(Update May 2019.) Publishing this article was part of what started my recent investigation into Facebook’s cybersecurity and privacy practices. The outcome of that investigation means that I do not have any hopeful or positive things to say regarding Facebook and I believe that I was… and we all were, naive. I no longer hold […]
Category: Cybersecurity
Is the NSA sitting on medical device vulnerabilities?
Today is not a fun day to read Slashdot if you care about healthcare cybersecurity. First, it highlights how the DEA is strong-arming states into divulging the contents of their prescription databases. Second, and even more troubling, was the claim that the NSA was looking to exploit medical devices. The story was broken by the Intercept […]
Clinton's Server PolitiFact
Most of the time that I spend as a security wonk is focused on email security. This is due almost entirely to my involvement as one of the architects of the Direct Project, a specification for using secure encrypted email in healthcare settings, which is why I was surprised by a recent analysis from […]
Selected for the Health Care Industry Cybersecurity Task Force
I am very honored to be selected for the Health Care Industry Cybersecurity Task Force. Of course I have my “patient access beats pointless security” axe to grind, but I will be on my best behavior and try not to screw this up. (Update June 19, 2015: I am reddit user ftrotter and I am on twitter […]
EHR Vulnerability Reporting issues
For those who actually bother to read to the bottom of my bio, I was in Internet security before going into Health IT. I spoke at DefCon and everything. During my career in Health IT I have had to report a security vulnerability to an EHR developer once, and it was such a painful […]
Sharks, Bees and Privacy
Hi, I am happy to announce that my new article on healthcare privacy and interoperability has been accepted in the Journal of Participatory Medicine. I am not against privacy in healthcare, but I am against the notion that privacy concerns should trump issues relating to good healthcare. You can read the full article here: http://www.jopm.org/opinion/commentary/2011/07/05/sharks-bees-and-health-privacy-paranoia/ […]
Responding to Sweeney
I am again discussing the privacy comments from Dr. Latanya Sweeney. She testified to Congress that both the NHIN CONNECT and NHIN Direct security models were flawed. Figure 2(b) summarizes concerns about these two designs. The NHIN Limited Production Exchange has serious privacy issues but more utility than NHIN Direct. On the other hand, NHIN […]
The Power of Push
Hi. The NHIN Direct network has been criticized for lacking relevance for health information exchange. Specifically, Latanya Sweeney has submitted testimony to Congress which has nothing good to say about either NHIN project. The paragraph I want to highlight says: ONC’s website also describes NHIN Direct [11] as a parallel initiative underway [3]. The idea […]
The Burden of Trust
Hi. I am a vocal participant on the NHIN Direct Security and Trust working group. It's a perfect place for me. I love Open Source healthcare, but my background was in InfoSec… and we never really forget our first love… do we? At the NHIN Direct Security and Trust workgroup, I get to exercise all […]
On Being Threatened
Express Scripts, one of the nation's largest pharmacy benefit management companies, is being blackmailed with the release of private health information. The blackmailer proved that he/she has access to the data by providing information on 75 Express Scripts customers. The company has done a fine job of swallowing this bitter pill. They have done exactly […]