Navigating Healthcare – Patient Safety and Personal Healthcare Management

Improving Healthcare’s Security Posture

Blackhat

Healthcare’s Security Posture

As part of my interview series from BlackHat I spoke with Mike Weber, VP of Coalfire Labs. Coalfire is a large cybersecurity provider focused on securing transactions in the cloud, working with most if not all of the cloud providers. Coalfire has just released its Penetration Risk Report, which includes a special section on healthcare. Not surprisingly the news wasn’t good: healthcare had the worst “external posture”, meaning the least security for anything an attacker can see from the outside, such as internet-facing routers, firewalls and similar systems.

Healthcare

The biggest issue was legacy systems: in many instances upgrades had been installed, but the legacy, unsecured systems remained in use alongside them.

Healthcare

Listen in to the interview and hear Mike’s thoughts on incremental steps to combat the security challenges faced in healthcare. As he and others have pointed out, medical records are high risk because they have such a long shelf life, offering a rich vein to exploit for anyone able to steal them.

 

Incremental Steps for Improving Healthcare’s Security Posture

 

  • Upgrade old systems and, importantly, plan the retirement of the old systems as part of the upgrade
  • Consolidate your audit program to decrease audit fatigue
  • Prioritize the “crown jewels” among the data and systems you are protecting

Here’s the short list:

  1. Personal data is the top target (highest value) – medical identity information has a smaller market
  2. Platform Access – and the ability to install ransomware
  3. Encrypt everything


Improving Healthcare’s Security Posture was originally published on Dr Nick – The Incrementalist


Incremental Steps to Health


This week I am talking to Dr Khan Siddiqui (@DrKhan), radiologist, programmer, serial entrepreneur, and Founder, CTO and CMO of HIGI, the company that is taking the concepts of consumer engagement and tracking to the next level and creating actionable insights that patients and their care team can use.

Much of Khan’s journey mirrors my own journey into digital health: starting as a programmer in school, where he was building applications on a PDP-11 using punch cards, and continuing through his early work on the electronic health record, mining data and applying machine learning and deep learning to healthcare data as far back as 2005.


Listen to his story of a turnabout of shared innovation at Microsoft, where the work the healthcare team had done on image analytics was applied to the Kinect sensor bar and gaming, solving one of the challenging problems of “missing body parts”.

He was involved in the early work on Microsoft HealthVault and, like others, believed that sharing clinical data with patients and getting them engaged was a key requirement for solving health challenges, many of which are tied up with personal behavior. Frustrated by the lack of uptake compared with the Xbox gaming system, he took this experience with him to found Higi, replicating the user engagement of gaming and bringing it to healthcare.

Listen in to gain a different perspective on Xbox gaming and how healthcare has contributed to and learned from this world.


Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next two weeks at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.


Listen along on HealthcareNowRadio or on SoundCloud

Incremental Steps to Health was originally published on Dr Nick – The Incrementalist

Unbreakable Encryption

Encryption Algorithms Under Siege


Over the course of history the development and subsequent breaking of encryption standards has been a constant cycle: as new ciphers were developed they were broken, and the speed with which they are broken has increased. The modern era began with the Data Encryption Standard (DES), launched in the 1970s with a 56-bit key (the key is written as 64 bits, but 8 of them are parity bits). By 1999 a purpose-built machine could recover a DES key by brute force in under a day, and with that demise looming NIST launched a search for a successor, which gave rise to the Advanced Encryption Standard (AES, the Rijndael cipher) with 128-, 192- and 256-bit keys. AES remains under continuous cryptanalytic scrutiny and faces ever faster computers, but no practical attack on it is known, and the cipher itself is not what NIST is currently seeking to replace. The quantum threat is to the public-key algorithms (RSA, elliptic curves) used to exchange keys: Shor’s algorithm would break them outright, which is why NIST is standardizing post-quantum replacements for them, whereas Grover’s algorithm only halves the effective key length of a symmetric cipher, leaving AES-256 with 128 bits of security.

Unbreakable Encryption


I spoke with John Prisco, President & CEO of QuantumXchange, which in his words is pioneering unbreakable encryption. I know what you’re thinking: the idea of something being unbreakable or unhackable seems impossible, and I was dubious as well.

But here’s what’s interesting – the foundation of the technology is the Heisenberg (no not that Heisenberg) uncertainty principle

 

You have to go deep into theoretical quantum physics to understand the background to this, and while no expert I’m fascinated by the quantum world. This explanation in the Encyclopaedia Britannica is helpful, comparing the concept to measuring the air pressure in your tires. TL;DR: you can’t measure it exactly, because as soon as you attach the pressure gauge you change the pressure. Essentially you can never know with perfect accuracy both the position and the velocity of a particle at the same instant. You can learn more from the always brilliant Richard Feynman video lecture, Probability and Uncertainty in Quantum Mechanics.


Single Photon Based Encryption Keys

That uncertainty is a physical property, whereas the security of conventional encryption rests on mathematical problems being hard to solve. QuantumXchange uses the quantum properties of single photons (light) to exchange key material between two locations (quantum key distribution), with the keys derived from the exchanged quantum information. The keys are tamper evident: any attempt to intercept (observe or copy) the photons disturbs their quantum state, thanks to the Heisenberg uncertainty principle, and that disturbance shows up as errors when the two ends compare a sample of their key. In that case the key is rejected and a new one generated. Note what this does and does not give you: QKD distributes a secret key, and the data itself is still encrypted with a conventional symmetric cipher such as AES using that key.
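The mechanism described above, as an added example that is not QuantumXchange’s code and not from the original post: a classical simulation of the BB84 key-distribution protocol in which an eavesdropper who measures the photons is caught by the error rate she introduces. Real photons are replaced by a random number generator; a photon is modelled as (preparation basis, bit), and measuring it in the wrong basis yields a random bit and re-prepares it in the measuring basis, which is the whole reason intercept-and-resend is visible. The 11% acceptance threshold is the standard BB84 figure; the photon count and seeds are arbitrary.

```python
"""BB84 quantum key distribution, simulated classically (added example)."""
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two conjugate bases ("+" and "x")


def measure(photon, basis, rng):
    """Measure a (prepared_basis, bit) photon in `basis`.

    Same basis: the prepared bit is recovered exactly. Wrong basis: the
    outcome is uniformly random and the photon collapses into `basis`."""
    prepared_basis, bit = photon
    if basis == prepared_basis:
        return bit
    return rng.randrange(2)


def intercept_resend(photon, rng):
    """Eve measures in a random basis and forwards a photon prepared in
    her basis carrying her result. Half the time her basis is wrong, and
    then Bob's matching-basis measurement disagrees with Alice half the
    time, so the error rate she leaves behind is about 25%."""
    eve_basis = rng.randrange(2)
    return (eve_basis, measure(photon, eve_basis, rng))


def bb84(n_photons, eavesdrop=False, seed=None):
    """Run one exchange; return (alice_key, bob_key, qber).

    Alice sends photons in random bases carrying random bits; Bob measures
    each in a random basis. Over the public channel they reveal only the
    bases, keep the positions where they agree (sifting), sacrifice half of
    those to estimate the quantum bit error rate (QBER) and keep the rest."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    photons = list(zip(alice_bases, alice_bits))

    if eavesdrop:
        photons = [intercept_resend(p, rng) for p in photons]

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Sifting: only positions where both chose the same basis are usable.
    matched = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimation: publicly compare a random half of the sifted bits.
    sample = set(rng.sample(matched, len(matched) // 2))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    alice_key = [alice_bits[i] for i in matched if i not in sample]
    bob_key = [bob_bits[i] for i in matched if i not in sample]
    return alice_key, bob_key, qber


def accept_key(qber, threshold=0.11):
    """Reject the key above the QBER that BB84 error correction and privacy
    amplification can tolerate (about 11%); below it the residual errors
    are reconciled and Eve's partial knowledge is squeezed out."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        a, b, qber = bb84(2000, eavesdrop=eve, seed=2024)
        print(f"eavesdropper={eve}: {len(a)}-bit sifted key, QBER={qber:.1%}, "
              f"keys match={a == b}, accepted={accept_key(qber)}")
```

The simulation ignores photon loss and detector noise, which on a real link give a baseline QBER of a few percent even with nobody listening; that is why the decision is a threshold rather than a check for zero errors, and why the sacrificed sample has to be large enough to distinguish the two.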

All this takes place on dark fiber between Boston and Washington DC. They are offering the service to customers in the healthcare and financial services markets, and already have examples of oil rigs using their quantum keys to secure the huge numbers of IoT devices used in critical infrastructure and control for oil drilling and production.

This is especially important for healthcare data, which has the longest shelf life of any data in the industry: an adversary can record encrypted traffic today and decrypt it years later once the key exchange that protected it is broken, so protecting it over extended periods is essential if we are to maintain patients’ privacy and confidentiality.

Here’s the Interview:

 

Unbreakable Encryption was originally published on Dr Nick – The Incrementalist

Artificial Intelligence in Medicine

Artificial Intelligence in Medicine – Better More Rewarding Medicine


It was great to catch up with colleague and friend Dr. Anthony Chang (@AIMed_MD), pediatric cardiologist, founder of Artificial Intelligence in Medicine (AIMed) and director of the Medical Intelligence and Innovation Institute (MI3).

How did a pediatric cardiologist find his way into the field of Artificial Intelligence, Machine and Deep Learning?

Those of you who saw the original Watson Jeopardy Challenge will understand: Anthony, like me, was struck by this incredible achievement by the IBM Watson team, which beat the top two Jeopardy champions with an artificial intelligence system that had ingested a vast library of text and produced the correct answer more often than the two human champions.

With a background teaching statistics, augmented with an MS in Biomedical Data Science/Artificial Intelligence, he has blazed a path attracting colleagues and data geeks from around the world to participate in the future of healthcare augmented by data.

For those of you challenged understanding the terminology of the space this Venn diagram is helpful in putting the various disciplines in perspective

AI Deep Learning and Big Data Venn Diagram

Along the way he, like many of my other guests, has discovered the value of the adjacent possible: in his case, data scientists and technologists working adjacent to clinicians deeply invested in day-to-day clinical care, each learning from the other.

We cover everything from machine learning and data science through to whether clinicians need to gain qualifications in data science. Hear him eloquently answer the age-old question:

Will I still have a job once AI has replaced me?

TL;DR: yes, and it will be more rewarding.

Join me as you hear how and why you should change the way you think of medicine and data. The good news is that you can participate in the next AIMed event, which mixes specialists, clinicians, data geeks and patients from around the world in a unique experience that offers great learning and opens minds.


Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next two weeks at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.


Listen along on HealthcareNowRadio or on SoundCloud

Artificial Intelligence in Medicine was originally published on Dr Nick – The Incrementalist

Are Your Pagers Leaking PHI Data

Hospital Paging Systems Security

Blackhat

I spoke with Mark Nunnikhoven, VP of Cloud Research at Trend Micro, about their recently published paper Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry. Paging systems were designed and built in an era when it took a lot of resources and technology to access the system, but now all it takes is a couple of hundred dollars of radio hardware plugged into a PC and you are in.

“When pagers first came out the effort to interact with the system was high”

TL;DR: pagers in the clinical setting are unencrypted and represent a security risk for breach of personal health information.

Mark’s incremental step: don’t include PHI in any pager traffic, then get rid of pagers and replace them with mobile devices that have end-to-end encryption.

In their study they found that the transmissions are not encrypted and contain multiple elements of PHI. They saw lots of examples (you can download the report here), and the summary of the PHI exposed in the unencrypted messages analyzed by Trend Micro offers a peek at the potential breaches taking place on a daily basis. Because a radio receiver is entirely passive, the hospital has no way of knowing that anyone is listening.

Mark also mentioned another report, Securing Connected Hospitals, that looked at connected devices and highlighted the huge increase in attacks on healthcare information systems, in particular ransomware.

 

 

Incremental Steps for Securing Your Pager System

  1. Don’t include personal health information in pages; ask for a call back instead
  2. Replace the old-style pagers with new technology and devices, and
  3. When building devices, build security into the product
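One way to enforce the first step at the paging gateway, as an added example that is not Trend Micro’s code and not from the original post: screen every outbound page for things that look like PHI and, when something matches, transmit a callback request instead, so the clinical detail moves to a channel that can be authenticated and encrypted. The PHI categories, the patterns and the sample pages are constructed for illustration; a real deployment would tune the patterns to its own message templates.

```python
"""Pre-send PHI screen for pager traffic (added example, constructed patterns)."""
import re

# Constructed patterns for identifiers that commonly leak in free-text pages.
# Keyed by category so the gateway's own log can say what was caught.
PHI_PATTERNS = {
    "date_of_birth": re.compile(
        r"\b(?:dob|d\.o\.b\.?)\s*[:#]?\s*\d{1,2}[/-]\d{1,2}[/-]\d{2,4}", re.I),
    "mrn": re.compile(
        r"\b(?:mrn|med(?:ical)?\s*rec(?:ord)?\s*(?:no|#|number)?)\s*[:#]?\s*\d{5,}", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "diagnosis": re.compile(
        r"\b(?:dx|diagnosis|positive for|hiv|hepatitis|psych)\b", re.I),
    # "Pt: Smith, John" or "Patient name Smith, John". The name part is
    # case-sensitive so ordinary words after "patient" do not trigger it.
    "patient_name": re.compile(
        r"\b(?:[Pp]t|[Pp]atient)\b\.?\s*(?:[Nn]ame)?\s*:?\s*[A-Z][a-z]+,\s*[A-Z][a-z]+"),
}


def find_phi(message):
    """Return the PHI categories matched in `message` (empty list if clean)."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(message)]


def prepare_page(message, callback_extension):
    """Return (text_to_transmit, phi_categories_found).

    Clean pages go out unchanged. Anything matching a PHI pattern is replaced
    by a callback-only page, so the original text never reaches the air."""
    hits = find_phi(message)
    if not hits:
        return message, hits
    return f"Please call x{callback_extension} regarding a patient.", hits


def screen_all(pages, callback_extension="4100"):
    """Screen a batch of pages; one (original, transmitted, hits) tuple each."""
    return [(p, *prepare_page(p, callback_extension)) for p in pages]


# Constructed sample pages, not taken from the Trend Micro report.
SAMPLE_PAGES = [
    "Consult needed, call back x4521",
    "Pt: Smith, John DOB 03/14/1961 MRN 00928311 rm 412 positive for HIV, please see",
    "Lab critical: K 6.8 for MRN# 7731902, call x2210",
    "OR 3 ready for next case",
]

if __name__ == "__main__":
    for original, sent, hits in screen_all(SAMPLE_PAGES):
        status = "BLOCKED " + ",".join(hits) if hits else "ok"
        print(f"[{status}] {sent}")
```

The categories returned by `find_phi` are what you would write to the gateway’s own log: they tell you which message templates keep leaking (and therefore which ones to rewrite) without putting the PHI into yet another system.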

 

Are Your Pagers Leaking PHI Data was originally published on Dr Nick – The Incrementalist

Mindfulness and Meditation

Stress
Mindfulness and Meditation

This week we are focusing on mindfulness and meditation and why they are important for your health. People who include mindfulness and meditation in their daily routine find they are better able to deal with pain, have improved immunity, sleep better, lower their blood pressure and have less inflammation.

What are the incremental steps to get you into a regular habit of mindfulness and meditation? The first step is to find what works for you: what is the best time, and where is the best place? Once you have decided where and when, like most other incremental steps it requires you to take that first step. It can be hard, and one of the important things to understand is that you don’t have to do it for very long; even a few seconds can be helpful, and then you work up to longer times.

There is a range of apps you can download to help you start, including some great free apps, and I talk about some of those choices and options.
Here are 5 free apps you can download that can help you get started

Can I ask a favor – if you like the video, please subscribe to my channel, and if you don’t leave me your feedback/thoughts on how I can improve things

Mindfulness and Meditation was originally published on Dr Nick – The Incrementalist

Getting into the Exercise Habit

Exercise Routine

In this week’s video I discuss getting into the habit of exercise

Getting into a regular routine for exercise is the first step to making it part of everyday activity. How do you do that? The first step, like most other incremental steps, is to start. It can be hard, and one of the important things is not to try to do too much initially. If you can only get 5 minutes of exercise, get that. Once that’s a regular event and you are finding it easier, extend the time and distance to 10 minutes, then 15 minutes, and keep adding.

As for locations, outside is always a good place to start, but if that’s not ideal you can always find a gym, buy some cardio equipment (maybe second hand) or find a nearby mall to start your exercise program.
It can be hard to start, but the most important thing is to start. If you can find a friend and start together, company always helps, and if someone is expecting you it helps to keep you showing up every day.
Here are some simple suggestions for starting an exercise program

 

 

 

 

Getting into the Exercise Habit was originally published on Dr Nick – The Incrementalist

Exploiting Implanted Medical Devices

Hollywood Future Predictions

Spoiler alert for anyone who has not watched the Showtime series “Homeland” or has not got past Season 2

 

Hacking Medical Devices – Homeland Broken Heart; Picture from Seriesandtv.com

In the episode titled “Broken Heart” (December 2, 2012) we watch a hacker gain remote unauthorized access to the Vice President’s pacemaker and induce a tachycardia (an increase in heart rate) that causes him to die of a heart attack. Abu Nazir kills the Vice President by accessing his pacemaker remotely:

 

 

While the whole operation seemed almost too simple, it was not an implausible tactic. We saw this in October when Darren Pauli wrote about a researcher in Australia who

“reverse-engineered a pacemaker transmitter to make it possible to deliver deadly electric shocks to pacemakers within 30 feet and rewrite their firmware.”

The risk was real enough that Dick Cheney had the wireless function of his own device turned off in 2007, and it was covered in this piece in the NY Times, A Heart Device Is Found Vulnerable to Hacker Attacks, though the threat was discounted at the time based on the high cost and the need for sophisticated equipment.

Billy Rios – Security Researcher

Enter security manager and researcher Billy Rios who, thanks to an unplanned extended hospital stay during which he found himself surrounded by a slew of unsecured access points and devices connecting via WiFi, went on an 18-month journey to study the risks.

 

This presentation is the culmination of an 18-month independent case study in implanted medical devices. The presenters will provide detailed technical findings on remote exploitation of pacemaker systems, pacemaker infrastructure, and a neurostimulator system. Exploitation of these vulnerabilities allows for the disruption of therapy as well as the ability to execute shocks to a patient.

He presented his findings at BlackHat 2018: Understanding and Exploiting Implanted Medical Devices

Here’s the video of the hack demonstrated at the event:


I was fortunate to speak to him to discuss the journey, his findings and thoughts on incremental steps to mitigate this

As Billy points out, it is essential for the clinical team to focus on these risks, understand the concerns raised by security researchers and others, and provide the clinical perspective that is missing from healthcare security discussions.

Here is the live stream of their presentation and demo:

https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2FDrNickvT%2Fvideos%2F1860967050661827%2F&show_text=0&width=267

Exploiting Implanted Medical Devices was originally published on Dr Nick – The Incrementalist

World Malaria Day 2017

Posted in Africa, DigitalHealth, Healthcare Technology, Innovation by drnic on April 25, 2017

Malaria

 

World Malaria Day is today, Tuesday, April 25, 2017, recognizing global efforts to control and perhaps one day eradicate this major killer that disproportionately affects my home continent of Africa.

The WHO African Region continues to shoulder the heaviest malaria burden, accounting for an estimated 90% of malaria cases and 92% of malaria deaths in 2015. The WHO South-East Asia Region accounted for 7% of global malaria cases and 6% of malaria deaths. Three quarters of these cases and deaths are estimated to have occurred in fewer than 15 countries, with Nigeria and Democratic Republic of the Congo accounting for more than a third

 

Status of Malaria Today

Based on the WHO 2016 Malaria Report there were 212 million cases of malaria globally. While we have seen some great progress, with a 21% decrease in the malaria incidence rate between 2010 and 2015 and a 29% decrease in the mortality rate, we have a long way to go. Almost half the population of the world is at risk from malaria, and in 2015 an estimated 429,000 people died from it. That’s the whole population of Miami dying every year.

Source: Marc Averette

More than two thirds of the deaths occur in children under the age of 5, and pregnant women are particularly susceptible: a double hit on vulnerable populations.

The lifecycle encompasses the mosquito as carriers and transmission to humans. This is a great graphic summarizing the

 

 

Prevention and Treatment

The basis of prevention and treatment is tied to 3 basic methods

  • Insecticides and Mosquito Nets
  • Indoor spraying of insecticides
  • Preventative Therapies for pregnant women, children and infants in Africa

 

The good news is that advances in digital health and mobile technologies are bringing testing capabilities to many remote and underserved areas. Testing rates of suspected malaria cases have increased from 40% in 2010 to 76% in 2015, much of it due to rapid diagnostic tests that are economical and increasingly available.

Sadly, despite the progress, some of the mainstays of prevention and treatment are being undermined by the emergence of insecticide and drug resistance: 60 countries have reported resistance to at least one of the four classes of insecticides and, even more troubling, five countries have reported resistance to artemisinin, the core compound used in antimalarials.

 

 

The report card by country is a mixed bag with some progress and success but increases in incidence in other areas

Many organizations have been working hard in this area, including the Bill and Melinda Gates Foundation, which has been focused for many years on a world free of malaria. It has invested over $2 billion in grants spread across prevention, mitigation and treatment.

Current Problems

It’s a tricky parasite that uses all sorts of clever subterfuge to fool our bodies and its other hosts into ignoring the infection. There is even a clever “bending” of the red cell wall to allow the parasite to enter more easily, as demonstrated at Imperial College in Malaria parasites soften our cells’ defenses in order to invade:

However, now researchers led by a team at Imperial College London have found that the parasites also change the properties of red cells in a way that helps them achieve cell entry. The results are published in Proceedings of the National Academy of Sciences.

There are many fronts open, and Papua New Guinea is one of the countries that dares to hope, with encouraging progress that may bring about the end of the disease.

In PNG, control measures – in particular the rollout of long-lasting, insecticide-treated bed nets – have resulted in the prevalence of malaria declining by more than 80% across the country since 2009. Cases reported at four sentinel sites have dropped from 205 to 48 per 1,000, surpassing all expectations.

 

New Strategies in Treatment of Malaria

There has been a lot of work on Vaccines for Malaria and it would appear some successful studies including this one from Germany

University of Tübingen researchers in collaboration with the biotech company Sanaria Inc. have demonstrated in a clinical trial that a new vaccine for malaria called Sanaria® PfSPZ-CVac has been up to 100 percent effective when assessed at 10 weeks after the last dose of vaccine.

So perhaps, like dengue, it may be “the beginning of the end”. Let’s not let up: this is a major killer. Even with prevention and mitigation therapy, as expatriates living in a malaria-ridden area my mother still contracted the disease. We have had a global eradication program in action since the 1950s; with advances in science and understanding, perhaps we are finally on the cusp of eradication?

You can find out more here and download the Infographic: Malaria Can Be Defeated

 

World Malaria Day 2017 was originally published on Dr Nick – The Incrementalist

Patient Centered Systems

What will it take to move our healthcare system to a truly patient-centered one? We know, based on multiple data points, that engaged patients have a big impact on the successful outcome of treatment. Leonard Kish coined the phrase back in 2012:

Patient Engagement is the Blockbuster Drug of the Century

referencing a 2009 Kaiser study of coordinated cardiac care, comparing enrolled patients with those not enrolled:

“patients have an 88 percent reduced risk of dying of a cardiac-related cause when enrolled within 90 days of a heart attack, compared to those not in the program.”

“clinical care teams reduced overall mortality by 76 percent and cardiac mortality by 73 percent.”

And this study in Telemedicine and e-Health (Dec 2008; Vol. 14(10): 1118-1126) showed impressive results for chronic disease management:

  • 19.74% reduction in hospital admissions
  • 25.31% reduction in bed days of care
  • 86% patient satisfaction
  • $1,600 average cost per patient per year, compared to $13,121 for primary care and $77,745 for nursing home care
  • 20% to 57% reduction in the need to be treated for the chronic diseases studied, including diabetes, COPD, heart failure, PTSD, and depression

 

Patient Data Ownership

I believe, as do many others, that the patient is at the center of everything we do and deliver in healthcare. By placing the patient and their information at the center of care, and allowing them access and control, we empower them and enable a model that moves away from the historically paternalistic delivery of healthcare to patient-centered and enabled care. It does come with challenges, since many people contribute to that care and the current administrative and financial configuration concentrates the management and ownership of data with providers, healthcare systems and payors. While many patients want access to their data, and some even want to own and manage it, many do not and are ill equipped to be responsible for it. Perhaps what we need are independent services and providers who aggregate, manage, secure and maintain patient data on behalf of patients, much as banks do with our money. There was some hope when Google and Microsoft jumped into healthcare, offering Google Health and Microsoft HealthVault respectively. Microsoft’s version continues to this day; Google withdrew theirs, and Sergey Brin was widely quoted as saying

“Generally, health is just so heavily regulated. It’s just a painful business to be in. I think the regulatory burden in the US is so high that I think it would dissuade a lot of entrepreneurs.”

But while complex, it is not insurmountable, and as he rightly points out:

“I am really excited about the possibility of data also, to improve health”

I am too, and while there remain many challenges associated with securing and sharing that data, the entrance of these alternative participants into the healthcare space, some perhaps looking at this from a simple employee perspective, is an opportunity for new ideas, insights and people applying their collective brain power to one of our most pressing problems. I continue to hear from colleagues and friends of companies that are exploring healthcare. UPS highlighted their healthcare focus and the potential for 3-D printing in a recent tweet:

And I heard from a friend that Dyson even has a healthcare “focus”.

Protecting Patients

There are some major concerns as these data-focused companies offer access but do so with agreements that contain so much legalese as to be unintelligible and opaque to the consumer, who may well be giving up much more than his own personal data, potentially giving up his future health. The Genetic Information Nondiscrimination Act (GINA) offers some protection to individuals who, in sharing personal genomic data that tags them with a “pre-existing” condition, could otherwise have found themselves unable to access care. But the act did not go far enough: it covers health insurers and employers but not life, disability or long-term care insurers, who can still use this data to deny coverage.

We need the combined power of this patient data to create insights into diseases, but not at that personal expense. There are many technologies on the horizon that offer a potential path to achieving this, and blockchain represents an interesting innovation: a decentralized, tamper-evident ledger that could record consents and access events, offering individualized control and dynamic revocation of access. One caveat: a ledger can record who was granted and who revoked access, but the clinical data itself, and the enforcement of those decisions, still have to live in systems off the chain. If you are interested in learning more about blockchain, this article in Healthcare IT News is a good primer on its potential in healthcare: How does blockchain actually work for healthcare?. It is not a panacea, and the fundamental rights and ownership still need to be addressed without giving away the farm to corporations and businesses.

Interoperability

The existing healthcare system incentivizes behavior that works against scalable, nationwide, vendor-neutral, interoperable, patient-centered data. Our model has multiple groups with a vested interest in the control and ownership of data (payers, providers, patients and even employers, for example). Each has its own economic and commercial drivers, and in many instances these do not coincide with open sharing of data. In a system driven by activity and delivering care (fee for service), sharing data could mean a reduction in work and income. Until our reimbursement system moves to a more holistic care model that focuses on wellness and outcomes, incentivizes behavior that delivers better health and outcomes for patients through cooperative and coordinated care, and ultimately rewards all the contributors to those outcomes equitably, we will remain stuck in the quagmire of limited interoperability.

The key to a patient-centered, interconnected care model is the free flow of data between all the areas responsible for delivering care. We moved away from the single index-card medical record held by your personal physician, who was the focal point of care and care coordination, to a distributed, team-based model of care that encompasses multiple areas and people. In some instances that care coordination may be carried out, at least in part, by the patient or their family members, and they need to be included and ultimately in control of the data and its flow. The only way this team can deliver excellent care is through the frictionless flow of data and knowledge. This information flow must include the patient and all the family members who are authorized, interested and engaged in their care. Data should be shared, with the patient’s consent, with everyone concerned and remain available for as long as it is needed to deliver care, but this access should be flexible enough to be revoked or removed when it is no longer needed.

Welcome to the Fray

I am a big fan of learning from other industries and perspectives, and spoke about this at the HIMSS Conference in Orlando (The Best Exotic Marigold Hotel).

I am excited to see the rush of companies and people into the healthcare space, but for those stepping in and thinking about data and the ownership and control of this data, I would suggest this requires a new way of thinking. Much like security, patient access and control need to be baked in from the start. Taking ownership and rights away from patients will stall progress and anger your constituents and community. As ePatient Dave would say, or better yet sing:

Give me My Damn Data

Here’s hoping that these new players see the value of the engaged patient and include some of these principles in their march towards our common goal of better more cost effective healthcare. For the large organizations thinking about the data, remember you and your family members are patients too. The following thoughts are offered as some basic guiding principles on data stewardship:

  • Patients want control of their own data
  • Patients want to be able to share their data safely and securely with all their care providers and participants (this will include family members and friends)
  • Patients want granular control over some elements of the data, limiting individual access to certain elements and areas
  • Patients require a full audit capability tracking who has access to, and who has accessed, their data
  • Patients want to be able to easily and dynamically revoke access
  • Patients will share their data for research and the benefit of others, but their contributions need to be recognized and accounted for
  • Data cannot be used against patients to deny coverage or increase their costs
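What the middle four principles look like when written down as code, as an added example that is not from the original post or from any product mentioned on the page: a patient-controlled consent registry with scoped grants, expiry, revocation and an append-only audit trail. The grantee names, the record scopes and the in-memory storage are assumptions for illustration. The rule that carries the weight is that access is denied by default and every decision, allowed or refused, is recorded so the patient can answer “who looked at my data?” as well as “who can?”.

```python
"""Patient-controlled consent registry (added example; names and scopes assumed)."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Grant:
    grantee: str               # assumed identifier, e.g. "dr.lee@cardiology.example"
    scopes: Set[str]           # record sections the grantee may read
    expires: Optional[float]   # epoch seconds, or None for no expiry
    revoked: bool = False


@dataclass
class ConsentRegistry:
    patient_id: str
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _log(self, event, **details):
        # Append-only: nothing in this class edits or removes an entry.
        self.audit.append({"ts": time.time(), "patient": self.patient_id,
                           "event": event, **details})

    def grant(self, grantee, scopes, ttl_seconds=None):
        """Give `grantee` read access to exactly `scopes`, optionally time-limited."""
        expires = time.time() + ttl_seconds if ttl_seconds else None
        self.grants[grantee] = Grant(grantee, set(scopes), expires)
        self._log("grant", grantee=grantee, scopes=sorted(scopes), expires=expires)

    def revoke(self, grantee):
        """Patient-initiated revocation; takes effect on the next check."""
        if grantee in self.grants:
            self.grants[grantee].revoked = True
        self._log("revoke", grantee=grantee)

    def check_access(self, grantee, scope, now=None):
        """Deny by default: allowed only with a live, unrevoked grant that
        covers this scope. Every decision is audited, allowed or not."""
        now = time.time() if now is None else now
        g = self.grants.get(grantee)
        allowed = (g is not None and not g.revoked and scope in g.scopes
                   and (g.expires is None or now < g.expires))
        self._log("access", grantee=grantee, scope=scope, allowed=allowed)
        return allowed

    def who_has_access(self, scope, now=None):
        """The patient's question 'who can see my X right now?'."""
        now = time.time() if now is None else now
        return sorted(g.grantee for g in self.grants.values()
                      if not g.revoked and scope in g.scopes
                      and (g.expires is None or now < g.expires))

    def access_history(self):
        """Who actually looked, or tried to: the audit entries for reads."""
        return [e for e in self.audit if e["event"] == "access"]


if __name__ == "__main__":
    reg = ConsentRegistry("patient-001")
    reg.grant("dr.lee@cardiology.example", {"labs", "meds"}, ttl_seconds=30 * 86400)
    reg.grant("sister", {"appointments"})
    print(reg.check_access("dr.lee@cardiology.example", "labs"))         # True
    print(reg.check_access("dr.lee@cardiology.example", "psych_notes"))  # False
    reg.revoke("dr.lee@cardiology.example")
    print(reg.check_access("dr.lee@cardiology.example", "labs"))         # False
    for entry in reg.access_history():
        print(entry)
```

Scopes are the granular-control principle: a cardiologist granted `labs` and `meds` is refused `psych_notes` without the patient having to think about it again. Expiry and revocation are both evaluated at check time rather than by deleting anything, so the audit trail stays complete and a revoked grant still shows who once had access.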

 

What have I missed? What controls or limits would you place on your data that would make you more willing to share it? What would stop you from sharing your data, and why?

 

 

Patient Centered Systems was originally published on Dr Nick – The Incrementalist