Risk Factor

Did the U.S. Hack the Office Computers of Then-President Sarkozy of France?

Yesterday, the French newsmagazine l’Express claimed that French government cybersecurity experts have concluded that the U.S. government used malware resembling Flame to surreptitiously enter “the computers of several close advisers to then-president Nicolas Sarkozy—including Chief of Staff Xavier Musca,” The Hill reported.

The White House has so far refused to comment on the l’Express story, as has the Palais de l’Élysée.

According to l’Express, the cyberattack happened shortly before the second round of the French presidential elections in May, in which the conservative Sarkozy lost to socialist candidate François Hollande.

The l’Express article, which details how the break-in occurred, indicates that Sarkozy’s advisers’ computers were hacked via phishing emails.

The Hill article says that U.S. Department of Homeland Security Secretary Janet Napolitano “reportedly did not deny the allegations when asked point-blank about them” by l’Express.

Napolitano also stated in the article that Flame and Stuxnet had “never been linked to the U.S. government.” Hmm, I guess that all depends on what the definition of “linked” means.


Glitch (the Game) Bites the Dust

Late last week, word came out that the massively multiplayer online (MMO) role playing game Glitch, which went live in September 2011, will be closing down in early December.

An article last year in MassiveOnlineGamer.com described Glitch this way: “Set in the minds of dreaming giants, the game's surreal, psychedelic visual style sets the stage for equally offbeat gameplay. Character skills include Bubble Tuning, Cocktail Crafting, and Bureaucratic Arts. New skills take real-world time to learn, with advanced skills requiring several hours of elapsed time. … Instead of combat grinding, the game emphasizes exploration, experimentation, and socializing. Missions and activities are completely non-violent (although one vegan player apparently took issue with the pig-nibbling element).”

While Glitch generated a lot of buzz at the time, the one thing it apparently wasn’t able to do was generate enough money to justify its $17 million investment.

In an FAQ page announcing Glitch’s demise, the creators of the game—a collective called Tiny Speck—said: “Unfortunately, Glitch has not attracted an audience large enough to sustain itself and based on a long period of experimentation and our best estimates, it seems unlikely that it ever would. And, given the prevailing technological trends — the movement towards mobile and especially the continued decline of the Flash platform on which Glitch was built — it was unlikely to do so before its time was up. Glitch was very ambitious and pushed the limits of what could be done in a browser-based game...and then those limits pushed back.”

Under the “Why why why why?” FAQ, the group elaborated further: “We had ambitious goals to create a crazy, beautiful, worthwhile game with a wide audience that would be very successful, both creatively and financially — and therefore make lots of money for our employees and for our investors. But we only managed to create a crazy, beautiful game.”

The closing announcement also states that the live game/world will be closed on December 9th at 8 p.m. Pacific time, whereas Glitch’s website and forums will remain available until the end of the year. Automatic refunds for recent purchases will begin immediately, while those for older transactions will be done manually—from most recent to oldest—as quickly as possible.

This Week in Cybercrime: What Threats Will Computer Users Face in 2013?

What 2013 Portends

As we near the end of the year, it’s a good time to assess the evolving methods of attack employed by cybercriminals and the countermeasures aimed at limiting the effectiveness of their schemes. Websense Security Labs told Business Standard that traditional tools used to thwart attacks will no longer get the job done because attackers’ techniques and targets are evolving. For instance, cybercriminals are already working out how to sidestep virtual machine defenses such as sandboxes. Advanced attacks, says Websense, will remain hidden until they are sure they aren’t in a virtual security environment. Furthermore, Websense told Business Standard, more computers and mobile devices will be vulnerable to malware because legitimate app stores such as Google Play and Apple’s App Store will unwittingly serve as dissemination points for malicious code designed to slip through the sites’ validation processes.

