Risk Factor

IT Hiccups of the Week: New NHS 111 Helpline Needs to Call 999

It has been an unusually quiet week in regard to IT-related problems. Of greatest significance seems to be the ongoing technical and training issues associated with the new UK National Health Service (NHS) 111 patient helpline service.

NHS 111 Healthcare Helpline in Meltdown Mode?

Earlier this month, the UK National Health Service began its England-wide roll-out of a new helpline service; to access it, NHS patients can simply dial 111. The service is meant to provide one simple number that people can call to get timely and appropriate information about non-life-threatening but still important medical issues—especially after normal business hours. The plan is that a patient calling in will be quickly connected to a trained call-handler who will assess the patient's request for information and then use a directory of medical services available in the caller's area to provide specific advice on which NHS services could best meet his or her healthcare needs. If the call taker assesses that immediate care is required, an ambulance will be summoned. Patients with life-threatening or other urgent medical emergencies are still able to call 999 to get an immediate emergency service response.

The NHS 111 telephone service is replacing NHS Direct, which was started in 1997, and is staffed primarily with NHS nurse advisors. But to reach NHS Direct, the patient has to dial an 0845 number and incur a charge for the call. Calls to the NHS 111 line are free, but the service uses non-clinically trained call takers who are supposed to be supported by a much smaller number of experienced nurses. This change—along with a setup whereby the provider of the NHS 111 service is contracted for and operates locally rather than the service being provided for by the NHS nationally—is seen as a bid to save the NHS money.

Last month's soft roll-out of the 111 service in the London, Manchester, and Birmingham areas went poorly, according to various news outlets. The weekly medical publication Pulse, for instance, reported that doctors were warning that “patient care [was] being hampered by the service due to improperly trained staff, a lack of personnel, long waits and out-of-hours GPs having to take on extra work.” The BBC reported that in the Greater Manchester area, the entire 111 system crashed, which meant that an unknown number of patient calls went unanswered.

The British Medical Association was so concerned at the scope of the initial problems being experienced that it said, “The Department of Health needs to reconsider immediately its launch of NHS 111 which clearly is not functioning properly. They must ensure that the system is safe for patients before it is rolled out any further.” In response, the NHS said the April rollout, despite the “teething problems,” would go on as planned, but that it would “carry out thorough testing to ensure that those [111] services are reliable.”

Well, in light of news reports last week, it looks like even more 111 system testing is called for.  The London Telegraph reported that there were long delays in responding to patient 111 calls in 30 out of the 37 areas across England where it has been rolled out. In some instances, instead of a patient's call being routed to a central triage center where the medical issue would be prioritized, a vaguely described “system error” caused patient cases to be automatically closed instead.  The Pulse reported that despite the NHS insistence that things were going well with the 111 roll-out, “more than 40% of calls to NHS 111 [over the Easter weekend] were abandoned by patients in some regions [because they couldn’t get through], while elsewhere one patient had to wait more than 11 hours for a call-back.”

The Daily Mail reported, in its usual understated manner, on emergency services workers' complaints about the staff handling the 111 calls. The call takers are so poorly trained, say the ambulance crews, that they have sent ambulances to deal with obvious non-emergency situations,  e.g., an ingrown toenail. In some cases, ambulance crews complained that their workload has doubled since 111 was introduced (researchers last year identified increases in "emergency ambulance incidents" as a possible consequence in an evaluation of four NHS 111 pilot programs (pdf)).  One hospital trust in Kent was even said by the Mail to be so overwhelmed by patients being sent to it via the local NHS 111 service that it had to declare an “internal Major incident,” which usually only happens when there is a major traffic accident, fire, plane crash, or other emergency event that threatens to overwhelm its care-giving capacity.

The NHS 111-related chaos has spurred a Parliamentary review of all emergency services by the House of Commons Health Committee. The review is supposed to be completed by mid-July.


This Week in Cybercrime: Tax-related ID Thefts Hit 1.8M in 2012

IRS Tax Refund Fraud Epidemic

Monday, April 15, is the deadline for individual income tax returns to be filed. This year, the U.S. Internal Revenue Service is expecting more than 146 million individual tax returns to be sent in, of which some 121 million will be entitled to refunds totaling approximately US $333 billion. However, among those 146 million returns, the IRS is also expecting millions of tax returns to be filed using stolen social security numbers and other personal information in an attempt to fraudulently obtain refunds, Senator Susan Collins (R-ME) said at a Senate Special Committee on Aging hearing earlier this week that looked into tax-related ID theft.

