Risk Factor

IT Budget: Low Hanging Fruit to Pluck?

ComputerWeekly ran a story last week on the advice being given by the consultancy The Hackett Group to corporations in this time of possible recession: significantly cut your IT budget.

According to the story, instead of targeting across-the-board cuts in general and administrative (G&A) accounts (such as IT, finance, HR and procurement), Hackett "says firms should concentrate on making easier savings in IT, while 'minimally affecting service delivery and the ability to provide strategic value'."

According to Hackett, typical Global 1000 companies can generate £40m to £80m per year in savings through targeted IT cuts.

So IT departments are carrying the most corporate G&A fat? I think more than a few IT departments, most of which are running pretty lean from my experience, might find that conclusion surprising. As they would, I think, the idea that they can easily cut back and at the same time "minimally affect service delivery and the ability to provide strategic value."

Does the Internet Promote Sports Cheating?

There was a very interesting story over the weekend in the New York Times about the on-line sports betting company Betfair and its alerting of sports officials in different countries about the possibility of sports game-fixing.

As the story notes, "At any moment, Betfair's customers have $360 million on account and are at their keyboards, matching odds with fellow bettors in 80 countries. It is eBay for gamblers, with wagers being made in real time, usually after the matches have begun."

"Betfair has become a focal point after several match-fixing scandals. Over the past seven years, it has alerted dozens of sports about suspicious betting activity, leading to investigations in horse racing, soccer and now tennis."

Betfair's computers watch for irregular patterns of betting, which, if they occur, are further analyzed. If fraud is suspected, the information is turned over to the governing body of the sport. Betfair has agreements with 32 sports governing bodies, according to the story.

Others, however, also criticize Betfair, saying that by allowing bets to be made during a sporting contest, the odds can be manipulated.

The story notes that David Forrest, an economics professor at the University of Salford in England and co-author of a recent study, "Risks to the Integrity of Sport From Betting Corruption," "says that there are sports like tennis, in which a player can deliberately lose the first set against an inferior opponent so that the odds rise, then go on to win."

" 'It is a greater incentive for an athlete or official to participate in this type of manipulation,' Forrest said. 'It is within their control, and they do not have to lose the match.' "

Others don't see Betfair as a specific problem, but more of a general example of how the Internet seems to be increasing gambling as a whole, as well as opportunities for corruption. With Internet gambling estimated to be $20 billion in 2008, the concerns are real, although they pale in comparison to the over $80 billion spent yearly on gambling in the US alone.

Electronic Health Records: How Much Do They Really Save?

The US Congressional Budget Office (CBO) released a controversial report last week questioning how much information technology use in health care (especially electronic health records) would actually save.

The CBO report, while acknowledging there are benefits from using IT in health care, argues that the savings are over-stated. Quoting from a CBO blog summary of the report,

"Research does indicate that in some instances, health IT appears to have reduced the cost of providing health care, helped eliminate inappropriate services, and improved the quality of care. In general, however, health IT appears to be necessary but not sufficient to generate cost savings; that is, health IT can be an essential component of an effort to reduce cost (and improve quality), but by itself it typically does not produce a reduction in costs."

"The most auspicious examples involving health IT have tended to involve relatively integrated health systems. For providers and hospitals that are not part of integrated systems, however, the benefits of health IT are not as easy to capture, and perhaps not coincidentally, those physicians and facilities have adopted electronic health records (EHRs, the primary health IT package commonly purchased by a provider) at a much slower rate. For example, office-based physicians in particular may see no benefit if they purchase such a product -- and may even suffer financial harm. Even though the use of health IT could generate cost savings for the health system at large that might offset the EHR's cost, many physicians might not be able to reduce their office expenses or increase their revenue sufficiently to pay for it."

The report goes on to question the widely-quoted 2005 RAND study and its claims of about $80 billion in net annual savings if health IT were widely employed.

The CBO report says, "This study has received significant attention, but unfortunately it suffers from significant flaws and is therefore not an appropriate guide to estimating the effects of legislative proposals aimed at boosting the use of health IT:"

"- The RAND researchers attempted to measure the potential impact of widespread adoption of health IT, assuming that it was used effectively -- rather than the likely impact, which would take account of factors that might impede its effective use. For example, health care financing and delivery are now organized in such a way that the payment methods of many private and public health insurers do not reward providers for reducing costs -- and may even penalize them for doing so."

