
Showing posts with label security. Show all posts

Tuesday, October 3, 2017

Blockchain & eHealth: Towards Provable Privacy & Security in Data intensive Health Research




CALL FOR ABSTRACTS 
------------------ 

The First Workshop on "Blockchain & eHealth: Towards Provable Privacy & Security in Data intensive Health Research" will be held on: 

November 7, 2017, Markham (Greater Toronto area), Ontario 
https://www-01.ibm.com/ibm/cas/cascon/workshop.jsp 

The workshop is co-located with CASCON 2017: The Cognitive Era: Data, Systems and Society conference 
https://www-01.ibm.com/ibm/cas/cascon/ 

The registration for the conference and its workshops is free. 

The goal of this workshop is to bring together security, privacy and eHealth experts from academia, healthcare institutions, industry and public policy to focus on the challenges and opportunities of developing a blockchain-enabled infrastructure that promotes trust between different stakeholders in health research and enables a provable privacy-aware path to real-time access to patients' data.

We invite interested researchers to submit an abstract (limit of 500 words) reporting the state of their research relevant to the workshop objectives. Accepted abstract submissions will be invited to present in the workshop. Both research and application papers are solicited.  The submitted abstracts will be reviewed on the basis of technical quality, relevance, significance and clarity. We particularly encourage PhD students in the early stage of their research on blockchain and R&D managers who are planning the application of blockchain technology to submit an abstract to this workshop. 

Topics of this workshop include (but are not limited to) the following:

• Decentralized platforms for health information exchange 
• Public vs. private Blockchain for health research 
• Access control, anonymity and privacy issues among blockchain participants 
• Blockchain scalability issues and their solutions
• Blockchain threat models, attacks, defenses and countermeasures 
• Network forensics in Blockchain 
• Blockchain trust verification models 
• Legal, ethical, and societal aspects of using blockchain in health research 
• Case studies (for adoption, attacks, etc.) 


WORKSHOP CHAIRS: 
- Reza Samavi, Department of Computing and Software, eHealth Program, McMaster University, Hamilton, Canada 
- Thomas Doyle, Department of Electrical and Computer Engineering, eHealth Program, McMaster University, Hamilton, Canada 
- Thodoros Topaloglou, Scarborough and Rouge Hospital, Toronto, Canada 

DEADLINES: 
- Oct. 23, 2017 Submission Deadline 
- Oct. 30, 2017 Acceptance Notification 
- Nov.   7, 2017 Presentation 

SUBMISSION: 
Please send your submissions, inquiries and correspondence on this workshop to (email to: samavir@mcmaster.ca) with the subject starting with "Workshop on Blockchain & eHealth:" 

Thursday, October 2, 2014

National Institutes of Health Informatics - Education Series Fall 2014

National Institutes of Health Informatics

Announcing eSafety Series: Ensuring the Safety of our eHealth Systems and Programs

November 19 & 26, 2014
Live, Interactive, Online Sessions - 12:00 - 1:30 PM ET
A Joint COACH and NIHI Program

Special Rates for COACH Members and NIHI Colleagues
Patient safety has become a major concern in health care. Key Institute of Medicine and Canadian reports, starting as early as 1999, underscore the importance of being safety conscious and proactive in identifying safety risks in healthcare. Today’s eHealth systems are increasingly important in enabling improvements in patient safety, but they can also inadvertently introduce new risks into the healthcare environment.

This online program introduces the COACH eSafety Guidelines: a comprehensive resource for health information professionals and others with a responsibility to ensure that eHealth systems are built and operated in a manner that reduces the risk to patient safety. The Guidelines provide a sound basis for implementing an eSafety Management Program including the assessment of risks using the eHealth Safety Case.
Session 1: Introduction to eSafety & the eSafety Management Program - November 19, 2014
This session will provide a foundation for understanding the issues and opportunities for addressing safety issues in eHealth systems and cover the main steps in setting up an eSafety management program.

Session 2: The eSafety Case - November 26, 2014
This session will introduce the eHealth safety case. The safety case is the safety equivalent of the privacy impact assessment and threat and risk assessment.

