Benlog | security, privacy, transparency.

Jumpstarting Health IT innovation

Posted on March 3, 2011 by ben

Until last month, I was lead architect on the SMART Project at Harvard Medical School and Children’s Hospital Boston (now I’m an advisor). One key issue that all Health IT folks grapple with is how to make the Health IT ecosystem more dynamic and innovative, because technology in that space moves so slowly. The SMART Project is one attempt to jumpstart Health IT innovation.

If you’re interested in this stuff, you might want to read the blog post I wrote on the SMART site about how SMART addresses the Presidential Report on Health IT. Key ideas:

PCAST very eloquently identifies lack of interoperability as the central problem of healthcare IT. To spark innovation, PCAST proposes a universal exchange language, with atomic data elements and a strong metadata philosophy for privacy and provenance. We wholeheartedly agree.

One of PCAST’s suggestions is to eschew efforts to define universal semantics, leaving to the market the task of semantic harmonization. While we agree that the market will significantly contribute to semantic harmonization, our experience indicates that an organized initial foray into standardizing semantics for common, well-understood health data is critical to getting the ball rolling.

With SMART, we are building such a universal health language — inspired by existing standards and built on existing coding systems — and empowering with it a modern, web-based application ecosystem. We specifically address PCAST recommendations of data atomicity, metadata tagging, and semantic extensibility, while simultaneously addressing what some have identified as weaknesses in the PCAST report, notably the risk of incomplete patient context when working with disaggregated atoms of data.

More details over at the SMART blog.

Posted in health | Leave a comment

everything I know about voting I learned from American Idol

Posted on March 2, 2011 by ben

Tonight, American Idol began online voting. Yes, I’m a fan of American Idol, but don’t let that fool you: I’m still a bitchin’ cryptographer. I suspect that American Idol online voting will give rise to many questions such as “wow, awesome, now when can I vote in US Elections with my Facebook account?” and “Why is online voting so hard anyways?” Perhaps I can be of assistance.

the voting process

So the process is much like other Facebook-connected sites: using Facebook Connect, you log in and grant the American Idol Voting site some permissions, including reading your profile info (ok), getting your email address (ok I guess), and accessing your Facebook data even if you’re offline (ummm, why?). Then you select your favorite contestant, solve a CAPTCHA, and click “vote”. You’re prompted to post the vote to your Facebook feed, and told you can vote up to 50 times.

My first question was “what’s the CAPTCHA defending against?” I have some thoughts on that, which I’ll get back to…

“a secure solution”

The news that American Idol would use online voting was reported with enthusiasm:

“We have been wanting to do online voting for several years, and now Facebook has offered us a secure solution and we are ready to go,” said Simon Fuller, Creator and Executive Producer, American Idol.

So what does that mean, exactly? What guarantees do American Idol producers have that the system is “secure?” Hard to say. But let’s explore a few possibilities.

ballot secrecy and coercion

American Idol voting is not secret: your vote is posted to your Facebook newsfeed! Of course, unless you’re a contestant’s mother, chances are no one’s going to be upset at you if you don’t vote “the right way.” In political elections, and in fact in many elections where the outcome impacts voters in a material way, ballot secrecy is important, and undue influence of voters is a concern. That’s what makes things particularly difficult in “real” online voting: you should receive some believable proof that your vote was counted properly, but somehow that information can’t be leaked to others who might try to influence you, waiting to see how you voted to decide whether to pay you or break your kneecaps.

one user = 50 votes?

The voting itself is happening on the American Idol site, not on Facebook, so what American Idol is getting from Facebook is mostly the identity layer: to vote, you must have a Facebook account. Between that and the CAPTCHA, it’s probably fairly difficult for an individual user to have disproportionate influence. I have a feeling that’s why they allow individual voters to vote up to 50 times and require a CAPTCHA. After all, if any user can vote 50 times, but the process is fairly time-intensive, how worthwhile is it to register more accounts so you can vote more than 50 times? If voters could legitimately vote only once, then it would be very enticing to create a few fake Facebook accounts to easily quintuple your impact. But to just double your impact with 50 legal votes each, you’re going to have to manually fill out 50 more CAPTCHAs. Eh. Not worth it, right?