"- The RAND study is based solely on empirical studies from the literature that found positive effects for the implementation of health IT systems; it excluded the studies of health IT, even those published in peer-reviewed journals, that failed to find favorable results. The decision to ignore evidence of zero or negative net savings clearly biases any estimate of the actual impact of health IT on spending."

"- The RAND study was not intended to be an estimate of savings measured against the rates of adoption that would occur under current law, but rather, against the extent of adoption in 2004. That is, the study did not allow for growth in adoption even without a policy intervention, as CBO would in a cost estimate for a legislative proposal."

According to the Wall Street Journal, the primary RAND report author, Richard Hillestad, a senior principal researcher at RAND, "... said he disagreed with the budget office's argument that his group overstated the likely savings tied to health-information technology. Mr. Hillestad said he stood by the RAND projections, and indeed feels they may 'actually be relatively conservative' because they didn't take into account some potential benefits such as billing efficiencies."

I am glad the CBO has published its report and its criticisms, as this may finally start to begin a serious debate on the value of health IT and what is truly needed to create that value from a societal as well as technology perspective. There is a tremendous amount of hype about what health IT can do, and very little discussion of the true costs or risks involved. I am all for health IT, but its application needs to be addressed in a realistic fashion.

Software Unhorses Derby Bettors

There is an investigation by racing authorities in California over a "mysterious" software problem that affected some 7,000 BetJet horse wagering machines around the US. The problem surfaced, according to news reports, when an unidentified bettor at Bay Meadows Race Track put down 1,300 one-dollar quick pick superfecta bets (in which the first four finishers must be selected in the exact order of finish) on the Kentucky Derby on May 3rd. Not one of the computer-generated tickets included the eventual winner, Big Brown.

One story says that, "It was initially believed that the problem was limited to wagers such as the superfecta and multi-race bets like the Pick 4 or Pick 6, but it actually extended to all transactions involving the quick-pick key on both self-help and teller computer boards."

Scientific Games, the betting machine vendor, said that it couldn't say how long the problem had been going on or how many bettors had been affected, as it had no way of tracking quick pick tickets independently of the other tickets it sold.

When informed of this, California authorities indefinitely suspended quick pick betting at all racetracks in California.

Other news reports are saying that a top California horse racing official has suggested in a leaked e-mail that Scientific Games may have kept quiet about the malfunction for months. If so, the company can expect big trouble.

State politicians have already joined the fray, and are calling for an investigation by the California state auditor's office: "Certainly hundreds and potentially thousands of California consumers may have been defrauded," says one.

Now we'll get to see how good Scientific Games's software configuration management system is: the company should be able to easily see when the offending software was developed, tested, installed and if and when it was changed. If they can't do this, expect the company to get hammered, and rightly so, by racing authorities across the US.

Users Put Headlock on LifeLock

The company LifeLock, whose founder, Todd Davis, dares criminals to try stealing his identity using his social security number (457-55-5462) in ads, is being sued by customers in Maryland, New Jersey and West Virginia who claim that his service is ineffective and doesn't work, according to an AP story.

Adding salt to the wound, they also claim that Davis himself has been scammed.

According to the story, "Davis acknowledged in an interview that his stunt has led to at least 87 instances in which people have tried to steal his identity, and one succeeded: a guy in Texas who duped an online payday loan operation last year into giving him $500, using Davis's Social Security number."

LifeLock charges customers $10 per month to set fraud alerts with credit bureaus. However, anyone can do it themselves for free.

Furthermore, the story notes that, "LifeLock is also being sued in Arizona over its $1 million service guarantee, which the plaintiffs claim is misleading because it only covers a defect in LifeLock's service, and in California by the Experian credit bureau. Experian accuses LifeLock of deceiving consumers about the breadth of its protection and abusing the system for attaching fraud alerts to credit reports."

This just reinforces the old adage about reading the fine print.

