
The National Quality Forum (NQF) is a not-for-profit membership organization created to develop and implement a national strategy for health care quality measurement and reporting.
One of NQF's more important activities has been to identify what are called medical Never Events, which are defined as "adverse events that are serious, largely preventable, and of concern to both the public and healthcare providers for the purpose of public accountability."
NQF has defined 28 never events, such as:
* Unintended retention of a foreign object in a patient after surgery or other procedure
* Patient death or serious disability associated with a medication error (e.g., errors involving the wrong drug, wrong dose, wrong patient, wrong time, wrong rate, wrong preparation or wrong route of administration)
* Patient death or serious disability associated with a fall while being cared for in a healthcare facility
* Surgery performed on the wrong body part
* Surgery performed on the wrong patient
This past year, Medicare in the US stopped reimbursing healthcare facilities, hospitals and doctors for a number of these never events, and some larger insurance providers are now doing the same.
I bring never events up because I have been privately advocating for something similar for a number of years in regard to software. I haven't made much headway because it was hard to get agreement from colleagues in academia or in industry on what was a "Software Never Event."
Maybe there is a ray of hope in this regard.
Earlier this week, a coalition of more than 30 US and international cyber security organizations, led by MITRE and the SANS Institute, "jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime."
The full list of those making up the coalition can be found here.
As noted by the press release on the Top 25 Errors Initiative (as it is being called):
"The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The release also notes that, "most of these [25] errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale."
There are three categories of errors defined:
* Insecure Interaction Between Components (9 errors)
* Risky Resource Management (9 errors)
* Porous Defenses (7 errors)
The complete list of the 25 errors can be found here.
The IT community should rally around these 25 errors and deem them our never events. And the government - and private enterprise - should start to refuse to pay for software that contains them. Some of the programming errors listed are in the same league as a doctor removing the wrong limb.
I also urge the standards bodies, IEEE and ISO at the very least, to create a new IT standard defining software never events that go beyond security issues alone.
It is long past time that the IT industry takes some responsibility for the known, unnecessary and preventable risks and problems it creates.