
Showing posts with label Data security.

Wednesday, November 21, 2012

Ethical hacking to prevent health records held for ransom




A hacking story with a different angle caught the interest of our privacy and security group. In this case the intruder did not break into a system to cause chaos and destruction, but to hold a huge store of health records and personal health information for ransom.



Hacker holds patient health information for ransom

A Virginia hacker is asking for $10 million in exchange for the safe return of the personal health and prescription drug information of 8.3 million patients, HealthLeaders Media reported on May 5.

The hacker allegedly stole the information from the Virginia Prescription Monitoring Program’s (VPMP) Web site, which tracks prescription drug abuse and contains 35.5 million prescriptions in addition to enrollees’ personal information, including names, social security numbers, and addresses.

The hacker, who replaced the VPMP site with a ransom note, claims to have deleted the original back-up file for the information and created a new password-protected back-up file.

The VPMP site and the Virginia Department of Health Professions site are both temporarily disabled and the incident is under federal investigation.

This is when I realized that healthcare institutions need certified ethical hackers: the "white hat" hackers, who follow a code of ethics, know how to find the flaws in system security, and work to keep the "black hat" hackers out. In fact, one person in our group who works in healthcare said, "Oh, we do that." It is good to know there are ethical hackers in healthcare. One of my earlier posts on this blog was about a computer security expert who hacked his way into an insulin pump, which fortunately was his own.

The White Hat Ethical Hacker Code of Ethics:

This CODE OF ETHICS expresses the consensus of the profession on ethical issues and is a means to educate both the public and those who are entering the field about the ethical obligations of all e-commerce consultants. By joining EC-Council each member agrees to:

Privacy: Keep private any confidential information gained in her/his professional work (in particular as it pertains to client lists and client personal information). Not collect, give, sell, or transfer any personal information (such as name, e-mail address, Social Security number, or other unique identifier) to a third party without client prior consent.
Intellectual Property: Protect the intellectual property of others by relying on her/his own innovation and efforts, thus ensuring that all benefits vest with its originator.
Disclosure: Disclose to appropriate persons or authorities potential dangers to any e-commerce clients, the Internet community, or the public, that she/he reasonably believes to be associated with a particular set or type of electronic transactions or related software or hardware.
Areas of Expertise: Provide service in their areas of competence, being honest and forthright about any limitations of her/his experience and education. Ensure that she/he is qualified for any project on which he/she works or proposes to work by an appropriate combination of education, training, and experience.
Unauthorized Usage: Never knowingly use software or process that is obtained or retained either illegally or unethically.
Illegal Activities: Not engage in deceptive financial practices such as bribery, double billing, or other improper financial practices.
Authorization: Use the property of a client or employer only in ways properly authorized, and with the owner's knowledge and consent.
Disclosure: Disclose to all concerned parties those conflicts of interest that cannot reasonably be avoided or escaped.
Management: Ensure good management for any project he/she leads, including effective procedures for promotion of quality and full disclosure of risk.
Knowledge Sharing: Add to the knowledge of the e-commerce profession by constant study, share the lessons of her/his experience with fellow EC-Council members, and promote public awareness of benefits of electronic commerce.
Confidence: Conduct herself/himself in the most ethical and competent manner when soliciting professional service or seeking employment, thus meriting confidence in her/his knowledge and integrity.
Extreme Care: Ensure ethical conduct and professional care at all times on all professional assignments without prejudice.
Malicious Activities: Not associate with malicious hackers nor engage in any malicious activities.
No Compromise: Not purposefully compromise or cause to be compromised the client organization's systems in the course of your professional dealings.
Legal Limits: Ensure all penetration testing activities are authorized and within legal limits.
Involvement: Not partake in any black hat activity or be associated with any black hat community that serves to endanger networks.
Underground Communities: Not be part of any underground hacking community for purposes of preaching and expanding black hat activities.

Monday, September 24, 2012

Quantum Computing and eHealth

If you want a glimpse of the future, subscribing to IEET is probably the best way to go, though I think many writers tend to be overly optimistic. This article on Quantum Computing and the future of health in 20 years might be one such, but who knows. I didn't know that a Canadian company, D-Wave, developed the first commercial QC machine. Their website has an interesting article on how QC programming is different from regular programming, which reminds me a little of Bell's theorem.


Quantum Computers: Headband Telepathy, Medical Advances, and more!


Dick Pelletier
Positive Futurist

Posted: Sep 22, 2012
Quick: without grabbing your cell phone, tablet or PC, when did Earth population reach 7 billion? In the near future, the answer might be immediately whispered into your ear, “October 31, 2011.”
Any query you can think of will soon be answered with a headband that gathers data from the Internet and feeds it directly into your brain, say Peter Schwartz and Rita Koselka in this Fortune Magazine article
Stuart Wolf, Nanostar director at University of Virginia predicts an even more Earth-shaking change. Within 20 years, he says, instead of cell phone conversations, we will have “network-enabled telepathy;” communicating directly to another person’s headband, using just our thoughts.   
Recognizing thoughts instead of ‘voice-speak’ may be confusing at first, experts say, but with training, “thought-talking” could one day become the preferred way for humans to communicate with each other.   
How do quantum computers think? This 5-minute video explains. The world's first QC, D-Wave One, was made and sold by D-Wave Systems to Lockheed Martin, to solve security issues. The 7-minute video below offers more details on this groundbreaking project:
QCs will accelerate advances in medical technologies. In a paper published recently in Nature Scientific Reports, Harvard researcher Alan Aspuru-Guzik presented results of the largest protein folding problem solved to date using a quantum computer. QCs will accelerate advances in many areas of life sciences, including drug and vaccine design, Aspuru-Guzik says.   
The following scenario imagines what life could be like in tomorrow’s quantum computer future:   
“It’s the year 2030, and as I glance around my bedroom, I feel secure knowing that microscopic sensors embedded throughout the house constantly monitor my breathing, heart rate, brain activity and other vital health issues. For example, blood extracted last night by the bathroom sink checked for free-radicals and precancerous cells, and then ordered all the necessary preventative drugs from the home nano-replicator. 
As I step into the shower, wall tiles display the day’s top headlines: ‘Mars mission launches ahead of schedule;’ ‘Military drones destroy another terrorist training camp using ‘smart dust;’ and ‘today is the 20th anniversary of the first quantum computer.’
Glancing in the mirror, I find it hard to believe that I will celebrate my 100th birthday later this year. Having recently opted for total body rejuvenation, my reflection displays the image of a healthy twenty-something, with wrinkle-free skin, perfect sight, original hair color, strong muscles and bones; and an enhanced brain that, although it took some getting used to, has greatly increased my intelligence.
Getting ready to fly to a conference, my auto-drive electric car rolls its top down on this warm day. I manually drive to the electronic roadway on-ramp, and then relinquish the wheel to the vehicle. Arriving at the airport, my ‘smart’ car drops me off at the terminal, and then returns home. An ‘intelligent cam’ scans my mind and gives an instant approval, no waiting for ticket-check or security.
While boarding the plane, I see a familiar face. My headband immediately flashes his identity data and displays it on my eyes. Dr. Jones, I call out. It’s so nice to see you again. How was the conference? Only a slight flicker of Jones’ eyes betrays that he is Googling my details too. Hi Dick; the conference was great; and congratulations on your Estonia presentation.”
Welcome to the future! Headbands, because they can access all of the information on the Internet, enable us to think of any issue, then immediately receive data pertinent to that issue in our eyes or ears.
In another application for the technology, the necessity to learn languages would disappear. This would allow more friendships to develop; and if the devices were cheap enough, which experts claim will be a certainty with nano-replicators expected in this future time, headbands would be affordable for everyone.
These techno-wonders hold great promise to improve relationships. No more forgetting names and details, plus increased intimacy generated by thought-talking could bring people around the world closer together, creating a Global Village; a society acting as one voice to advance peace. Comments welcome.

Dick Pelletier is a weekly columnist who writes about future science and technologies for numerous publications. He's also appeared on various TV shows, and he blogs at Positive Futurist.

Sunday, May 27, 2012

Hacking an insulin pump - no good unless it is your own

www.kslaw.com/library/publication/HH051412_Bulletin.pdf

Here is another reason why separate channels for health data are a good idea, if we can only get the encryption right. A man was able to hack into an insulin pump and turn it off. Mind you, the hacker was just doing a demo and was a computer security expert as well as a diabetic:

During an August 2011 Black Hat conference, a security researcher demonstrated how an outside actor can shut off or alter the settings of an insulin pump without the user's knowledge. The demonstration was given to show the audience that the pump's cyber vulnerabilities could lead to severe consequences. The researcher that provided the demonstration is a diabetic and personally aware of the implications of this activity. The researcher also found that a malicious actor can eavesdrop on a continuous glucose monitor's (CGM) transmission by using an oscilloscope, but device settings could not be reprogrammed. The researcher acknowledged that he was not able to completely assume remote control or modify the programming of the CGM, but he was able to disrupt and jam the device.
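The bulletin above describes the failure mode, a pump that acts on any command it hears over the air, but not what "getting the encryption right" would look like. The following is an added illustration, not code from the bulletin, the researcher, or any pump vendor: a toy pump that accepts bare command frames beside one that requires an HMAC over the command and a strictly increasing counter. The frame layout, command codes and pairing key are assumptions made up for the example.

```python
import hmac
import hashlib
import struct

# Assumed: a 16-byte secret shared between controller and pump at pairing time.
# The key, command codes and frame layout are constructed for this example and
# are not the protocol of any real device.
PAIRING_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CMD_SET_BASAL = 0x01   # argument: units/hour x 100
CMD_SUSPEND = 0x02     # argument ignored
TAG_LEN = 32           # HMAC-SHA256 output length


class NaivePump:
    """Acts on any well-formed frame it hears: anyone with a radio is a controller."""

    def __init__(self):
        self.running = True
        self.basal_rate = 1.0

    def handle(self, frame: bytes) -> bool:
        if len(frame) < 3:
            return False
        cmd, arg = struct.unpack(">BH", frame[:3])
        return self._apply(cmd, arg)

    def _apply(self, cmd: int, arg: int) -> bool:
        if cmd == CMD_SUSPEND:
            self.running = False
        elif cmd == CMD_SET_BASAL:
            self.basal_rate = arg / 100
        else:
            return False
        return True


class AuthenticatedPump(NaivePump):
    """Same pump, but a frame must carry a valid HMAC over (cmd, arg, counter) and
    a counter higher than the last one accepted. The tag stops forgery by anyone
    without the pairing key; the counter stops replay of a captured legitimate frame."""

    def __init__(self, key: bytes):
        super().__init__()
        self.key = key
        self.last_counter = 0

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 7 + TAG_LEN:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False
        cmd, arg, counter = struct.unpack(">BHI", body)
        if counter <= self.last_counter:              # replayed or stale frame
            return False
        self.last_counter = counter
        return self._apply(cmd, arg)


def build_frame(cmd: int, arg: int, counter: int = 0, key: bytes = b"") -> bytes:
    """Controller side. With no key it emits the bare 3-byte frame the naive pump accepts."""
    if not key:
        return struct.pack(">BH", cmd, arg)
    body = struct.pack(">BHI", cmd, arg, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo() -> dict:
    naive = NaivePump()
    naive_accepted = naive.handle(build_frame(CMD_SUSPEND, 0))   # attacker, no key

    pump = AuthenticatedPump(PAIRING_KEY)
    legit = build_frame(CMD_SET_BASAL, 80, counter=1, key=PAIRING_KEY)
    legit_ok = pump.handle(legit)
    replay_ok = pump.handle(legit)                                # same frame, captured and resent
    forged_ok = pump.handle(build_frame(CMD_SUSPEND, 0, counter=2, key=b"guess"))
    return {
        "naive_accepted": naive_accepted, "naive_running": naive.running,
        "legit_ok": legit_ok, "replay_ok": replay_ok, "forged_ok": forged_ok,
        "basal_rate": pump.basal_rate, "still_running": pump.running,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. Authentication of commands defeats the forged "suspend" and the replayed frame, but it does nothing against the jamming the bulletin also mentions; availability has to be handled by a safe behaviour when the link is lost. And a keyed MAC moves the problem to key provisioning and storage on a small embedded device, which is where much of the real engineering effort goes.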

Thursday, May 3, 2012

Universal Health IDs?

This is a brilliant article by John Moehrke on his healthcare privacy and security blog. It made me wonder whether the Ontario health card ID could be used more universally. I learned a few years ago that the health card number was ruled available for health record identification. If anyone can confirm that, please let me know.

Sunday, April 29, 2012

White Coat Black Art eHealth

I saw Dr. Brian Goldman give a keynote address at eHealth 2011 in Toronto. I missed getting a signed copy of his book, The Night Shift, but I took it out of the library later that week and enjoyed reading it. His CBC radio program, White Coat Black Art, is excellent. I remember him saying at the conference that his pet peeve about ehealth technologies was too many usernames and passwords. After all, he is an ER doctor, where every second counts, so having to remember dozens of usernames and passwords under time pressure would be frustrating. I don't know a solution offhand. I know there is OpenID, but from my limited experience with hospital IT systems and their privacy and security requirements, I can't see them using it. There does have to be more privacy by design put into systems, for security reasons, but designers also need to think about patient safety, and I would argue that usernames and passwords are possibly an encumbrance to that in the ER.

Thursday, March 15, 2012

Embedding Privacy into the Design of EHRs to Enable Multiple Functionalities

I like to follow the Information & Privacy Commissioner of Ontario for its insights into leading-edge healthcare technology, of course in the context of privacy and security. The topic of this paper, co-written with the Infoway President, is quite good. What struck me in the article was the reference to "Big Data". Is this going to become a common way of describing research using regression analysis and evidence-based medicine? "Big Data" goes far beyond just healthcare: http://www.ipc.on.ca/images/Resources/pbd-ehr-e.pdf
"As we move into an era of “Big Data,” PbD offers a holistic, proactive approach to privacy protection that can help to anticipate and address the “big harms” to privacy that are a foreseeable danger of Big Data. At the same time, PbD recognizes and aims to facilitate the benefits of harnessing Big Data for socially useful applications. In the context of designing and implementing EHR systems, PbD seeks to protect the privacy of individuals whose personal health information is contained in EHRs while enabling multiple goals – privacy and security, individual and societal benefits, confidentiality and data quality. In this way, PbD facilitates access to health information for secondary purposes while at the same time protecting the privacy and confidentiality of health information held in the EHR. This is accomplished by embedding privacy and security directly into EHR systems, through the routine de-identification of personal health information for secondary purposes, end-to-end security, and other mechanisms discussed elsewhere in this paper. PbD offers a means of elevating privacy in the Big Data world to an effective countervailing force that we are calling “Big Privacy” – a method of ensuring that privacy is embedded as a first consideration in all Big Data transactions. Consistent with PbD, the Pan-Canadian Health Information Privacy Group proactively considered the privacy implications of secondary use in its paper outlining general principles for information governance in the EHR environment."
http://www.ipc.on.ca/english/Home-Page/
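The paper quoted above names "routine de-identification of personal health information for secondary purposes" as one of the mechanisms, without showing what that involves in practice. The following is an added example, not code from the IPC paper or from Infoway: it pseudonymizes a health card number with a keyed hash held by the custodian, generalizes date of birth and postal code, and measures the k-anonymity of the result. It also shows why an unkeyed hash of a health card number is not a pseudonym. The records, the key and the field names are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter
from datetime import date

# Assumed: a per-project secret kept by the data custodian and never shipped
# with the de-identified data set. Constructed for this example.
PSEUDONYM_KEY = b"custodian-secret-for-project-42"

# Constructed sample records; health card numbers (hcn) and postal codes are made up.
RECORDS = [
    {"hcn": "1234567890", "dob": "1957-03-14", "postal": "L8S 4L8", "sex": "F", "dx": "E11.9"},
    {"hcn": "1234567890", "dob": "1957-03-14", "postal": "L8S 4L8", "sex": "F", "dx": "I10"},
    {"hcn": "2345678901", "dob": "1959-11-02", "postal": "L8S 1A1", "sex": "F", "dx": "E11.9"},
    {"hcn": "3456789012", "dob": "1986-07-21", "postal": "M5V 2T6", "sex": "M", "dx": "J45.909"},
]


def pseudonym(hcn: str, key: bytes) -> str:
    """Keyed, deterministic token: the same patient maps to the same token within a
    project, so records stay linkable, but nobody without the key can compute it
    and therefore nobody can recover the number by guessing candidates."""
    return hmac.new(key, hcn.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, ref: date, width: int = 5) -> str:
    """Replace an exact date of birth with a 5-year age band as of the reference date."""
    y, m, d = map(int, dob.split("-"))
    age = ref.year - y - ((ref.month, ref.day) < (m, d))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def deidentify(records: list, key: bytes, ref: date) -> list:
    """Direct identifiers are replaced by a pseudonym; quasi-identifiers are generalized."""
    return [
        {
            "pid": pseudonym(r["hcn"], key),
            "age_band": age_band(r["dob"], ref),
            "fsa": r["postal"][:3],          # forward sortation area only, not the full code
            "sex": r["sex"],
            "dx": r["dx"],
        }
        for r in records
    ]


def k_anonymity(rows: list, quasi: tuple = ("age_band", "fsa", "sex")) -> int:
    """Smallest number of rows sharing one combination of quasi-identifiers.
    A result of 1 means at least one row is unique on those fields."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values())


def unkeyed_hash_is_guessable(hcn: str, candidates: list) -> list:
    """Why plain SHA-256 is not a pseudonym: a 10-digit number space is small enough
    to enumerate, so anyone holding the digest and a candidate list recovers the number."""
    target = hashlib.sha256(hcn.encode()).hexdigest()
    return [c for c in candidates if hashlib.sha256(c.encode()).hexdigest() == target]


if __name__ == "__main__":
    released = deidentify(RECORDS, PSEUDONYM_KEY, date(2012, 3, 15))
    for row in released:
        print(row)
    print("k =", k_anonymity(released))
    print("unkeyed hash recovered:", unkeyed_hash_is_guessable("1234567890", ["0000000000", "1234567890"]))
```

The k-anonymity check is the part people skip: on the constructed sample the result is k = 1, meaning the generalization alone still leaves rows that are unique on age band, area and sex, so a release at this level would need coarser bands, suppression, or a larger population behind it. The keyed pseudonym is only as private as the custodian's key handling; if the key is released alongside the data, it is an unkeyed hash again.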