I think the collective awe of health care aficionados at the Open Source Convention came to a focal point during our evening Birds of a Feather session, when open source advocate Fred Trotter, informally stepping in as session leader, pointed out that the leaders of key open source projects in the health care field were in the room, including two VistA implementors (Medsphere and WorldVistA), Tolven, and openEMR--and not to forget two other leading health care software initiatives from the U.S. government, CONNECT and NHIN Direct.

This meeting, which drew about 40 doctors, project leaders, programmers, activist patients, and others, was the culmination of a full day of presentations in the first track on health care at an O'Reilly conference. The day's sessions unveiled the potential of open source in health care and how dedicated implementors were making it a reality, starting with an scene-setting talk by Tim O'Reilly that attracted over 75 people and continuing through the next seven hours until a dwindling hard core delayed drinks and hors d'oeuvres for half an hour to hear a final late talk by Melanie Swan on DIYgenomics.

Nine talks representing the breadth of a vital programming area can't be summarized in one sentence, but for me the theme of the day was open source advocates reaching out to solve pressing problems that proprietary vendors will not or cannot address.

Tim O'Reilly's talk laid out key elements of the health care revolution: electronic records, the quantified self (measuring one's bodily activities), and the Internet of things that allows one to track behavior such as whether a patient has taken his medicine.

Talk to me

We were honored to have key leaders from Health and Human Services speak at today's conferences about its chief open source projects. David Riley and Brian Behlendorf (known best for his work on Apache) came from the Office of the National Coordinator along with lead contractor Arien Malec to show us the current status and--most exciting--the future plans for CONNECT and NHIN Direct, which are key pieces of the Administration's health care policy because they allow different health care providers to exchange patient information securely.

I have written recently about "meaningful use" for health care records. Malec provided a homespun and compelling vision of the problems with the current health care system: in contrast to the old days where doctors knew every patient personally, modern health care is delivered as episodic interventions. As Fred Trotter said in his talk, we've reached the limit of what we can achieve through clinical efforts. Doctors can do miracles compared to former times, but the problems we suffer from increasingly call for long-range plans. Malec said that health care systems need to remember us. That's what electronic health records can do, combined with the data exchange protocols provided by NHIN.

Riley, in what is likely to be one of the most revisited talks of the conference--yes, we recorded the sessions and will put them online--rapidly laid out the architecture of CONNECT and what's planned for upcoming releases. Requests between agencies for health care data have gone from months to minutes with CONNECT. Currently based on SOAP, it is being refactored so that in the future it can run over REST, XMPP, and SMTP.

NHIN Direct, the newer and more lightweight protocol, is also based on digital certificates and uses S/MIME with SMTP over TLS. Parties can do key exchange themselves or work through a trusted third party. It seems to me, therefore, that CONNECT and NHIN Direct will eventually merge. It is as if the NHIN Direct project was started to take a big step back from CONNECT, look at what it achieved for the government agencies that produce or consume health care and how the same benefits could be provided to health care providers all over the country, and to formalize an architecture that would become the new CONNECT.

NHIN Direct is an even more impressive case of open government and collaborative development than CONNECT. The public was involved from the earliest design stage. Some people complained that established vendors bent the process to preserve their advantages, but they probably had less success this way than if HHS followed normal government procedures. NHIN already has reference implementations in Java and C#. If you're inspired to help bring health records to the public, you can read the wikis and attend some training and contribute reference implementations in your language of choice.

In addition to supporting the NHIN Direct protocol, some of the upcoming features in CONNECT include:

• Identity management services. This will probably be based on a voluntary patient identifier.
• Support for meaningful use criteria.
• Support for structured data, allowing the system to accept input in standards such as the CCR or CCD and populate documents. One feature enabled by this enhancement will be the ability to recognize sensitive health data and remove it before sending a record. (CONNECT can be used for all health-related data, not just personal medical records.)
• Moving to the Spring Framework.

Riley has done some pretty rigorous cost analysis and determines that careful management--which includes holding costs down and bringing multiple agencies together to work on CONNECT--has reduced development costs from over 200 million dollars to about 13 million dollars. Recent code sprints drew heavily from community volunteers: 4 or 5 volunteers along with 12 contractors.

In an overview talk, Deborah Bryant of OSU Open Source Lab raised the issue continuity in relation to NHIN and CONNECT. Every open source project has to figure out how to keep a community of volunteers interested so that the project continues to evolve and adapt to changing circumstances. Government-backed projects, she admitted, provide funding over a sustained period of time, but this does not obviate the need for community management.

In addition, CONNECT is run by a consulting firm with paid contractors who have to learn how to accept community input and communicate with outsiders. Behlendorf said that simple things like putting all code in Subversion and all documentation on a wiki helps. Consultants are also encouraged to request feedback on designs and to talk about the goals of sprints as far as possible in advance. IntraHealth International manages the basic health care resource: people

The problems of the developing world were represented most directly by the open source human resource information system IntraHealth International, presented by Carl Leitner. IntraHealth International helps many Sub-Saharan and South Asian countries manage one of their most precious and dwindling resources: health care professionals. The system, called iHRIS lets individual hospitals as well as whole nations determine where their most pressing staffing needs lie, break down staff by demographic information such as age and gender (even language can be tracked), and track their locations.

Training is one of the resources that must be managed carefully. If you know there's a big gap between the professionals you need and ones you have, you can direct scarce funding to training new ones. When iHRIS records expenditures, what do countries often find? Some administrator has splurged on sending himself to the same training program over and over, just to get the per diem. Good information can expose graft.

Open source is critical for a system like iHRIS, not just because funds are scarce, but because localization is critical. Lots of languages whose very existence is hidden from proprietary vendors need to be supported. Each country also has different regulations and conditions. IntraHealth International holds regular unconferences, mentoring, and other forms of training in its target countries in the hope of (in Leitner's words) putting themselves out of business. Of course, trained IT staff tend to drift into higher-paying jobs, so the organization tries to spread the training over many people.

OpenEMR and Tolven

The overarching challenge for any electronic health record system, if its developers hope it to be taken seriously over the next couple years in the United States, is support for meaningful use criteria. Proprietary systems have, for several decades, met the needs of large institutions with wads of cash to throw at them. And they will gain certification to support meaningful use as well. But smaller providers have been unable to afford these systems.

The need for an open source solution with meaningful use certification is pressing, and two project leaders of OpenEMR devoted their talk to their push to make their system ready. They estimate that they have implemented about 80% of the required functionality, but more slowly than expected. Extraordinary measures were required on many fronts:

• Medical experts had to read thousands of pages of specifications as they came out, and follow comments and debates to determine which requirements would likely be dropped or postponed, so as not to waste development time.
• Contractors were hired to speed up the coding. Interestingly, the spike in productivity created by the contractors attracted a huge number of new volunteers. At one point openEMR became number 37 on SourceForge in terms of activity, and it is still up around 190. The project leaders had to upgrade some of their infrastructure to handle an increased number of commits. They also discovered that lack of documentation was a hindrance. Like the CONNECT team, they found that maintaining a community required--well, maintenance.
• Project leaders had to go to Washington and argue with government bureaucrats to change requirements that would have essentially made it impossible for open source projects to meet the meaningful use requirements. They succeeded in removing the offending clauses, and believe they were also responsible for winning such accomplishments as allowing sites to certify modules instead of entire stand-alone systems. Nevertheless, some aspects of certification require contracts with proprietary vendors, such as lab interface, which is done through a proprietary company, and drug-to-drug and drug-to-allergy interactions, which require interaction with expensive databases.

Tony McCormick pointed out that the goal of meaningful use certification provided a focus that most open source projects lack. In addition, the government provided tests (called scripts) that served as a QA plan.

Meaningful use, as much as it represents an advance over today's health information silos, does not yet involve the patient. The patient came to the fore in two other talks, one by Melanie Swan on her company DIYgenomics and the other by Tom Jones on Tolven.

Swan summarized the first two generations of DNA sequencing (which went a bit above my head) and said we were on the verge of a third generation that could bring full genome sequencing down to a cost that consumers could afford. A part of the open science movement, DIYgenomics helps patients combine with others to do research, a process that is certainly less rigorous than controlled experiments but can provide preliminary data that suggests future research. For many rare conditions, the crowdsourced approach can fill a gap that professional researchers won't fill.

In addition to providing access to studies and some other useful apps--such as one that helps you evaluate your response to drugs--DIYgenomics conducts its own longitudinal studies. One current study checks for people who do not absorb vitamin B12 (folic acid) properly, a condition to which up to half the population is vulnerable. Another study, for which they are seeking 10,000 participants, covers aging.

Jones's talk centered on privacy, but spread its tent to include the broader issues of patient-centered medicine. Tolven simultaneously supports records held by the doctor (clinical health records) and by the patient (personal health records).

In a system designed especially for the Netherlands--where privacy laws are much stricter and better specified than in the United States--Tolven stores medical records in large, centralized repositories because it's easier to ensure security that way. However, strict boundaries between doctors prevent them from viewing each other's data. Even more significantly, data is encrypted during both transmission and storage, and only the patient has the key to unlock it. Audit trails add another layer of protection.

In this architecture, there are no release forms. Instead, the patient explicitly approves every data transfer. (Patients can designate special repositories to which their relatives have access, in case of emergencies when they're not competent to make the transfer.)

That was one day of health care at OSCon--two more are coming up. We started our evening BOF with introductions, but more and more people kept coming in the room, and everyone was so interesting that the introductions ended up taking the entire hour allocated for the BOF. The sense that our health care system needs to change radically, and the zeal expressed to take part in that change, brought energy into the room. This was a great place to meet like-minded people.