Friday, December 11, 2009

Double Standard?

I find it strange that John Halamka is willing to spend top-dollar for a Gortex suit because it has long term benefits that he sees will payout over time, while in the same blog telling the whole healthcare community that they should settle for a low grade solution even when that solution is known to be deficient in security,  determinism, versioning, reliability, flexibility, etc.

There have been many attacks on XDS/XDR as being overly complex including that they are SOAP based. These have also included questions of if HITSP should offer an alternative transaction that is RESTful.

The requirements that XDS/XDR satisfy are well documented in the IHE Technical Framework. I will highlight a few that are relevant to why the benefits of the SOAP stack are important:
  1. User Authentication supported by HTTP alone is inadequate for healthcare information. WS-Security includes support for many user authentication methods including Federated ID using SAML Assertions.
  2. URL representations of healthcare resources (e.g., Medical Record, Patient Chart, or provider ID, et cetera), can:
    • Expose PHI in web URLs (probably the most common security error made in web-based healthcare apps)
    • Create easily exploitable web pages (another very common security error). 
  3. Formal interface definition language in WSDL.  
  4. Support for end-to-end security while leveraging a flexible WS-Addressing and built in asynchronous support.
Although all of these are enabled by the SOAP stack, they are not mandatory and the minimal stack is profiled for XDS/XDR. The point is that adding the additional support from the SOAP stack is as simple as adding building blocks, where as one would need to code this into the application with a RESTful approach. Further point that is often lost in these discussions is that REST is an architecture, there is no standards that define REST. Where as SOAP is a standards based protocol.

We either clothe Healthcare in a ‘simple’ jumpsuit, or we build a long-term HIE architecture out of strong durable fabric.


  1. This comment has been removed by the author.

  2. There is an all-too-strident debate among people who favor either SOAP or REST. It is complicated by the fact that SOAP is a standard and REST is not. This is similar to the difference between a building code and Frank Lloyd Wright's school, where some people feel obligated to follow the code while others favor a style of buildings. It is not easy to have such a debate, especially among people of varying levels of technical knowledge, and it the value from it is tentative. Think of the messy process of settling on the plans for a house between a building inspector, a visionary architect, a contractor, and a budget-constrained homeowner.

  3. Some have decried this post as being way too ad hominem. I disagree. It is a nice metaphor. It also reveals the very center of the issue at hand.

    John H. made a post about a new technology he is trying for a specific use case. In this case it was an extremely expensive suit for riding his bike to business meetings in inclement weather. He didn't dictate that everybody get the same suit. He didn't even suggest it. He didn't even claim it was a proven technology nor did he suggest that the use case was appropriate to everyone. He just said that he had the bucks personally and was willing to try it. He certainly didn't say everyone should ride their bikes naked unless they shelled out for this expensive, unproven technology

    In his role as a national health IT leader (rather than an extreme bicyclist) he took a much more conservative tack. In adding support for a RESTful approach, he implied that there are use cases where jump suits are appropriate, and recognized the technology exists to mass-produce jumpsuits at reasonable cost.