• Posted on January 26, 2017 11:55 am
    Joseph Forbes
    No comments

    Keeping track of passwords can seem like a hassle. Most of us have multiple sites we visit which require password logins. So many, in fact, that it's tempting to use the same username/password combo for all of them. Don't. Otherwise, it takes only the compromise of a single site's credentials to have a toppling domino effect on the security of all your online assets. Fortunately, there is a fairly straightforward way to have different passwords for each site you use but still make the passwords easy enough to remember.

    Creating Unique Passwords

    Before you begin creating strong passwords, you need to consider the use of those passwords. The intent is to create strong passwords unique to each account, but easy enough to memorize. To do this, first split the sites you frequently log in to into categories. For example, your category list might read as follows:

    - social networking sites
    - auction sites
    - ecommerce sites
    - email accounts
    - banking sites
    - forums

    A word of note here about forums. Never use the same password for a site's forum as you would for logging into the site itself. Generally speaking, the security on forums is not as strong as it is (or should be) for the regular site, and thus the forum becomes the weakest link in your security. This is why, in the example above, forums are split into a separate category.

    Now that you have your categories, list under each one the sites to which you must log in. For example, if you have a Hotmail, Gmail, and Yahoo account, list these under the category 'email accounts'. After you've completed the list, you're ready to begin creating the strong, unique, and easy-to-remember passwords for each.

    Creating Strong Passwords

    A strong password should be at least 14 characters. Each character less than that makes it a little easier to compromise. If a site absolutely won't allow a password that long, then adapt these instructions accordingly.

    Using the 14 character rule, use the first 8 characters as the common portion of all passwords, the next 3 to customize by category, and the last 3 to customize by site. The end result looks like this:

    common(8)|category(3)|site(3)

    Following this simple rule, when you change your passwords in the future you'll only need to change the first common 8 characters of each. (Current guidance, for example NIST SP 800-63B, is to change a password when there is evidence it has been compromised rather than on a fixed schedule; the scheme makes that change cheap when it is needed.)

    One of the commonly recommended means of remembering a password is to first create a passphrase, modify it to the character limit, then begin swapping characters for symbols. So to do that:

    1. Come up with an 8 word passphrase that is easy to remember.
    2. Take the first letter of each word to form the password.
    3. Substitute some of the letters with keyboard symbols and caps (symbols are better than caps).
    4. Tack on a three letter abbreviation for the category, also replacing one of the letters with a symbol.
    5. Tack on a site specific three letter abbreviation, again replacing a single letter with a symbol.

    As an example:

    In step 1 we might use the passphrase: my favorite uncle was an air force pilot
    Using the first letters of each word, we end up with: mfuwaafp
    Then we swap some of those characters with symbols and caps: Mf{w&A5p
    Then we tack on the category (e.g. ema for email) and swap out one character of ema: e#a
    Finally, we add the site abbreviation (e.g. gma for Gmail) and swap out one character: gm%

    We now have a password for our Gmail account of Mf{w&A5pe#agm%

    Repeat for each email site, so perhaps you end up with:

    Mf{w&A5pe#agm%
    Mf{w&A5pe#aY%h
    Mf{w&A5pe#aH0t

    Now repeat these steps for the additional categories and sites within those categories. While this may look hard to remember, here's a tip to simplify: decide in advance what symbol you will equate with each letter.

    One weakness to keep in mind: the three passwords above share their first 11 characters. Anyone who obtains one of them in cleartext (through a phishing page, or from a site that stored passwords unhashed) can read off the pattern and needs to guess only the final site block to reach your other accounts in that category. A password manager that generates an unrelated random password per site does not have this problem; reserve the scheme above for the few passwords you must be able to type from memory.

    Be sure to check out these other tips for remembering passwords. You may be surprised to learn that some of the oldest advice may just be the wrong advice.
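The three example passwords above share their first 11 characters, so a single cleartext leak tells an attacker most of every sibling password. The following is an added example, not code from the original post, that makes that concrete: it recovers the shared block from a set of leaked passwords and counts the worst-case guesses left for another account built on the same pattern. It assumes the attacker knows the common(8)|category(3)|site(3) layout and that the unknown characters are drawn from the 94 printable ASCII characters on a US keyboard; both are assumptions, not facts stated on the page.

```python
import string

# The page's three example passwords, treated here as if leaked from three sites.
LEAKED = ["Mf{w&A5pe#agm%", "Mf{w&A5pe#aY%h", "Mf{w&A5pe#aH0t"]

# Assumed attacker alphabet: every printable ASCII character (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def shared_prefix(passwords):
    """Longest prefix common to every password in the list ('' for an empty list)."""
    if not passwords:
        return ""
    first = passwords[0]
    for i, ch in enumerate(first):
        if any(len(p) <= i or p[i] != ch for p in passwords[1:]):
            return first[:i]
    return first


def remaining_guesses(total_len, known_prefix_len, alphabet=ALPHABET):
    """Worst-case number of guesses once the first known_prefix_len characters are known."""
    unknown = max(total_len - known_prefix_len, 0)
    return len(alphabet) ** unknown


def leak_report(passwords, total_len=14):
    """Summarise what the leak reveals about a fourth password in the same category."""
    prefix = shared_prefix(passwords)
    return {
        "shared_prefix": prefix,
        "shared_len": len(prefix),
        "guesses_left": remaining_guesses(total_len, len(prefix)),
        "guesses_without_leak": remaining_guesses(total_len, 0),
    }


if __name__ == "__main__":
    report = leak_report(LEAKED)
    print(f"attacker learns {report['shared_len']} of {14} characters: {report['shared_prefix']!r}")
    print(f"guesses left for a sibling account: {report['guesses_left']:,}")
    print(f"guesses with no leak at all:        {report['guesses_without_leak']:,}")
```

With one leaked email password the attacker already knows the common and category blocks, leaving 94^3 (about 830,000) candidates for each other email account, which an online guessing tool finishes in hours and an offline cracker in well under a second.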

    Blog Entry, DATA, Internet
  • Posted on January 9, 2017 11:11 am
    Joseph Forbes
    No comments

    How your online habits leave you and your computer at risk

    Keeping safe online takes more than just installing a few security programs. To protect both you and your computer, here are the top ten bad habits you need to avoid.

    1. Browsing the Web with JavaScript enabled by default
    Today's attackers are more likely to host their malicious files on the web. They may even update those files constantly using automated tools that repackage the binary in an attempt to bypass signature-based scanners. Whether through social engineering or through a website exploit, the choice of browser will be of little help: no mainstream browser is immune to Web-based malware, and that includes Chrome, Firefox, Opera, and the much-maligned Internet Explorer. Disabling JavaScript on all but the most trusted sites goes a long way toward safer web browsing.

    2. Using Adobe Reader/Acrobat with default settings
    Adobe Reader comes pre-installed on most computers, and even if you never use it, its mere presence can leave your computer at risk. Vulnerabilities in Adobe Reader and Adobe Acrobat have for years been among the most common infection vectors. Staying up to date with the latest version of Adobe products is imperative, but not foolproof. To use Adobe Reader (and Acrobat) safely, you need to make a few tweaks to its settings, starting with the reader's own JavaScript support, which is enabled by default.

    3. Clicking unsolicited links in email or IM
    Malicious or fraudulent links in email and IM are a significant vector for both malware and social engineering attacks. Reading email in plain text can help identify potentially malicious or fraudulent links, because a link's real destination is no longer hidden behind friendly display text. Your best bet: avoid clicking any link in an email or IM that is received unexpectedly, particularly if you do not know the sender.

    4. Clicking on popups that claim your computer is infected
    Rogue scanners are a category of scam software sometimes referred to as scareware. Rogue scanners masquerade as antivirus, antispyware, or other security software, claiming the user's system is infected in order to trick them into paying for a full version. Avoiding infection is easy: don't fall for the bogus claims, and close the browser window rather than clicking anything inside the popup, including its own 'close' or 'cancel' button.

    5. Logging in to an account from a link received in email, IM, or social networking
    Never, ever log in to an account after being directed there via a link received in an email, IM, or social networking message (e.g. Facebook). If you do follow a link that instructs you to log in afterwards, close the page, then open a new page and visit the site using a previously bookmarked or known good link.

    6. Not applying security patches for ALL programs
    Chances are, there are dozens of security vulnerabilities waiting to be exploited on your system. And it's not just Windows patches you need to be concerned with. Adobe Flash, Acrobat Reader, Apple QuickTime, Sun Java and a bevy of other third-party apps typically host security vulnerabilities waiting to be exploited. The free Secunia Software Inspector helps you quickly discover which programs need patching, and where to get it.

    7. Assuming your antivirus provides 100% protection
    So you have antivirus installed and are keeping it up to date. That's a great start. But don't believe everything your antivirus does (or rather doesn't) tell you. Even the most current antivirus can easily miss new malware, and attackers routinely release tens of thousands of new malware variants each month. Hence the importance of following all the tips provided on this page.

    8. Not using antivirus software
    Many (probably infected) users mistakenly believe they can avoid malware simply by being 'smart'. They labor under the dangerous misconception that somehow malware always asks permission before it installs itself. The vast majority of today's malware is delivered silently, via the Web, by exploiting vulnerabilities in software. Antivirus software is must-have protection. Of course, out-of-date antivirus is almost as bad as no antivirus software at all. Make sure your antivirus software is configured to automatically check for updates as frequently as the program will allow, or a minimum of once per day.

    9. Not using a firewall on your computer
    Not using a firewall is akin to leaving your front door wide open on a busy street. There are several free firewall options available today, including the firewall built into Windows. Be sure to choose a firewall that offers both inbound and (as importantly) outbound protection.

    10. Falling for phishing or other social engineering scams
    Just as the Internet makes it easier for legitimate pursuits, it also makes it easier for scammers, con artists, and other online miscreants to carry out their virtual crimes, impacting our real-life finances, security, and peace of mind. Scammers often use sad-sounding stories or promises of quick riches to hook us into being willing victims of their crimes. Exercising common sense is one of the best ways to avoid online scams. For extra help, consider installing one of the free anti-phishing toolbars.

    Blog Entry, Hacking, Internet
  • Posted on January 5, 2017 11:24 am
    Joseph Forbes
    No comments

    You're not really sure how the heck they got your password, but they did, and now you're freaking out. The password to one of your accounts has been cracked and you don't know what to do to get control of your account back. Let's look at several things you can do to regain control of your account and get things back to a secure state.

    If Someone Cracked Your Password But You Can Still Log Into Your Account

    Change the password immediately. Then review the account's recovery settings (recovery email address, phone number, security questions) and any active sessions or connected applications: an intruder who had access may have added recovery details of their own so that they can reset the password later, and may still be signed in.

    The worse scenario is that the hackers change your password before you notice. Hopefully the security questions that you answered when you set up your account will help you regain control of your account and allow you to reset your password and lock them out.

    What if there aren't any security questions? Many accounts have a password reset process that will allow you to initiate a reset using an email account that you have on file with the account provider. Unless the hacker has changed this email address, you should be able to regain control of your account by having the password reset link sent to your email.

    If They've Taken Control Of Your Account and Locked You Out By Changing The Password

    If the person who cracked your password has locked you out by changing your password, getting it reset might be a little more complicated. You may need to contact the account provider's support line and explain the situation; they should be able to verify that you are who you say you are via other means, such as by looking at the phone numbers you have on file, verifying your address, or reviewing the answers to your security questions. Make sure that you inform the account provider that this just happened, that any information recently added to your account is false, and that you want to place your account on hold until everything is sorted out. Reporting the password hack quickly is essential to limiting the damage.

    If The Account Was Your Main Email Account

    If your main email account is hacked then things can become even more complicated because, chances are, you have a lot of other accounts pointing to your email account for password reset purposes. Thankfully most email providers have multiple ways of verifying that you are who you say you are. Follow their account password reset procedures and, if all else fails, contact their account support.

    The next step you should take after resetting your main (hacked) email account password is to change the passwords of every other account that points to that email address for password resets. The reason: the password crackers could have initiated password resets for those other accounts while they controlled your mailbox.

    Steps to Take To Prevent it From Happening Again

    Make Your Next Password Much Stronger
    When creating passwords to replace ones that have been cracked, create a much stronger, longer, and more complex password, and one that you do not reuse anywhere else. For tips on creating strong passwords, check out our article: How to Make a Strong Password.

    Use Two-factor Authentication If It's Offered
    Another way to prevent future account compromises is to enable two-factor authentication on the accounts that support it. Two-factor authentication requires a second proof of identity in addition to the password, usually a one-time PIN that the account provider sends over an already established and verified channel, such as a mobile phone or a secondary email account, or a code generated by an authenticator app on your phone. Other methods use the fingerprint readers built into newer iPhones, iPads, and some Android devices. Linking a device to your account works in two ways. As long as you have your phone, you will be notified whenever someone (including you) signs in to the account. If you lose your phone, whoever has it may hold the keys to your whole online life, so record the backup codes the provider offers when you enable two-factor authentication and keep them somewhere safe.
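The one-time PIN described above is one form of second factor; authenticator apps use the related time-based one-time password (TOTP, RFC 6238), in which the phone and the server both derive a short code from a shared secret and the current time, so nothing has to be sent over SMS. The following is an added example, not code from the original post, showing how that code is derived (HOTP from RFC 4226 with the time step as counter) and how a server should check it: constant-time comparison and a small tolerance for clock drift. The secret, timestamps and expected codes are the published RFC 6238 test vectors; the one-step verification window is an assumption, and a real service must additionally refuse to accept the same code twice.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    digest = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(key, int(at_time) // step, digits, digestmod)


def verify_totp(key: bytes, submitted: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side.

    Assumption for the example: window=1 (about 30 s of drift each way). A real
    deployment must also remember the last accepted counter and reject replays.
    """
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        # compare_digest avoids leaking where the mismatch occurs via timing
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_KEY, now)
    print("current 6-digit code:", code, "valid:", verify_totp(RFC_TEST_KEY, code, now))
```

Because the code changes every 30 seconds and is bound to a secret that never leaves the phone and the server, a password stolen through phishing is useless on its own; the attacker would also need a code generated within the verification window.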

    Blog Entry, DATA, Data Recovery
  • Posted on January 4, 2017 12:02 pm
    Joseph Forbes
    No comments

    Here are example passwords that discourage 'brute force' dictionary cracking:

    OK Password      Better Password       Excellent Password
    kitty            1Kitty                1Ki77y
    susan            Susan53               .Susan53
    jellyfish        jelly22fish           jelly22fi$h
    smellycat        sm3llycat             $m3llycat
    allblacks        a11Blacks             a11Black$
    usher            !usher                !ush3r
    ebay44           ebay.44               &ebay.44
    deltagamma       deltagamm@            d3ltagamm@
    ilovemypiano     !LoveMyPiano          !Lov3MyPiano
    Sterling         SterlingGmail2015     SterlingGmail20.15
    BankLogin        BankLogin13           BankLogin!3
    Shelby           ShelbyPass1           Shelby.Pass1.
    Rolltide         RollTide%             RollTide%.%
    StarWars         $tarwarz              $tar|warz

    Why are some passwords stronger than others?

    A strong password resists guessing. Hackers and computer intruders use automated software to submit hundreds of guesses per minute against your online account. These tools are called 'dictionary' or 'brute force repetition' tools, because they use English dictionaries to sequentially guess your password. For example, a dictionary tool will submit sequential guesses like this:

    Dog, Dogs, Dogcatcher, Dogcatchers, Dogberry, Dogberries, Dogma, Dogmatic, Dogmatized, Dog1, Dog2, Dog3, Dog4

    Against a live login form, such tools manage on the order of 1000 attempts per minute, and a well-run site will lock or throttle the account long before that. The less your password resembles regular English word patterns, the longer it will take for a repetition tool to guess it.

    Two caveats. First, if a site's password database is stolen, the attacker cracks the password hashes offline, at millions to billions of guesses per second, so the online rate limit no longer protects you. Second, cracking tools apply exactly the substitutions shown in the table (i to 1, e to 3, t to 7, s to $, a to @, a digit or symbol tacked on the front or end) as standard 'mangling rules', so a substituted dictionary word is only a few thousand guesses away from the bare word. Substitutions help against a naive dictionary run; length and the absence of any dictionary base word help far more.

    Beating dictionary programs: use non-English word combinations. These password variations below purposely avoid using complete English word patterns. By injecting numbers and special characters instead of letters, and by combining several words, these passwords take considerably longer to guess by a dictionary program:

    Dog.lov3r
    dOG.lov3r
    i7ovemydog!!
    d0gsaremybestfr13nds
    sn00pdoggyd0G
    Karm@beatsDogm@
    C@ts-and-Dogs-Living-together
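To show how little work the symbol substitutions in the table above cost an attacker, here is an added example, not code from the original post, of a minimal rule-based word mangler of the kind built into password crackers such as hashcat and John the Ripper. It takes one dictionary word and generates every mix of the substitutions the table uses, with optional capitalization and a single prepended or appended digit or symbol, then reports how many guesses it needs to reach some of the page's 'Excellent' passwords. The rule set and affix list are my assumptions about what a cracker would try first; real rule sets are far larger.

```python
import itertools

# Substitutions the page's own examples rely on (i->1, e->3, t->7, s->$, a->@, o->0).
LEET = {"i": "1", "e": "3", "t": "7", "s": "$", "a": "@", "o": "0"}

# Assumed affixes: nothing, a single digit, or one of the symbols seen in the table.
AFFIXES = ["", "1", "2", "3", "!", ".", "$", "&", "%", "@"]


def leet_variants(word):
    """Yield word with every subset of its substitutable letters replaced."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flag, pos in zip(mask, positions):
            if flag:
                chars[pos] = LEET[chars[pos].lower()]
        yield "".join(chars)


def mangle(word):
    """Yield candidate passwords derived from one dictionary word, in guess order."""
    seen = set()
    for base in (word.lower(), word.capitalize()):        # case rule
        for variant in leet_variants(base):                # substitution rule
            for prefix in AFFIXES:                         # prepend rule
                for suffix in AFFIXES:                     # append rule
                    candidate = prefix + variant + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def guesses_needed(word, target):
    """Number of candidates tried before `target` is produced from `word`, or None."""
    for n, candidate in enumerate(mangle(word), 1):
        if candidate == target:
            return n
    return None


def total_candidates(word):
    """Size of the candidate list this rule set produces for one dictionary word."""
    return sum(1 for _ in mangle(word))


if __name__ == "__main__":
    # (dictionary word, 'Excellent' password from the table above)
    for word, target in [("kitty", "1Ki77y"), ("smellycat", "$m3llycat"),
                         ("usher", "!ush3r"), ("deltagamma", "d3ltagamm@")]:
        print(f"{target:>12} reached after {guesses_needed(word, target)} "
              f"of {total_candidates(word)} candidates from {word!r}")
```

For a five-letter word the whole rule set is 1600 candidates: under two minutes at the 1000 guesses per minute quoted above, and a rounding error for an offline cracker working on stolen hashes. Entries that insert digits in the middle of the word (jelly22fi$h) or use a different substitution (a11Black$) escape this particular rule set, but only until the attacker adds those rules, which is exactly what the rule files shipped with cracking tools do.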

    Blog Entry, EDUCATION, Hacking
  • Posted on January 3, 2017 12:00 pm
    Joseph Forbes
    No comments


    Blog Entry, Data Recovery, Hacking
  • Posted on December 27, 2016 9:08 am
    Joseph Forbes
    No comments

    [ALERT] Scam of the Week: George Michael Dies at 53. Watch out for Phishing Attacks

    Yesterday, news broke that George Michael was found dead on Sunday at his home in Goring in Oxfordshire, England. He was 53. A police statement said: "Thames Valley Police were called to a property in Goring-on-Thames shortly before 2 p.m. Christmas Day. Sadly, a 53-year-old man was confirmed deceased at the scene. At this stage the death is being treated as unexplained but not suspicious." Mr. Michael's manager, Michael Lippman, told The Hollywood Reporter that Mr. Michael had died of heart failure "in bed, lying peacefully."

    This is a celebrity death similar to Prince's that the bad guys are going to exploit in a variety of ways. You have to warn your users right away that a series of scams are underway using the George Michael death as a social engineering trick. Earlier celebrity death scams show there will be a high click rate on scams that claim to show Michael's last words on video. Whatever ruse is being used, your users will wind up with infected workstations at home or in the office, giving out personal information, or unleashing ransomware on the network. Give them a heads-up that especially now they need to Think Before They Click.

    I would send your employees, friends and family something like the following. You're welcome to copy/paste/edit.

    "Yesterday, news broke that pop star George Michael was found dead in his home in Oxfordshire, England. He was 53. Internet scum are going to exploit this celebrity death in a number of ways, so be careful with anything related to George Michael's death: emails, attachments, any social media (especially Facebook), texts on your phone, anything. There will be a number of scams related to this, so Think Before You Click!"

    For KnowBe4 customers, as you read this, there will be a new template "George Michael Dies at 53" in the Current Events campaign that I suggest you send to everyone more or less immediately. If you are not a KnowBe4 customer yet, at times like this it is very good to know what percentage of your users are vulnerable to emotional manipulations like this. We recommend you do your complimentary Phishing Security Test and find out what your users' Phish-prone percentage is. https://info.knowbe4.com/phishing-security-test-chn

    Let's stay safe out there.

    Blog Entry, ENTERTAINMENT, Hacking
  • Posted on June 14, 2016 10:31 am
    Joseph Forbes
    No comments

    Email is here to stay

    Despite the growing popularity of applications like WhatsApp, email is still considered to be the most important communication tool for online workers [1] and is likely to grow in importance over the next five years [2]. A problem with email, however, is that it was designed at a time when Internet security was non-existent. Email can be easily forged and intercepted. Growing economic espionage is becoming more and more of a problem for companies worldwide. The FBI estimates that economic espionage "costs the American economy hundreds of billions of dollars per year" [3]. New laws, like the European General Data Protection Regulation, require companies to protect all personal data. Non-compliance can lead to "a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is greater" (that wording is from the European Parliament's 2014 draft; the regulation as adopted in 2016 sets the upper tier at 20 000 000 EUR or 4% of worldwide annual turnover, whichever is higher).

    Rules and regulations

    Today, most users are no longer surprised when they hear about the security issues involving email. Most professions have strict rules and regulations on how to deal with privacy-sensitive information (for example HIPAA in the medical industry). What is surprising, however, is that even though most users are aware that unencrypted email is not safe, many users still send privacy-sensitive information unencrypted. Unfortunately there is a big gap between knowing and doing.

    The role of auditors

    In order to improve the security of their digital "Fort Knox", organizations spend large sums auditing and protecting their IT infrastructure. Sometimes companies are even required to buy firewalls from two, or more, vendors: if a vulnerability is found in the firewall from vendor A, you still have a backup firewall from vendor B. Strangely enough, it looks like auditors think their responsibility for what needs to be audited stops at the borders of the company's infrastructure. In other words, once data has left the company's infrastructure, it seems the company is no longer responsible for the data.

    Of course auditors are not stupid. They are aware that email can be forged and intercepted. However, since most companies are still allowed to use unencrypted email, even for privacy-sensitive data, it seems most auditors turn a blind eye when it comes to email encryption.

    Why is email encryption not used?

    Email encryption products have been available for years and most email clients already have encryption capabilities built in. If email encryption is already supported out of the box, why is email encryption not used more often? There are a couple of reasons why email encryption is not popular. The paper "Why Johnny can't encrypt: a usability evaluation of PGP 5.0", published in 1999, discusses why email encryption products are hard to use and why email encryption is not used more often. In my opinion the two most important conclusions of the article are:

    - Individual users are not motivated to encrypt their email.
    - Email encryption is too complex.

    Users might not be motivated to encrypt their email because they do not think encryption is important. "I have never encrypted my email, so why should I change this" is an often heard excuse. The first conclusion might also be related to the second conclusion. If email encryption were easy, more people would be motivated to encrypt their email. If email encryption is too difficult to use, people will either send email unencrypted, or they will find different ways to send it. Recently, the Dutch minister of economic affairs reported that he uses his personal email account for work-related email and that his personal email account was hacked. It is against the rules for a minister to send work-related emails to personal email accounts. The reason for him not using the official work account is unclear, but my guess is that it was probably too difficult for him to send sensitive documents via his work mail account and he therefore chose the easier route of using his personal mail account.

    How to make email encryption easier?

    I think the best option for email encryption is to encrypt email at the network level using a centralized email encryption gateway. The main benefit of an email encryption gateway is that it allows you to define a centralized security policy. For example, you can define a policy that all email to a certain domain must be encrypted. Because the policy is centralized, users do not have to think about whether to encrypt their email. The system encrypts automatically if required. The administrator is responsible for the security policy and for configuring the correct keys. Key management is too complex for end users. An additional benefit of a centralized encryption gateway is that it is still possible to scan for spam and viruses at the gateway level. This is not possible if encryption is done at the desktop level, because the centralized virus scanner cannot scan encrypted email for viruses. A gateway solution also supports a hybrid mode where digital signing is done at the desktop level and encryption at the gateway level.

    Is Transport Layer Security (TLS) the solution?

    Some might think "but this can all be done with TLS!". This is only partially true. Without going through all the details, I will try to explain why TLS is not sufficient. TLS protects the communication channel between two mail servers, not the individual messages: once a message has been received it sits unencrypted in the mail store and in any queue it passes through. Another problem with TLS is that you can only enforce a secure connection to the first hop. If an email is handled by an intermediate mail server, you cannot enforce TLS from that server to the next, because you are no longer in control of the email. Another problem is that TLS as used by SMTP (STARTTLS) is vulnerable to a "Man In The Middle" attack. STARTTLS is opportunistic: the sending server normally continues in plaintext if the STARTTLS offer is missing from the receiving server's reply, and it accepts whatever certificate it is shown, because there is no inherent relationship between the domain of a recipient and the domain of the mail server responsible for handling email for that domain; the MX record that names that server comes from unauthenticated DNS. Until DANE is widely supported, SMTP over TLS will remain vulnerable to a "Man In The Middle" attack.

    Use open standards

    To make email encryption between servers successful, open standards should be used. Using open standards also lowers the risk of vendor lock-in. There are currently two Internet standards for email encryption: S/MIME and OpenPGP. These two standards are supported by multiple vendors and by many open source solutions. With most gateway solutions, you can configure domain-to-domain encryption. This makes email encryption completely transparent for end users. Future standards like DANE for S/MIME or DANE for OpenPGP make key exchange between gateways and desktop clients virtually automatic.

    Blog Entry, Emailed, Internet
  • Posted on July 27, 2013 10:30 am
    Joseph Forbes
    No comments

    from the trust-no-one dept.

    Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article:

    'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.'

    I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children.

    Coming up next, our newest feature: Things I wish surprised me, even a little.

    As sad as it is, I have to agree. This doesn't surprise me one bit. I mean, investigating is hard! Can't have criminals hide behind things like strong encryption! Ergo, no one can use encryption. That said, I'm hoping we're slowly getting to a tipping point on the entire privacy vs. security discussion. 9/11 happened long enough ago that the knee-jerk reactions are dying down, and people are starting to question what we're doing in order to make sure 3000 people don't die over the course of a few years.

    DATA, LAW, NERD NEWS
  • Posted on April 24, 2013 10:25 pm
    Joseph Forbes
    No comments

    But the majority of US health providers are in smaller practices that have been slow to embrace electronic medical records Nearly a decade after research firms predicted major cost savings and clinical benefits from the use of health-IT, adoption rates among U.S. medical providers remain sluggish, with the industry slow to embrace the big-data movement. Electronic health record (EHR) adoption has been fastest at larger, more technology-savvy medical organizations, while smaller practitioners -- which make up the bulk of U.S. clinicians -- have been slow on the health-IT uptake for a variety of reasons, chief among them the cost, but also the training time and effort needed to make the move from paper. Those that don't adopt EHRs by 2015 face decreased government reimbursements for Medicare patients under existing law. Questions surrounding the effectiveness and financial impact of EHRs were raised in a January report from RAND Corp., which reconsidered its 2005 prediction that health-IT, including EHRs, could save the U.S. approximately US$81 billion annually. The new report on the technology noted that health costs have increased since the 2005 research and called the clinical benefits "mixed." But there are EHR success stories such as Kaiser Permanente and the Cleveland Clinic, and some health-care providers are rapidly embracing the benefits that big-data analytics brings to clinical medicine. "The government is pushing [EHR use] along and it's becoming a standard of care," said Tom Handler, research director of Gartner's health-care provider analyst group and a former physician. "At some point in the near future, not heading down the path of an EHR [system] will not serve an organization well." Long-term use of health-IT can lead to reduced care costs, even if expenses initially increase, he said. 
In addition to the cost of the EHR system itself, its use could also increase medical costs by reminding doctors to order required tests that they forgot, he said. But this detailed care should lead to healthier patients who need less expensive medical treatments overall. For instance, an EHR system that reminds a doctor to contact a diabetic patient to schedule an appointment could lead to lower long-term care costs if the software ultimately helps to prevent the need for the patient to have a foot amputated, he said. The U.S. government is nudging providers to adopt health-IT and is picking up some of the tab for EHR deployments. Costs for a system vary widely, from tens of thousands of dollars for a small practice to upwards of $1 billion for a major system implementation. As part of the American Recovery and Reinvestment Act, the government dedicated $20.6 billion to EHR projects. Providers must show that EHR use improved health care through a series of reimbursement guidelines called meaningful use. The first phase dealt with purchasing and rolling out EHR systems and began in 2011. The second phase includes data interoperability provisions and started this year. Phase three covers improving outcomes and starts in 2015. EHR use is greatest at multidisciplinary practices with more than 50 doctors, Handler says. At smaller clinics the adoption rate is between 5 percent and 10 percent, he says, adding that 75 percent of U.S. physicians practice in groups of five or fewer doctors. As smaller practices merge, Handler sees the EHR adoption rate rising, but "100 percent EHR adoption could be another decade." Jed Weissberg, Kaiser Permanente Most providers are familiarizing themselves with EHRs but only a few organizations are delving into data projects, said Jed Weissberg, senior vice president, hospitals, quality and care delivery excellence and a doctor at Kaiser Permanente, a 9 million-member health plan and care provider in Oakland, California. 
"The rest of American medicine is getting on the platform and getting up to speed." But incorporating EHRs into health care does not automatically translate into robust data analysis. IT vendors, hospital executives and physicians pose unique challenges to getting big data into medicine. Core EHRs "are still mainly used for documentation of individual patient visits and don't contain all the data you might like," Weissberg said. At Kaiser, which completed rolling out its Epic Systems-powered EHR system, Kaiser Permanente HealthConnect, to its 37 hospitals and 533 medical offices in 2010, EHRs lacked the ability to capture pain and functionality data on patients who had joint surgery, for instance. Post-surgery metrics could be placed in a database that could help potential joint surgery patients learn how people with similar clinical conditions benefited from the operation. Kaiser will start capturing this data and is looking into having patients enter this information via a secure Web portal or having a physician assistant handle the task with a tablet during the follow-up visit. "Everybody wants this approach to big data and more advanced analytics to work," Weissberg said, noting that querying a database to research unique medical conditions is cheaper and faster than launching a research study. Personalized medicine usually entails talk of genomics, but EHRs and data mining can also lead to tailored care, he said. "Starting with overall population we can define subsets by age, gender, clinical conditions and body mass index that are enough like you. We have enough data that we can at least show what happened to them." 
For now, EHR functionality is limited to what developers build into the software, said Ramy Arnaout, a pathologist and associate director of the clinical microbiology laboratory at Beth Israel Deaconess Medical Center in Boston, noting that his views are his own and don't necessarily reflect those of his employer. "If they don't build software that lets you mine data in the kind of ways that you're suggesting then you're largely out of luck," he said. Vendors lack a financial incentive to add this functionality to their EHRs since they're already making profits on applications without these abilities. Adding data analysis functions means creating systems with greater interoperability and that threatens vendor revenue since it makes moving to another EHR system easier, he said. But interoperability, which entails feeding standardized data that comes from a hospital's many departments into a single analysis platform, is essential for big data, said Weissberg. "To get at that notion of big data, you need to take information from multiple data marts and systems that are very disparate and aren't built in an integrated way." Hospital executives may not be eager to customize their EHR systems with data analysis modules since such additions can knock a customer off a vendor's standard upgrade cycle and result in multimillion-dollar upgrades, said Forrester vice president and principal analyst Craig Le Clair. Instead, hospitals are turning to agile technologies, like mobile applications and tablets, to plug into their EHRs. These technologies are dedicated to the "$50 billion problems that we have in health care," like analyzing readmissions, he said. Executives are also watching the bottom line and won't fund IT projects that lack a proven return on investment. Large data-analysis projects fall under this category, said Arnaout. 
"You're asking folks, when they have no money, to take a chance on something that is unproven when they've got a lot of other things that are less sexy, but are proven," he said. "Right or wrong, unless you have a case study showing an ROI they're going to be watching their dollars." Doctors too harbor doubts on data analysis' benefits although how they practice medicine -- analyzing data stored over time from a variety of sources and constantly updating it to develop an output based on certain parameters -- is how EHR data analysis would also function. Computers differ from humans in their ability to take all the data on a topic, keep it in memory indefinitely and generate outcome percentages with confidence values, Arnaout said. "Providers don't think of going to a big-data-type interface on the computer because they haven't seen it even though they're that computer right now." And with doctors focused on treating patients they're not demanding this technology, he added. Building systems that medical professionals can trust requires hiring people with a strong understanding of medicine and computer science. Doctors with coding skills may not write the program but knowledge of both fields can lead to software that generates clinical value, said Arnaout. With software developers in strong demand across many industries, programmers are accepting positions at technology companies with lucrative salaries that exceed the compensation hospitals offer, he said. "We may be coming out of a recession but there's never been a recession for coders for the past 10 years." Cloud-based EHR data analytics services have started to enter the market, touting benefits like lower IT costs and access to medical information from multiple health-care systems. Cleveland Clinic is among the providers well-poised to take advantage of those technological advances. 
EHRs and data analysis play important roles in the Cleveland Clinic's future clinical care plans, said Chris Coburn, who leads the hospital's venture arm. "As we try to create the Cleveland Clinic of the future that enables us to best help our patients and also be as financially viable as possible, the use of EHRs and now with these big-data tools that are arriving, it's a perfect match," said Chris Coburn, executive director of Cleveland Clinic Innovations, the corporate venture arm of the Cleveland Clinic, which records 5.1 million patient visits annually and began using EHRs from Epic Systems in the late 1990s. In 2009 the Cleveland Clinic launched Explorys, which sells a private SaaS (software-as-a-service) platform that allows medical professionals to explore care options using clinical, financial and operational data from 120 hospitals and 15 million patients. At the time, security concerns were paramount because of the sensitive nature of the data. "In a relatively short period of time a very secure system was created that we all trust now," Coburn said. "We all worry about this. We're all patients. Folks will have as much confidence in security for their electronic medical records as it relates to things like banking electronically. People treat HIPAA extremely seriously." (The Health Insurance Portability and Accountability Act -- HIPAA -- was passed in 1996 and it governs, among other things, medical-data privacy.) For hospitals, cloud systems like Explorys offer affordable access to troves of data compared to the expense of developing their own systems that will contain less information, said Coburn. "We're not there yet in terms of where big data is going to take health care. But we are moving there pretty rapidly." Last Wednesday, the American Society of Clinical Oncology (ASCO) debuted the prototype for its CancerLinQ database. 
The prototype, which focuses on breast cancer, contains deidentified information from EHRs, care providers and researchers. Physicians will be able to use the data stored in CancerLinQ's full build, which will be a private cloud accessible via a Web portal, to develop treatment plans tailored to a patient's specific cancer and clinical condition. "The CancerLinQ prototype leverages a number of new IT trends: the availability of low-cost storage, the affordability and rapid scalability of virtual (cloud) servers, the growth and maturity of open-source software, as well as NoSQL (unstructured) databases," said Dr. Clifford Hudis, president-elect of ASCO, in an email interview. "Many of the benefits from these trends will likely carry forward into the full build." The final build will include natural language processing, machine learning algorithms and distributed computing, among other technologies, he said. The final role of open-source software is still being considered, although open-source applications were mostly used in the prototype, according to an ASCO webcast. Hadoop, an open-source program used to distribute data processing loads, is a staple in large-scale data analysis. Because the medical community is slow to incorporate IT into its workflow, these technologies were selected to make the adoption process easier. "Typically, health care is slow to adopt IT due to the high cost associated with implementations and competing priorities," Hudis said. "Many of our goals around the architecture chosen were to reduce implementation burdens for practices and physicians." With 85 percent to 90 percent of ASCO members using EHRs, oncology seems like a good match for a large data-analysis project, Hudis said. 
Additionally, patients and providers are very willing to volunteer their health data, he added. ASCO, whose 30,000 members are physicians and health care professionals representing all fields of cancer treatment and research, received 130,000 EHRs to populate the prototype after initially setting a goal of 30,000 patients. Regardless of government mandates on EHR use, data analysis will lead to tangible patient benefits. "We've got all this stuff in the health care guidelines and things that are reimbursable and they end up being a little bit divorced from how our patients actually end up feeling," said Beth Israel's Arnaout. "[Data analytics] is actually going to help how our patients actually end up feeling."

    DATA, Hardware, HEALTH
  • Posted on April 22, 2013 11:45 am
    Joseph Forbes
    No comments

    A House committee doesn't change the cyberthreat sharing bill enough to win support from some digital rights groups.
    A U.S. House of Representatives committee failed to make the changes necessary to allay fears about government surveillance in a controversial cyberthreat sharing bill that's moving toward a House vote, critics said. The House Intelligence Committee, in voting 18-2 Wednesday to approve the Cyber Intelligence Sharing and Protection Act (CISPA), did not address concerns that the bill would allow private companies to share too much customer information with government agencies in the name of fighting cyberattacks, digital rights groups said. Committee leaders expect the full House to vote on CISPA as soon as next week. "Cyberhackers from nation-states like China, Russia, and Iran are infiltrating American cyber networks, stealing billions of dollars a year in intellectual property, and undermining the technological innovation at the heart of America's economy," Committee Chairman Mike Rogers, a Michigan Republican and cosponsor of the bill, said in a statement. "This bill takes a solid step toward helping American businesses protect their networks from these cyber looters." But digital rights groups said the bill still has major flaws. "The changes that were offered during the closed-door markup do nothing to address the specific concerns we've been expressing about the bill for months," said Evan Greer, campaign manager at digital rights group Fight for the Future. The bill will allow private companies to share a wide range of customer information they deem to be related to cyberthreats with U.S. agencies like the National Security Agency, Greer said in an email. 
"The version of CISPA that passed out of Committee yesterday has several amendments that make it appear better on the surface, but do nothing to address the fundamental flaw with the bill, which is that it still allows massive amounts of private user data to be shared with secretive agencies," he added. "It still provides sweeping legal protections for corporations that share our data." If CISPA's sponsors don't want it to be a surveillance bill, they should make additional changes, Greer added. "If that's true, there's an easy fix: write that into the bill," he added. Sponsors and some other lawmakers defended the bill, saying it provides significant privacy protections. The committee accepted an amendment from Representative Jim Langevin, a Rhode Island Democrat, that prohibits companies from counterattacking, or hacking back, against cyberattackers after digital rights groups raised concerns that the bill's language could allow such activity. Langevin praised the bill, saying more cyberthreat information sharing is needed, but he also suggested that CISPA "is not a final solution to cybersecurity." "While [the bill] promises to greatly improve situational awareness, information sharing alone will not allow us to prevent every attack," he said in a statement. "Our most vulnerable and valuable infrastructure must meet minimum cybersecurity standards in order to minimize the risk of a major cyberattack that could leave millions without electricity or safe drinking water for an extended period of time." Another amendment approved by the committee would limit the private sector's use of any cybersecurity information received to only cybersecurity uses. Some digital rights and privacy groups had questioned whether the bill would allow companies to use the cyberthreat information they receive for other purposes. 
The committee also removed language from the bill that would allow the government to use data collected under CISPA "for national security purposes," in an attempt to narrow the government's use of the information. But Greer questioned whether that was a substantial improvement. The change is "not a real fix," he said. "The term 'cybersecurity' is so poorly defined within the bill that it does not provide meaningful limitations on what can be done with the data that's collected." Sponsors of the bill said it contains several privacy protections. CISPA prohibits the government from forcing private sector entities to provide information to the government, and encourages private companies to "anonymize" or "minimize" the information they voluntarily share with the government, sponsors said. The bill also allows individuals to sue the federal government for privacy damages, costs and attorney's fees in federal court, and it requires an annual review of the information-sharing program by the intelligence community inspector general. CISPA will sunset in five years. Still, Representative Adam Schiff, a California Democrat, said he was disappointed that the committee rejected his amendment that would have required companies to make reasonable efforts to remove unrelated private information from the cyberthreat information they share. "It is not too much to ask that companies make sure they aren't sending private information about their customers, their clients, and their employees to intelligence agencies, along with genuine cyber security information," he said in a statement. Among the groups voicing support for the bill were the BSA and the Software and Information Industry Association, both software trade groups. CISPA would "provide the critical necessary framework for early detection and notification of cybersecurity threats," the SIIA said.

    DATA, LAW, MONEY
  • Posted on April 21, 2013 11:45 am
    Joseph Forbes
    No comments

    Set the rules for what happens to your Google data if you go off to that great results page in the sky.
    Google provided a somewhat morbid reminder of the increasing primacy of digital data in our lives with the release today of the euphemistically named Inactive Account Manager feature. The service allows users to customize what will happen to their account data -- everything from Gmail messages to Drive content to Google+ posts -- if their account goes inactive for whatever reason. Options range from simply deleting everything to carefully arranged disbursement of personal information to selected contacts. Digital beneficiaries (who have to be verified via text message) will receive an email notifying them that the account has become inactive, along with links to any data that the user has chosen to share. The system warns users, via email and text message, before any deletion or sharing takes place. "Not many of us like thinking about death -- especially our own. But making plans for what happens after you're gone is really important for the people you leave behind," wrote project manager Andreas Tuerk in an official blog post. "We hope that this new feature will enable you to plan your digital afterlife -- in a way that protects your privacy and security -- and make life easier for your loved ones after you're gone." Despite the fluffy name -- which Tuerk himself acknowledges is "not a great name, we know" -- Inactive Account Manager could well prove to be a comfort to survivors in the event of a user's death, not to mention a handy privacy protection tool for those who eventually just move on from the Google ecosystem. (Google accounts can be deleted manually as well.)

    DATA, HAPPINESS, NERD NEWS
  • Posted on April 18, 2013 11:15 am
    Joseph Forbes
    No comments

    from the you-can-trust-us dept. The ACLU has issued a FOIA request to determine whether the IRS gets warrants before reading taxpayers' email. The request is based on the antiquated Electronic Communication Protection Act — federal agencies can and do request and read email that is over 180 days old. The IRS response can be found at the ACLU's website. The IRS asserts that it can and will continue to make warrantless requests to ISPs to track down tax evasion. Quoting: 'The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 "Search Warrant Handbook" from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that "the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications." Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the "4th Amendment Does Not Protect Emails Stored on Server" and there is "No Privacy Expectation" in those emails.'

    DATA, LAW, NERD NEWS