Tim.Churches wrote:
> 
> I think that the key question is: what does certification involve? How
> is it done? Is the $25000 certification fee required in order to employ
> a team of High Priests who use magical incantations and crystal balls to
> determine whether a particular software product should be certified, or
> is there an objective list of criteria which products must meet or
> fulfil? Hopefully the latter. Clearly these criteria should be

I think in CCHIT's case it's the latter.  They're very open about their 
criteria.  I haven't reviewed it all, but it seems reasonable.  I don't 
see how the fees can be gotten around in any case.  It's really a matter 
of a group's ability to financially absorb the cost.

Certification is not magic.  Real work that involves cost is involved to 
run tests and validate that an application conforms to specific 
standards.  There are legal implications by certification as well, which 
I would not want to take on as a certification body without a sizeable 
fee.  So, I would say $25,000 is quite reasonable.  They may have to 
raise the rate though.

Software certification in some form is already done, BTW, in the U.S. by 
JACHO.  It's just that the USE of a system in a healthcare organization 
is certified, but not the system itself.  So, CCHIT's program could 
lower the cost of JACHO compliance depending on the criteria.

For example, with OpenEMed, we're quickly running up against the 
requirement to demonstrate that the product running out of the box is 
HIPAA compliant.  CCHIT's costs can be cheaper to demonstrate that than 
going it alone.

Furthermore, I believe if a group is developing any kind of software for 
the ENTIRE health care market and they haven't figured out how to recoup 
enough money to cover CCHIT (or similar) certification, then perhaps the 
development effort isn't meant to produce software to manage real health 
care data anyway.

I hate to be the antagonist on this point ... but the world doesn't 
expect to get open source software for $0 total investment. And health 
care Open Source development groups have a responsibility to ensure 
their work lives up to some standard.


> published, and publishers of medical software should be encouraged to
> document how their product meets these criteria. The cost of certifying
> a product for which its vendor/publisher has done all the hard work for
> the certifying agency by documenting how it meets the certification
> criteria should cost a lot less to have certified than system without
> such documentation. The vendor/publisher-provided certification
> documentation might comprise things like reference to design documents,
> automated tests to demonstrate compliance with certain prescribed or
> proscribed behaviours, or reference to the source code for the product.

You bring up a good point.  Certification of proprietary products is 
also probably more costly than an open source certification.

Just using documentation only though to certify products assumes that 
the documentation accurately and truthfully describes a product's 
compliance.  Defeats the purpose of an independent review, really.  This 
makes open source certification by a CCHIT-like organization that much 
more attractive to me as a developer.

> Now, one can see why vendors of proprietary medical software would not
> want to make such certification documentation publicly available - it
> would reveal a great deal to their competitors about the engineering of
> their product and would probably require access to source code and a
> working copy of the product in order to be useful anyway - neither of
> which would be publicly available - so there would be little point.

I will allow that it's possible to validate the functioning of a 
software product without looking at the source code, assuming there are 
no "hidden features."  But, certification of an open source product 
could set a higher standard, too.

> Obviously there is still a high cost to certification for proprietary
> vendors and open source projects alike, but at least with the model
> described above, or variations on it, those costs can be distributed
> across a community of users and developers, and the certification can
> evolve and be maintained alongside the open source software itself,
> rather than having to be redone from scratch by behind-doors certifiers
> for each new release or version.

I agree, but the cost needs to be collected and paid for somehow... and, 
(deep breath) an official certification needs to be sought by some 
real entity with real money that can version lock a real product and 
manage a real release - not just a nebulous group who doesn't expect to 
get paid.

Certification is just one cost.  Constantly updating applications of any 
kind to meet changing regulations is another cost many open source 
developers don't take into account.  CCHIT, fees and all, can help 
communicate to the public where an open source project complies with 
government regulations.

Richard


 