In other words, I think the 50 votes per person + CAPTCHA produce the great equalizer: almost no one is going to bother trying to find ways to cast more votes, because the payoff isn’t worth the pain. Clever!

verifying the tally

In typical secret ballot elections, it’s quite hard to check that the tally was properly computed. After all, once the vote is submitted, via web, SMS, or phone, the tallying process is visible only to the organizers, and the voters must trust that process blindly. Now, physical in-person elections have admittedly only a little bit more auditability: you can kind of watch the ballot box and, if you’re really motivated, stick around to see the ballots counted. But in the online voting space, unless you’ve got some fancy solution, the process is totally opaque.

Except… voting for American Idol isn’t secret! So, technically, the tally could be recomputed from culling together all of the Facebook newsfeed posts…. And that’s actually a key insight into how the fancy truly auditable voting systems work: all of the votes are published for the world to see, in a special encrypted form that doesn’t reveal individual votes but can be intelligently combined and checked against the claimed tally. That’s what systems like Helios do.

was my vote captured correctly?

If you post your vote to your Facebook newsfeed, you can verify that it was recorded correctly. But what if something hijacks your browser, waits for you to log into Facebook, casts votes on your behalf (waiting for you to fill out the CAPTCHA or outsourcing it to some CAPTCHA solving farm), and opts not to post the results to Facebook? How can the American Idol producers ever detect this? They probably can’t.

The simplest way one might hijack your browser is via a technique called clickjacking: by wrapping the voting site in an HTML frame and layering a different user interface on top of it, a malicious site could trick you into voting for a different contestant than you intend. For example, the attacker might wait for you to cast your first vote freely, find out who you like by looking at your Facebook wall, and then switch the order of the candidates (by layering new photos on top of the underlying real site) to trick you into voting for a different candidate the other 49 times. Now, to American Idol’s credit, my quick-and-dirty attempt to frame their site and implement clickjacking failed: they’ve got some basic defense against clickjacking that I’m still investigating. Nice work! But of course, attacks that hijack the user’s browser can be much more intricate, including deploying and spreading a virus that takes full control of the browser and its display. There’s absolutely nothing a web site can do to defend against that.

And that, in fact, is the key issue we don’t know how to address when voting online in elections that have a high material impact. We don’t know how to make sure that your browser is really working on your behalf and hasn’t been hijacked by malware. It probably wouldn’t happen for American Idol (or would it?), but it surely would happen when voting for US President.

Posted in crypto, voting | 4 Comments

a personal update

Posted on January 30, 2011 by ben

Tomorrow (Jan 31st) is my last day on the Research Faculty at Harvard Medical School and Children’s Hospital Boston. It’s been a fantastic ride thanks entirely to the folks with whom I had the pleasure of working, in particular Zak Kohane and Ken Mandl. Ultimately, I finally noticed what was staring me in the face: I love building software systems, and the right place for me to do that now is industry. I’m no stranger to it, and I’m excited to be back.

I’m taking two weeks off. I won’t be blogging or tweeting (much). I’ll be digging into a very thoughtful gift just received (what timing!): the Flour Bakery recipe book. If you live in Boston and you haven’t been to Flour, you’re simply missing out (or you don’t like baked goods, which is just too sad to think about.) This week’s goal, currant scones. Should be at least interesting, maybe delicious.

As to what I’m doing next… that’s for a blog post to be written 2 weeks from now. I’ve had some fantastic discussions with amazing people these last few weeks, and there are a few more conversations to be had before the picture is truly filled in. See you on the flip side of a few days spent with family and friends.