Register for eSafety and get 25% off of the coil-bound edition of the COACH eSafety Guidelines. Email Cheryl, ccornelio @ coachorg.com to arrange this discount. Available only to eSafety session registrants until November 18.
COACH
Canada's Health Informatics Association
NIHI
National Institutes of Health Informatics

Fall 2014 eHealth Education Line-Up
eHealth Future Trends
October 23, 30 & November 6, 2014
Usability Testing Essentials
November 13, 2014

 

Website: www.nihi.ca
Contact Us: info@nihi.ca; 1-800-860-7901


Thursday, December 5, 2013

Data in Electronic Health Records for Medical Research

The Institute for Ethics and Emerging Technology had an excellent article by Donna Hanrahan entitled "Data Mining, Meaningful Use, Secondary Use, & Potential Misuse of Electronic Health Records". It has an excellent synopsis of what many clinical researchers, ethicists, and privacy experts have been saying for many years, about how data in the EHR can be used for medical research purposes.

There are ways to do that, like consent management, audit record logs, and increasingly better means to de-identify data and prevent it from being re-identified. This latter work is really being pioneered by Dr. Khalid El-Emam. That is, before one would be able to donate the data in the EHR to science, post-mortem.

I will copy in here just the section on how data in EHR can be used for medical research:

Beneficence of Electronic Data in Medical Research
Despite the ethical concerns addressed above, the use of electronic health data is critical to ensuring patient health, improving our healthcare system, and making new scientific discoveries in this technological age. Critics may question whether EHRs are truly meaningful or whether it is an “excessive bureaucratic requirement to spend public dollars on doctors’ computer systems.”[xxxii] The answer to this question can be discussed through the principle of justice. It is ethical, one could argue, to expend public funds for EHR systems that provide for the greater good and benefits for the public as a whole. Having data that is structured and easily retrievable benefits clinicians, patients, and the greater population. These benefits include safer prescribing, prevention of medication errors, epidemiological tracking to protect population health, and public medical error reporting. Furthermore, there is a clear need to switch from outdated, burdensome, and inefficient clinical charting traditions to electronic format.
EHR adoption aims to reduce cost, which is a primary goal of health reform in the United States. The increase in information available to clinicians can help prevent redundant or unnecessary tests and imaging. Furthermore, EHRs can provide point-of-care clinical decision support (CDS) as doctors prescribe tests, medications, and imaging requests, which can also help reduce costs. Lastly, “shared savings,” or “gain-sharing,” allows hospitals and healthcare providers to collaborate to reach quality metrics.[xxxiii] Accordingly, EHRs enable users to measure desired outcomes and report this data more quickly and easily, saving both time and money. With regard to the costs associated with EHRs, studies have documented the strong return on financial investment that may be achieved following EHR implementation.[xxxiv] Other financial benefits include increased revenues due to improved care coordination, averted costs of paperwork, chart pulls, and billing errors, and fee-for-service savings including the rate of new procedures and charge capture. Furthermore, the secondary use of health record information is anticipated to become one of the healthcare industry’s greatest assets and the key to greater quality and cost savings over the next five years.[xxxv] In fact, a recent report by the McKinsey Global Institute estimates the potential annual value to the healthcare industry at over 300 billion dollars.[xxxvi] These savings in cost benefit both the patient and provider.
There are also several patient-centered benefits that result from the “meaningful use” EHR data. Perhaps one of the most promising results of EHR data mining is the use of predictive modeling techniques to identify medical conditions and promote interventions before the onset of symptoms. Furthermore, retrospective analysis of the health data mined from EHRs could expedite scientific discovery in medicine by providing valuable information for research. In addition, physicians’ access to data and analysis could demonstrate the efficacy of different treatment options across large populations, which could help treat and prevent chronic conditions. Lastly, such data can be used to identify evidence-based best practices, identify potential patients for clinical trials, and monitor patient compliance and drug safety. These measures show beneficence towards the patient by providing better, more individualized care.



Sunday, December 1, 2013

Is US Homeland Security Accessing Canadian Personal Health Information?

There is a disturbing story about how more than several Canadians have been denied entry to the United States by Homeland Security because of the information they held on their medical condition. You can read an instance of the story < here >. Ontario Privacy Commissioner Dr. Ann Cavoukian says it is a "matter of grave concern". I find it quite shocking too. Actual facts may point to Homeland Security receiving the medical condition information through 911 call records, and not somehow directly accessing medical records (as the story might suppose), but still...

Wednesday, November 21, 2012

Ethical hacking to prevent health records held for ransom




A story about hacking that had a different angle was of interest to our privacy and security group. In this scenario, the hackers did not maliciously penetrate a system to cause chaos and destruction, but to virtually hold for ransom a huge store of health records and personal health information.