According to Collins, tax-related ID theft has exploded over the past five years. In 2008, the IRS reportedly confirmed “only” 52 000 such cases, compared to the nearly 1.8 million incidents the Treasury Inspector General for Tax Administration said the IRS identified last year. Another 1.5 million tax-ID fraudulent returns apparently slipped through without being caught in 2011 as well, Collins said. The total cost of refund fraud in 2011 was estimated to be as high as $5 billion (which does not include the hundreds of millions of dollars the IRS spent in trying to identify all the tax-related identity theft).

Deputy Commissioner of the IRS Beth Tucker wrote in an editorial in USA Today yesterday that in 2011, the IRS blocked $14 billion in fraudulent refunds, while in 2012 she said $20 billion in fraudulent refunds were blocked. She also stated that already this tax season, 2 million suspicious returns have been blocked (a total of 5 million were blocked in 2012, and 3 million in 2011, but it should be noted that not all of these were ID-theft related).

ID thieves have figured out that if they file fraudulent tax returns early in the tax season, they have a good chance of getting a refund before the IRS is able to discover their scam because the taxpayer information the IRS needs to verify a taxpayer’s earnings and withholdings isn't available until the end of March. In one case, scammers successfully used a single address in Lansing, Michigan to file 2137 fraudulent returns, which netted a total of $3,316,051 in refunds.

Tucker claims that the IRS is making progress in its fight against tax ID-theft and other tax fraud, writing, “We're also going after the bad guys. We've started 800 criminal investigations since October. And crooks are going to jail for up to 20 years.”

Somehow I don’t think the tens of thousands of tax refund scammers are too worried.


NTSB: Texting While Flying Contributed to 2011 Helicopter Crash

Yesterday, the U.S. National Transportation Safety Board (NTSB) reviewed the findings of its investigation into the crash of a Eurocopter AS350 B2 helicopter operated by Air Methods Corporation (and doing business under the name LifeNet). On Friday, 26 August 2011, at 1840 CDT the helicopter, which was on an emergency medical services (EMS) mission, crashed following a loss of engine power as a result of fuel exhaustion a mile from Midwest National Air Center (KGPH), Mosby, Mo. The pilot, flight nurse, flight paramedic and patient were fatally injured.

At yesterday’s NTSB inquiry, the board cited (pdf) as the probable causes of the accident “the pilot's failure to confirm that the helicopter had adequate fuel onboard to complete the mission before making the first departure, his improper decision to continue the mission and make a second departure after he became aware of a critically low fuel level, and his failure to successfully enter an autorotation when the engine lost power due to fuel exhaustion.”

In the preliminary NTSB accident report, the pilot was thought to have successfully entered into autorotation mode before the crash. However, the full NTSB investigation found this not to be the case, and believed that he may have been unsuccessful because of “the lack of practice representative of an actual engine failure at cruise airspeed in the pilot's autorotation training" in the model and make of helicopter being flown. The pilot, the NTSB found, had not received any of his autorotation training in a simulator which, the NTSB stated, would have made him “better prepared” to deal with an emergency situation.

Also contributing to the accident, the NTSB said, were “(1) the pilot's distracted attention due to personal texting during safety-critical ground and flight operations, (2) his degraded performance due to fatigue, [and] (3) the operator's lack of a policy requiring that an operational control center specialist be notified of abnormal fuel situations.”


IT Hiccups of the Week: Computer Technology Upgrade Sours Small Michigan County

Last week saw a real hodgepodge of IT-related errors. While none of them could be called of major significance, they did serve to exemplify the daily annoyance and exasperation for those experiencing them, as well as the unexpected good fortune that sometimes results.  We start off with a story whose plotline is no doubt experienced with some regularity. This time it is set in Lenawee, Michigan (population 100 000), where a new computer system intended to make life easier and more productive for county employees has instead made it more difficult and highly stressful.

New Computer System “Overwhelms” Lenawee County Employees

Back in December 2011, Michigan’s Lenawee County Commission approved a US $1.45 million technology upgrade for outdated county computer systems and equipment, the Daily Telegram reported at the time. Poor economic conditions caused county tax revenue shortfalls, which in turn forced the county government to reduce its staff, yet the public was still expecting that “the same level of services” be provided. The Commissioners' expectation was that the new computer software and hardware would make county employees not only more productive but help avoid future staff lay-offs. The goal was to have all the system upgrades, which would affect every Lenawee County government agency and department, in place by the end of 2012.

The Daily Telegram reported last July that the upgrade had reached the half-way mark. While the county's IT staff were reported to be “under stress” from having to install the new system as well as maintain the legacy system (some county agencies had complained about the IT staff not responding quickly enough to on-going problems involving the legacy system),  the county administrator informed the County Commissioners that, “We’re actually on the downhill side for IT.” County staff members were beginning their training on the upgraded system, the installation of which looked to be generally within budget and on schedule.

Last week, however, the Daily Telegram published a story indicating that all was not well with the tech upgrade. The Telegram quotes the county treasurer at a County Commissioner hearing as saying, “Things with the new system, they’re going slow and there are things we haven’t conquered yet.” The county clerk stated, “It’s not just a learning process. It’s the system itself. There’s things we thought it would do but it doesn’t do.” One example is the new financial and payroll system, which has created “more work and stress” for county employees instead of making them more productive and efficient, the Telegram reported.

The Lenawee county sheriff is none too happy either. With apparent anger, the sheriff told the Commissioners that, “There is no way we should be in the position we are in right now…  We’ve got a system that’s supposed to save us time, but they’re overwhelmed over there.” He also complained that the technology contractor was unresponsive to the technical problems being raised, and that the “level of training” the contractor provided was less than expected.

In addition, the sheriff, as well as other county agency officials, said that the county’s IT staff, which was resource thin, was in over its head and unable to cope with all the problems cropping up. The Lenawee IT department head basically agreed, saying that “…we probably faltered along the way,” and added that “The stress level everywhere is up through the roof right now.”

Unfortunately, exactly what happened between last July’s “downhill side for IT” and today’s IT tar pit is not explained in any other Telegram or newspaper stories that I can find.  It makes one wonder whether upgrade progress was being reported as “green” up until the day it was reported as really instead being “red.”  The latest Telegram story indicates that the Commissioners are now thinking of allowing the county IT department to hire another person “to help with a logjam of computer problems.” Whether that will help much, at least in the short-term, is debatable.


This Week in Cybercrime: Companies Attacked Every Three Minutes

Hackers Are Nothing If Not Persistent

Pick a company, any company. Well before you finish reading this blog post, that firm will likely have faced at least one malware-related event—and perhaps several. That’s the main takeaway from a new report on advanced persistent threats [pdf] released by researchers at the FireEye Malware Intelligence Lab. The group, which examined 89 million global malware events that FireEye documented during the second half of 2012, found that some companies have to fend off attacks as often as once every three minutes. "This nearly continuous rate of attacks and activities is indicative of a fundamental reality: these attacks are working, yielding dividends," says the report. The most targeted types of companies are tech firms, because of the value of their intellectual property. Rounding out the top five most attacked industries, says a Kaspersky Threatpost article, are: telecom, logistics/transportation, manufacturing, and banking/finance. Who gets attacked the least? According to the report, government agencies, energy companies, and legal firms get comparatively little attention from hackers. The FireEye report also details the most common infiltration methods as well as the techniques attackers are now employing to evade security measures.


First Portable Telephone Call Made 40 years Ago Today

Forty years ago today, Motorola announced that Martin Cooper, director of system operations at its Communications Systems Division, made the world’s first public call (pdf) in Manhattan on its Dyna T-A-C (Dynamic Adaptive Total Area Coverage) Portable Radio Telephone System. The Motorola press release also credits the late John Mitchell, the division’s general manager and later president of Motorola from 1980 to 1995. The press release quotes Mitchell as saying, “What this means is that in a city where the Dyna T-A-C system is installed, it will be possible to make telephone calls while riding in a taxi, walking down the city's streets, sitting in a restaurant or anywhere else a radio signal can reach.”

Cooper made his call—which was as much a well-thought-out publicity stunt as an exhibition of a revolutionary technological (and societal) capability—on his “less than three pound” phone to the landline (of course) phone of his rival and counterpart Joel Engel, at AT&T’s Bell Labs. Cooper said the purpose of the call between the two engineers was to show not only AT&T and the public what Motorola had created, but more importantly to put U.S. government regulators on notice that there could and should be competition to AT&T.

Cooper told the Wall Street Journal that the demonstration, “… had little to do with making a phone call. The whole purpose of building that phone was to shut down AT&T.”

While Cooper and Mitchell told UPI in 1973 that they expected to install the first DynaTAC portable phone network in New York by 1976, it took nearly another decade before the U.S. Federal Communications Commission (FCC) approved the DynaTAC phones for general public use.  Motorola says it invested US $100 million between 1973 and 1983 to create its original cell network; its first cell phones would have set you back about $4000 in 1983 or about $9 000 in today’s currency.


IT Hiccups of the Week: Expect Problems with New Medicaid System New Hampshire Warns

Last week was a relatively quiet week on the IT-related snag, snarl and uff da front. But it seems no one can roll out a new Medicaid system without IT problems, as many of New Hampshire's 10 000 Medicaid providers are likely to unhappily learn, beginning today.

New Hampshire Government Officials Say Expect Problems Today With Its New Medicaid System

At least no one can say they weren’t warned.

“No one is under the illusion that we won't have problems… It's not going to be perfect. We know that there are a number of issues we have with this. We want to make sure we have a full understanding of what those issues are.”

Those presentiments come courtesy of New Hampshire’s Health and Human Services Commissioner Nick Toumpas, quoted in the New Hampshire Union Leader last week when he told the state’s Executive Council and the Union Leader what to expect when the state's long-delayed new US $90 million Medicaid Management Information System (MMIS) goes live today, 1 April.

The new MMIS system contract was originally let in December 2005 to Affiliated Computer Services (which was acquired by Xerox in 2010). The total contract cost, New Hampshire Watchdog.org states, was for $60 million: “$26 million for the design phase, and $34 million for the full five-year operational phase.” The design phase was supposed to be complete by the end of 2007, and operations were scheduled to begin on 1 January 2008.

The Union Leader reports that the MMIS design “has been modified at least five times, with the Executive Council repeatedly voting to extend the contract after Xerox missed eight deadlines over the six-year period.” According to the paper, the design changes and delays were caused by additional state and federal system requirements, as well as contractor implementation problems.

New Hampshire has been paying EDS (now owned by HP), the until-today current MMIS system developer and operator—and losing bidder to ACS—some $8 million a year to keep the legacy system operational.

Toumpas told the Executive Council to expect angry phone calls from many of the state's 10 000 Medicaid providers saying that they were having problems with the new MMIS since there were known defects that haven’t been corrected yet. He also said there may be “calls from people about a defect we haven't anticipated yet,” as well. Toumpas said that Xerox had beefed up its response team in anticipation of the expected complaints.

I’ll let you know next week whether the anticipated errors were minor or major. If the recent experiences of other states like Florida, Idaho and Ohio are any indication, the latter is more likely than the former.


Drone Manufacturers Whine That They Are Misunderstood

The AP published a story today about how drone manufacturers are worried about the growing “privacy backlash” in the United States concerning the prospect of swarms of government and private UAVs taking to the air once the U.S. Federal Aviation Administration works out how to let them fly safely in U.S. airspace. The agency intends to have the rules worked out by 2015.

The manufacturers, says the AP, are worried that the FAA will dawdle in its rule making and thus allow politicians, privacy advocates, and others who worry that drones will be abused the time to place what they consider to be unnecessary barriers to their use. They are worried that their $6 billion in expected sales to law enforcement and public safety agencies might be negatively impacted, especially with military contracts shrinking.

Apparently, in the manufacturers’ mind, those who “fear … the technology will be misused” just need to be re-educated to their life-saving benefits. The AP story quotes a UAV support services supply company CEO as saying, “Our lack of success in educating the public about unmanned aircraft is coming back to bite us,” while a drone manufacturer is quoted as saying, “Any legislation that restricts the use of this kind of capability to serve the public is putting the public at risk.” The story also quotes the executive director of the Airborne Law Enforcement Association as saying that UAVs “clearly have so much potential for saving lives, and it’s a darn shame we’re having to go through this right now. It’s frustrating.”