Even your TV set could put hackers hot on your trail. A Computerworld article quotes Eddy Willems, a security expert at G Data Software: “We think that cyber criminals are already using the freely available software development kits from the TV manufacturers to discover opportunities for [attacking Internet-connected smart TVs that let viewers do many of the things they currently do on their home computers].” Just as worrisome, the security experts say, is the specter of more governments stepping into the cyberwarfare arena. The Business Standard article sums it up thusly: “While the effort to become another nuclear superpower may be insurmountable, almost any country can draft the talent and resources to craft cyber-weapons. Countries and individual cybercriminals all have access to the blueprints for previous state-sponsored attacks like Stuxnet, Flame and Shamoon.”

Subverting Smart Card Security

Smart cards are supposed to make online transactions much more secure. But according to Computerworld, a team of researchers from Luxembourg has demonstrated that malware can be installed on a Windows computer so that attackers can take remote control of a USB smart card reader attached to the infected machine. The malware—which they tested using the Belgian national electronic identity card—installs a special driver that lets the hacker manipulate the middleware provided by the smart card manufacturer. A hacker can then conduct “authenticated” transactions with the victim's card as if the reader were attached to the hacker’s own computer. The malware even has a keylogger component so it can steal PIN or password information associated with a smart card. The researchers say they will present their proof-of-concept malware at the MalCon security conference in New Delhi, India, on 24 November.

Court’s Former Webmasters Charged With Stealing Database

On 14 November, two former IT workers at Alabama's Administrative Office of the Courts were indicted on charges that they stole the source code for a court-records database. The suspects, one of whom had been director of information systems for the courts, not only took the source code to the Namemaster database, but purloined hundreds of thousands of court records and turned them over to CyberBest Technology in Orlando, Fla. It remains to be seen whether CyberBest—which specializes in computer systems for the courts and police agencies—will face legal penalties, though it stood to benefit the most. The accused are being prosecuted in federal court, and could each serve 10 years in prison and be hit with a US $250 000 fine.

You Might Remain Silent, But Anything Your Computer Says Will Be Held Against You

A riveting and revealing Business Week article with the ongoing Syrian conflict as the backdrop provides ample evidence that governments see hard drives as important theaters in any battle. But think for a second: How does the story of Taymour Karim, a doctor who stood up to torture aimed at getting him to divulge the names of his compatriots who were also protesting the Syrian government, parallel what could happen (or already be happening) to you? Karim didn’t give up the info. But, says the Business Week article:

It didn’t matter. His computer had already told all. “They knew everything about me,” he says. “The people I talked to, the plans, the dates, the stories of other people, every movement, every word I said through Skype. They even knew the password of my Skype account.” At one point during the interrogation, Karim was presented with a stack of more than 1,000 pages of printouts, data from his Skype chats and files his torturers had downloaded remotely using a malicious computer program to penetrate his hard drive. “My computer was arrested before me,” he says.

IT Hiccups of the Week: Yet Again, United Airlines, NY Stock Exchange and Tesco Experience IT Problems

We start this week’s installment of IT-related “ooftas” with United Airlines' third “computer outage” of the year. This time the problem began yesterday around 0830 EST and ended near 1030 EST and according to the AP, involved the system used by dispatchers at the company's operations center in Chicago to communicate critical information such as aircraft weight and fuel loads to all of United’s operating locations around the world. A United spokesperson told the AP that “the airline has identified the specific problem, and said it won't happen again.”

Okay, regular United flyers, you can wipe those tears of laughter away now.

United told Reuters that the outage delayed less than 200 of the 5 679 United flights scheduled for yesterday (interestingly, United told the AP it was 250 flights), but I suspect that doesn’t count the number of flights that experienced knock-on effects from those 200 or so being delayed. The outage doesn’t help United’s quest for winning back business customers who have fled United because of its IT system problems this year. Just three weeks ago, CEO Jeff Smisek said the company, which took a major financial hit because of its earlier botched IT-system integration effort, fully expected “to earn back those customers who took a detour” around the airline. That just got harder after yesterday.