Posted in personal | 2 Comments

the difference between privacy and security

Posted on January 26, 2011 by ben

Facebook today rolled out new security features, both of which are awesome: SSL everywhere, and social re-authentication. True, SSL everywhere should probably be a default, even though I continue to believe that the cost is significantly underestimated by many privacy advocates. Regardless, this announcement is great news.

The only nitpick I have, and I point it out because I think it’s significant in Facebook’s case, is that the announcement confuses privacy and security. The first paragraph mentions Data Privacy Day, then the general concept of controlling your data, then transitions to the new security features. But those are quite different.

Security is about stopping the bad guys from stealing your data. Privacy is about controlling the good guys’ handling of your data. (Ron Rivest is said to have phrased this most eloquently, but I can’t find his quotation.)

So, SSL and social re-authentication provide security because they prevent bad guys from seeing your network traffic at the coffee shop or stealing your login. That’s fantastic, but it has little to do with privacy. If Facebook wanted to celebrate Data Privacy Day specifically, they might consider giving users more control over their data on Facebook. Maybe letting users control who gets to tag them in photos (i.e. not my stalker). Or letting users indicate fields by which advertisers cannot target them (i.e. sexual orientation.) Those would be privacy features.

I don’t mean to knock Facebook’s announcement: it’s great. But it’s about security, not privacy.

Posted in privacy, security, web | 5 Comments

Facebook, the Control Revolution, and the Failure of Applied Modern Cryptography

Posted on January 14, 2011 by ben

In the late 1990s and early 2000s, it was widely assumed by most tech writers and thinkers, myself included, that the Internet was a “Control Revolution” (to use the words of Andrew Shapiro, author of a book with that very title in 1999). The Internet was going to put people in control, to enable buyers to work directly with sellers, to cut out the middle man. Why? Because the Internet makes communication and commerce vastly more efficient, obviating the need for a middle man to connect us.

Fast forward to 2011, and the world is vastly more centralized than it ever was. Almost everyone’s most intimate conversations are held by four companies. And one company knows basically everything about everyone under 25.

How did we get so giddy about the Internet that we didn’t see this coming? We missed an important detail: communication and commerce became vastly more efficient for everyone, including the would-be middle-men, the would be mediators. The Internet enabled economies of scale never before imagined. So while it is possible to host your own email server, it’s a lot easier to use gmail. While it’s possible to host your own web page, post your updates to your blog, subscribe to your friends’ RSS feeds hosted at different blogs, it’s a heck of a lot easier to use Facebook. The Internet put the 1990s middle-men out of business then enabled a new breed of data mediators that provide incredibly valuable services no individual user can dream of performing on their own: apply massively parallel facial recognition to billions of photos to find that one picture of you and your best friend’s grandmother, do deep graph analysis to find your long-lost friends and suggest you connect with them, learn how to filter spam messages so efficiently (thanks to training by billions of messages received on behalf of millions of users) that the spam wars are effectively over.

The Internet has been vastly more empowering to mediators than to individuals. And so we have, in fact, a Control Revolution of a very different nature: one company, namely Facebook, is effectively shaping the future of social interactions, what’s acceptable and what’s frowned upon, what’s private and what’s not.

I say this without any value judgment, purely as an observation. Facebook is making the rules, and when the rules change in Palo Alto, 550 million people follow.

The Failure of Applied Modern Cryptography

Cryptography in the 1980s was about secrecy, military codes, etc. I’m not talking about that.

Modern Cryptography is about individuals achieving a common goal without fully trusting one another. Think of a secret-bid auction. Or an election. Or two people discovering which friends they have in common without revealing the friends they don’t have in common. In all of these cases, people come together to accomplish a common result, but they cannot fully trust one another since their incentives are not perfectly aligned: I want to win the auction by bidding only one dollar more than you, Alice wants her candidate to beat yours, and Bob would like to find out which movie stars you’re friends with even though he knows none.