Yep, we need drones everywhere for the children’s sake.

If it wasn’t for those loud, pesky politicians like Rep. Ed Markey, D‐Mass., co‐chairman of the House Bipartisan Congressional Privacy Caucus, who introduced updated legislation last week to among other things (pdf), require the FAA to “not issue drone licenses unless the application includes a data collection statement that explains who will operate the drone, where the drone will be flown, what kind of data will be collected, how that data will be used, whether the information will be sold to third parties, and the period for which the information will be retained” as well as require “law enforcement agencies and their contractors and subcontractors [to] include an additional data minimization statement that explains how they will minimize the collection and retention of data unrelated to the investigation of a crime,” those drones could be out saving lives right now.

Well, maybe once New York City Mayor Bloomberg’s term ends, the drone manufacturers can hire him as their spokesperson to educate Americans on how, as one drone manufacturer told the AP, “the benefits of these solutions (drones) … far outweigh the concerns.” Bloomberg said last week that drones are coming no matter what and, as a consequence, that Americans are just going to have to learn to live with “more visibility and less privacy.” Just think of them as merely roaming security cameras in the sky, he suggested.

There, don’t you feel safer already?

Photo: Erik Simonsen/Getty Images

This Week in Cybercrime: “Anonymized” Cellphone Tracking Data is Pure Fiction

Anonymizing Cellphone Tracking Data Doesn’t Work

Earlier this month, we highlighted a Data Center of China Internet (DCCI) report revealing that up-to-the-minute information on where people are is becoming a big quarry for cybercriminals. Though that report focused on thieves using malware-laced apps to acquire the location data, researchers from MIT and the Universite Catholique de Louvain in Belgium recently found that anonymized mobile phone location data—the kind that police and other legal authorities might demand from a wireless carrier—can easily be used to home in on the identity of a single cellphone user. The American and Belgian team, which looked at 15 months of anonymized mobile phone data for about 1.5 million European users, found that they could identify 95 percent of them from just four data points. The data points are generated when a handset periodically connects to nearby cell towers as they move and when they make and receive calls and text messages. What’s worse from a privacy standpoint? About half of the users could be identified using only two data points. In a paper published this week in Nature Scientific Reports, the researchers note that:

"We show that the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy. Indeed, this uniqueness means that little outside information is needed to re-identify the trace of a targeted individual even in a sparse, large-scale, and coarse mobility dataset. Given the amount of information that can be inferred from mobility data, as well as the potentially large number of simply anonymized mobility datasets available, this is a growing concern."

The concern is warranted because governments including the United States have radically increased their snooping activities. For example, the FBI has gone hog wild issuing so-called National Security Letters (NSLs), which compel businesses such as wireless carriers and Internet service providers to turn over information without a warrant. In 2011, the FBI sent out more than 16 000 NSLs.

The researchers conclude that, “Going forward, the importance of location data will only increase and knowing the bounds of individual's privacy will be crucial in the design of both future policies and information technologies.”


Divers Caught Cutting Internet Backbone Cable

What’s the least sophisticated, but probably the most foolproof, way to cut off a country’s Internet traffic? Literally cutting it by severing undersea Internet cables. That’s what the Egyptian navy caught three scuba divers doing in the waters 750 meters off the port city of Alexandria on Wednesday. The cable they were going after was the 18 000-kilometer-long South East Asia–Middle East–Western Europe 4 (SEA-ME-WE 4) line, the Internet backbone that carries data between Europe, Africa, the Indian subcontinent, and Malaysia and Singapore in southeast Asia.

Internet service in Egypt had already been off since 22 March, supposedly because a passing ship damaged a separate cable. The trio, who approached “hacking” from a different angle than usual, took to the water a day before repairs to the other cable were expected to be completed and service restored.

The effects of the ship taking out that cable were experienced as far away as Pakistan and India, Jim Cowie, chief technology officer at Renesys, a network security firm, told the Associated Press. Cowie noted that a severed cable can force wide scale data rerouting, with some of the packets traveling the long way around the world.

Ship anchors and propellers have been blamed for serious cable breakages in the Mediterranean that affected northern Africa. Perhaps this incident will cause investigators to cast a more jaundiced eye in future cases.

Illustration: TeleGeography


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones