<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Nazmul Huda</title>
    <description>The latest articles on DEV Community by Nazmul Huda (@nazmulhd10).</description>
    <link>https://dev.to/nazmulhd10</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2050688%2Fc2d57611-6c70-4a57-9600-3f172335e7f3.jpg</url>
      <title>DEV Community: Nazmul Huda</title>
      <link>https://dev.to/nazmulhd10</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/nazmulhd10"/>
    <language>en</language>
    <item>
      <title>Building a 447-system healthcare OS in one codebase — the architecture behind BioMedixAI</title>
      <dc:creator>Nazmul Huda</dc:creator>
      <pubDate>Sun, 28 Jun 2026 04:30:20 +0000</pubDate>
      <link>https://dev.to/nazmulhd10/building-a-447-system-healthcare-os-in-one-codebase-the-architecture-behind-biomedixai-3h46</link>
      <guid>https://dev.to/nazmulhd10/building-a-447-system-healthcare-os-in-one-codebase-the-architecture-behind-biomedixai-3h46</guid>
      <description>&lt;p&gt;It started with a failed ambulance call at 2 AM and turned into a question I couldn't shake: why does every healthcare facility run 8 disconnected tools instead of one nervous system?&lt;/p&gt;

&lt;p&gt;Over the last cycle we shipped BioMedixAI — an AI-native healthcare operating system unifying 447+ management systems on a single multi-tenant platform. Here's the engineering reality behind that sentence.&lt;/p&gt;

&lt;p&gt;The stack&lt;/p&gt;

&lt;p&gt;Backend: NestJS (TypeScript) — 103 modules, 151 Prisma models, 132 migrations&lt;br&gt;
Frontend: Next.js 15 (App Router / RSC), Tailwind + shadcn/ui, PWA-installable&lt;br&gt;
Data: PostgreSQL 16 — shared-schema multi-tenancy, every query scoped by facilityId, with Row-Level-Security as a DB-level backstop&lt;br&gt;
Standards: FHIR R4 (read), HL7 v2 ADT/ORU, ICD-10 with ICD-11 crosswalk, SNOMED + LOINC&lt;br&gt;
Three hard problems we had to solve&lt;/p&gt;

&lt;p&gt;One person, many roles. A doctor who also owns a diagnostic center is one identity with stacked roles — never duplicate accounts. Roles attach to a Person, modules activate per facility.&lt;br&gt;
Cross-facility patient identity. A portable Universal Health ID (UHID) the patient can claim and carry across any facility — their data follows them, not the institution.&lt;br&gt;
Tenant isolation at scale. Application-layer scoping on every query, plus flag-gated Postgres RLS so a bug in one layer can't leak across tenants.&lt;br&gt;
The full series — multi-tenancy patterns, the "modality-aware status set" trick, surgical live-DB migrations without dropping 40 FKs — is coming. Follow along.&lt;/p&gt;

&lt;p&gt;👉 Live platform: &lt;a href="https://www.biomedixai.com/" rel="noopener noreferrer"&gt;https://www.biomedixai.com/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;What's the most fragmented part of healthcare software you've had to integrate? I'd love war stories in the comments.&lt;/p&gt;

</description>
      <category>healthcare</category>
      <category>architecture</category>
      <category>typescript</category>
      <category>ai</category>
    </item>
    <item>
      <title>How do you build one platform for 20+ healthcare verticals across 140 countries?</title>
      <dc:creator>Nazmul Huda</dc:creator>
      <pubDate>Sun, 21 Jun 2026 04:16:42 +0000</pubDate>
      <link>https://dev.to/nazmulhd10/how-do-you-build-one-platform-for-20-healthcare-verticals-across-140-countries-3pg7</link>
      <guid>https://dev.to/nazmulhd10/how-do-you-build-one-platform-for-20-healthcare-verticals-across-140-countries-3pg7</guid>
      <description>&lt;p&gt;We just made BioMedixAI launch-ready: a single platform covering doctors,&lt;br&gt;
hospitals, diagnostics, pharmacies, ambulance, OT, ICU/CCU/NICU, blood bank,&lt;br&gt;
telemedicine, teleradiology, HR, accounting and more — designed to run in 140&lt;br&gt;
countries at once.&lt;/p&gt;

&lt;p&gt;That sentence hides a lot of hard architecture decisions. A few we made early:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Shared-schema multi-tenancy&lt;/strong&gt; scoped by &lt;code&gt;facilityId&lt;/code&gt; on every query — one
codebase, many facilities, isolation enforced at the data layer.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Country &amp;amp; facility as first-class config&lt;/strong&gt;, not hardcoded assumptions:
currency, timezone, locale, phone/NID/license formats all resolve per
facility — so "go live in another country" is data, not a rewrite.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Per-facility local time everywhere&lt;/strong&gt; — billing accruals, daily reports and
sequence numbers roll over at each facility's local midnight (DST included),
never UTC.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Additive-only schema discipline&lt;/strong&gt; — every new vertical ships as new tables,
never breaking the ones already in production.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Building broad &lt;em&gt;and&lt;/em&gt; correct at the same time is the real challenge. More&lt;br&gt;
engineering notes to come.&lt;/p&gt;

