Shifting left and DOWN: Healthcare by design and by default
Read (or skip) to the end for a description of the highlighted online event featuring representatives from the US FDA, healthcare service providers and technology innovators on the topic of Good Machine Learning Practices.
This post proposes a second Dev/DevOps axis, UP/Down, that would be “perpendicular” to the ever-so-popular left/right axis. Also included is an invitation to what I think will be a thought-provoking (and related) online event hosted by the Connected Health Initiative (CHI).
Why a “vertical” axis for AppDev and DevSecOps?
Put simply, I think there’s an argument to be made that vertically-centered changes to dev and devops mindset and processes (akin to those stemming from shifting left) will help essential verticals like healthcare safely and efficiently continue to innovate on transformative technologies like machine learning and IoT. Shifting left on its own, while important, does not guarantee the kind of agility required.
“Shifting left” is about moving development processes (like testing and in particular security testing) earlier in the development lifecycle to as close to the developers as possible. Shifting left is a big deal because it represents both a change in process and also a shift in mindset.
“Security by design” is a flavor of shift left that integrates security considerations into software development practices, infrastructure design, controls, and compliance efforts. “By design” connotes a shift to the far left and, as such, also requires process changes and a shift in mindset.
The issue at hand is that, even as organizations strive to interpret and embrace these fundamental shifts in how technology is built and managed, regulatory and legislative bodies are pushing ahead and encoding these concepts inside increasingly technology-aware and prescriptive regulations and obligations. GDPR Article 25 calls for data protection by design and by default, The PCI Council, NIST, and OWASP each stress the importance of incorporating security and privacy by design. The more sensitive the domain, the more visible and urgent these kinds of adjustments become.
General purpose standards and guidelines are important, but they cannot help but fall short as the stakes get higher and higher because general purpose frameworks are what they purport to be - general. Healthcare, financial services, power grids, automobiles, and medical devices (to name just a few) each come with material and substantial added risks, requirements, and liabilities. These vertical industries are not one-off applications nor are they even aligned with one another – they each come fully loaded with their own cadre of technical, societal, ethical, and commercial concerns.
This is no revelation to vertical stakeholders who have appreciated these issues for a very long time. See ISO IEC/DES 62304.2, an ISO standard that specifies life cycle requirements for the development of medical software and software within medical devices. Industry standards like 62304 are developed and positioned as discrete layers on top of general-purpose standards. The committees take what they are given in the underlying frameworks and then work diligently to bridge what are often substantial gaps between the general frameworks and their specialized vertical priorities (keeping in mind that medical device stakeholders have different concerns than their financial services counterparts).
The problem with this traditional “discreet layer” mindset and the subsequent processes that follow – and why a Up Down axis helps – is that when transformational technologies like machine learning come along, general-purpose and vertical frameworks are forced to work in parallel rather than together - increasing the potential for unnecessary delays and hampering innovation.
Your Invitation: Hear from the FDA, healthcare providers, and technologists
A real-world example of both the challenges and the opportunities presented here are being navigated in real-time as the FDA is working to accommodate machine learning’s increasingly important role in medical device development and innovation.
On 10/6/2020 2PM ET, the Connected Health Initiative (CHI) will be hosting a “fireside chat” with Bakul Patel, Director, Digital Health Center of Excellence - US FDA, followed by a panel that will include Morgan Reed (CHI), Brian Scarpelli (CHI), Christina Silcox Duke Margolis Center for Health Policy, Mark Liber Kaia Health, and yours truly (me).
You can have a front row seat by registering here for Connected Health Initiative Good Machine Learning Practices Discussion & Feedback Session
Wait, there’s more! As a part of this event, the CHI will be releasing a draft of CHI’s good machine learning practices (GMLPs). GMLPs are intended to serve as a baseline development and governance resource for the FDA, and other governmental and non-governmental stakeholders. As a draft, you will also have an opportunity to provide feedback on the GMLPs before the final version is released to the public.
I think CHI’s work here is important as it strives to bridge the gap between patients, practitioners, regulators, and innovators and a part of that work, in my opinion, will be finding ways to shift down – to push medical device priorities deeper into core, general purpose quality and development lifecycles (even as we also shift left). I hope to see you there.