Modern cryptography teaches us how to accomplish these tasks without ever trusting a third party. That’s hard to imagine if you’re not steeped in the field. But that’s what modern cryptography does: take an interaction that is easily imaginable with the help of a trusted third party that deals with each individual, and replace the trusted third-party with a beautiful mathematical dance that achieves the same end-goal. No centralization of data in one big database, no trusted dealer/counter/connector, just individuals exchanging coded messages in a particular order and obtaining a trustworthy result. Cryptographers call this secure multi-party computation.

Modern Cryptography would, if properly implemented, give us all the functionality of Facebook without the aggregation of everyone’s data in a single data center. And we couldn’t be further from this world if we tried! We are headed for a world of increased data centralization and increased reliance on trusted third parties. Because they’re vastly more efficient, have economies of scale that allow them to provide features we didn’t dream of just a few years ago, and of course because the economic incentives of becoming that trusted third party are staggering.

As a privacy advocate, and again without value judgment, I can’t imagine a more surprising consequence of a technology that was meant to empower the little guy. It is, in a word, shocking.

Posted in crypto, privacy, web | 9 Comments

an answer to John Gruber: Google dropping H.264 is good for everyone

Posted on January 12, 2011 by ben

Google just dropped support for H.264 in Chrome. John Gruber, among others, is not happy. Now, John Gruber is a very smart guy, but his Apple bias is too much even for me, and it’s preventing him from seeing what is fairly obvious. So, allow me to answer John’s questions, even though I have no inside knowledge whatsoever:

In addition to supporting H.264, Chrome currently bundles an embedded version of Adobe’s closed source and proprietary Flash Player plugin. If H.264 support is being removed to “enable open innovation”, will Flash Player support be dropped as well? If not, why?

Look more carefully at what Google did. They started by supporting H.264 when they had no alternative. Then they introduced a truly free alternative, WebM, which was a major coup. Unlike H.264, this video codec will never hold the Web hostage. Once WebM saw adoption, improvements, and a healthy open-source community, Google was ready to drop H.264, and so they did.

I’m sure that if Google had a true open alternative to Flash, they would follow the exact same pattern. But they don’t. This means they are pragmatists, not free-software purists. They work towards the Open Web, sticking with closed alternatives when they have no other option. I do hope that, when the market tips sufficiently against Flash (and Apple is doing a very good job helping this along, good for them), Google also drops Flash. But there’s a lot more legacy to deal with, so it will take a lot longer.

Android currently supports H.264. Will this support be removed from Android? If not, why not?

I’d say probably yes, but Google is a big company and I’m guessing those decisions are made by different folks. Do you actually expect perfect principled, perfectly timed consistency across the board from such a large business?

YouTube uses H.264 to encode video. Presumably, YouTube will be re-encoding its entire library using WebM. When this happens, will YouTube’s support for H.264 be dropped, to “enable open innovation”? If not, why not?

Maybe. But YouTube dropping H.264 when Apple and Microsoft’s browsers don’t support WebM yet would be a much harsher move, since Safari and IE users would be SOL, and Apple and Microsoft would have to rush to make their browsers compatible with YouTube again while users flock to other browsers. Google Chrome dropping H.264 is a risk Google is taking on, by making their own product less feature-full. That’s a bold move showing they truly believe in the Open Web. Don’t like it? Download another browser. Who’s stopping you?

I suspect Google will gently nudge Apple and Microsoft to support WebM, and only when they do will YouTube switch. That’s the pragmatist, non-confrontational approach.

Do you expect companies like Netflix, Amazon, Vimeo, Major League Baseball, and anyone else who currently streams H.264 to dual-encode all of their video using WebM? If not, how will Chrome users watch this content other than by resorting to Flash Player’s support for H.264 playback?