Hacker holds patient health information for ransom

A Virginia hacker is asking for $10 million in exchange for the safe return of the personal health and prescription drug information of 8.3 million patients, HealthLeaders Media reported on May 5.

The hacker allegedly stole the information from the Virginia Prescription Monitoring Program’s (VPMP) Web site, which tracks prescription drug abuse and contains 35.5 million prescriptions in addition to enrollees’ personal information, including names, social security numbers, and addresses.

The hacker, who replaced the VPMP site with a ransom note, claims to have deleted the original back-up file for the information and created a new password-protected back-up file.

The VPMP site and the Virginia Department of Health Professions site are both temporarily disabled and the incident is under federal investigation.

This is when I realized that healthcare institutions need certified ethical hackers. These are the "white hat" hackers, who have a code of ethics, who know how to find the flaws in system security and work to prevent the "black hat" hackers from gaining admission.  In fact one in our group who works in healthcare said "oh, we do that." It is good to know there are ethical hackers in healthcare.  One of my earlier posts on this blog was about a computer security expert who hacked his way into an insulin pump, which fortunately was his own.

The White Hat Ethical Hacker Code of Ethics:


This CODE OF ETHICS expresses the consensus of the profession on ethical issues and is a means to educate both the public and those who are entering the field about the ethical obligations of all e-commerce consultants. By joining EC-Council each member agrees to:
Privacy:
Keep private any confidential information gained in her/his professional work, (in particular as it pertains to client lists and client personal information). Not collect, give, sell, or transfer any personal information (such as name, e-mail address, Social Security number, or other unique identifier) to a third party without client prior consent.
Intellectual Property:
Protect the intellectual property of others by relying on her/his own innovation and efforts, thus ensuring that all benefits vest with its originator.
Disclosure:
Disclose to appropriate persons or authorities potential dangers to any e-commerce clients, the Internet community, or the public, that she/he reasonably believes to be associated with a particular set or type of electronic transactions or related software or hardware.
Areas of Expertise:
Provide service in their areas of competence, being honest and forthright about any limitations of her/his experience and education. Ensure that she/he is qualified for any project on which he/she works or proposes to work by an appropriate combination of education, training, and experience.
Unauthorized Usage:
Never knowingly use software or process that is obtained or retained either illegally or unethically.
Illegal Activities:
Not engage in deceptive financial practices such as bribery, double billing, or other improper financial practices.
Authorization:
Use the property of a client or employer only in ways properly authorized, and with the owner’s knowledge and consent.
Disclosure:
Disclose to all concerned parties those conflicts of interest that cannot reasonably be avoided or escaped.
Management:
Ensure good management for any project he/she leads, including effective procedures for promotion of quality and full disclosure of risk. 
Knowledge Sharing:
Add to the knowledge of the e-commerce profession by constant study, share the lessons of her/his experience with fellow EC-Council members, and promote public awareness of benefits of electronic commerce.
Confidence:
Conduct herself/himself in the most ethical and competent manner when soliciting professional service or seeking employment, thus meriting confidence in her/his knowledge and integrity.
Extreme Care:
Ensure ethical conduct and professional care at all times on all professional assignments without prejudice.
Malicious Activities:
Not associate with malicious hackers nor engage in any malicious activities.
No Compromise:
Not purposefully compromise or cause to be compromised the client organization’s systems in the course of your professional dealings.
Legal Limits:
Ensure all penetration testing activities are authorized and within legal limits.

Involvement:
Not partake in any black hat activity or be associated with any black hat community that serves to endanger networks.
Underground Communities:
Not be part of any underground hacking community for purposes of preaching and expanding black hat activities.

Saturday, November 17, 2012

Now that's getting personal: how small data is the new oil

I am not sure what to make of the personal.com company and application. There is a health information component, making it relevant to this blog. I am not sure I am so hyper concerned about personal information that I would use the personal login to access my Facebook account. I suppose I am more of an exponent of open data, and even big data for that matter. Don't get me wrong. I understand the need for privacy and security of data. But "small data is the new oil"? They really might have something here:


Small data puts the power and tools of big data into the hands of people. It is based on the assumption that people have a significant long-term competitive advantage over companies and governments at aggregating and curating the best and most complete set of structured, machine-readable data about themselves and their lives – the “golden copy”. With proper tools, protections and incentives, small data allows each person to become the ultimate gatekeeper and beneficiary of their own data.
Built on privacy by design and security by design principles, small data can help people become smarter, healthier, and make better, faster decisions. It can help people discover new experiences more easily, reclaim time in their busy lives, and enjoy deeper, more positive relationships with others.

