A truly open VistA

Image credits: UW Digital Collections |
submit to reddit
(6 votes)

The VA has released a draft RFP to create a new open source project around their electronic health record system, VistA. This is a landmark event for both the VA and the open source community. The need for cheap and robust EHR systems is clear, and the VA has one of the leading platforms.

VistA’s a challenge, though. The community is notoriously fragmented as a result of regular FOIA requests for the VistA source code. The project is based on MUMPS, which a relatively unpopular platform, so developers for VistA are in short supply. Since there’s no clear mainstream for the project, the VA VistA project competes against this fragmented community for a shallow pool of developer talent. There’s the for-profit Medsphere, which has built its own offering called OpenVistA. There’s also the WorldVistA community and http://www.hardhats.org/. FOIA requests for VistA source code are so common that VistA appears on VA’s FOIA FAQ page, but few (if any) of the contributions from any private-sector VistA communities feed back into the VA VistA project.

"VA believes that VistA’s rate of innovation and improvement has slowed substantially, and the codebase is unnecessarily isolated from private sector components, technology, and outcome-improving impact. To address this issue, VA is establishing a mechanism that will open the aperture to broader-based public and private sector contributions."

This RFP changes the VA’s game profoundly. They’ll create an independent body, the “Custodial Authority”, to hold the VA’s VistA code. The CA will then act as a kind of coordinator and authority for the project, allowing anyone to submit improvements which are “certified” by the CA and fed to downstream projects, like VA’s VistA and (presumably) projects like OpenVistA and WorldVistA.

This is a worst-case scenario for government-sponsored open source projects. The technology is obscure, the internal community of developers is likely anxious about opening their code to outsiders, and the external communities will go out of their way to protect the businesses they’ve fought so hard to create. This makes VistA a fascinating case study for creating open source projects from inside government.

Convincing these communities to come together will take a lot of courage. It’s as much about political will and persuasion as it is technical hurdles. This CA model is a clear attempt by the VA to balance control and predictability with agility and innovation.

It's obvious from the goals and incredibly aggressive timeline for the project that the VA is in a hurry to build from scratch the kind of community that usually grows organically over time. The open source approach here is similar to the pattern of letting pathways across a common greenspace form by the humans living there rather than the hands of an architect. It's easy to see what works in existing open source communities, but applying this brand-new way of working on to an existing community of developers, vendors, and system integrators will be a different story.

This is most obvious in the RFP’s notion of “certification” for new ideas, which makes it more difficult for developers to participate. The CA clearly wants to attract developers, but at the same time will have to provide assurances to its internal customers that this newly open code is stable and thoroughly reviewed. That's not uncommon in open source projects, but if building community around this code is a goal, a rigorous certification will make this much harder. A successful certification regime relies on the Authority having a natural... well, authority. This comes from unambiguous and transparent rules that have the community's consent. Given the diversity of this particular community, consensus will be difficult. There's also the matter of procedural friction: certification could be a huge bottleneck, since a finite QA staff must review a potentially unlimited amount of community input. Of course, the certification could just mean plain-old open source patch review. However this shakes out, it will be an interesting study in the tension between control and collaboration that will always exist in government-sponsored open source projects.

A diagram of the VistA Certification Workflow

Strangely, the VA seems to be planning for certified code that doesn't go into the upstream repository. The use case for this isn't clear, if the goal is to pull the disparate VistA communities into the fold. If the CA is busy certifying code that won't end up in the upstream, that's a lot of overhead with no clear benefit. We suspect that we just misunderstand the intent here.

We're also unsure of the stated goal of creating "a custodial agent based on well-understood open source business models." Is it telling that they are focusing on establishing a business model instead of creating an open source community that can be the wellspring for many business models? It's difficult to discern community goals for participants who are outside of the recognized pool of system integrators, vendors, and academia. Is there room in the vision for the users, such as health care providers, to participate in improving the upstream? Is the barrier low enough for them to succeed?

We don’t want to leave the impression that this RFP is flawed. We think it’s an excellent model for future agency open source projects, and it's clear significant and smart thinking went in to this. The VA has avoided a number of common mistakes in community-building. They’ve gone out of their way to socialize this change with the internal and external communities. You can see evidence of this on the Medsphere Community site, which has an excellent tick-tock account of the initiative. They also recognize that it needs a neutral third party, in this case the CA, to act as the catalyst for all these competing interests. Even though the implementation doesn't seem quite right, they're clearly making an effort to invite amateur participation, rather than restricting control to a handful of incumbent developers. In this plan, you can see aspects of the Eclipse, Apache, and Fedora models for governance, with a government twist.

This may be the largest single code-drop in the history of the US government. That makes it significant to open source in general, not just the VA. It’s in our best interest to make sure this effort succeeds. So what else have we missed? Is this plan workable, or is it profoundly flawed?

[This article was co-authored by Gunnar Hellekson and Karsten Wade.]

Creative Commons License


lorimehen's picture
Open Source Champion

It's important to note that the VA has repeatedly come under attack by those who want to lock the VA into their proprietary systems. Most recently some members of the Wisconsin congressional delegation wrote a letter suggesting the VA and Defense departments use a single commercial system. They declined, so kudos!

gunnar's picture
Open Source Evangelist

That's yet another tension built into this project. More detail here:


Thanks for the reminder, Lori!

jhibbets's picture

Interesting read: Open Healthcare. Or Not. by Mike Milinkovich.

