Fred Trotter

Recently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.

A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.

Well, we have more evidence now, and it's not looking good for Anthem.

Recently GovInfoSecurity reported that Anthem has again refused the OIG the ability to scan its network. OIG prefers to perform its own vulnerability assessments, so that it does not have to rely on the organization's internal assessments.

This is not the first time this has happened. When Anthem was called “WellPoint”, it refused a request from OIG to scan, according to the OIG’s report at the time. OIG stands for Office of Inspector General and is essentially the “generic audit arm” of the US government. They are responsible for ensuring that government contractors are complying with regulations, and Anthem has an important contract to process medical claims for Federal Employees.

Here is what OIG had to say about this issue in September of 2013, the first time that Anthem refused its audit process:

This performance audit was conducted in accordance with generally accepted government auditing standards (GAS) issued by the Comptroller General of the United States, except for specific applicable requirements that were not followed. There was one element of our audit in which WellPoint applied external interference with the application of audit procedures, resulting in our inability to fully comply with the GAS requirement of independence.

We routinely use our own automated tools to evaluate the configuration of a sample of computer servers. When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network. In an effort to meet our audit objective, we attempted to obtain additional information from WellPoint, but the Plan was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers (see the “Configuration Compliance Auditing” section on page 9 for additional details.)

As a result of the scope limitation on our audit work and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Just months before, in July of 2013, Anthem (as WellPoint) had paid $1.7 million for a HIPAA violation. That fine was the result of an investigation that found that Anthem had not:

  • adequately implemented policies and procedures for authorizing access to the on-line application database
  • performed an appropriate technical evaluation in response to a software upgrade to its information systems
  • had technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

Vulnerability scanning is intended, among other things, to detect exactly these kinds of problems.

Continue reading “Anthem Arrogantly Refuses Audit Processes. Twice.”

Being provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline ‒ Why Anthem Was Right Not To Encrypt.

His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security profile. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix. I used a Chrome browser and a single malicious IP address that was provided by Norse. I wrote about the details of that here ‒ Just How Secure Are IT Network In Healthcare? Spoiler alert: the answer to that question is not very.

I encourage everyone to read Fred’s article, of course, but the gist of his argument is that technically ‒ data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical decision when access to patient records is urgently needed. It’s also a valid point to argue that the Anthem breach should not be blamed on data that was unencrypted, but the headline itself is misleading ‒ at best.

Continue reading “Why Anthem Was Wrong Not to Encrypt”

The Internet is abuzz criticizing Anthem for not encrypting its patient records. Anthem has been hacked, for those not paying attention.

Anthem was right, and the Internet is wrong. Or at least, Anthem should be “presumed innocent” on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions.

Most lay people, clinicians and, apparently, reporters simply do not understand when encryption is helpful. They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue.

Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking.

When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that car useful, no one says “well, that car manufacturer needs to invest in more secure keys”.

In general, systems that rely on keys to protect assets are useless once the bad guy gets hold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain “programmer access”. Without knowing precisely what that means, it is fair to assume that even in a system implementing “encryption-at-rest”, the programmers have the keys. Typically it is the programmer that hands out the keys.

Most of the time, hackers seek to “go around” encryption. Suggesting that we use more encryption, or that we should use it differently, is only useful when “going around it” is not simple. In this case, going around it is exactly what happened.

Continue reading “Anthem Was Right Not to Encrypt”

The American Medical Association (AMA) says the number one issue with recent data releases from HHS is that “there is currently no mechanism for physicians and other providers to review and correct their information.”

We think we have a way to fix that problem over at the DocGraph project!

Over the last two years there have been three major breakthroughs in the analysis of doctors using Open Data. The first was the original teaming and referral database obtained by DocGraph (us) under a FOIA request. The second was the prescribing data set obtained by ProPublica. Both DocGraph and ProPublica worked around the 1978 injunction limiting the use of FOIA for doctor data.

The third is the new procedure pattern data set announced as the direct result of the overturning of the 1978 injunction.

We are happy to announce the release of the first “all-in-one” open doctor data browser that we are calling DocGraph Omni. We have created a public tool that allows you to browse the merger of all three major new open data sets about doctors and other healthcare providers that bill Medicare.

Now in one place you can view how a provider prescribes, how they collaborate, and which procedures they work with. Our intention is to turn Omni into a browser where you can find any open data about doctors, no matter what the source.

But this is not just about “finding” the data. We have created a system that allows anyone to comment on any given data point in these data sets.

Continue reading “A New Way to Explore and Comment on Doctor Data”

The federal government’s announcement last week that it would begin releasing data on physician payments in the Medicare program seems to have ticked off both supporters and opponents of broader transparency in medicine.

For their part, doctor groups are worried that the information to be released by the Centers for Medicare and Medicaid Services will lack context the public needs to understand it.

“The unfettered release of raw data will result in inaccurate and misleading information,” AMA President Ardis Dee Hoven, MD, said in a statement to MedPage Today. “Because of this, the AMA strongly urges HHS to ensure that physician payment information is released only for efforts aimed at improving the quality of healthcare services and with appropriate safeguards.”

On the other hand, healthcare hacker Fred Trotter has raised concerns about CMS’ plan to evaluate requests for the data on a case-by-case basis. That isn’t much of a policy at all, he wrote, giving federal officials too much discretion about what to release.

So, how is this all going to shake out?

Three recent examples offer some clues. Continue reading “Some Predictions on How Medicare Will Release Physician Payment Data”


What: Join healthcare data journalist Fred Trotter’s lecture on graph theory and find out how to translate healthcare issues into solvable graph problems.

When: Thursday, October 24th at 2pm PT/5pm ET (TODAY).

Where: Sign up here.


What: Join healthcare data journalist Fred Trotter’s lecture on graph theory and find out how to translate healthcare issues into solvable graph problems.

When: Thursday, October 17th at 2pm PT/5pm ET (TODAY).

Where: Sign up here.

The original Hippocratic Oath states:

I will not use the knife, not even on sufferers from stone, but will withdraw in favor of such men as are engaged in this work.

One modern version reads:

I will not be ashamed to say “I know not,” nor will I fail to call in my colleagues when the skills of another are needed for a patient’s recovery.

The idea here is that a doctor needs to recognize when another practitioner has a skill that they do not, and that they must refrain from “practice” when another person has demonstrable expertise in that area of practice.

It is now 2013. It is time for doctors to stop “writing their own EHR” from scratch. They need to bow out of this in favor of people who have developed expertise in the area.

I just found out about another doctor who has decided to write his own EHR, because he has not been able to find one that adequately supports his new direct pay business model. In the distant past I encountered a doctor who believed that his “Microsoft Word Templates” qualified as an EHR system. This is a letter to any doctor who feels comfortable starting from-scratch software development for an EHR in 2013 or later.

You might believe yourself to be an EHR expert.

Are you sure about that? Are you sure that you are not just an EHR expert user?

This difference is not unlike your relationship with your favorite thoracic surgeon. Or for that matter, your relationship with the person who built your car. The fact that you are capable of expertly evaluating and using EHR products does not mean you are qualified to build one. Just like the fact that you are qualified to treat a patient who has recently had heart surgery or to discern when a patient might need heart surgery does not make you qualified to perform that heart surgery. Similarly, the fact that you can drive, or even repair your automobile, does not provide you with the expertise you need to build a car from scratch.

The ethical situation that you are putting yourself in by developing your own EHR is fairly tenuous. Performing heart surgery without being a heart surgeon, building and driving your own car without being an automotive engineer, and a doctor coding their own EHR system from scratch all have the same fundamental problem: you might be smart enough to pull it off, but if you don’t, you can really mess up another person’s life. Make no mistake, you can kill someone with a shoddy EHR just as easily as by performing medical procedures that you are not qualified for or by driving a car that is not road-safe.

Continue reading “Why Doctors Should Stay Out of the Business of Building EHRs”

Health 2.0 EDU offers online classes with the world’s top experts in health care and information technology.

What: Join Fred Trotter’s lecture on Leveraging Big Data to Fix the Health Care System -How to Approach Large Data Sets Effectively.

When: Tuesday, July 9th at 3pm/6pm ET (TODAY)

Where: Sign up here.

There are two definitions of the word “Hacker”. One is the original and authentic term that the geekdom uses with respect. This is a cherished label in the technical community, which might read something like:

“A person adept at solving technical problems in clever and delightful ways”

while the one portrayed by popular culture is what real hackers call “crackers”:

“Someone who breaks into other people’s computers and causes havoc on the Internet”

People who aspire to be hackers, like me, resent it when other people use the term in a demeaning and co-opted manner. Or at least, that is what I used to think. For years, I have had a growing unease about the “split” between these two definitions. The original Hackers at the MIT AI lab did spend time breaking into computer resources… it is not an accident that the word has come to mean two things. It is from observing e-patients, who I consider to be the hackers of the healthcare world, that I have come to understand a higher level definition that encompasses both of these terms.

Hacking is the act of using clever and delightful technical workarounds to reject the morality embedded in the default settings of a given system.

This puts “Hacking” on a footing with “Protesting”. This is why crackers give real Hackers a bad name. While crackers might technically be engaged in Hacking, they are doing so in a base and ethically bankrupt manner. Martin Luther King Jr. certainly deserves the moniker of “protester”, and this is not made any less noble because Westboro Baptist Church members are labeled protesters too.

Continue reading “Hacking Healthcare”

The Health Care Blog (THCB) is based in San Francisco. We were founded in 2003 by Matthew Holt. John Irvine joined a year later and now runs the site.