Protecting yourself from hacked credit card readers: Google Wallet & Apple Pay

First TJX with 90 million accounts stolen, then Target with 40 million accounts stolen and now Home Depot with 56 million accounts stolen.  I found it interesting that Target was hacked through a flaw in Microsoft Active Directory.  No news yet on the details of Home Depot.

What's a person to do?   Buy a phone with NFC payment option.  The newer Android phones have Google Wallet and it looks like Apple Pay is coming soon.  When you activate Google Wallet, you link it to a credit card.  I prefer American Express because they have great anti-fraud detection and allow you to dispute un-authorized charges from their website.

When you are shopping, look for the wireless payment option on the card reader.  Most grocery stores have them, as do big chains like Best Buy.  Walmart is too cheap and does not (use cash if you must shop there).  When you touch your phone to the card reader, Google prompts you for a PIN.  And that's it.  What's interesting is that to the card reader, it looks like a single use Master Card regardless of your actual credit card.  And you need a data connection, because Google sends out the authorization code in real time.  Pretty cool.  On your credit card statement it will say GOOGNFC*merchant name

If your phone gets misplaced, you can deactivate your wallet from the Google website.  Of course you have 2-factor authentication for your Google account, right?  And you have a lock code on your phone. And a good PIN for Google Wallet.

Bottom line, if that card reader was hacked, the bad guys only get a fictitious credit card number that can't be used.  Not bad.


Why Are You Special?

And by you, I mean your customers.   How do they view you?   Why did they buy and will they buy again?  This is the first question I try to understand whenever I start a new project (or talk to a company about a position). 

Once we figure that out, then you only need to do two things:

  1. Do more of what is special.
  2. Eliminate or automate anything that does not contribute to number 1.

The problem I see in many companies is they follow the latest "process" without understanding what is different about them versus everyone else.   On the other side of the coin I also see companies who generate plenty of good ideas, without having the means to test and execute on them.

In my last consulting engagement it turned out that what management thought was "special" was completely different than what their customers thought.  In three months after going through the two steps above, revenue increased by 80%. 

Think about your specialness from your customers' eyes.

Designing for Privacy & Security : All your base are belong to us

Last week I had a lively discussion with an education expert talking about privacy and security.  This resulted after interpretations of FERPA resulted in universities selling student directories / email addresses to spammers, that is, third party marketing organizations (just because they can, doesn't mean they should).

Then we moved on to the topic of security.   I always start with the assumption that all systems will be compromised, either externally or internally.   That is reality.  But it can be managed.  Starting with that premise, how do you design or improve your system?

First you need to compartmentalize your system to the smallest discrete pieces.  So if one compartment is compromised, none of the others will be.  Cloud systems tend to be monolithic silos.  Break into one part and everything else is exposed.   At my last company we built a separate virtual instance for each customer.  That way if one customer was compromised, it had zero effect on anyone else.

We also segregated the data (we were dealing with patient health records).  But we needed subsets of that data aggregated to do analytics.  Pulling the data is very bad, because that creates a single point of weakness.  Instead, each instance pushed the summary data to the aggregation database. 

Next you need audit.  Record everything.  And make sure that the system administration role is completely separate from the auditing role.

Finally you need remediation.  What are the protocols to observe when any part of the system is compromised?  

  • Isolate it
  • Fix it
  • Notify those affected
  • Identify the root cause
  • Change to eliminate the root cause

This goes beyond system design into understanding how your customer / users need to interact with the system.  Do all new users really need to default to administrator role?

It is our job to take security and privacy seriously and engage our users to make sure they have what they need without making their lives more difficult (give me two-factor authentication to my cell phone over complicated passwords any day).

update:  I showed this blog post to a college student and they thought I had typos in my title.  To complete your education on video game nostalgia, read this.

Living in the HealthCare IT Bubble

Reality is a harsh mistress.  With the advances in Electronic Health Records, patient portals and records transport a la Direct X.509, my peers and I see a very bright future for healthcare in the U.S. and talk about all the great things we have accomplished.

Then a friend gets sick and enters the U.S. medical system and the bubble bursts.  The following happened over the last two weeks.   They have an issue and go to the ER of an Atlanta hospital.  Afterwards they are sent to their primary care physician and get a blood workup.  And sent for a CT scan at the imaging center.   The physician, hospital and imaging center are part of the same healthcare delivery system and all have the same EHR from a company in Tampa Florida.