United wasn’t the only airline to suffer from an IT-related outage this past week. Last Saturday morning, 10 November, the Navitaire reservation system used by Jetstar, Virgin Australia, Tiger Airways and Rex went down for three hours due to a power failure at its data center in Sydney, Australia, the Herald Sun reported. Both Virgin Australia and Jetstar are contemplating whether to demand compensation from Navitaire, which is owned by Accenture. Last year Navitaire reached a confidential settlement with Virgin for damages after a major Navitaire meltdown negatively affected Virgin Blue flights for days in 2010.

Apparently, for the third week out of the last four, U.K. retailer Tesco suffered yet another product pricing glitch, this time affecting the online prices for its new London-area “exclusive-to-Tesco” organic fruit and vegetable boxes called Soil & Seed. According to a story in The Grocer, small, medium and large vegetable boxes were being offered for £5, £10 and £15 instead of the true price of £9, £13.50 and £18. Tesco said that it would honor the mistaken prices for customers who had ordered the vegetable boxes before the price glitch was corrected. However, there were no reports of stampedes of shoppers stocking up on the vegetable boxes as in previous Tesco pricing glitches involving beer, wine or cheese.

Also making a reappearance on the glitch list after a short time away was another trading glitch at the New York Stock Exchange. This time, a hardware problem forced the suspension Monday of trading in 216 stocks for the day, a story at the Wall Street Journal reported. The WSJ also reported that a “technical glitch” caused trading on the Mexican Stock Exchange to be suspended twice Monday, while Bloomberg News reported that a “software error” halted trading in Russian rubles late Wednesday.

Next, commuters on the new, £1.5 billion S Stock London Underground Metropolitan line trains have been ending up at stations they weren’t expecting due to a software error. According to a story in the Buckinghamshire Examiner, when passengers boarded what was “advertised as a Chesham train only [they] ended up in Amersham without warning and vice versa.”

The story said that “Transport for London (TfL)… is working with Derby-based Bombardier Transportation, which makes the trains, to resolve the issue,” which is being described as a “teething problem” with the digital destination board software that shows the destination of the subway train.

More intriguing was a statement in the article by the Chairman of the Federation of the Metropolitan Line Users' Committees who said, “It's pretty rare, it only happens to about five per cent of journeys but I'm pleased it's being sorted.” An interesting definition of the term “rare.”

While arriving at the wrong destination may be annoying, it isn’t as stressful as receiving a text and voicemail from the police telling you that there has been a shooting on campus and that the suspect is still at large. This is what happened at Michigan’s Oakland University when a regularly scheduled campus Police Department test of its emergency communications procedures went wrong and a technical error caused the system to accidentally send out a pre-recorded real emergency message instead of the test message, the campus paper reported. The error was caught quickly, but not before students started to panic. The campus police said, “We regret the error and any confusion and inconvenience it may have caused,” after which it promised it wouldn’t happen again.

Finally, Maine’s Office of Program Evaluation and Government Accountability released its report (pdf) into the software bug in Maine's Integrated Health Management System (MIHMS) that allowed roughly 19 000 people to continue getting their medical bills paid by Medicaid even though they were ineligible, from September 2010 to March 2012, costing the state over $10.6 million.

The short version of the report is that the bug was found in August 2010, and joined the list of 89 others also listed as severe. A lack of resources and a lack of a method to prioritize which bugs should be worked on first meant it wasn’t addressed until March 2011. Correcting the bug turned out to be much harder than expected, taking nearly a full year to fix, test and implement. The situation was exacerbated by a lack of communication between the IT department, which recognized the increasing financial impact of the uncorrected bug, and executive management, which was kept in the dark by IT about the ever increasing costs. This led to the “surprise” $10.6 million in unanticipated Medicaid payments being "discovered" earlier this year.

