management
    Platforms
    Device Utilization
    Device reimbursement
    Device profitability

    View full-size slide

  45. Thank You
    Visit
    http://www.netspective.com
    http://www.healthcareguy.com
    E-mail [email protected]
    Follow @ShahidNShah
    Call 202-713-5409

    View full-size slide