Navigating Healthcare – Patient Safety and Personal Healthcare Management

Improving Healthcare’s Security Posture

Healthcare’s Security Posture

As part of my interview series from BlackHat I spoke with Mike Weber, VP of Coalfire Labs. Coalfire is a large cybersecurity systems provider focused on securing transactions in the cloud, working with most if not all of the cloud providers. Coalfire just released its Penetration Risk Report, which includes a special section on healthcare. Not surprisingly, the news wasn’t good: healthcare had the worst “External Posture”, meaning the least security for anything an attacker can see from the outside, such as external-facing routers, firewalls and similar systems.

The biggest issue was legacy systems: in many instances upgrades had been installed, but the legacy, unsecured systems remained in use alongside them.

Listen in to the interview and hear Mike’s thoughts on incremental steps to combat the security challenges faced in healthcare. As he and others have pointed out, medical records are high risk because they have such a long shelf life, offering a rich vein to exploit for anyone able to steal them.

Incremental Steps for Improving Healthcare’s Security Posture

  • Upgrade old systems and, importantly, plan the retirement of the old systems as part of the upgrade
  • Consolidate your audit program to decrease audit fatigue
  • Prioritize the “Crown Jewels” among the data and systems you are protecting

Here’s the short list:

  1. Personal data is the top target (highest value) – medical identity information has a smaller market
  2. Platform Access – and the ability to install ransomware
  3. Encrypt everything

Improving Healthcare’s Security Posture was originally published on Dr Nick – The Incrementalist

Incremental Steps to Health

The Incrementalist Graphic Khan Siddiqui

This week I am talking to Dr Khan Siddiqui (@DrKhan), radiologist, programmer, serial entrepreneur, and Founder, CTO and CMO of HIGI, the company that is taking the concepts of consumer engagement and tracking to the next level and creating actionable insights that patients and their care team can use.

Much of Khan’s journey mirrors my own into the space of Digital Health: starting as a programmer in school, where he was building applications on a PDP-11 using punch cards, and continuing through his early work on the Electronic Health Record, mining data and applying machine learning and deep learning to healthcare data as far back as 2005.

Listen to his story of a turnabout of shared innovation at Microsoft, where the work the healthcare team had done on image analytics was applied to the Kinect bar and gaming, solving one of the challenging problems of “missing body parts”.

He was involved in the early work on Microsoft HealthVault and, like others, believed that sharing clinical data with patients and getting them engaged was a key requirement for solving health challenges, many of which are tied up with personal behavior. Frustrated by the lack of uptake compared to the Xbox gaming system, he took this experience with him to found Higi, replicating the user engagement of gaming and bringing it to healthcare.

Listen in to gain a different perspective on Xbox gaming and how healthcare has contributed to and learned from this world.


Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next two weeks at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.


Listen along on HealthcareNowRadio or on SoundCloud

Incremental Steps to Health was originally published on Dr Nick – The Incrementalist

Is Aspirin Good for Preventing Heart Disease?

Posted in Healthcare Technology by drnic on September 3, 2018

This week we are focusing on aspirin, a drug that has been around for thousands of years, going back to the Egyptians. It has some clear uses for relieving pain, reducing fever and decreasing inflammation, but we have found other benefits as well. It is used as an emergency treatment for anyone thought to be suffering a heart attack (chewable, full-dose aspirin if possible), and for some time the general medical guidance has been to give a baby or low-dose aspirin to help prevent heart attacks.

But that guidance has been called into question with the release of a new study: Aspirin to Reduce the Risk of Initial Vascular Events in patients at moderate risk of cardiovascular disease (or ARRIVE for short).

Incremental Steps in Deciding if Aspirin is Right for You

This week’s incremental step: educate yourself on the background of aspirin and its use for prevention in heart disease, and then, if you fall into any of the potential risk categories for heart disease, book an appointment to discuss aspirin as part of your health plan.

As the ARRIVE paper concluded:

“The use of aspirin remains a decision that should involve a thoughtful discussion between a clinician and a patient, given the need to weigh cardiovascular and possible cancer prevention benefits against the bleeding risks, patient preferences, cost, and other factors. The ARRIVE data must be interpreted and used in the context of other studies, which have tended to show a reduction primarily in myocardial infarction, with less of an effect on total stroke (including both ischaemic and haemorrhagic stroke). The overall decision to use aspirin for cardiovascular effects should be done with the help of a clinician, given the complex calculus needed to balance all potential benefits and risks.”

Can I ask a favor? If you like the video, please subscribe to my channel, and if you don’t, leave me your feedback and thoughts on how I can improve things.

Is Aspirin Good for Preventing Heart Disease? was originally published on Dr Nick – The Incrementalist

Unbreakable Encryption

Encryption Algorithms Under Siege

Over the course of history, the development and subsequent breaking of encryption standards has been a constant cycle. As new ciphers were developed they were broken, and the speed with which they were broken has increased. The modern-day “Data Encryption Standard”, or DES, was launched in the 70s with a 56-bit key (64 bits, but with 8 parity bits). This encryption was cracked in 1999 and, with that likelihood looming, NIST launched a new search for encryption standards, giving rise to the Advanced Encryption Standard (AES, aka Rijndael) with 256-bit keys. AES is under attack both cryptographically and by the brute force of ever faster computers, as and when they arrive. As a result, NIST is seeking new proposals for cryptographic standards to replace AES when it is broken, but with the advent of quantum computing this will be broken too.

Unbreakable Encryption

I spoke with John Prisco, President & CEO of QuantumXchange, who, in his words, is pioneering unbreakable encryption. I know what you’re thinking: the idea of something being unbreakable or unhackable seems impossible, and I was dubious as well.

But here’s what’s interesting: the foundation of the technology is the Heisenberg (no, not that Heisenberg) uncertainty principle.

You have to go deep into theoretical quantum physics to understand the background to this, and while I am no expert I’m fascinated by the quantum world. This explanation in the Encyclopaedia Britannica is helpful, comparing the concept to measuring the pressure of the air in your tires. TL;DR: you can’t, because as soon as you attach the pressure gauge you change the pressure. Essentially, you can never know with perfect accuracy both the position and the velocity of a particle; it is impossible to determine accurately both the position and the direction and speed of a particle at the same instant. You can learn more from the always brilliant Richard Feynman video lecture: Probability and Uncertainty in Quantum Mechanics.

Single Photon Based Encryption Keys

That uncertainty is a physical property, not a mathematical derivation (which is the foundation of conventional encryption). QuantumXchange uses the quantum properties of single photons (light) to exchange data between two locations, with keys derived from the exchanged quantum information. The keys are tamper evident: any attempt to intercept the key (to look at it or break it) changes its quantum state, thanks to the Heisenberg uncertainty principle, thereby corrupting the key, in which case those keys are rejected and a new pair is created.
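To make the tamper-evidence concrete, here is an added illustration (a textbook BB84-style simulation, not QuantumXchange’s implementation) in which an undisturbed exchange yields matching keys, while an interceptor who must measure the photons drives the error rate up and the key is rejected. The acceptance threshold, sample fraction and photon count are assumptions chosen for the demonstration.

```python
import random

# Added illustration of the tamper-evident key exchange described above; it is a
# textbook BB84-style simulation, not QuantumXchange's implementation. Bases:
# 0 = rectilinear, 1 = diagonal. Measuring a photon in the wrong basis gives a
# random result, which is the physical property that exposes an interceptor.

def measure(bit, prep_basis, meas_basis, rng):
    """Return the encoded bit if bases match, otherwise a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def exchange(n, eavesdrop, rng):
    """Send n photons from Alice to Bob; return the sifted bit strings of each."""
    sifted_a, sifted_b = [], []
    for _ in range(n):
        bit, a_basis, b_basis = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        photon_bit, photon_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve must guess a basis; a wrong guess disturbs
            # the state, and she forwards a photon prepared in her own basis.
            e_basis = rng.randrange(2)
            photon_bit = measure(photon_bit, photon_basis, e_basis, rng)
            photon_basis = e_basis
        b_bit = measure(photon_bit, photon_basis, b_basis, rng)
        # Sifting: bases are compared over the public channel and only matching
        # positions are kept; the bit values themselves are never disclosed.
        if a_basis == b_basis:
            sifted_a.append(bit)
            sifted_b.append(b_bit)
    return sifted_a, sifted_b

def estimate_qber(sifted_a, sifted_b, sample_fraction, rng):
    """Disclose a random sample of sifted bits to estimate the error rate.

    Returns (qber, key_a, key_b), where the keys exclude the disclosed sample.
    """
    idx = list(range(len(sifted_a)))
    rng.shuffle(idx)
    cut = max(1, int(len(idx) * sample_fraction))
    sample, keep = idx[:cut], sorted(idx[cut:])
    errors = sum(sifted_a[i] != sifted_b[i] for i in sample)
    return errors / cut, [sifted_a[i] for i in keep], [sifted_b[i] for i in keep]

QBER_THRESHOLD = 0.05  # constructed acceptance threshold for this illustration

def derive_key(n=4000, eavesdrop=False, seed=1):
    """Run one exchange and decide whether the resulting key is trustworthy."""
    rng = random.Random(seed)
    a, b = exchange(n, eavesdrop, rng)
    qber, key_a, key_b = estimate_qber(a, b, 0.25, rng)
    # Tamper evidence: an undisturbed channel gives QBER 0 here; intercept-resend
    # pushes it to about 25%, so the key is rejected and a fresh one requested.
    return {"accepted": qber <= QBER_THRESHOLD, "qber": qber,
            "key_bits": len(key_a), "keys_match": key_a == key_b}

if __name__ == "__main__":
    for eve in (False, True):
        print("eavesdropper" if eve else "clean channel", derive_key(eavesdrop=eve))
```

Real links also see noise-induced errors, so a deployed threshold must sit above the channel’s baseline error rate rather than at zero.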

All this takes place on “dark fiber” from Boston to Washington DC. QuantumXchange is offering this to customers in the healthcare and financial services markets, and already has examples in play of oil rigs using its quantum keys to secure the huge numbers of IoT devices used in critical infrastructure and in the control of oil drilling and production.

This concept is especially important for healthcare data, which has the longest shelf life of any data in the industry, so protecting it over extended periods of time is essential if we are to maintain patients’ privacy and confidentiality.

Here’s the Interview:

Unbreakable Encryption was originally published on Dr Nick – The Incrementalist

Artificial Intelligence in Medicine

Artificial Intelligence in Medicine – Better More Rewarding Medicine

The Incrementalist Graphic Anthony Chang

It was great to catch up with colleague and friend Dr. Anthony Chang (@AIMed_MD), Pediatric Cardiologist, Founder of Artificial Intelligence in Medicine (AIMed) and Director of the Medical Intelligence and Innovation Institute (MI3).

How did a pediatric cardiologist find his way into the field of Artificial Intelligence, Machine and Deep Learning?

Those of you that saw the original Watson Jeopardy Challenge

Anthony, like me, had the same reaction to this incredible achievement by the IBM Watson team, which beat the top two Jeopardy champions with an artificial intelligence computer system that consumed the contents of the internet library and produced the correct answers more often than the two human champions.

With a background teaching statistics, augmented with an MS in Biomedical Data Science/Artificial Intelligence, he has blazed a path to attract colleagues and data geeks from around the world to participate in the future of healthcare augmented by data.

For those of you challenged by the terminology of the space, this Venn diagram is helpful in putting the various disciplines in perspective.

AI Deep Learning and Big Data Venn Diagram

Along the way he, like many of my other guests, has discovered the value of the adjacent possible: in his case, data scientists and technologists adjacent to clinicians deeply invested in day-to-day clinical care, each learning from the other.

We cover everything from machine learning and data science through the requirements for clinicians (or not) to gain qualifications in data science. Hear him eloquently answer the age-old question:

Will I still have a job once AI has replaced me

TL;DR: yes, and it will be more rewarding.

Join me as you hear how and why you should change the way you think of medicine and data. The good news is that you can participate in the next AIMed event, which mixes specialists, clinicians, data geeks and patients from around the world in a unique, mind-opening learning experience.


Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next two weeks at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.


Listen along on HealthcareNowRadio or on SoundCloud

Artificial Intelligence in Medicine was originally published on Dr Nick – The Incrementalist

Are Your Pagers Leaking PHI Data

Hospital Paging Systems Security

Mark Nunnikhoven Trend Micro

I spoke with Mark Nunnikhoven, VP of Cloud Research at Trend Micro, about their recently published paper, Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry. Pagers were designed and built in an era when it took a lot of resources and technology to access the system, but now all it takes is a couple of hundred dollars and a PC add-in card and you are in.

“When pagers first came out the effort to interact with the system was high”

TL;DR: pagers in the clinical setting are unencrypted and represent a security risk for breach of Personal Health Information.

Mark’s incremental step: don’t include PHI in any pager traffic, then get rid of pagers and replace them with mobile devices that have end-to-end encryption.

In their study they found that the transmissions are not encrypted and contain multiple elements of PHI. They saw lots of examples (you can download the report here), and Trend Micro’s summary of the PHI exposed in the unencrypted messages they analyzed offers a peek into the potential breaches taking place on a daily basis.

Mark also mentioned another report, Securing Connected Hospitals, that looked at connected devices and highlighted the huge increase in attacks on healthcare information systems, in particular with ransomware.

Incremental Steps for Securing Your Pager System

  1. Don’t include Personal Health Information in pages; ask for a call back instead
  2. Replace the old-style pagers with new technology and devices, and
  3. When building devices, build security into the product
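As an added illustration of step 1, here is a small outbound screen a paging gateway could apply before a message goes over the air: pages carrying PHI-like content are rewritten as a call-back request while keeping the sender’s extension. This is not Trend Micro’s or any hospital’s code; the patterns, the MRN format, the default extension and the sample pages are constructed assumptions.

```python
import re

# Added illustration of step 1 (no PHI in pages, ask for a call back instead):
# an outbound pager gateway filter. The patterns, the MRN format and the sample
# pages are constructed assumptions, not Trend Micro's or any hospital's code.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[\s#:]*\d{6,10}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(
        r"\b(?:DOB[\s:]*)?(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b",
        re.I),
    "diagnosis": re.compile(r"\b(?:dx|diagnos\w*)[\s:]+[A-Za-z][\w .-]{2,40}", re.I),
    # "Pt Jane Doe" / "patient John Public": a patient label followed by a name
    "patient_name": re.compile(r"\b(?:[Pp]t|[Pp]atient)[\s:]+(?:[A-Z][a-z]+\s?){2,}"),
}

# A call-back extension is the one thing a page should carry: "x4421", "ext 5510".
CALLBACK = re.compile(r"\b(?:ext|x|call)[\s.:#]*(\d{3,6})\b", re.I)

SAMPLE_PAGES = [  # constructed examples of the kinds of message the report found
    "Pt Jane Doe MRN 0012345 DOB 04/12/1961 rm 412 new dx CHF, call x4421",
    "Consult needed, patient SSN 123-45-6789, please call ext 5510",
    "Code team to ED bay 3",
]

def screen_page(text):
    """Return the sorted names of the PHI categories detected in a page."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))

def safe_page(text, default_ext="0000"):
    """Pass clean pages through; rewrite PHI-bearing ones as a call-back request.

    Returns (message_to_send, findings). The sender's extension is kept when
    present so the recipient can still reach them; default_ext is a placeholder.
    """
    findings = screen_page(text)
    if not findings:
        return text, findings
    m = CALLBACK.search(text)
    ext = m.group(1) if m else default_ext
    return f"Please call back x{ext} regarding a patient matter", findings

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        sent, found = safe_page(page)
        print(f"{found or 'clean'}: {sent}")
```

Pattern matching of this kind only catches the common shapes of PHI, so it complements, rather than replaces, steps 2 and 3.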

Are Your Pagers Leaking PHI Data was originally published on Dr Nick – The Incrementalist

Improving Security by Default

Security by Default

The opening keynote by Parisa Tabriz, Director of Engineering at Google, “Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes”, covered the journey Google has taken to bring browsing into the security age. It was sobering to see that a company with Google’s resources started this journey in 2014 and is only now starting to see significant progress, four years on. Their path, like so many others, was a series of incremental steps to improvement and change.

Security, as described by Parisa, is much like the Whac-A-Mole game.

But the biggest round of applause came when Parisa stated:

Blockchain is not going to solve all your security problems

Clearly not a lot of support for Blockchain in the BlackHat audience….. yet?

From the journey taken to secure the Chrome browser, the key learning boiled down to three elements:

  1. Tackle the Root Cause
  2. Project Zero (disrupt the industry)
  3. More Transparency and Collaboration – shared security goals

Ultimately, hacking the status quo and bureaucracy is achieved through incremental steps that challenge the status quo. For those that don’t remember, the concept of bug bounties was controversial initially; now it is the gold standard. Likewise, auto-updates of security patches were controversial; now not so much.

An interesting slide showed the different ways a “secured” site has been presented in Chrome:

Chrome Connection Indicators circa 2014

In their survey, most users perceived the second choice as normal and secure. Over time they have moved the security indicators, bringing a large consortium of people along with them.

Rethinking the Security Indicators

And in bringing together experts, Parisa highlighted something I have long advocated in engineering healthcare technology: the people creating the technology, and the experts in it, are rarely the right people to optimize usability. As she put it:

Security people are rarely the right people to ask about usability in security interactions/interfaces

“Be a team player, don’t be a jerk”

She also noted that Google Page Rank is used as an influencer.

Incremental Steps to Security

At the press conference afterward, the question was: what one incremental step should you take in securing your enterprise?

Getting everyone pulling in the same direction is a key requirement.

Focus on finding the incentive and/or ROI for the people who are responsible for security.

Everyone has too much on their plate; what is required is allowing people to focus on security as a priority over all the other tasks on their to-do lists. This was true with Project Zero and with the HTTPS push (remember, this took from 2014 to 2018).

I will leave you with this as a closing thought:

A product that has no security flaws or bugs probably just doesn’t know about them.

Improving Security by Default was originally published on Dr Nick – The Incrementalist

Telehealth is Here – Getting There Quicker with Incremental Steps

The Incrementalist Graphic Til Jolly

This week I am talking to Dr. Til Jolly, CMO for Specialists on Call (SOC) Telemed, who are delivering enterprise-wide telemedicine to over 450 hospitals.

Dr Jolly is an Emergency Room physician with a fascinating background that includes working for the NFL Super Bowl “Emergency Preparedness Team”, planning Super Bowls around the country over multiple locations. He shares some of his experiences in that role and some of the things he learned along the way: learning from previous events, clear role assignment and division, and above all practice (he’s talking about the medical teams, but I’m sure that’s true for the NFL teams :-)).

We talk about the small incremental improvements that have been adding up in telehealth delivery. As he puts it, the barriers are not technology anymore, and there has been some good progress around reimbursement. In an interesting twist and a different perspective, he looks back with fondness at the introduction of the fax machine and the positive impact it had on care, with the ability to fax EKGs directly to clinicians.

The resistance is no longer coming from patients; in some instances it comes from clinicians and health systems who want to stick with “traditional” methods of care delivery. But the writing on the wall is clear: telehealth is here to stay and will be a major part of supporting our aging population, even mitigating some of the loneliness these individuals experience.


Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next two weeks at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.


Listen along on HealthcareNowRadio or on SoundCloud

Telehealth is Here – Getting There Quicker with Incremental Steps was originally published on Dr Nick – The Incrementalist

Exploiting Implanted Medical Devices

Hollywood Future Predictions

Spoiler alert for anyone who has not watched the Showtime series “Homeland” or has not got past Season 2.

Hacking Medical Devices – Homeland Broken Heart; Picture from Seriesandtv.com

In the episode titled “Broken Heart” (December 2, 2012) we watch a hacker gain remote, unauthorized access to the Vice President’s pacemaker and induce a tachycardia (an increase in the heart rate), causing him to succumb to a heart attack. Abu Nazir kills the Vice President by accessing his pacemaker remotely:

While the whole operation seemed almost too simple, it was not an implausible tactic. We saw this in October, when Darren Pauli wrote about a researcher in Australia who had

“reverse-engineered a pacemaker transmitter to make it possible to deliver deadly electric shocks to pacemakers within 30 feet and rewrite their firmware.”

The risk was real enough that Dick Cheney revealed that fear of this hack led him to have the wireless function of his device turned off in 2007. It was covered in this piece in the NY Times, A Heart Device Is Found Vulnerable to Hacker Attacks, but was discounted based on the high cost and the need for sophisticated equipment.

Billy Rios – Security Researcher

Enter a security manager and researcher, Billy Rios, who, thanks to an unplanned extended hospital stay surrounded by a slew of unsecured access points in his room and WiFi-connected devices, including ones connected to him, went on an 18-month journey to study the risks.

This presentation is the culmination of an 18-month independent case study in implanted medical devices. The presenters will provide detailed technical findings on remote exploitation of pacemaker systems, pacemaker infrastructure, and a neurostimulator system. Exploitation of these vulnerabilities allows for the disruption of therapy as well as the ability to execute shocks to a patient.

He presented his findings at BlackHat 2018: Understanding and Exploiting Implanted Medical Devices.

Here’s the video of the hack demonstrated at the event:


I was fortunate to speak to him and discuss the journey, his findings and his thoughts on incremental steps to mitigate this.

As Billy points out, it is essential for the clinical team to focus on these risks, understand the concerns raised by security researchers and others, and provide the essential clinical perspective missing from healthcare security discussions.

Here is the live stream of their presentation and demo:

Exploiting Implanted Medical Devices was originally published on Dr Nick – The Incrementalist

Social Media Insights from MayoInOz

Posted in Healthcare Technology by drnic on July 29, 2017

I attended the MayoInOz conference some time back and captured some of the key elements of the presentations and discussions.

The core principle: teamwork.

If the #Mayo Bros had Twitter: “The best interest of the #patient is the only interest to be considered” #MayoInOz pic.twitter.com/lnxBOB17fC

— ANZCA (@ANZCA) November 14, 2016

We are being disrupted, captured perfectly in this one slide from Andrew Grills highlighting the volume of WhatsApp activity versus the volume of SMS text messages.

Just in case you thought we had not moved to Digital: WhatsApp volume far higher than SMS text messaging #mayoinoz pic.twitter.com/Zdl4g6frw5

— Nick van Terheyden (@drnic1) November 14, 2016

Social is not a channel, although, as several commentators pointed out, many companies have jumped on the social media bandwagon and use it as just another channel to pump content at potential customers.

The top skills in demand, as surveyed by LinkedIn, feature data analysis and statistics.

Moving to the cognitive era: humans + machines. It is not artificial intelligence but rather augmented intelligence.

Test out your profile with a Watson analysis:

http://gwen-systemu.mybluemix.net/

The last best experience anyone has anywhere becomes the minimum expectation for the experience they want everywhere.

This captures everything about competition.

Your competitors are everyone: FedEx, airlines, hotels, etc.

So true. Think airlines/hotel rooms #MayoInOz pic.twitter.com/r7TXNRWP2L

— Michelle Carnovale (@M_Carnovale) November 14, 2016

Social Media Insights from MayoInOz was originally published on DrNic1