Moody's Software Rating Bug Gives Credit Where Credit Isn't Due

This morning's Financial Times of London (subscription may be required) has two interesting stories (here and here) about a software coding error that is causing some turmoil both within the rating company Moody's and the financial markets. Look for this story to have some long legs.

According to an investigation conducted by the FT:

"Moody's awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models... "

The debt product goes by the name Constant Proportion Debt Obligations or more commonly CPDOs.

The FT goes on: "Internal Moody's documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower."

"... While coding errors do occur there is no record of one being so significant."

When Moody's gave their AAA rating on CPDOs last year, many analysts thought the rating was too good to be true. Seems it was.

What makes this story even more interesting is the implication that Moody's wasn't exactly forthcoming in acknowledging its software error after it was found and may have even tried to hide it. The FT article states that:

"On discovering the error early in 2007, Moody's corrected the coding glitch and instituted methodology changes. One document seen by the FT says 'the impact of our code issue after those improvements in the model is then reduced'. The products remained triple A until January this year when, amid general market declines, they were downgraded several notches."

Moody's responded to the FT article this way: "Moody's regularly changes its analytical models and enhances its methodologies for a variety of reasons, including to reflect changing credit conditions and outlooks. In addition, Moody's has adjusted its analytical models on the infrequent occasions that errors have been detected."

"However, it would be inconsistent with Moody's analytical standards and company policies to change methodologies in an effort to mask errors. The integrity of our ratings and rating methodologies is extremely important to us, and we take seriously the questions raised about European CPDOs. We are therefore conducting a thorough review of this matter."

In other words, Moody's really, really, really hopes that the decisions to change the rating methodology and the fixes to the coding problem were taken independently, but if they weren't, its reputation is likely going to take a very, very big hit, on top of its rather undistinguished showing in the sub-prime and credit debacle. Earlier this month, Moody's President and COO "decided" to retire, which was seen by financial observers as an admission that the company performed poorly last year in assessing risk.

The fall-out from this small coding error should be entertaining to watch. It reminds me a little, in terms of both cause and impact, of the AT&T switch software problem of 1990.

CCTV Doesn't Reduce Crime in UK

I wrote a while back about the seeming rush the UK government is in to create a Big Brother surveillance society. One aspect of this is the extensive use of CCTV cameras, with an estimated 4.2 million now in operation in the UK.

As noted in a story by the London Guardian, a presentation from Detective Chief Inspector Mick Neville, head of the Visual Images, Identifications and Detections Office (Viido) at New Scotland Yard indicates that, "Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe."

This does not mean, however, that CCTV cameras will be reduced in numbers. More likely, even more will be put up as a means to increase their effectiveness.

Supporters of additional CCTV cameras can just point, as justification, to the aftermath of the Uefa Cup final held in Manchester last week and the CCTV images produced.

Google Gagga Over Personal Health Records

After a year and a half of development, Google announced yesterday that it was now offering personal health records on-line.

According to Google's Health website, "Google Health allows you to store and manage all of your health information in one central place. And it's completely free. All you need to get started is a Google username and password."

"Google believes that you own your medical records and should have easy access to them. The way we see it, it's your information; why shouldn't you control it?"

"With Google Health, you manage your health information -- not your health insurance plan or your employer. You can access your information anywhere, at any time."

So, why is Google doing this?

"It's what we do. Our corporate mission is to organize the world's information and make it universally accessible and useful. Health information is very fragmented today, and we think we can help."

Google has partnered with over two dozen organizations, including hospitals (Beth Israel Deaconess Medical Center, The Cleveland Clinic), pharmacies (Longs Drugs, Medco Health Solutions, RxAmerica, Walgreens), diagnostic laboratories (Quest Diagnostics) and medical information providers (SafeMed, Healthgrades) which have agreed to provide electronic copies of medical information (or help interpret the information) to add to your Google personal medical record. You can go here to get profiles of Google's partners.

Google also promises to keep your medical information private:

"You should know two main things up front:"

"1. We will never sell your personal health information or data"

"2. We will not share your health data with individuals or third parties unless you explicitly tell us to do so or except in certain limited circumstances described in our privacy policy."

