The latest articles on DEV Community by Nazmul Huda (@nazmulhd10). https://dev.to/nazmulhd10 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2050688%2Fc2d57611-6c70-4a57-9600-3f172335e7f3.jpg https://dev.to/nazmulhd10 en Nazmul Huda Mon, 15 Jun 2026 04:40:44 +0000 https://dev.to/nazmulhd10/what-production-ready-actually-means-for-healthcare-software-2ei3 https://dev.to/nazmulhd10/what-production-ready-actually-means-for-healthcare-software-2ei3 <p>In most apps, a small bug is an inconvenience. In healthcare software, the<br> same bug can mean a wrong dose, a missed warning, or a bill that's silently<br> off. So before we let BioMedixAI — an AI-native healthcare platform — anywhere<br> near a launch, we spent a full day doing nothing but trying to break it.</p> <p>Here's what that day actually looked like, and the bugs that taught us the most.</p> <h2> 1. Vital-sign thresholds, re-aligned to NEWS2 </h2> <p>Early on, our "normal vs abnormal" vital-sign bands were <em>reasonable</em> but not<br> <em>standard</em>. In clinical software, "reasonable" isn't good enough.</p> <p>We re-aligned every threshold to <strong>NEWS2</strong> (National Early Warning Score) — the<br> scoring system hospitals use worldwide to catch a deteriorating patient early.<br> Pulse, blood pressure, respiratory rate, SpO₂, temperature: each now sits in<br> the exact band that produces the correct early-warning flag.</p> <p>Lesson: in a regulated domain, don't invent your own constants. Find the<br> published standard and match it exactly — then write tests that assert the<br> boundaries (<code>spo2 === 91</code> should escalate, <code>92</code> should not).</p> <h2> 2. Timezones will betray you at midnight </h2> <p>Several of our "per day" features (bed-day billing accrual, daily reports,<br> sequence-number year prefixes) were quietly bucketing by <strong>UTC</strong>. For a<br> facility in UTC+6, that means a day "closes" six hours early — and a bill can<br> land on the wrong calendar day.</p> <p>We moved everything to roll over at each facility's <strong>local</strong> midnight, DST<br> included. The fix isn't hard; <em>noticing</em> it is. The only reliable way we found<br> to catch these is to run the logic with the clock pinned to an awkward time<br> (23:30 local, last day of the month) and watch what bucket the row lands in.</p> <h2> 3. Concurrency: the database is your last line of defense </h2> <p>Two requests admitting the same patient to the same bed at the same millisecond<br> shouldn't both succeed. App-level checks (<code>SELECT then INSERT</code>) lose this race.<br> The fix is a <strong>partial unique index</strong> that lets the DB reject the second write:</p> <blockquote> <p>one bed → at most one ACTIVE admission, enforced in Postgres, not in Node.</p> </blockquote> <p>Application guards are for friendly error messages. The database is for truth.</p> <h2> 4. Access control is correctness, not a feature </h2> <p>Part of the audit was purely adversarial: log in as role X, try to read role Y's<br> data, and confirm we get a hard stop. A few endpoints were returning data they<br> shouldn't have. We also standardized on returning <strong>404, not 403</strong>, for<br> cross-tenant IDs — a 403 quietly confirms the record <em>exists</em>, which is its own<br> small leak.</p> <h2> Takeaway </h2> <p>None of this makes a good screenshot. There's no "we did the security and<br> correctness properly" demo. But this is the work that earns a system the right<br> to stand next to someone's health data.</p> <p>We'd rather be slow and correct than fast and sorry.</p> <p><em>Building BioMedixAI in public. More notes as we go.</em></p> healthtech testing webdev typescript