Ummm, dude, it’s Google’s product! What are you so upset about? It’s not as if they have a monopoly like, say, Mobile Safari on smart phones. Netflix, Amazon, Vimeo, MLB will have to decide how important the Chrome market is to them. As you say, Flash fallback will still work, so they may simply ignore this. More likely, they may be nudged to dual-encode, if enough users like Chrome and are willing to stick with it. That’s the bet Google is making “our product is so good, we have a chance to make the Web more open with it.”

Who is happy about this?

Anyone who sees the risk of deploying another closed technology to form the basic infrastructure of the Web, and the benefit of having truly open Web infrastructure. You should be happy about this.

Posted in web | 19 Comments

privacy icons

Posted on December 27, 2010 by ben

Aza Raskin has posted alpha 1 of the proposed Mozilla Privacy Icons. I was at the Mozilla-sponsored get-together where this was first discussed, and I’m really happy to see this moving forward. A few quick thoughts:

the least useful of the icons is the “used only for intended use.” I don’t think that icon can be boolean, because what, exactly is the intended use? This is one area where an icon alone probably won’t be enough, and a web site should list the intended uses.

machine-readability: yes, fantastic, I’m glad this is part of the story, it’s an incredibly important aspect of how we did this at Creative Commons. Now, hopefully, unlike what Aza said at the get-together a few months ago, Mozilla will stop poo-pooing RDFa and use it, rather than define yet another one-off standard for machine-readable, HTML-embedded data. You don’t have to invent everything, right Mozilla?

I really like the general concept of the data-retention icons. Very nice!

Want to be really ballsy? Default Firefox to all the green icons, and force the user to click through “you’re now okay with your data being sold” the first time they hit a site that has a red icon. The browser could even block the first time it sees a site without privacy icons, so the user is warned that there’s no telling what the site will do. It’s time the browsers start fighting back big time on privacy.

Overall, very nice work.

Posted in privacy, web | Leave a comment

Crisis in the Java Community… could they have used a secret-ballot election?

Posted on December 9, 2010 by ben

There is a bit of a crisis in the Java community: the Apache Foundation just resigned its seat on the Java Executive Committee, as did two individual members, Doug Lea and Tim Peierls. From what I understand, the central issue appears to be that Oracle, the new Java “owner” since they acquired Sun Microsystems, is paying lip service to the Java Community while taking the language and, more importantly, its licensing, into the direction they prefer, which doesn’t appear to be very open-source friendly.

That said, I’m not a Java Community expert, so I won’t comment much more on this conflict, other than to say, wait a minute, what’s this from Tim Peierls’s resignation note?

Several of the other EC members expressed their own disappointment while voting Yes. I’m reasonably certain that the bulk of the Yes votes were due to contractual obligations rather than strongly-held principles.

Wait a minute, the Executive Committee votes by public ballot? They’re influenced by contractual obligations? That’s fascinating, and that’s hardly democratic! It means that, even where standards bodies are concerned, the secret ballot might be a very interesting tool.

There are arguments against the secret ballot in this case, of course: maybe the Executive Committee members are representative of the Java Community, and as such they should serve their constituents? Much like legislators, their votes should be public so the community can decide whether or not to reelect them? In that case, contractual obligations to vote a certain way should be strictly disallowed or required to be published along with the vote… To whom are these Executive Committee members accountable? To themselves as well-intentioned guides of the Java community? To the people who elected them? It’s difficult to have it both ways, since one requires a secret ballot, and the other a public ballot.

Maybe the right solution is to publish all comments, but keep the ballots secret? There’s always a chance that a truly hypocritical member would consistently vote differently than their publicly stated opinions, but I’m not sure that risk is worse than the problems the Java Community just faced with what appears to be anything but a democratic vote. In a tough spot like this one, it seems to me that Executive Committee members should be able to vote their conscience without fear of retribution.

(Oh, and if the Java community is looking for a secure voting system, I might have a suggestion.)