First I contacted the medical records department at the hospital to get the CCD for the ER visit through their patient portal.  After being directed to four different people, they had no idea what a patient portal was.

The blood panel came back from the lab and since the physician had no patient portal, they sent a fax of the results.  The physician got the CT scan and was concerned (if you guessed the imaging center didn't have a patient portal, you would be correct).

My friend was sent to a surgeon on a referral.  During his examination he prescribed a simple medical procedure to correct what he saw.  He too was part of the network, but never got the CT scan or physicians report and we did not have copies.  Fortunately it was brought to his attention before he left, he ordered a rush on the reports and he scheduled surgery.

In the hospital the mishaps continued.  During prep for surgery the anesthesiologist went over the check list and stated the patient weighed 110 kilograms.  She was corrected and told 110 pounds.  The surgical nurse said not to worry, it happens all the time with the EHR but they always catch it in the operating room.

After the surgery and a few days on the med-surgical ward, the physician specifically prescribed a non-opiate pain medication.  Well, the pharmacy couldn't deliver it in 6 hours so she was given an opiate and had a severe reaction to it. 

6 hours later she was given the correct drug, to be repeated in 6 hours.  3 hours later the nurse came in to deliver the next dose.  She hadn't looked carefully at the chart.  When questioned, she said it was no big deal because the system would have caught it.

In discussions with the physicians and staff, it turns out they do have a patient portal.  It just doesn't work.

And this is one of the best hospital systems in Atlanta.  I'm sure they collect their MU1 and MU2 payments.  And the CEO makes over $1.5M a year.

added: Overall, the staff and the physicians are excellent.  Poor UX design, implementation and training resulted in these issues, and that's on us.  Depending on a system to catch your medication errors is like waiting to change the oil in your car when the check engine light comes on.  And that's a training issue all the way up to the CEO!

We have a lot of work to do.


Changing the Language of Healthcare from Cost to Outcomes and Productivity

The US healthcare system has been warped by reimbursements for care.  In Sharin's piece "The End of Hospital Cost Shifting", he talks about the impact on hospitals of Medicare cutting reimbursements to hospitals, based on work done by Austin Frakt:

  • Cost shifting: Increasing the prices it charges commercially-insured individuals to compensate for reduced Medicare reimbursement.
  • Cost cutting: Reduce cost for all patients to ensure average profitability across the entire Medicare/commercial payer mix.
  • Reduce profit margins: Reduced Medicare reimbursement could simply eat away at hospital profits.

And he notes that cost cutting is the most likely result and that would impact patient outcomes:

Wu and Shen (2011) found that hospitals that faced large payment cuts from the 1997 Balanced Budget Act cut operating costs and staff and experienced increased mortality rates of heart attack patients relative to those seen at hospitals that faced smaller cuts.  They calculated that a 1 percent cut in payment results in a 0.4 percent increase in heart attack mortality rates.

And he concludes:

Such a trade-off calls to mind what Mark Pauly expressed in a 2011 paper in Health Affairs, “Perhaps a little less quality for a lot less money might be acceptable to consumers and taxpayers, as we work to keep medical spending from siphoning off funds required for other needs” (Pauly 2011). Whether it is acceptable or not, it may be what consumers and taxpayers get.

Let me break it down: Lower quality = worse patient outcomes = increased mortality = more people die.   And that's o.k. because it costs less.

And that's where the vocabulary is just wrong.  Nowhere does he focus on productivity improvement, resource utilization and the impact on outcomes.  They just don't think like that.  But every other industry does, except healthcare.  

I don't accept that more people dying in hospitals or post acute care is an acceptable tradeoff for lowering costs and I hope you don't either.

It's time to retire CPT® in health care

CPT (Current Procedural Terminology) is a medical billing coding system created by the American Medical Association (AMA) with the sole purpose of charging insurance companies for health care services and putting royalty money in the AMA's pocket.  It's an artifact of the pay for service reimbursement system that has caused the US to spend the most on healthcare while delivering mediocre patient results.

If a CPT code does not exist for a service, chances are your physician won't do it.  Wonder why adverse drug reactions are under reported?  There is no CPT code for that. 

There is absolutely no relationship between good CPT coding and good patient care.  And there is no relationship between CPT code reimbursement rates and what those services actually cost a provider.  (Just ask the CEO of any hospital how much it costs them to perform a hip replacement.)