Saturday, October 27, 2012

COACH Privacy Guides now available for Healthcare Organizations from eHealth Ontario

I knew eHealth Ontario was licensing the patient portal guidelines from COACH, because I was working with the COACH Expert Group that was writing them when it was announced. The recent news announcement that all 3 privacy and security of personal health information guidelines are being offered for free to healthcare organizations in Ontario is wonderful. I am now working on updates to the 2011 EMR guideline and the special edition of implementing the EMR with a COACH Expert Group again. Unfortunately, I am not as much of an expert this time because a lot of it is about legislation - not my speciality. I knew more about patient portals at the time. If you work in healthcare, you can apparently download them for free here. So far, however, the download has not worked for me. Not sure what the problem is. Maybe it recognized my name and somehow knew I already have copies of these:
http://www.ehealthontario.on.ca/en/privacy/guides/


Privacy Guides

The 2011 Guidelines for the Protection of Health Information is an easy-to-use guide that covers topics such as accountability, consent, collection and security safeguards. This guide reflects the core principles of the Canadian Standards Association Model Code for the Protection of Personal Information and the content is aligned with Canada Health Infoway requirements and standards (international and national) such as the ISO 27002 Security Management Standards.
  • 2011 Guidelines for the Protection of Health Information
    A comprehensive resource on privacy and security best practices that helps health care professionals protect the PHI that they require to do their day-to-day work. This resource is designed as a stepping stone to help health care organizations address common concerns, avoid confusion and prevent misunderstandings related to the protection of PHI.
  • Privacy & Security for Patient Portals 2012 Guidelines for the Protection of Health Information Special Edition
    Developed for use by those designing, implementing and maintaining a patient portal system, this helpful guide is appropriate for organizations of all sizes—from a physician’s office to a large hospital. Topics include: choosing a portal model, Canadian privacy legislation and privacy and security risks/controls related to patient portals.
  • Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records COACH Guidelines for the Protection of Health Information Special Edition
    Provides health care providers with up-to-date privacy and security considerations and best practices related to the procurement, implementation, setup and maintenance of an electronic medical record system in a community practice setting.


Monday, September 24, 2012

Quantum Computing and eHealth

If you want a glimpse of the future, subscribing to IEET is probably the best way to go, though I think many writers tend to be overly optimistic. This article on Quantum Computing and the future of health in 20 years might be one such, but who knows. I didn't know that a Canadian company, D-Wave, developed the first QC machine. Their website has an interesting article on how QC programming is different from regular programming, which reminds me a little of Bell's theorem.


Quantum Computers: Headband Telepathy, Medical Advances, and more!


Dick Pelletier
Positive Futurist

Posted: Sep 22, 2012
Quick: without grabbing your cell phone, tablet or PC, when did Earth population reach 7 billion? In the near future, the answer might be immediately whispered into your ear, “October 31, 2011.”
Any query you can think of will soon be answered with a headband that gathers data from the Internet and feeds it directly into your brain, say Peter Schwartz and Rita Koselka in this Fortune Magazine article.
Stuart Wolf, Nanostar director at University of Virginia predicts an even more Earth-shaking change. Within 20 years, he says, instead of cell phone conversations, we will have “network-enabled telepathy;” communicating directly to another person’s headband, using just our thoughts.   
Recognizing thoughts instead of ‘voice-speak’ may be confusing at first, experts say, but with training, “thought-talking” could one day become the preferred way for humans to communicate with each other.   
How do quantum computers think? This 5 minute video explains. The world’s first QC, D-Wave One, was made and sold by D-Wave Systems to Lockheed Martin, to solve security issues. The 7-minute video below offers more details on this groundbreaking project:
  
QCs will accelerate advances in medical technologies. In a paper published recently in Nature Scientific Reports, Harvard researcher Alan Aspuru-Guzik presented results of the largest protein folding problem solved to date using a quantum computer. QCs will accelerate advances in many areas of life sciences, including drug and vaccine design, Aspuru-Guzik says.   
The following scenario imagines what life could be like in tomorrow’s quantum computer future:   
“It’s the year 2030, and as I glance around my bedroom, I feel secure knowing that microscopic sensors embedded throughout the house constantly monitor my breathing, heart rate, brain activity and other vital health issues. For example, blood extracted last night by the bathroom sink checked for free-radicals and precancerous cells, and then ordered all the necessary preventative drugs from the home nano-replicator. 