Posted in crypto, privacy, security, voting | Leave a comment

The Health IT report is very good; some opinionated suggestions

Posted on December 8, 2010 by ben

“Oy,” I thought, when I received a copy of “REPORT TO THE PRESIDENT REALIZING THE FULL POTENTIAL OF HEALTH INFORMATION TECHNOLOGY TO IMPROVE HEALTHCARE FOR AMERICANS: THE PATH FORWARD” [PDF]. I worried this would be a lot of vague, easy-to-agree-with advice with little actionable material. I was wrong. Hats off to the team that wrote this!

Problem Analysis is right on

Some nuggets of the problem analysis, all from the executive summary (a quick and useful read):

First, most current health IT systems are proprietary applications that are not easily adopted into the workflow of a clinician’s day, and whose proprietary data formats are not directly exchangeable from one system to another.

Yes! Proprietary systems and data formats are the number one problem, as I’ve complained about before.

Second, most healthcare organizations that utilize electronic health records (EHRs) view them as purely internal resources, and have little incentive for investment in secondary or external uses, such as making them accessible in appropriate form to patients, to a patient’s healthcare providers at other organizations, and in deidentified or aggregated form to public health agencies and researchers.

Yes! I’ve heard someone phrase this as “there’s no billing code for sharing data with a patient or another hospital.”

Third, legitimate patient concerns about privacy and security make patients uneasy about participating in health IT systems or granting consent for their information to be used in research. Fourth, health IT has historically been oriented toward administrative functions, not better care. This is in part because, under the current fee-for-service payment model, the economic benefits of investing in health IT can rarely be realized by the provider or organization that makes the investment.

OK, so the privacy-and-security point is a little bit vague, but the point about administrative functions vs. care is right on. Overall, this is one of the clearest explanation of the problems with Health IT today that I’ve seen.

Patient Involvement: too timid

2. [...] achievement of the President’s goals requires significantly accelerated progress toward the robust exchange of health information.

Effectively, the meaningful use rules are too modest in their interoperability demands. I agree. That said, the report doesn’t sufficiently emphasize the role patients could play. They certainly talk about giving patients their data, but not about how giving patients their data is the natural path to secure health-data exchange between providers. No one can argue that the patient doesn’t have the right to see their own data, and if the patient is the messenger, then consent is inherently part of the mix. Instead, for some reason, Health IT folks are obsessed with solving every problem on the backend, fuzzy matching master patient indexes, etc. I continue to believe that the patient (as in, you, me, every user of the healthcare system) is far better positioned to manage their health data than anyone else. Giving patients their data is not just an end-goal, it’s a means to accomplishing other health data exchanges.

So when the report says:

The best way to give clinicians a unified, patient-centric record tailored for each medical encounter is to store, maintain, update, and exchange the data as small, distributed, metadata-tagged elements.

I disagree. The solution isn’t a specific technology used in expressing the data, it’s about how/where the data flows. The best way to give clinicians a unified patient-centric record is to give patients all of their data and the means to share it easily with the doctors of their choice.

Data Exchange and Interoperability: needs more work

The report then spends a good bit of time talking about a universal exchange language, and an infrastructure for locating and assembling [...] a patient’s record. These are interesting points, but the devil is in the details.

On the universal exchange language: it’s a lot harder than it sounds. The report does mention extensibility as a key feature to allow for private industry to build on top of this universal language, and that’s a very good thing. The report also briefly says the language must be “open.” That’s very, very good, assuming we have the same definition of open: anyone can use it and redistribute it, without asking for permission from anyone.

The problem is that existing standards organizations in health IT believe existing solutions to be “extensible” and “open.” SNOMED is open! RxNorm is open! HL7 is open! CCR is open! No, they’re not. Most are free of cost, but they’re not free of obstacles: you still need to sign up to get a “free license,” which means any organization must check that every other organization it deals with has signed those many “free licenses” to those vocabularies before data can flow. We need truly free medical vocabularies and formats, and we don’t have them yet. I wish the report emphasized this need more, since only the Federal government can make this happen.