Maine's Department of Health and Human Services, which is in charge of MIHMS, says it is now “changing its organizational culture to create an atmosphere of healthy communications and transparency” to avoid a similar issue in the future. Funny that: I would bet before this incident happened, DHHS would have proudly proclaimed that they already had an organizational culture that fostered an atmosphere of healthy communications and transparency.

U.S. Air Force Blows $1 Billion on Failed ERP Project

The U.S. Department of Defense's latest strategy for putting lipstick on a pig, when faced with a major project debacle, has been to say, “Well, it’s not a total waste because the effort creates an opportunity to harvest technologies and lessons learned.” I expect to see the same lipstick strategy, maybe in a new shade, from the U.S. Air Force regarding its Expeditionary Combat Support System (ECSS), which it finally decided to scrap after blowing through a billion dollars over seven years of development to produce a system which it admits has no “significant military capability,” Defense World reported late last week.

The ECSS project (pdf) began in 2004 as an ambitious and risky effort to replace 240 outdated Air Force computer systems with a single integrated system so that the Air Force could finally come up with an auditable set of financial records, something I don’t think it has ever been able to do since its creation as a separate branch of the military in 1947. The decision to trash the ECSS system is of no great surprise, except for why it took so long.

Back in April, the Air Force's comptroller, Jamie Morin, told the Senate Armed Services Committee's Subcommittee on Readiness and Management Support that, “We're now approaching seven years since funds were first expended on this system. The total cost is now over US $1 billion. I'm personally appalled at the limited capabilities that program has produced relative to that amount of investment.”

Morin went on to explain to the Senate what the Air Force was going to do next in regard to ECSS and how it was going to achieve the objective of having auditable financials by 2017. This was going to be a challenge since in March, the Air Force had terminated the ECSS contract with prime contractor CSC for performance reasons. This followed on from a stop work order that had been issued to CSC in September of last year for a lack of progress. Since then, the Air Force has been trying to figure out how to once again restructure the project (it had been restructured at least twice before) in hopes of finding that elusive path to success.

Apparently, however, after a thorough analysis, the Air Force determined that there wasn't a feasible or affordable path to success available. Continuing the program, it determined, “would have cost an estimated $1.1 billion for about one-quarter of the original scope, with fielding delayed until 2020,” Defense World said.

Why, you might ask, didn’t the U.S. Air Force leadership take action to keep ECSS from turning into a billion dollar debacle? The reasons are explained well in a 2011 Institute for Defense Analyses report (pdf) on why DoD ERP projects are routinely “over budget, behind schedule, and have not met performance expectations.”

In the report, IDA states that on these projects, “Program managers are unable to deliver a completely factual version of their status to leadership if it contains any element that could be considered significantly negative. To do so is perceived as weakness in execution even though the root causes may be out of the control of the program manager. Program managers fear that an honest delivery of program status will result in cancellation. As a result of this, leadership is unable to be effective in removing obstacles to program success.”

In short, no one in the DoD leadership chain wants to hear bad news. The IDA report further noted that bringing up bad news required “courage,” which apparently is in short supply in DoD ERP projects in particular and, from my experience, DoD programs in general.

Avantor Sues IBM, Claims Fraud

In another ERP-related debacle story this week, Avantor Performance Materials, a global manufacturer of high-performance chemistries and materials, announced in a press release that it was filing suit against IBM for a failed SAP software implementation. Avantor alleges that IBM, which was retained by Avantor to upgrade its global computer systems to an SAP platform, “fraudulently misrepresented the capabilities of its proprietary software solution and engaged in other misconduct leading to a failed implementation in Avantor’s U.S. locations.”

The press release quotes John Steitz, President and CEO of Avantor, as saying, “IBM representatives assured us that its Express Life Sciences Solution, a prepackaged software solution, was suitable to run Avantor’s core business processes. In fact, the solution—and the service and support offered by IBM throughout the implementation—proved to be woefully misaligned with the unique needs of our company and our customers.”

