Tag: Fred Trotter

Taking on Facebook for Health Data Privacy: Fred Trotter, CareSet Systems

By JESSICA DaMASSA, WTF HEALTH

While patients can often find comfort, compassion, and support in Facebook Groups dedicated to their health conditions, they don’t realize that their identity, location, and email addresses can be found quite easily by other members of their closed group — some of whom may not have well-meaning purposes for that information. Called a Strict Inclusion Closed Group Reverse Lookup (SICGRL) attack, this is a privacy violation of unprecedented magnitude. 

Fred Trotter is one of the leaders of a group of activists co-led by Andrea Downing and David Harlow that is taking on Facebook to correct this health data privacy violation. 

While this interview was filmed at Health Datapalooza in the Spring of this year, Fred has just published an update that details how Facebook continues to ignore the issue and remains unwilling to collaborate on a solution. 

Catch up on the background behind this data privacy issue — currently, one of the most important opportunities we as healthcare innovators have to learn about what NOT to do when it comes to user privacy and sensitive data. 

Health in 2 Point 00, Episode 75 | Rounds & IPOs, Health Datapalooza, & the Facebook Controversy

Today on Health in 2 Point 00, Jess and I are at the 10th annual Health Datapalooza in Washington D.C.! Jess talks to me about Xealth’s $11 million round to develop out its company, and Change Healthcare is applying for a $100 million IPO. The big takeaways from Health Datapalooza are that many people and companies have integrated data into their systems, but they haven’t been able to gain many actionable insights from it. Also, if you haven’t heard of the complaint Andrea Downing, Fred Trotter, and David Harlow wrote to the FTC concerning the privacy and data that can be downloaded from Facebook’s groups, you better check it out. It details the concern that Facebook is not protecting the data of patients, as anyone can download sensitive data from the groups and use it — Matthew Holt

Health in 2 Point 00, Episode 61

On Episode 61 of Health in 2 Point 00, Jess and I are still in Tokyo—but this time we’re reporting from a famous whiskey bar. In this episode, Jess asks me about the most important takeaways from Health 2.0 Asia-Japan and the growing health tech market there. We also have two special guest stars today: Yuuri Ueda, the director of Health 2.0 Asia-Japan, tells us how loosening government regulations are opening up opportunities for more and more startups to break into telemedicine, and Fred Trotter explains how Japanese startups can learn from the U.S. in terms of data security and privacy. All this in (exactly) two minutes.

There’s so much more from Health 2.0 Asia-Japan that you all need to see, so keep an eye out on THCB for my three-point takeaway from the conference and be sure to watch Jess’s WTF Health interviews to hear from amazing people in the Asian health tech community —Matthew Holt. 

Is Obamacare Working? Show us the Data

As President Obama’s healthcare reform unfolds in the last years of his administration, critics and supporters alike are looking for objective data. Meaningful Use is a funding program designed to create health IT systems that, when used in combination, are capable of reporting objective data about the healthcare system as a whole. But the program is floundering. The digital systems created by Meaningful Use are mostly incompatible, and it is unclear whether they will be able to provide the needed insights to evaluate Obamacare.

Recent data releases from HHS, however, have made it possible to objectively evaluate the overall performance of Meaningful Use itself. In turn we can better evaluate whether the Meaningful Use program is providing the needed structure to Obamacare. This article seeks to make the current state of the Meaningful Use program clear. Subsequent articles will consider what the newly released data implies about Meaningful Use specifically, and about Obamacare generally.

Continue reading…

Anthem Arrogantly Refuses Audit Processes. Twice.

Recently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that the application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.

A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.

Well, we have more evidence now, and it’s not looking good for Anthem.

Continue reading…

Why Anthem Was Wrong Not to Encrypt

Being provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline ‒ Why Anthem Was Right Not To Encrypt.

His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security profile. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix. I used a Chrome browser and a single malicious IP address that was provided by Norse. I wrote about the details of that here ‒ Just How Secure Are IT Network In Healthcare? Spoiler alert: the answer to that question is not very.

I encourage everyone to read Fred’s article, of course, but the gist of his argument is that, technically, data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical decision when the accessibility of patient records is urgently needed. It’s also a valid point to argue that the Anthem breach should not be blamed on data that was unencrypted, but the headline itself is misleading ‒ at best.

Continue reading…

Anthem Was Right Not to Encrypt

The Internet is abuzz criticizing Anthem for not encrypting its patient records. Anthem has been hacked, for those not paying attention.

Anthem was right, and the Internet is wrong. Or at least, Anthem should be “presumed innocent” on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions.

Most lay people, clinicians and apparently, reporters, simply do not understand when encryption is helpful. They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue.

Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking.

When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that car useless, no one says “well, that car manufacturer needs to invest in more secure keys”.

In general, systems that rely on keys to protect assets are useless once the bad guy gets ahold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain “programmer access”. Without knowing precisely what that means, it is fair to assume that even in a given system implementing “encryption-at-rest”, the programmers have the keys. Typically it is the programmer that hands out the keys.

Most of the time, hackers seek to “go around” encryption. Suggesting that we use more encryption or suggesting that we should use it differently is only useful when “going around it” is not simple. In this case, that is what happened.

Continue reading…
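The post above argues that encryption-at-rest is defeated once an attacker reaches the layer that holds the keys. The script below is an added example, written for this page rather than taken from Fred Trotter’s post or from any Anthem system, and it makes that threat-model split concrete: the same encrypted record store is attacked once by stealing only the storage and once by running with the application’s own “programmer access”. The cipher is a stdlib-only toy (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC) so the script runs offline; the record store, the member records and every function name are constructed for illustration, and a real deployment would use AES-GCM from a vetted library.

```python
"""Added example (not from the original post): encryption-at-rest versus
an attacker who already holds 'programmer access'.

Threat model 1: offline theft of the storage volume only -> ciphertext.
Threat model 2: compromise of the application layer      -> the attacker
                reuses the key the app must hold to serve queries.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-mode keystream: HMAC-SHA256(key, nonce || counter) blocks.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Fresh nonce per record; encrypt-then-MAC so tampering is detected.
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class RecordStore:
    """Hypothetical app with encryption-at-rest. Rows are encrypted before
    they reach 'disk' (a dict here); the process must hold the data
    encryption key (DEK) in memory to answer any query at all."""

    def __init__(self) -> None:
        self.dek = secrets.token_bytes(32)  # the key every programmer path can reach
        self.disk: dict[str, bytes] = {}    # what a stolen volume would contain

    def put(self, member_id: str, record: dict) -> None:
        self.disk[member_id] = encrypt(self.dek, json.dumps(record).encode())

    def get(self, member_id: str) -> dict:
        return json.loads(decrypt(self.dek, self.disk[member_id]))


def offline_disk_theft_reads_plaintext(store: RecordStore) -> bool:
    """Threat model 1: attacker has only the raw storage, no key.
    Returns True if any stored row parses as a plaintext record."""
    for blob in store.disk.values():
        try:
            json.loads(blob)
            return True
        except ValueError:  # UnicodeDecodeError / JSONDecodeError: still ciphertext
            continue
    return False


def decrypt_with_wrong_key_fails(store: RecordStore, member_id: str) -> bool:
    """Brute guessing a key without the app's DEK just fails the MAC check."""
    try:
        decrypt(b"\x00" * 32, store.disk[member_id])
        return False
    except ValueError:
        return True


def attacker_with_programmer_access(store: RecordStore) -> list:
    """Threat model 2: attacker executes inside the app (stolen credentials,
    code execution). The ciphertext is irrelevant; they call the normal read
    path, which uses the key the app legitimately holds."""
    return [store.get(member_id) for member_id in store.disk]


def demo() -> dict:
    store = RecordStore()
    # Constructed sample records, not real data.
    store.put("m-1", {"name": "A. Member", "ssn": "000-00-0000"})
    store.put("m-2", {"name": "B. Member", "ssn": "000-00-0001"})
    return {
        "disk_theft_sees_plaintext": offline_disk_theft_reads_plaintext(store),
        "wrong_key_rejected": decrypt_with_wrong_key_fails(store, "m-1"),
        "programmer_access_sees": len(attacker_with_programmer_access(store)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the two attacker functions make is the one the post makes in prose: encryption-at-rest closes the first threat model (lost volume, lost backup tape) and does nothing against the second, so a reported “programmer access” compromise says nothing about whether the database was encrypted. What would have mattered for the second model is where the key lives (an HSM or key service that the application calls but cannot export from) and how tightly the read path is gated, not whether a field was encrypted.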

A New Way to Explore and Comment on Doctor Data


The American Medical Association (AMA) says the number one issue with recent data releases from HHS is that “there is currently no mechanism for physicians and other providers to review and correct their information.”

We think we have a way to fix that problem over at the DocGraph project!

Over the last two years there have been three major breakthroughs in the analysis of doctors using Open Data. The first was the original teaming and referral database obtained by DocGraph (us) under a FOIA request. The second was the prescribing data set obtained by ProPublica. Both DocGraph and ProPublica worked around the 1978 injunction limiting the use of FOIA for doctor data.

The third is the new procedure pattern data set announced as the direct result of the overturning of the 1978 injunction.

We are happy to announce the release of the first “all-in-one” open doctor data browser that we are calling DocGraph Omni. We have created a public tool that allows you to browse the merger of all three major new open data sets about doctors and other healthcare providers that bill Medicare.

Now in one place you can view how a provider prescribes, how they collaborate, and which procedures they work with. Our intention is to turn Omni into a browser where you can find any open data about doctors, no matter what the source.

But this is not just about “finding” the data. We have created a system that allows anyone to comment on any given data point in these data sets.

Continue reading…

Some Predictions on How Medicare Will Release Physician Payment Data

The federal government’s announcement last week that it would begin releasing data on physician payments in the Medicare program seems to have ticked off both supporters and opponents of broader transparency in medicine.

For their part, doctor groups are worried that the information to be released by the Centers for Medicare and Medicaid Services will lack context the public needs to understand it.

“The unfettered release of raw data will result in inaccurate and misleading information,” AMA President Ardis Dee Hoven, MD, said in a statement to MedPage Today. “Because of this, the AMA strongly urges HHS to ensure that physician payment information is released only for efforts aimed at improving the quality of healthcare services and with appropriate safeguards.”

On the other hand, healthcare hacker Fred Trotter has raised concerns about CMS’ plan to evaluate requests for the data on a case-by-case basis. That isn’t much of a policy at all, he wrote, giving federal officials too much discretion about what to release.

So, how is this all going to shake out?

Three recent examples offer some clues.

Continue reading…