And then there’s the “extensible” issue. This is, in my opinion, the worst part of the report:

We believe that the natural syntax for such a universal exchange language will be some kind of extensible markup language (an XML variant, for example) capable of exchanging data from an unspecified number of (not necessarily harmonized) semantic realms.

The emphasis is mine. Not necessarily harmonized? Then what is the point? We already have dozens of syntaxes for expressing medical data, and they all punt on semantic interoperability. That is insanity. We need semantic interoperability in this universal exchange language, lest we once again define the envelope without ever standardizing what goes inside the envelope. This is, sadly, how most health IT standards have defined interoperability: you can put anything in the envelope, so it’s extensible, right? No. Think about the implementer: where do they start on parsing that completely unspecified payload?

Let’s make this universal exchange language truly open and truly extensible. For best practices on openness, we can look to Open Source and Creative Commons for advice. For best practices on interoperability/extensibility, we can look to the World Wide Web Consortium‘s standards on Linked Open Data and RDF. These problems have been solved before, let’s not recreate half-baked solutions for health IT. And in the name of all that is holy, enough with the payload-agnostic interoperability standards. Payload agnosticism is anti-interoperable.

Privacy and Security: some good, some bad

The report recommends data provenance and privacy preferences tied to the data. That is a very good idea. It’s hard to do in practice, though, so if we go down this path, let’s really invest the time and money needed to figure out how to do provenance and privacy-preferences right. This is a big endeavor.

The report also recommends giving patients more control over the flow of their data. This is great, but it’s almost impossible for the average patient to understand what the various flows mean and how they’re used. This is yet another reason for giving patients their data so they can choose who gets to see it directly, rather than having to make decisions about transitive trust: do you allow doctor A, who spoke to doctor B yesterday, to speak to doctor C? Good luck with that.

Then the report goes into far too much detail about security and cryptography. It talks about keys, and digital signatures, and shared keys, and never storing the key on the same machine as the encrypted data (really? It’s only going to come together in RAM? How’s that going to work for gigabytes of MRI data?) There’s even discussion of how Data Entity Access Services can run authorization checks before delivering the encryption keys, and other descriptions of crypto protocol details. This is bad. It’s overly prescriptive and thus cannot take into account recent innovation, such as secure access delegation via attribute-based encryption. Instead, the report should have focused on general principles and requirements, such as:

data should be secure even if someone eavesdrop on the network
data should be secure even if someone obtains the hard drives from a decommissioned server
authorized physicians, as certified by the AMA, should have access to any record via a break-the-glass approach, as long as there is an audit trail

Focus on requirements, and don’t mandate specific crypto concepts, as if all crypto innovation had stopped in the 80s. Let the technologists find/discover/invent the specific solution that meets the requirements.

Conclusions

I’m harsh on a few pieces of this report because, overall, I think it’s quite good. (And I thought this even before I realized, just now, that my colleague Ken Mandl was on the advisory committee for this report.) There are a few points that need more emphasis, however:

the government should NOT be building a concrete infrastructure for health data exchange. We don’t know the best way to exchange data nationwide, and we shouldn’t have a central, expensive top-down effort to achieve this. The market can figure this out… with some help (see next points.)

the government can and should define a truly interoperable syntax and semantics for medical record exchange. This may involve one-time purchases of proprietary coding systems, but at the end of the day, the output should be a truly free set of codes for all major medical concepts, an abstract model for representing them, and one default syntax for serializing this data.

the government should mandate that any healthcare provider make available, to any patient that wants it, all of their data in digital form using the universal syntax and semantics just mentioned, using a standard, open protocol. This should include transfer of said data to any Personal Health Record provider that complies with proper privacy protections and with the standard protocols, data format, and data semantics. No more one-off deals between one hospital and one PHR.

the government should mandate that any healthcare provider be capable of receiving, from a compliant PHR, a patient’s record, using the standard protocol, data format, and data semantics.

the government should sponsor Personal Health Records for all medicare/medicaid patients, say $5/month. Providers of these PHRs should fit conformance criteria for data portability and exchange, but otherwise should provide a relatively complete PHR service that the government can subsidize. The choice of the specific PHR should remain the patient’s, not any large hospital’s or other organization’s. We need market forces at work improving the PHR space, but we can use medicare to kickstart this market.

The standard protocol for exchanging data between two endpoints could be NHIN Direct / the Direct Project, assuming they continue to simplify their approach.

There is an opportunity for the government to significantly improve health IT, mostly by greasing the wheels of data exchange and interoperability. There are some tough decisions to make, however. We cannot punt on the medical data payload and semantics. And we must involve the patient at the crux of the architecture. Once the government has established fertile ground for innovation, by standardizing the data exchanges, privacy standards, and otherwise removing silly licensing obstacles, the market can do what it does best: find the set of optimal solutions within those principled constraints.

Posted in data, health, privacy | 2 Comments

Wikileaks — not ideal, but a force for good in the end

Posted on December 4, 2010 by ben

I’ve found myself quite conflicted over the latest Wikileaks “dump”, specifically the hundreds of thousands of US diplomatic cables.

On the one hand, there is no doubt that the mainstream press is failing miserably in its role of investigating and breaking stories about illegal secret activities. We’ve seen numerous high-profile publications delay stories for fear of impacting elections (e.g. the NY Times and Bush-era warrantless wiretapping). Where the War in Iraq is concerned, it seems fairly clear that the US government misled its people, and that, in my opinion, deserves complete whistleblower protection.

On the other hand, while Wikileaks claims to have information proving banking corruption during the financial crisis, BP corruption during the oil spill, and many others, they chose to release secret diplomatic cables first. The argument that the people have the right to know everything the government does in real time does not hold water: many lives have been saved by secret operations and negotiations. Secrecy has a role to play in a peaceful society. Of course, all information should eventually be made public, so the Freedom of Information Act is critical, and multi-partisan oversight of secret operations and negotiations is necessary while those are ongoing. So what is the justification for this particular leak? Does it reveal significant lies by the US government where the public is being deeply misled? I don’t quite see it, although it’s possible that I’m not looking closely enough.

All that said, in this fog of uncertainty, some (many) are arguing that Wikileaks is a terrorist organization and that Julian Assange should be arrested. Senators are pressuring tech companies to censor the information, and tech companies are buckling at record speed (ahem, Amazon, Paypal,…) This line of argument is deeply disturbing, and the speed with which the system is cracking down on Wikileaks through political pressure is surprisingly scary. Where is due process? Whatever happened to freedom of the press? Recently, some members of the State Department have implied that students vying for jobs with them should refrain from publicly discussing Wikileaks. Ummm, which country is this again? Home of the Brave, Land of the Free, right?

One note to the Wikileaks folks: why not focus on the areas that are clear no-brainers first? Tell us about the BP corruption. Tell us about how the banks abused the bailout funds. This is true, unadulterated whistle blowing. In the end, there may well be a case that releasing these diplomatic cables is proper whistleblowing. Unfortunately, it’s not nearly as clear-cut, and that is going to hurt the Wikileaks mission significantly in the long run.

All that said, Mr. Assange, you have balls of steel. I can’t quite believe that you are real, but I’m glad people like you exist to fight bravely for freedom of information, even if, in some cases, I’m not sure I agree with your judgment calls.

Posted in policy | 7 Comments

My name is Ben Adida. I write about the intersection of the Web, Crypto, and Policy. More About Me.
Recent Posts
May 2012

M T W T F S S

« Apr

1 2 3 4 5 6

7 8 9 10 11 12 13

14 15 16 17 18 19 20

21 22 23 24 25 26 27

28 29 30 31

May 2012
M	T	W	T	F	S	S
« Apr
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31