  
As I step into the shower, wall tiles display the day’s top headlines: ‘Mars mission launches ahead of schedule;’ ‘Military drones destroy another terrorist training camp using ‘smart dust;’ and ‘today is the 20th anniversary of the first quantum computer.’
Glancing in the mirror, I find it hard to believe that I will celebrate my 100th birthday later this year. Having recently opted for total body rejuvenation, my reflection displays the image of a healthy twenty-something, with wrinkle-free skin, perfect sight, original hair color, strong muscles and bones; and an enhanced brain that, although it took some getting used to, has greatly increased my intelligence.
Getting ready to fly to a conference, my auto-drive electric car rolls its top down on this warm day. I manually drive to the electronic roadway on-ramp, and then relinquish the wheel to the vehicle. Arriving at the airport, my ‘smart’ car drops me off at the terminal, and then returns home. An ‘intelligent cam’ scans my mind and gives an instant approval, no waiting for ticket-check or security.
While boarding the plane, I see a familiar face. My headband immediately flashes his identity data and displays it on my eyes. Dr. Jones, I call out. It’s so nice to see you again. How was the conference? Only a slight flicker of Jones’ eyes betrays that he is Googling my details too. Hi Dick; the conference was great; and congratulations on your Estonia presentation.”
Welcome to the future! Headbands, because they can access all of the information on the Internet, enable us to think of any issue; then immediately receive data pertinent to that issue in our eyes or ears.
In another application for the technology, the necessity to learn languages would disappear. This would allow more friendships to develop; and if the devices were cheap enough, which experts claim will be a certainty with nano-replicators expected in this future time, headbands would be affordable for everyone.
These techno-wonders hold great promise to improve relationships. No more forgetting names and details, plus increased intimacy generated by thought-talking could bring people around the world closer together, creating a Global Village; a society acting as one voice to advance peace. Comments welcome.

Dick Pelletier is a weekly columnist who writes about future science and technologies for numerous publications. He's also appeared on various TV shows, and he blogs at Positive Futurist.

Tuesday, August 7, 2012

ehealth Saskatchewan public survey on personal health records

Saw this news story:
http://www.canhealth.com/News2029.html
"eHealth Saskatchewan is polling the public on its website, www.ehealth-sk.ca, to discover whether the residents of the province would like to see development of a Personal Health Record, and if so, what they would like to see in it."



This to me is a credible thing to do.  Most surveys of the public attitudes towards electronic health records show a great interest in them.  An equally high percentage are concerned with the privacy and security of their health records. Sounds like Saskatchewan is sizing up the feasibility of a provincial architecture for the personal health record.  I would like to see the results of the survey.  

Wednesday, July 4, 2012

Privacy and Security for Patient Portals: 2012 Guidelines for the Protection of Health Information Special Edition

COACH special edition on patient portals
The COACH 2012 Special Edition "Privacy and Security for Patient Portals 2012 Guidelines for the Protection of Health Information Special Edition" has just been released. I got my web version copy in advance last week because I was a member of the Expert Group who initially drafted it. The final product looks really good, and presents the hard work of the volunteer group really well. Highly recommended reading if you are at all thinking of implementing or using patient portals, otherwise known as electronic Personal Health Records.

Sunday, May 27, 2012

Hacking an insulin pump - no good unless it is your own

www.kslaw.com/library/publication/HH051412_Bulletin.pdf

Here is another reason why separate channels for health data are a good idea - if we can only get the encryption right. A man was able to hack into an insulin pump and turn it off. Mind you, the hacker was just doing a demo and was a computer security expert, as well as a diabetic:

During an August 2011 Black Hat conference, a security researcher demonstrated how an outside actor can shut off or alter the settings of an insulin pump without the user’s knowledge. The demonstration was given to show the audience that the pump’s cyber vulnerabilities could lead to severe consequences. The researcher that provided the demonstration is a diabetic and personally aware of the implications of this activity. The researcher also found that a malicious actor can eavesdrop on a continuous glucose monitor’s (CGM) transmission by using an oscilloscope, but device settings could not be reprogrammed. The researcher acknowledged that he was not able to completely assume remote control or modify the programming of the CGM, but he was able to disrupt and jam the device.
Story also found < here >

Thursday, May 3, 2012

Universal Health IDs?

This is a brilliant article by John Moehrke on his healthcare privacy and security blog.  It made me wonder if the Ontario healthcard ID could be used more universally.  I learned a few years ago that the healthcard number was ruled available for health record identification.  If anyone can confirm that, please let me know.