[fixed link]

gunnar's picture
Open Source Evangelist

Jason, thanks for the link! It wasn't working for me, but this one does:


Sortova's picture
Open Minded

Just a note that Medsphere is a cautionary tale for all of us who work in open source.

Not to pimp my blog, but I feel strongly about this, so if you care to read on how the founders of Medsphere lost their company, please visit.

bmehling's picture
Community Member


It is incredibly frustrating for the community to continue to be harassed by your commentary from 2006. Very discouraging for the people who are actually working on these projects.

Your past opinion is valid and justified, but you're talking about events that occurred over 4 years ago. None of the executives involved are with the company any longer, many of the board members are gone. The Shreeves settled years ago, even endorsing the current CEO.

The most important fact here is that the community releases have been numerous, consistent and valuable. We have seen adopters of our technology in the commercial space, within federal agencies, research organizations and foreign countries.

Thank you, Ben

Sortova's picture
Open Minded

Ben - I truly would like to believe your words, but when you say "many of the board members are gone" and everything is rosy now, I have to look at the facts.

When I wrote about this back in 2009, there were seven Board members of Medsphere. Now it appears there are six, five of whom were on the Board in 2009.

That's not "many" in term of turnover.

Please understand that I don't have a problem with you personally, but I am by nature a skeptic and suspicious of people in open source software who tout "community releases". Truly open source projects shouldn't be holding code back and doling it out piecemeal.

How do you respond to Gunnar's comment that "but few (if any) of the contributions from any private-sector VistA communities feed back into the VA VistA project." ?

Prove me wrong. Make this new CA initiative a success. Open source the rest of your code. *Show* me and the rest of the world that Medsphere has truly changed, and I'll be the first to celebrate.

bmehling's picture
Community Member


Your issue seems to be two pronged. (1) you feel Medsphere, the corporation, was wrong for its actions against the founders. A dispute that was settled before you wrote your blog entry. (2) OpenVista, the open source project doesn't constitute a true open source effort (in your past post, you say "It is the prime example of a company using the term “open source” to market proprietary software.").

Again, what happened in mid-2006 is long ago settled by the parties involved. The terms are not known except between the two parties. Steve Shreeve (Scott was not a board member) interviewed the current CEO, publicly endorsed the choice, then settled the lawsuit -- all before the post you linked to... I won't defend either parties actions as it has very little to do with day-to-day management of the company (where I work).

My real frustration is with your opinion of the open source projects. To my knowledge you've never participated in this community, nor have any knowledge of the projects. I can't imagine what you take issue with in regards to the projects or how you can confidently say it's all just marketing.

In regards to Gunnar's comment -- Something that's readily apparent to those who have been involved with open source VistA is that the VA doesn't accept contributions to their software. They never have. Further, they don't even release all their software (let alone design documents, specs, documentation, etc.). I've personally spent 8+ years lobbying them to do so -- many, many others have been saying the same thing.

The recent announcement is the culmination of the community's efforts in pushing for a true open source VistA and the current VA leadership laying the foundation for such a project. In other words, Gunnar's comment is accurate, but not because the community isn't trying to contribute back, it's quite the opposite -- the VA will not accept anything back.

You ask us to "prove you wrong" -- if you looked, I think you'd see that's already been done. If you asked others in the community (WorldVistA, DSS, Hardhats, etc.) I suspect you would hear that many do appreciate the projects we sponsor and knowledge we share (just as we appreciate their efforts and knowledge).

You mention the CA project -- yes, of course we're anxious for the project to kickoff (the RFP hasn't been officially released yet, so we're a ways off). It is a matter of public record that we've participated in a CMU study of the existing community, the IAC report recommending open source as a model, as well as private and public meetings with the VA leadership -- all with this goal in mind.

I do hope you consider my perspective. The frustration is because a group of people's good efforts is being called "marketing" and not open source by someone who doesn't appear to have much knowledge of the projects or even participate in the community.

Sortova's picture
Open Minded

You're right. I am not a member of the Vista open source community. In fact, much of what I know about it I read on this site. I am sorry to even tried comment from my position of woeful ignorance.

Apparently I misunderstood Gunnar, the author of this article. He seemed to indicate that open healthcare is still an ongoing process, with the new CA project a good next step. In my previous comment I was looking toward Medsphere to take a leadership role in that project to insure it was a success, because I have my doubts about Medsphere's motives.

See, I can't seem to let go of what happened to the Shreeves. From my viewpoint, it seems that they started an open source company, open sourced some code, and were promptly sued for it (read Fred Trotter's interview about it).

The founders. Were sued. For publishing open source code.

I have a copy of the lawsuit, which attempted to pursue the Shreeves under RICO (Superior Court of California, Orange County, Case 06CC07475). The Racketeer Influenced and Corrupt Organizations Act enables a court to pretty much take everything from a defendant if found guilty. So if I were in the same position as the Shreeves, I would have settled as well.

Settled does not mean "fairly resolved". You make it sound like their parting was amiable. To me it is a completely different sound. It is a story I think about whenever I think about taking external investment for my own company.

To you, this is water under the bridge. Ignore the man behind the current. Forgive and forget. Everything is different now.

To me it is a cautionary tale for anyone who would chose to follow the open source way.

bmehling's picture
Community Member

Apologies for pointing out that you may want to get to know the participants and projects for whom you're claiming their contributions are merely "marketing".

I appreciate your perspective, I hope you can see mine.

Unidentified's picture

It would be intresting to survey MedSphere customers on their statisfaction with the product sold to them by MedSphere and the support.