"We make it a point to let you know what information we collect when you use Google Health, how we use it, and how we keep it safe."

I personally would take this assurance with a grain of salt. A person's Google health record is not covered by HIPAA (Health Insurance Portability and Accountability Act of 1996).

So how is Google going to make money on the effort if it is free? It says:

"Much like other Google products we offer, Google Health is free to anyone who uses it. There are no ads in Google Health. Our primary focus is providing a good user experience and meeting our users' needs."

That is a good, very coy, non-answer if I ever saw one. I will remain skeptical, if you don't mind, about Google not deciding in the future to change its "We will never sell your personal health information or data" tune to one more like "We will never sell your personally-identifiable health information or data." Aggregated health data is seen as a gold mine by medical researchers, pharmaceutical companies, and the government alike.

Of course, the value of the data depends on how accurate it is. Google makes a big deal that the individual is in charge of their medical record; that the individual decides how much is actually going to be disclosed to whom; and that the individual can edit their medical information as well.

This is where it gets interesting to me. How much will doctors trust Google (or Microsoft's or anyone else's) personal health records if they start encountering a number of patients who are wholesale editing their personal medical information? Or do doctors just assume that the information provided is incomplete or biased?

It occurs now with paper-records, but I wonder if the perception of selective editing of medical records will change with an electronic health record.

Also, will insurance companies start demanding that patients disclose to them all their Google-stored information if the patient wants to get a doctor's visit paid for? And what happens when an insurance company finds a record that is edited?

Lawsuit Comet Hits Project Jupiter

The London Times reports that British Gas is suing Accenture for £182 million ($365 million) over an IT system project called Project Jupiter that "it claims reduced British Gas's customer-billing process to a shambles."

British Gas, according to the story, says the billing project "was the cause of the appalling customer service that lost British Gas hundreds of thousands of customers, a High Court writ from Centrica [the parent company of British Gas] says."

British Gas claims that it had to employ 2,500 extra staff to help resolve the billing problems created.

The story goes on, "The writ says the problems could be traced back to 2002, when Centrica engaged Accenture to provide a new IT system. Project Jupiter was to bring together British Gas's electricity and gas-billing schemes into one system capable of handling 250,000 meter readings and 200,000 bills a day. The price was £317m, with Accenture being paid from the £397m in savings that British Gas expected from the new system over a decade."

"Various glitches arose, but the two sides agreed a revised contract in March 2006 under which Accenture provided guarantees that a software upgrade would work. According to Centrica, it did not," the story says.

An older article on the issues involved as reported in Computing can be found here.

The Times story also includes Accenture's response:

"An Accenture spokesman said that Centrica 'conducted extensive testing' on the system before it was handed over. He added: 'We are confident, based on the facts of the situation, that this claim is baseless and without merit. Accenture will vigorously defend the High Court proceedings.' "

"Accenture delivered the system at the end of 2005. The system we delivered met all of our commitments and the specifications that Centrica set; it was delivered on the agreed timeline and budget."

I doubt this will ever make it to court. More likely is an out of court settlement with no fault being assigned to either party.

Spam's 30th Anniversary

I don't know how I missed it, but the 30th anniversary of the first recorded instance of spam happened on the 3rd of May.

According to a story in the Wall Street Journal, Gary Thuerk, who at the time worked for Digital Equipment Corp., sent what is believed to be the first spam message, an invitation to an open house for a new DEC computer (a VAX 11/780?) that he sent to 400 of the 2,600 or so people who had email accounts on the ARPANET at the time.

Thuerk claims that his email generated about $12 million in new sales. However, many people who received his email also got highly irritated and complained to the US Defense Department (which operated the net), which in turn told him never to do it again. Thuerk says he never did, either.

Thuerk also said in the story that "people have one of three reactions when they meet him: Some are excited to meet someone with an unusual claim to fame; some want to beat him up on the spot; and others just avoid him like the plague."

Unfortunately, if it hadn't been Thuerk, it would have just been someone else. I am surprised, to be honest, that it is only the 30th anniversary of spam. I would have guessed someone would have tried doing it before 1978.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones