Risk Factor

US Electronic Health Records Rollout: So Far, A Mixed Diagnosis

The rollout of electronic health records (EHR) continues in the U.S., with doctor and patient ratings running the gamut from "great" to "needs a do-over." For instance, Information Week reports the results of a study in the American Journal of Managed Care indicating that Kaiser Permanente members who used the health insurer’s My Health Manager personal health record (PHR) service were more than twice as likely to stay with Kaiser as those who did not. The AJMC study concludes that online access to medical data and advice may be becoming a factor in choosing a health plan.

According to a Kaiser press release, some 63 percent of the nearly 4 million eligible users of My Health Manager are active users; more than “1 million secure email messages are sent to Kaiser Permanente doctors and clinicians each month, and nearly 2.5 million lab test results are viewed online.” Kaiser completed the rollout of its EHR system in March 2010.

Despite the seeming popularity of Kaiser’s EHR/PHR system, the American public at large still seems generally wary of digital medical records. A recent survey by Xerox Healthcare, for instance, showed that while 40 percent of Americans believe EHRs “will deliver better, more efficient care”—a low percentage in and of itself—only 28 percent of respondents want EHRs. Just as many (26 percent) say they aren’t interested in them, with nearly half of that group claiming that they are frightened by the prospect of their medical records existing in digital form. The biggest worry expressed by the dissenters is that EHRs are vulnerable to electronic theft or misuse. Interestingly, survey respondents said that patients had the least to gain from EHRs; healthcare professionals, they thought, benefited the most.

Xerox says that what healthcare organizations must do to overcome this wariness is "continue to educate Americans on the value of EHRs."

A number of doctors may also need convincing of their value. Some of the more recent data (pdf) from the U.S. Centers for Disease Control (CDC) indicate that 55 percent of doctors are adopters of EHRs. But while an increasing number of doctors and hospitals seem to accept the necessity (or inevitability) of adopting EHRs, not all are necessarily happy about it.  The CDC survey indicates that 38 percent of doctors who are using EHRs are very satisfied with their systems, while 5 percent are very dissatisfied with them.  In addition, 47 percent of doctors say they are somewhat satisfied, while 10 percent indicate they are somewhat dissatisfied with their EHR system.

A recurring issue of concern for healthcare professionals is the steep EHR learning curve (often caused by their abysmal design) and the dip in healthcare facility productivity that a move to EHRs creates. For example, an Associated Press article reported that wait times in an Ohio hospital emergency room doubled as it switched to its new EHR system in June. The wait times are now being reduced, but have yet to reach pre-EHR levels.

Another recurring issue is that the implementation of EHR systems doesn’t always go smoothly for healthcare organizations large or small, as seen by the problems recently reported in Vermont, Pennsylvania and Kansas.

A looming implementation concern is what will happen when U.S. government EHR incentive money runs out. According to a Modern Healthcare article, “as of July 5, there were 816 different EHR vendors offering 1,477 'unique' certified products.” All of them have managed to make it onto the Office of the National Coordinator for Health Information Technology’s official Certified Health IT Product List. And more EHR vendors are expected to appear over the next few years. No doubt, a large number of these vendors will not survive, especially as the EHR market hits the saturation point. Then the "fun" will really begin as doctors and hospitals have to change EHR systems on their own nickel.

Amazon, Apple, and Google Security Lapses Lead to Takeover of Tech Journalist’s Online Persona

Two days after Wired technology writer Mat Honan revealed in a 6 August Wired article that a hacker had eviscerated his online persona, Apple, which played a role in the drama, announced that it has temporarily cut off customers’ ability to reset their passwords by talking to a live customer service rep. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com),” said Natalie Kerris, an Apple spokeswoman, in a written statement. “This system can reset a password in one of two ways – either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up.” Apple assured customers that when it does return to password resets over the phone, customers will face more stringent identity verification before they’re allowed to make any account changes.

The move comes too late for Honan, whose online accounts were taken over after hackers used an accumulation of security lapses—his own and those of the companies entrusted with securing his data—to break in and pillage. The result, in a nutshell:

“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”

According to Honan, the hacker first broke into his account at Amazon.com, which gave the cybercriminal access to the last four digits of a credit card. Unfortunately for Honan, not only had he used the same credit card to sign up for his Apple iCloud account, but the hacker, who uses the screen name “Phobia,” was aware that Apple customer service considered that bit of information sufficient to positively identify customers (well, at least until earlier this week). Also serendipitous for “Phobia” was that Honan’s Apple account was set up as the fallback for password recovery for Honan’s Gmail account, giving him access to that as well. The Gmail account was linked to Honan’s Twitter account in the same way. And with access to these accounts, the hacker was able to prevent Honan from retaking control of his Twitter account by remotely wiping the journalist’s cellphone, tablet, and laptop. Doing so had the maddening effect of erasing documents and e-mails including “more than a year’s worth of photos, covering the entire lifespan of my daughter, [and] documents and e-mails that I had stored in no other location.”

He accepts his share of the blame, admitting that, “In many ways, this was all my fault. My accounts were daisy-chained together.” Though Honan went on to lament this and his failure to back up his data, that doesn’t let Amazon, Apple, and Google off the hook for creating an avenue that “Phobia” so deftly navigated.

 

Technical Glitches Hit Tokyo and Madrid Market Exchanges

Both the Tokyo Stock Exchange (TSE) and Madrid Bolsas y Mercados Españoles (BME) have suffered technical glitches during the past 24 hours.  

The Japan Times is reporting that the TSE halted trading in derivatives for about 95 minutes this morning. While the impact doesn’t seem to be consequential, the “systems problems,” as the TSE is calling its computer glitch, are yet another major embarrassment. The TSE has a history of repeated outages over the past several years, with the last one occurring in February affecting the TSE for three hours or more. The February incident cost the head of the TSE 30 percent of his salary for one month, while other executives had their pay cut by 20 percent.

In Spain, according to the Associated Press, trading at the BME was interrupted from 1005 to 1450 Madrid time yesterday. The BME would not comment on the cause of the technical difficulty, other than to say that its technicians were studying it, reported the Financial Times of London. The BME outage, which was termed by the FT as “rare,” doesn’t appear to have caused any lasting consequences either.

In other market glitch news, over the weekend, Knight Capital was able to secure a $400 million bailout to cover the $440 million loss it suffered last week because of its out-of-control trading algorithm. Without the rescue, the brokerage would likely have gone out of business, a prospect that many apparently still think possible.

The U.S. Securities and Exchange Commission (SEC) is reportedly about to “require trading firms and other market participants to disclose system failures and test computer-code changes before they go live,” in response to the Knight Capital incident, the flash crash, and several others, according to a story in the FT.

The New York Times reported last week that Knight’s “technical difficulties” were due to it rushing “to develop a computer program so it could take advantage of a new Wall Street venue for trading stocks. But the firm ran up against its deadline and failed to fully work out the kinks in its system, according to people briefed on the matter. In its debut [last] Wednesday, the software went awry, swamping the stock market with errant trades and putting Knight’s future in jeopardy.”

Let’s hope that the SEC (and Congress and the public at large) doesn’t think that a “test your code” mandate (whatever that means) is going to prevent future trading system screw-ups. At best, and assuming the trading companies invest the time, money, and expertise in the most effective testing practices possible (a big assumption to be sure when money is to be made), software-related glitches might be reduced, but they aren’t going to go away.

Hackers Taking to Posting Fake News Stories on Internet

August is the height of the news media's “silly season.” Major news outlets run stories they normally wouldn’t because most of the major news makers and reporters are on vacation. There's also the hope that readers/watchers/listeners, also on vacation, would prefer frivolous stories anyway. You can read some of the best silly season stories that have appeared in British papers courtesy of The Guardian, including the death of Benson, Britain's best-loved carp and an invasion of killer chipmunks.

I am not sure that the hackers who have been posting false Internet news stories recently are intentionally contributing to silly season, but they might as well be. For instance, a fake New York Times op-ed supporting WikiLeaks appeared a week ago Sunday. It was realistic enough to fool some journalists. Hackers (or hacktivists) supporting WikiLeaks later claimed responsibility for it.

Then, as reported by the sports website Deadspin.com and others, on Thursday there was a hilarious message appearing to have been sent to fans from the New York Yankees Facebook page that stated, “We regret to inform our fans that Derek Jeter will miss the rest of the season with sexual reassignment surgery. He promises to come back stronger than ever in 2012 as Minnie Mantlez.” (The name is a combined reference to Hall-of-Famer Mickey Mantle and the Disney characters Mickey and Minnie Mouse.) The Yankees were only one of several Major League Baseball teams to have been struck, Deadspin reported.

On Friday, the Thomson Reuters Corp. announced that its blogging platform was compromised and that multiple false stories had been posted, including a supposed interview with the Free Syrian Army leader Riad al-Asaad. A story in the Wall Street Journal on Friday said that Reuters had to take down its blogging site, which used the WordPress blogging software. Today the Journal reported that Reuters was using an “old version” of WordPress that had “publicly known security issues.” Maybe Reuters can run a future story on the importance of keeping up with IT patches.

Reuters News also reported today that its Twitter account was hacked yesterday and that 22 false tweets had been sent, again mainly about the Syrian conflict. Reuters said that it has suspended its Twitter account until it is sure that it is secure.

It will be interesting to see what "news" this week will bring.

On a side note, I wonder how these false Reuters stories are messing with Reuters’ machine-readable news algorithms and the potential impact? Do the algorithms give Reuters’ stories more credibility than those reported by other news agencies?

Computer Glitch Turns “luv2like” Promotion Into “luv2bill”

To celebrate hitting 3 million Facebook fans, Southwest Airlines offered via a special e-mail promotion a 50 percent discount on certain air routes for customers who booked their flights last Friday before midnight. The “luv2like” promotion, however, quickly turned into a public-relations fiasco as a computer-related “technology glitch” caused many customers to be billed multiple times for their tickets or to be ticketed (and charged) repeatedly, reported the Associated Press.  In at least one instance,  a customer was charged 20 times for her $69 ticket, the AP said. KTLA television reported that another customer claimed that he was ticketed and charged for 25 reservations. Other customers complained that they were charged multiple times but never received a booking confirmation.

According to the AP, Southwest first became aware of the problem late Friday afternoon when the airline’s web site slowed due to the high response to the promotion. The airline noticed that customers were having to repeatedly refresh their web pages in order to take advantage of the sale. The airline also likely noticed the rise in their Facebook and Twitter traffic complaining of the overcharges as their customers' debit cards were being drained or credit card limits were being exceeded. It was surely aware as well of increasingly long customer service wait times experienced by those trying to rectify their billing problems.

Southwest has stated on its web site that it has now “identified all customers impacted and proactively initiated refunds back to their financial institutions for any erroneous bookings. These refunds are currently being processed, but timing will vary depending on the individual bank.” Some customers have been told it may take 8 to 10 days for their refunds to show up, the AP states, which has not made them real happy, especially if their credit or debit cards were maxed out. I also wonder how many customers are going to have to deal with the response by their credit card company's fraud detectors.

The airline also says that it will honor the original booking at the original advertised fare if the customer still wants it. In addition, Southwest states that for those customers “who used debit cards and have received overdraft fees as a result of the additional charges, we will process a reimbursement for all overdraft fees that were caused by duplicate charges from Southwest for a single purchase.” Again, that may take a while.

Southwest said it was “extremely sorry for the inconvenience.”

Hey Southwest, up to offering another promotion to show how sorry you are?

“Technology Issue” Roils Stock Market

Yesterday, a “technology issue” in the form of an electronic trading glitch at the Knight Capital Group brokerage firm caused confusion in the stock markets. According to the Wall Street Journal, at the beginning of the trading day yesterday, “Knight's computer program appeared to spit out duplicate buy and sell orders, jamming the market with high volumes of trades that caused the wild swings in stock prices.” For instance, the insurance company Berkshire Hathaway experienced  “more trading in the opening hour than it does in a typical day.”

Some 148 stocks were said to be involved, with the New York Stock Exchange (NYSE) having to cancel the trades in six stocks.

Another WSJ story states that Knight Capital is the  “biggest handler of stock orders for U.S. retail brokerage firms” and averages around 725 million shares a day. In comparison,  the NYSE trades about one billion shares a day.

An investigation has begun into the “Knightmare on Wall Street,” as it's being called, by regulators, who, in the aftermath of the NYSE flash crash in 2010, had already been investigating how the consequences of algorithmic trading systems glitches can be reduced, better contained, or unraveled. The flash crash was a major source of lost investor confidence in the integrity of the stock markets, which have suffered several other major glitches as well over the past few years. The Knightmare won’t help.

Knight Capital saw its own stock price drop yesterday by one-third after it was identified as the source of the glitch. Some are apparently seeing that as justified comeuppance for the company, which was highly critical of how NASDAQ handled the Facebook IPO.

Spy Chief Recruits Hackers

On 27 July, attendees of the DefCon conference in Las Vegas witnessed something unprecedented: The head of one of the most secretive U.S. government agencies addressed them and even stuck around to answer questions. General Keith Alexander, director of the National Security Agency (NSA) and head of the U.S. Army Cyber Command, then went a step further, asking the hackers at the conference to work for the spy agency. That was no empty gesture. According to Forbes, Alexander referred them to a job recruitment site created specifically for the conference. And despite decades of clashes between hackers and agencies such as the NSA, Alexander made a shameless attempt at flattery, calling the audience “the world’s best cybersecurity community.”

It was smart of NSA to enlist the help of hackers. If nothing else, it calls to mind the proverbial ‘enemy of my enemy...’ It also makes sense because the spotlight has been shining brightly on the vulnerability of the United States’ heavily computer-dependent infrastructure.

A PC Magazine article noted that Alexander asked for help with stopping gambits such as distributed denial-of-service attacks that limit the flow of information on the Web. He also made a more worrisome request, says MIT Technology Review: that the hackers at DefCon help to restructure the Internet in a way that would give the NSA the ability to "know instantly when overseas hackers might be attacking public or private infrastructure and computer networks." PC Magazine characterized that part of the appeal as “part of an effort to get around restrictions on monitoring Internet activity that the NSA, FBI, and other U.S. law enforcement agencies must abide by.”

Stepping into the erstwhile enemy’s camp was not without its uncomfortable moments. During the question-and-answer period, Alexander was asked whether the NSA kept dossiers on legions of U.S. residents. (He called the idea “absolute nonsense.”) Social media was abuzz with comments expressing disbelief that the agency’s true aim is to keep the Internet safe from cyber thieves, vandals, and terrorists. PC Magazine also reported that the NSA’s booth was next to the one run by the Electronic Frontier Foundation, the Internet freedom and privacy group that is suing the NSA because of unauthorized wiretapping of U.S. citizens.

United Airlines Reservation Systems Woes Hit Harder Than Expected

Last week, United-Continental Holdings CEO Jeff Smisek admitted in a conference call to investment analysts that the airline had been overly optimistic in its belief that the merger of United's and Continental's airline reservation systems last March would not have much impact on passengers or on the company's bottom line. You may recall Smisek's prediction of a smooth transition just before problems with the cut-over appeared, and his belief that the airline was "exceedingly well prepared for it."

Smisek expressed confidence at the time because the airline had conducted four dress rehearsals and had spent significant amounts of time and money training the airline’s staff on how to operate the new reservation system.  However, as he told the analysts in explaining the 39-percent drop in company profits compared with the same quarter last year, many customer-service agents and reservationists (mostly United personnel who have had to learn the Continental system) are still struggling to master the new reservation system. The result has been continued customer dissatisfaction with the airline. Upgrades to the reservation system aimed at rectifying the matter will be introduced in October. Hopefully for United passengers, there won’t be any glitches associated with the upgrade.

As a result of the problems, Smisek said, “our operational performance didn't meet our goal of providing the reliability that our customers expect.” He added that, “I know we created some customer disservice because of all the changes we made so quickly, and I apologize for that.”

Issues with the reservation system are not the only problem United is confronting. As noted in a story in the Chicago Tribune, “United has among the worst performance on several measures that are important to consumers, such as on-time arrivals, flight cancellations and handling bags properly.”

Out of curiosity (and since I will likely have to be flying on them soon), I'd like to know: Has anyone flown United Airlines recently and had problems caused by the reservation system? Or does your experience seem to indicate that the airline has gotten on top of the issues?

This Week In Cybercrime: Black Hat Edition

How secure do you feel about the wireless router you use at home? Maybe more than you should. Researchers at AppSec Consulting Inc., in San Jose, Calif., reported new vulnerabilities at the annual Black Hat computer security conference, which took place from 21–26 July in Las Vegas. To be sure, compromises to routers, switches, printers, and other frequently networked hardware have been discussed at Black Hat as far back as 2006.

But the associated attacks were hard to pull off back then, so the problem was never addressed. This year, though, the AppSec team demonstrated their exploit using a popular type of Linksys router. As reported by Information Week, after getting a computer user to go to a malicious website, the site pushed a JavaScript app instructing the Web browser to relay information about all locally-connected devices—including the router. A brute force attack—or in too many cases, an educated guess—can easily yield the router's login information and thus access privileges that let the attacker install malicious firmware.

"We're replacing an operating system on a network device and taking complete control of it," AppSec presenter Phil Purviance, an information security specialist, told Information Week. The exploit, which could easily go undetected,

“could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.”

The Black Hat conferences annually supply a rich vein of revelations about just how vulnerable computers and related devices are to the machinations of people intent on doing dastardly things. Fortunately, despite the suggestive name, the presenters conduct their hacks with the aim of revealing vulnerabilities before they can be exploited for nefarious purposes.

Another of this year's hacks looked at the new cellphones that allow users to share photos and other data by tapping the devices together. They're cool and convenient, but the near-field communication that allows this swapping of data—including credit card information for making online payments—may leave handsets open to outside attacks. In a session called “Don’t Stand So Close to Me: An Analysis of the NFC Attack Surface,” researchers from Accuvant Labs reported that there are technologies capable of letting someone access another person’s phone to view stored images, videos, and documents, open Web pages in the phone’s browser, or turn the handset into a zombie that allows them to send text messages and make phone calls using the victim’s calling and data plan.

And a researcher at Universidad Autonoma de Madrid delivered a talk debunking the notion that the binary code used in biometrics databases to represent scanned iris images does not contain enough information to allow the original iris image to be reconstructed. Javier Galbally, whose research focus is on synthetic generation of biometric traits, came up with a probabilistic approach to reconstituting the images from binary templates. Subsequent experiments showed that although they wouldn’t fool a human biometrics expert, the reconstructed images may be good enough to fake out an iris recognition system.

 

Millions Around the World Hit by IT Glitches This Week, With UK Banks Leading the Way

IT glitches—both technical and human-caused—occurred in abundance this week. On the same day that it was disclosed that UK government regulators at the Financial Services Authority were planning to tell all UK banks that they better gain control of their IT infrastructure systems and processes in the wake of the RBS-NatWest-Ulster banking system meltdown last month, word spread that Nationwide, the UK’s largest building society, had accidentally double-charged debit card transactions its customers made on Tuesday.

Ironically, Nationwide has been trying to use the problems at RBS Group to get those banks' customers to switch accounts. Nationwide admitted that 704 426 accounts (and some 2 million transactions) were affected by the glitch (with another 50 000 debit transactions declined on Wednesday because of it).  The double-charging was blamed on human error. Apparently, someone sent the batch file for the debit card payments made on Tuesday through the building society’s processing system twice.

However, whatever schadenfreude the folks at RBS Group may have been feeling at Nationwide’s embarrassment was short-lived, as yesterday afternoon NatWest had to admit to yet another banking glitch where its own customers were now having problems with their debit cards and online banking accounts. NatWest says that the glitch has been fixed and has attributed its problems to a hardware error. Even so, the bank’s systems are being closely monitored today for signs of other problems that might be cropping up. Given that there are already reports today that some customers are still having difficulties, this is probably a very good idea.

Elsewhere in the Commonwealth, there is word via ZDNet Australia today that at the Commonwealth Bank of Australia, an “internal software upgrade fault has caused some of the bank's branch offices to operate at limited capacity, and has crashed computers at its national head office.” About 95 of the 1000 bank branches have been affected. CBA has had a recent rash of IT glitches that I have blogged about previously.

Glitches this week weren't limited to the real world. Twitter also suffered a world-wide outage for about two hours yesterday, which was blamed on a double failure in its data center and backup systems, reports the Wall Street Journal. The Journal quotes Mazen Rawashdeh, Twitter vice president of engineering, from his blog post as saying that, “What was noteworthy about today's outage was the coincidental failure of two parallel systems at nearly the same time. We are investing aggressively in our systems to avoid this situation in the future.”

Last month a “cascading bug” affected Twitter for several days.

There were two other high profile outages yesterday as well. Google Talk went down for about 5 hours, and Microsoft Azure’s cloud in Western Europe for about 2.

Last, but not least, Information Week reported that Cerner Corporation’s remote hosting service went down for some six hours on Monday, which meant that users of Cerner’s electronic health record system across the country and possibly around the world had to revert to paper and pencil. Cerner, which refused to say how many users were affected or the scope of the outage, blamed it on human error. It wouldn’t disclose exactly what the error involved, either.

Per standard operating procedure, the companies involved expressed their profound apologies for the inconvenience of it all and promised to try to keep it from happening again.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor: Willie D. Jones