</description>
      <category>architecture</category>
      <category>multitenancy</category>
      <category>healthtech</category>
      <category>webdev</category>
    </item>
    <item>
      <title>What "production-ready" actually means for healthcare software</title>
      <dc:creator>Nazmul Huda</dc:creator>
      <pubDate>Mon, 15 Jun 2026 04:40:44 +0000</pubDate>
      <link>https://dev.to/nazmulhd10/what-production-ready-actually-means-for-healthcare-software-2ei3</link>
      <guid>https://dev.to/nazmulhd10/what-production-ready-actually-means-for-healthcare-software-2ei3</guid>
      <description>&lt;p&gt;In most apps, a small bug is an inconvenience. In healthcare software, the&lt;br&gt;
same bug can mean a wrong dose, a missed warning, or a bill that's silently&lt;br&gt;
off. So before we let BioMedixAI — an AI-native healthcare platform — anywhere&lt;br&gt;
near a launch, we spent a full day doing nothing but trying to break it.&lt;/p&gt;

&lt;p&gt;Here's what that day actually looked like, and the bugs that taught us the most.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Vital-sign thresholds, re-aligned to NEWS2
&lt;/h2&gt;

&lt;p&gt;Early on, our "normal vs abnormal" vital-sign bands were &lt;em&gt;reasonable&lt;/em&gt; but not&lt;br&gt;
&lt;em&gt;standard&lt;/em&gt;. In clinical software, "reasonable" isn't good enough.&lt;/p&gt;

&lt;p&gt;We re-aligned every threshold to &lt;strong&gt;NEWS2&lt;/strong&gt; (National Early Warning Score) — the&lt;br&gt;
scoring system hospitals use worldwide to catch a deteriorating patient early.&lt;br&gt;
Pulse, blood pressure, respiratory rate, SpO₂, temperature: each now sits in&lt;br&gt;
the exact band that produces the correct early-warning flag.&lt;/p&gt;

&lt;p&gt;Lesson: in a regulated domain, don't invent your own constants. Find the&lt;br&gt;
published standard and match it exactly — then write tests that assert the&lt;br&gt;
boundaries (&lt;code&gt;spo2 === 91&lt;/code&gt; should escalate, &lt;code&gt;92&lt;/code&gt; should not).&lt;/p&gt;

&lt;h2&gt;
  
  
  2. Timezones will betray you at midnight
&lt;/h2&gt;

&lt;p&gt;Several of our "per day" features (bed-day billing accrual, daily reports,&lt;br&gt;
sequence-number year prefixes) were quietly bucketing by &lt;strong&gt;UTC&lt;/strong&gt;. For a&lt;br&gt;
facility in UTC+6, that means a day "closes" six hours early — and a bill can&lt;br&gt;
land on the wrong calendar day.&lt;/p&gt;

&lt;p&gt;We moved everything to roll over at each facility's &lt;strong&gt;local&lt;/strong&gt; midnight, DST&lt;br&gt;
included. The fix isn't hard; &lt;em&gt;noticing&lt;/em&gt; it is. The only reliable way we found&lt;br&gt;
to catch these is to run the logic with the clock pinned to an awkward time&lt;br&gt;
(23:30 local, last day of the month) and watch what bucket the row lands in.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Concurrency: the database is your last line of defense
&lt;/h2&gt;

&lt;p&gt;Two requests admitting the same patient to the same bed at the same millisecond&lt;br&gt;
shouldn't both succeed. App-level checks (&lt;code&gt;SELECT then INSERT&lt;/code&gt;) lose this race.&lt;br&gt;
The fix is a &lt;strong&gt;partial unique index&lt;/strong&gt; that lets the DB reject the second write:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;one bed → at most one ACTIVE admission, enforced in Postgres, not in Node.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Application guards are for friendly error messages. The database is for truth.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. Access control is correctness, not a feature
&lt;/h2&gt;

&lt;p&gt;Part of the audit was purely adversarial: log in as role X, try to read role Y's&lt;br&gt;
data, and confirm we get a hard stop. A few endpoints were returning data they&lt;br&gt;
shouldn't have. We also standardized on returning &lt;strong&gt;404, not 403&lt;/strong&gt;, for&lt;br&gt;
cross-tenant IDs — a 403 quietly confirms the record &lt;em&gt;exists&lt;/em&gt;, which is its own&lt;br&gt;
small leak.&lt;/p&gt;

&lt;h2&gt;
  
  
  Takeaway
&lt;/h2&gt;

&lt;p&gt;None of this makes a good screenshot. There's no "we did the security and&lt;br&gt;
correctness properly" demo. But this is the work that earns a system the right&lt;br&gt;
to stand next to someone's health data.&lt;/p&gt;

&lt;p&gt;We'd rather be slow and correct than fast and sorry.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Building BioMedixAI in public. More notes as we go.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>healthtech</category>
      <category>testing</category>
      <category>webdev</category>
      <category>typescript</category>
    </item>
  </channel>
</rss>