The company claims that it has spent the last seven months recovering from the effects of the failed SAP implementation, and wants tens of millions of dollars in damages from IBM as a result.

A Reuters story says that IBM was surprised by the lawsuit, and that the complaints “are exaggerated and misguided.” It went on to say that IBM claimed that it had “met its contractual obligations and delivered a solution that Avantor continued to use in its operations,” a claim that the Avantor press release seems to contradict.

At least IBM's failed implementation failed quickly.

NASA Suffers “Large” Data Breach Affecting Employees, Contractors, and Others

Yesterday, NASA sent a message to all NASA employees informing them of a data breach involving a stolen agency laptop.

According to the NASA message posted at SpaceRef.com, “On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee's locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.”

The message goes on to state that NASA will be sending letters to affected individuals, once the agency figures out who they are, which may take up to 60 days. Those individuals receiving letters will be offered a free credit and ID monitoring service.

Meanwhile, NASA is urging employees to be suspicious of “any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it” since neither NASA nor its data breach specialist contractor, ID Experts, will be asking for such information.

The message then goes on to say that, “The Administrator is extremely concerned about this incident and has directed that all IT security issues be given the highest priority. NASA is taking immediate steps to prevent future occurrences of PII data loss.” The steps include forbidding NASA-issued laptops that don’t have whole disk encryption software enabled, or that don’t have their sensitive files individually encrypted, from leaving a NASA facility, and requiring the purging of sensitive files no longer required for immediate work. NASA plans to have all of its laptops running whole disk encryption software by 21 December 2012.

The NASA message ends in the usual way, “NASA regrets this incident and the inconvenience it has caused for those whose personal information may have been exposed.”

Why it has taken so long for NASA to finally decide to fully encrypt its laptops remains a mystery, given its long-time poor record on IT security. As noted at NASA Watch, NASA has a history of laptops with personally identifiable information being stolen, one as recently as March.

Maybe NASA decided to act this time because it involved a NASA Headquarters' person who in all likelihood is very senior and should have known better than to possess a laptop with no data encryption.

Australian Government Gives Up on Filtering the Internet

Late last week, Australian Labor Government Communication Minister Stephen Conroy announced that his nearly five-year quest to centrally filter Internet content before it could be accessed by the Australian populace was officially over, the Herald Sun reported. The censorship plan never had much chance of success. A few years ago, the head of Telstra, the largest ISP in Australia, insightfully stated, “My view on that is that's like trying to boil the ocean... to think that you're going to be able to centrally filter everything, I think that's a pipe dream.”

Declaring a victory of sorts, Conroy said that while the government would no longer pursue a centrally-directed means for filtering the Internet, the country’s telecom companies have agreed to block some 1400 child pornography websites that are on Interpol’s blacklist.

Minister Conroy, in a statement, said that, “Blocking the INTERPOL ‘worst of’ list meets community expectations and fulfils the government’s commitment to preventing Australian internet users from accessing child abuse material online. Given this successful outcome, the Government has no need to proceed with mandatory filtering legislation.”

The government’s plan to selectively censor the Internet was opposed by the Coalition and Green political parties. Both groups welcomed Conroy's news. The Coalition couldn’t resist, however, pointing out that the government’s decision was, in effect, “walking away from yet another promise it took to the 2010 election,” when it said Australian ISPs couldn’t be trusted.

The Australian Christian Lobby, which strongly supported the filter, said it was “greatly disappointed” that the government was breaking its campaign promise.

In related news, Google reported that its services in China were blocked on Friday 9 November and into Saturday, as the 18th Communist Party Congress—where China selects its next leadership—was set to begin, the New York Times reported over the weekend. Service came back later on Saturday and was said to be intermittent on Sunday, but access apparently is now fine.

