[Openid-specs-heart] Please VOTE before Election Day: What’s hindering adoption of HEART?

John Moehrke johnmoehrke at gmail.com
Wed Nov 1 16:22:37 UTC 2017


I am okay with your interpretation of B, C, and A... BUT my point is more
that there simply has not yet been enough time for us to know if will
succeed or not.

I also agree with Nuno, that until FHIR matures there should be no
expectation that HEART will even start to be born. Yes, there is some
deployment of DSTU2, but it is very experimental (as it should be since it
is not normative).  Further emphasis that these implementations are on
DSTU2, even though STU3 has released a year ago. Thus should we state that
FHIR is a failure given that STU3 has not been adopted?

So, overall vote is.... give it some time...

John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and
Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067
JohnMoehrke at gmail.com
https://www.linkedin.com/in/johnmoehrke
https://healthcaresecprivacy.blogspot.com
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")

On Wed, Nov 1, 2017 at 11:11 AM, Adrian Gropper <agropper at healthurl.com>
wrote:

> John,
>
> It’s interesting to read your perspective on the same day as the Senate
> information blocking hearing: https://www.politico.
> com/tipsheets/morning-ehealth/2017/11/01/analysis-of-helps-
> health-it-hearing-223116
>
> In terms of the vote, it seems you’re saying B and C with a hint of A for
> the security reasons you cite. I agree that my phrasing of C is less PC
> than yours, but your point about how HEART would benefit the sicker
> patients before others suggests that we’re talking about the same thing.
>
> John, if you would like us to score your vote as “other” please be clearer
> as to what that is.
>
> I’m at a loss to interpret Eve’s perspective other than maybe A. This vote
> is not about OAUth2 or UMA, it’s about HEART. If we’re unable to get either
> medical data holders (especially the federales) or the health information
> exchanges to the HEART meetings, then maybe we need to focus our attention
> on UMA instead.
>
> A few more votes have come in. The longer we talk about this, the likelier
> we are to reach a consensus for what to do next.
>
> Adrian
>
> On Wed, Nov 1, 2017 at 7:47 AM Eve Maler <eve.maler at forgerock.com> wrote:
>
>> Great thoughts.
>>
>> I would never have bothered working on SAML starting in late 2000 (or any
>> other standards :-) ) if I didn't think it had differentiating value. When
>> we published a finished 1.0 two years later, I thought "Great, everyone,
>> start using it!" Real adoption took much longer, not just because
>> technology refresh rates were at least three years at the time, but because
>> it challenged business models. SAML went through a 1.1 and then a 2.0. Ten
>> years later, something like 90% of broadly used business SaaS services
>> supported SAML 2.0 as SPs because so many enterprises already served as
>> IdPs. Adoption wasn't guaranteed to happen, but while code is really really
>> important, solving the right problem is king.
>>
>> It does seem there are challenges with the US healthcare business
>> environment that erect barriers. At the same time, I am
>> having conversations with US-connected businesses, especially involving
>> IoT, interested in HEART (particularly involving UMA because it's the
>> patient-centric piece). And organizations from around the world are also
>> reaching out with interest.
>>
>> Perhaps it's unnecessary to assume that adoption is unusually hindered
>> when considering that a standard like this affects a whole BLT sandwich
>> (business, legal, technical). A question might be: What do you intend to do
>> differently with the answer? (Along the lines of Why perform this
>> diagnostic test? :-) ) I intend to keep doing the work, collecting use
>> cases and spec feedback, and getting the word out.
>>
>>
>> *Eve Maler*ForgeRock Office of the CTO | VP Innovation & Emerging
>> Technology
>> Cell +1 425.345.6756 <(425)%20345-6756> | Skype: xmlgrrl | Twitter:
>> @xmlgrrl
>>
>> On Wed, Nov 1, 2017 at 5:59 AM, John Moehrke <johnmoehrke at gmail.com>
>> wrote:
>>
>>> Adrian,
>>>
>>> I think you are very quick to place others names on the list of reasons
>>> HEART has failed...
>>>
>>> The fastest standards get implemented within 5 years, most take longer.
>>> I could be that we haven't waited long enough.
>>>
>>> I really like the idea of HEART, but I am not sure it will get
>>> implemented, because it presents more complexity, while not solving a
>>> problem that the data holders believe they have. I will put the word
>>> 'believe' in that sentence, but I am more on the side that they do not have
>>> a problem that HEART solves.  I am not saying that the vision of HEART is
>>> false, it is a fantastic vision. There are just no obvious stepping-stones
>>> from where we are today to this nirvana.
>>>
>>> For HEART to exist a large number of HEART authorities must exist. They
>>> must convince custodians that they are trustworthy, and do represent the
>>> patient. They must convince the patient that they are trustworthy and will
>>> accurately represent the patient.  There must be many, so that the patient
>>> has choice. There must be some mechanism where this trust is developed and
>>> maintained  There must be blunt discussions of what happens when
>>> failure-modes happen. This is a case where these must be built and prove
>>> themselves before the system will work, yet they can't prove themselves
>>> until the system is working. Too risky for everyone.
>>>
>>> There is a subset of the population that would benefit from HEART, those
>>> that frequent many different and unconnected healthcare providers. I don't
>>> know how big this group is. I 'think' that subset is small relative to the
>>> whole population. I 'think' that subset is generally not the technically
>>> engaged, or technically adventuresome. Yes, there is a couple dozen that
>>> are, but most are not.
>>>
>>> Many healthcare providers have fully functional interactions with their
>>> patient population. This includes a user identity. That user identity has
>>> Privacy controls. That user identity has access to a Portal where that
>>> patient can obtain their patient data. That identity is being enabled to be
>>> able to use the FHIR API in many cases.  Note that there is  little
>>> interest in moving to a federated identity, because of the risk of exposing
>>> metadata and patterns of behavior to that third-party. Although we are
>>> encouraging OAuth be used with FHIR, everyone has placed the OAuth
>>> authority within the same walls as their FHIR Server. Thus, it isn't really
>>> a federation, it is just using the technology so that apps can be enabled
>>> and managed using OAuth. This is a win, but not a full identity federation
>>> win. Time might solve this one.
>>>
>>> I realize that some healthcare providers are still blocking data. I have
>>> had fantastic access to my data for a decade. The VHA provides full access
>>> for veterans to their data.  In all cases I know of through my family they
>>> have access. And ALL of us are on the eHEX nationwide health information
>>> exchange.  I don't know who these data blockers are, and it is sick that we
>>> keep abusing the whole industry because of these abusive healthcare
>>> providers. I don't understand why we are not yet naming and shaming these
>>> organizations.  We should be abusing THOSE organizations, not the whole of
>>> healthcare.
>>>
>>> Thus, HEART is a great idea but it is too difficult: technically,
>>> legally, human, risk...
>>>
>>> john
>>>
>>> John Moehrke
>>> Principal Engineering Architect: Standards - Interoperability, Privacy,
>>> and Security
>>> CyberPrivacy – Enabling authorized communications while respecting
>>> Privacy
>>> M +1 920-564-2067 <(920)%20564-2067>
>>> JohnMoehrke at gmail.com
>>> https://www.linkedin.com/in/johnmoehrke
>>> https://healthcaresecprivacy.blogspot.com
>>> "Quis custodiet ipsos custodes?" ("Who watches the watchers?")
>>>
>>> On Tue, Oct 31, 2017 at 8:24 PM, Danny van Leeuwen <
>>> danny at health-hats.com> wrote:
>>>
>>>> J other people don’t know about it and don’t understand it’s balue
>>>>
>>>> All 3 votes
>>>>
>>>> On Tue, Oct 31, 2017 at 8:55 PM Adrian Gropper <agropper at healthurl.com>
>>>> wrote:
>>>>
>>>>> Only one vote so far.
>>>>>
>>>>> Adrian
>>>>>
>>>>> On Fri, Oct 27, 2017 at 11:46 PM Adrian Gropper <
>>>>> agropper at healthurl.com> wrote:
>>>>>
>>>>>> A - Our standards work is incomplete
>>>>>> B - Implementation of our profiles is too expensive
>>>>>> C - Why would a hospital want to make patient-directed access easier?
>>>>>> D - HEART distracts the patient from the hospital’s portal experience
>>>>>> E - US regulations are inadequate from a patient rights perspective
>>>>>> F - NATE and other HIE groups don’t see the value of HEART to their
>>>>>> business or mission
>>>>>> G - Patient-directed exchange does not allow the patient to pay for
>>>>>> API access
>>>>>> H - CMS and VA have not endorsed HEART or put it on their road map
>>>>>> I - We have not done enough PR and promotion
>>>>>> J - Other ___________________________________
>>>>>>
>>>>>> Please vote on the list above. Each person has 3 votes to cast on one
>>>>>> or more of the options.
>>>>>>
>>>>>> If you want your vote to be “secret” just send it to me and I promise
>>>>>> I won’t share or even save your name. I will simply report the total count
>>>>>> of people who voted as it grows and then tally the totals *before
>>>>>> the Nov 6 call.*
>>>>>>
>>>>>> Please share this email with anyone you know that has any idea of
>>>>>> what we’re doing with UMA or HEART.
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Adrian
>>>>>> --
>>>>>>
>>>>>> Adrian Gropper MD
>>>>>>
>>>>>> PROTECT YOUR FUTURE - RESTORE Health Privacy!
>>>>>> HELP us fight for the right to control personal health data.
>>>>>> DONATE: https://patientprivacyrights.org/donate-3/
>>>>>>
>>>>> --
>>>>>
>>>>> Adrian Gropper MD
>>>>>
>>>>> PROTECT YOUR FUTURE - RESTORE Health Privacy!
>>>>> HELP us fight for the right to control personal health data.
>>>>> DONATE: https://patientprivacyrights.org/donate-3/
>>>>> _______________________________________________
>>>>> Openid-specs-heart mailing list
>>>>> Openid-specs-heart at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>>>>
>>>> --
>>>> Danny van Leeuwen
>>>> Danny at health-Hats.com
>>>> 617-304-4681 <(617)%20304-4681>
>>>> Blog: www.health-hats.com
>>>> Twitter: @healthhats
>>>>
>>>> _______________________________________________
>>>> Openid-specs-heart mailing list
>>>> Openid-specs-heart at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Openid-specs-heart mailing list
>>> Openid-specs-heart at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>>
>>>
>> _______________________________________________
>> Openid-specs-heart mailing list
>> Openid-specs-heart at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>
> --
>
> Adrian Gropper MD
>
> PROTECT YOUR FUTURE - RESTORE Health Privacy!
> HELP us fight for the right to control personal health data.
> DONATE: https://patientprivacyrights.org/donate-3/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20171101/e85b5506/attachment-0001.html>


More information about the Openid-specs-heart mailing list