Sad but true.

The insurance companies are basically a cost plus business, so they focus on reducing the price paid per CPT.  The American Medical Association makes money from licensing the codes, so they have no incentive to change it.

Hopefully new "pay for performance" mandates in PPACA will shift the power to patient care quality / results from this very broken system.  And the AMA will have to find other ways to make money. 

CPT® is a registered trademark of the American Medical Association.

Encryption is easy: Key management is hard

Encryption basically has two use cases:

1. Moving information from point A to point B and not letting anyone else be able to see it during transit.
2. Making sure that when the information is at rest (data, email, etc.) that unauthorized people cannot use it or read it.

You often hear claims like "AES 256 bit encryption" or "We use military grade encryption".  Doesn't mean much.  All encryption uses keys.  These keys are mathematical constructs and, when used properly, they provide the amount of security necessary.  Whoever has access to the keys can see your information.

Key management is a very big deal.  Your first consideration is who generates the keys and how do they do it.   For instance, if you are storing data off site, and the service provider generates and stores the key, you have to ask yourself "Do I trust them"? 

This is the model of Google Drive for instance.  In that case you are at the mercy of rogue Google employees, stolen equipment, or unknown subpoenas from government agencies.

Amazon Web Services will also generate the key for you, but not store it.  That's a little better, but you are vulnerable if a copy is being made surreptitiously.

The best case scenario is you generate your own keys using a proven key generation mechanism (a topic for discussion in itself). 

Now comes the hard part.  Whoever has the key can read the information.  How are you protecting and distributing those keys?  What is your access control and audit?  What happens if an employee leaves and has a key?

The best scenario is to assess the balance of risk and usability.  If it is too difficult it won't be used.  One of the slickest methods I've seen for protecting a user / application communicating to a server works like this:

1) The user / application starts a secure session using a public key (PKI uses a lot of overhead)
2) After the connection is made, a single use symmetric key is created (very fast)
3) The session switches to using the same symmetric key

This gets more interesting when you're talking about backups and disaster recovery.  To fail over to a cloud warm site, that site needs your key to restore the data.  One way to get around this is to have the service provider hold the key and have that key encrypted.  To release the key, you would simply log into the recovery site, enter your credentials and now the key would be released.  They don't need to store your password, just an encrypted hash of the password to verify (and maybe 2 factor authentication to your cell phone).

This is all doable and well worth the time to think through the process from beginning to end.


Saving Healthcare in the US: Focus on Efficiency, Efficacy and Motivation

I won't bore you with the statistics on how the US spends more and gets less than any other industrial nation in the world and consumed about 17.9 percent of GDP last year.  Instead I want to focus on the goal of colleagues of mine who are serious about shaving 1% of GDP in healthcare.

How to do this?

First off, you need to measure precisely how much you actually spend on each patient.  Then you need to examine how much utilization of resources you actually are using for patient care (not how much you bill).  Focus on maximizing work flow and resource utilization and you now improve efficiency and save money.

But that does not mean you are doing the right thing by the patient.  Next you need to measure efficacy to see if you are getting the best results for what you did.  By doing so we found in occupational health that patient outcomes improved while physician visits decreased by 40%.

While this is all well and good, it doesn't matter if no one uses it.  So you need to have the proper motivation.  Many times this means a cultural change in the organization.  For example we had a case where an organization could save $8M a year by employing these methods.  The medical director killed the project because he did not want his patient outcomes measured.

Efficiency, efficacy and motivation, when implemented, will change the landscape of healthcare.

HealthIT 2.0: Time for the Hospitalist?

Imagine taking care of 15 patients a day.  And you've never met them before.  And coordinating care among three shifts of nurses, labs and specialists.  That is the plight of the hospitalist. 

HealthIT 1.0 has failed them.  Patient histories from multiple sites of care?  Disparate PAC systems, care coordination?  Medication reconciliation?  There are bits and pieces but no system does it all.

Instead the 1.0 vendors try to bolt new functionality onto very old legacy systems.  Epic is based on MUMPS, which was developed in 1967.  And they are the leaders.

The next generation 2.0 vendors will disrupt the establishment by focusing exclusively on the physician / care providers and the patient.  And we're seeing examples of this from outfits like Doximity, Practice Fusion, Hello Health and Image32.

It will get better.