Also late last week, the U.S. State and Treasury Departments levied sanctions against four Iranian nationals and five government-related bodies for “censorship or other activities that prohibit, limit or penalize freedom of expression or assembly by citizens of Iran or that limit access to print or broadcast media, including by jamming international satellite broadcasts into Iran, and related activities,” the AFP reported. Those affected by the sanctions include Reza Taghipour, Iran’s Minister of Communication and Information Technology, as well as the country's Ministry of Culture and Islamic Guidance and its Press Supervisory Board.

A State Department press release explains what the sanctions mean: “U.S. persons are prohibited from engaging in transactions involving the designated individuals or entities, and all designated individuals and members of designated entities are subject to a ban on travel to the United States. This action also blocks, or freezes, the property and interests in property of designated individuals or entities.”

The Iranian government, in response, dismissed the sanctions as “unimportant.”

This Week in Cybercrime: Chevron Bitten by Stuxnet, SEC Embarrassed by Security Breach

It’s been a relatively quiet week in the world of cybercrime. We start off this week’s review with Chevron’s admission yesterday that its IT systems were infected with the Stuxnet malware back in July 2010. This is the first time a U.S. company has acknowledged being infected by the malware which the U.S. and Israel created and used to target Iran’s uranium enrichment program.

Mark Koelmel, general manager of the earth sciences department at Chevron, told the Wall Street Journal that, “I don’t think the U.S. government even realized how far it [Stuxnet] had spread. I think the downside of what they did is going to be far worse than what they actually accomplished.”

Chevron’s admission will no doubt fan the debate over whether Stuxnet escaped into the wild or not, or whether Chevron itself may have been deliberately targeted.

Chevron told the WSJ that it was not adversely affected by Stuxnet, but I think that all depends on how you define “adversely affected.”

Coincidentally, a story at ComputerWorld yesterday reported that a team of Russian security researchers has found that Siemens' updated WinCC SCADA (Supervisory Control And Data Acquisition) software, which was targeted by Stuxnet, is still full of security holes. The story says that the research team “found more than 50 vulnerabilities in WinCC’s latest version, so many that Siemens has worked out a roadmap to patch them all… Most are problems that would allow an attacker to take over a WinCC system remotely.”

Looks like Siemens has more work to do.

In a case of do-as-I-say-not-as-I-do, Reuters reported yesterday that staffers at the U.S. Securities and Exchange Commission “failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks.” The irony is that the staffers were part of the SEC's Trading and Markets Division, which is responsible, Reuters says, “for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems.”

The security breach caused the SEC to spend over $200 000 to conduct a security audit to ensure that no information was compromised. The SEC also had to notify all the stock exchanges of the breach, which made none of them very happy (although the schadenfreude felt was likely acute), especially since the SEC has been pushing public companies hard to disclose the risk of cyber incidents.

The SEC had no comment on the Reuters story. It likely will be forced to break its silence and explain to Congress how the breach was allowed to exist, however, once a report is published on the incident in the near future by the SEC Interim Inspector General.

There was also a disturbing story this week in the Minneapolis Star Tribune about a former policewoman who has collected more than $1 million so far from lawsuits filed against a number of Minnesota cities because police officers illegally accessed her driver's license information from the state’s motor vehicle database. According to a story at CityPages, her information had been “accessed 425 times by 104 officers between 2007 and 2011… and an additional 174 times in 2006.”

The Star Tribune story noted that police officers accessed the woman’s license “because she was very attractive and so they could see that 'she's changed and she's got a new look.’ ”

The routine and unauthorized access of Minnesota's driver license database by police has been alleged in the suit, something that the city police departments involved deny. However, city governments across Minnesota have apparently taken steps to tighten police access to driver's license information as well as increase the penalties for unauthorized access in light of the lawsuits. So far, though, none of the officers identified as taking part have been disciplined.

Finally, in a case of locking the barn door after all the horses have escaped, South Carolina announced that it will be spending the next two to three months encrypting its revenue department data. As I noted last week, some 3.6 million unencrypted taxpayer Social Security numbers, 387 000 credit and debit cards, and information on over 657 000 South Carolina businesses were stolen by cybercriminals last month from South Carolina’s Department of Revenue.

Governor Nikki Haley had recently stated that Department of Revenue taxpayer data hadn’t previously been encrypted because doing so was “cumbersome” and what’s more, data encryption wasn’t an IT security industry best practice. I guess she has changed her mind.

It is estimated that South Carolina will be spending in excess of $30 million alone to provide affected taxpayers fraud protection services for the next year.

IT Hiccups of the Week: Electronic Voting Headaches Abound, Little Real Impact

As expected, voting glitches related to Tuesday’s U.S. presidential election occurred, but luckily they had no discernible impact on the results. Otherwise, we might all now be crying like Abigael Evans.

There were reports of scattered electronic voting problems in Pennsylvania, New Jersey, North Carolina, South Carolina, and my home state of Virginia. Probably the most “infamous” glitch was the one where a voter in Pennsylvania using a touchscreen voting machine tried to vote for President Obama, but Republican candidate Mitt Romney kept being selected instead. The voter posted his experience on YouTube, and it quickly went viral. Touchscreen calibration errors, where candidates other than the one selected popped up, were a common complaint.

What happened in Spotsylvania County, Virginia, was more typical. Several electronic voting machines wouldn’t work from the onset of voting or broke down later, leading to very long waits to vote. In another case, Congressional voting districts had changed, but the electronic voting machines used in several voting precincts didn’t properly reflect the changes. In two Spotsylvania voting precincts, the votes cast for the state’s Congressional race had to be thrown out as a result.

All the states with electronic voting issues promise that the problems will be corrected by the next election; I would love to take bets against that happening.

Twitter managed to upset lots of its users this week by mistakenly resetting the passwords of “a large number” of its 140 million users, the Chicago Tribune reported. It happened as Twitter was conducting standard security screening to identify accounts that may have been compromised. When it suspects an account has been compromised, it resets that account's password. In this case, however, it not only reset the passwords of accounts believed to be compromised but, for some unexplained reason, those of many non-compromised user accounts as well.

Twitter then made things worse by sending the accounts it had mistakenly reset the same email it normally sends to users of accounts believed to be compromised, namely, your account may have been compromised, and please reset your password. Many users receiving the email thought it was a phishing attempt and decided to ignore it, until they found they couldn’t log on to their accounts.

Twitter later apologized for any inconvenience or confusion this all may have caused.

Government social workers in British Columbia are reportedly highly irritated by the continuing operational glitches in their new CAD $182 million Integrated Case Management system that went live in April. According to The Province newspaper, the ICM system is “supposed to streamline management of computer files across ministries that care for poor children, disabled people and troubled families racked by addiction, mental illness and violence.”

However, the paper quotes a B.C. social worker as saying, “It freezes. It crashes. Data disappears or is extremely difficult to locate. It’s incredibly cumbersome and hard to use….The biggest fear we all have is a crucial piece of information will be lost or overlooked — and a child will die as a result.”

In September, the paper said, social workers across B.C. turned on their computers and were surprised to see that, in place of the ICM system home page, the U.S. Department of Homeland Security home page popped up instead. It turns out the ICM system was built on top of a platform designed by Siebel Systems for other governmental agencies, including the DHS, and a bug somehow allowed the DHS homepage to appear.

The B.C. government, while admitting there have been some system glitches, has been trying to play down the problems, saying that, “There are always challenges when implementing complex new systems and procedures.” However, the B.C. government has already spent another CAD $12 million on top of the original CAD $182 million trying to deal with these "challenges," and more money is likely going to be needed.

What really puzzles me: Why did it cost CAD $182 million to tailor an existing system to meet B.C. social worker requirements in the first place?

