{"slug": "what-production-ready-actually-means-for-healthcare-software", "title": "What \"production-ready\" actually means for healthcare software", "summary": "BioMedixAI, an AI-native healthcare platform, underwent a full-day adversarial audit to ensure production readiness. The team aligned vital-sign thresholds with the NEWS2 standard, fixed timezone issues by using local midnight, and implemented database-level constraints to prevent race conditions. They also hardened security by returning 404 instead of 403 for cross-tenant IDs.", "body_md": "In most apps, a small bug is an inconvenience. In healthcare software, the same bug can mean a wrong dose, a missed warning, or a bill that's silently off. So before we let BioMedixAI — an AI-native healthcare platform — anywhere near a launch, we spent a full day doing nothing but trying to break it.\n\nHere's what that day actually looked like, and the bugs that taught us the most.\n\nEarly on, our \"normal vs abnormal\" vital-sign bands were *reasonable* but not *standard*. In clinical software, \"reasonable\" isn't good enough.\n\nWe re-aligned every threshold to **NEWS2** (National Early Warning Score) — the scoring system hospitals use worldwide to catch a deteriorating patient early. Pulse, blood pressure, respiratory rate, SpO₂, temperature: each now sits in the exact band that produces the correct early-warning flag.\n\nLesson: in a regulated domain, don't invent your own constants. Find the published standard and match it exactly — then write tests that assert the boundaries (`spo2 === 91` should escalate, `92` should not).\n\nSeveral of our \"per day\" features (bed-day billing accrual, daily reports, sequence-number year prefixes) were quietly bucketing by **UTC**. For a facility in UTC+6, that means a day \"closes\" six hours early — and a bill can land on the wrong calendar day.\n\nWe moved everything to roll over at each facility's **local** midnight, DST included. The fix isn't hard; *noticing* it is. The only reliable way we found to catch these is to run the logic with the clock pinned to an awkward time (23:30 local, last day of the month) and watch what bucket the row lands in.\n\nTwo requests admitting the same patient to the same bed at the same millisecond shouldn't both succeed. App-level checks (`SELECT then INSERT`) lose this race.\n\nThe fix is a **partial unique index** that lets the DB reject the second write: one bed → at most one ACTIVE admission, enforced in Postgres, not in Node.\n\nApplication guards are for friendly error messages. The database is for truth.\n\nPart of the audit was purely adversarial: log in as role X, try to read role Y's data, and confirm we get a hard stop. A few endpoints were returning data they shouldn't have. We also standardized on returning **404, not 403**, for cross-tenant IDs — a 403 quietly confirms the record *exists*, which is its own small leak.\n\nNone of this makes a good screenshot. There's no \"we did the security and correctness properly\" demo. But this is the work that earns a system the right to stand next to someone's health data.\n\nWe'd rather be slow and correct than fast and sorry.\n\n*Building BioMedixAI in public. More notes as we go.*", "url": "https://wpnews.pro/news/what-production-ready-actually-means-for-healthcare-software", "canonical_source": "https://dev.to/nazmulhd10/what-production-ready-actually-means-for-healthcare-software-2ei3", "published_at": "2026-06-15 04:40:44+00:00", "updated_at": "2026-06-15 05:11:21.043632+00:00", "lang": "en", "topics": ["ai-products", "ai-safety", "developer-tools"], "entities": ["BioMedixAI", "NEWS2", "Postgres", "Node"], "alternates": {"html": "https://wpnews.pro/news/what-production-ready-actually-means-for-healthcare-software", "markdown": "https://wpnews.pro/news/what-production-ready-actually-means-for-healthcare-software.md", "text": "https://wpnews.pro/news/what-production-ready-actually-means-for-healthcare-software.txt", "jsonld": "https://wpnews.pro/news/what-production-ready-actually-means-for-healthcare-software.jsonld"}}