Finally, the cost of the massive IT meltdown that affected millions of customers of the RBS Group of banks has increased from an originally estimated £125 million to £175 million, ComputerWeekly reports. RBS Group had to pay more compensation to its customers than expected, hence the cost increase. RBS Group is spending another £80 million to shore up its IT infrastructure to try to avoid a repeat performance.

Cost of Electronic Health Record Systems Accelerating Decline of Independent Physicians?

According to the latest figures from the Centers for Medicare and Medicaid Services, the Medicare and Medicaid Electronic Health Records Incentive Program has now paid out over US $7 billion since January 2011 to over 100 000 healthcare providers that meet federal EHR use standards, a story at Government Executive magazine reports. The incentive program was set up under the HITECH Act of 2009 to encourage the adoption of EHR systems and use them “in ‘meaningful’ ways that lead to higher quality care, improved patient safety, and shared decision making by patients and physicians.” Eligible healthcare professionals can receive up to $44 000 through the Medicare EHR Incentive Program and up to $63 750 through the Medicaid EHR Incentive Program. In addition, there are penalties planned to be introduced in 2015 and increased over time for healthcare providers who aren't using EHR systems by then.

As I noted last month, within the medical community, the debate over the value of EHR systems has become increasingly heated as more healthcare providers adopt them. A survey report (pdf) released last week from Accenture will likely add more fuel to the fire.

According to Accenture, private practice doctors are saying that the cost of EHR systems is increasingly becoming a deciding factor in whether they continue to operate as an independent practice or close it down, typically to be hired as a hospital employee. Over the past decade, “the number of independent U.S. physicians has dropped dramatically, from 57 percent in 2000 to 39 percent in 2012,” Accenture states, and this number is expected to drop to only 36 percent by the end of 2013.

Accenture states that its survey indicates that “business operations are one of the main reasons why 61 percent of physicians have decided to seek employment, with cost and expense of running a business indicated as the chief concern for 87 percent of those independent doctors surveyed.” Furthermore, the cost and hassle involved in installing and operating EHR systems is given by 53 percent of the doctors surveyed as a main reason for giving up their private practice.

Also appearing this week in the Washington Post was a timely article that discusses the reasons behind the decision by several highly experienced doctors not to install an EHR system in their private practices, despite the Federal government’s incentive program. EHR system cost was a factor in their decisions: one doctor said he was quoted about $30 000 upfront for a system, which likely would be covered by the incentive, but there was also $2000 a month in subscription fees and another $300 a month for cyber insurance to cover against data breaches, not to mention the lost productivity for several months during the transition from paper to digital records. Doubt about whether an EHR system would really improve their effectiveness as doctors was also voiced as a major barrier to installing one. As one internist noted, “We have 10 000 diagnoses and thousands of medicines. It’s not like automating that would make it easier.” (That point may spawn another debate in the near future: EHRs might be a necessary step in applying IBM's Watson and other technologies to improve the accuracy of doctors' diagnoses, thereby raising the issue of whether EHR systems should become mandatory as a standard of medical practice.)

The Accenture report indicated that doctors who wish to stay in private practice should look to increasing their revenue and reducing their costs by turning to subscription-based models like that offered by Multnomah Family Care Center, a Patient/ Physician Cooperative in Portland, Oregon, where “patients pay a one-time enrollment fee to join, and then pay monthly membership and primary care provider fees, which combined average less than $60 a month.” Patients there use their health insurance to pay for “acute conditions or emergencies,” but otherwise, patients pay the doctor directly for their medical care, thereby bypassing many of the limits on payments imposed by insurance companies or the Federal government.

What this all implies, given that, as a consequence of the Affordable Care Act, millions of previously uninsured American families will soon be looking for doctors, is open to speculation. But I would hazard a guess that if the cost of EHR systems continues to encourage doctors to leave private practice or turn to a subscription-based model, the planned financial penalties for not "meaningfully" using certified EHR systems by 2015 will be postponed or the incentive rates increased.
