Medical Object Panopticon: Hospital Real-Time Location System (RTLS)

Usually, increased monitoring provokes privacy concerns. But what if it’s objects that are being monitored?

Carolinas HealthCare System (CHS), the third-largest public healthcare system in the US, has completed the first phase of an asset tracking program that is believed to be one of the largest healthcare real-time location system (RTLS) deployments in the US. Currently about 5,000 assets are being tracked over 1.4 million square feet at five facilities.

CHS plans to extend the WiFi-based RTLS system throughout its network, which includes 15 hospitals and medical centers in the Carolinas. Additional facilities totaling about 3 million square feet are scheduled to go live by the end of the quarter.

"As a healthcare organization, we’re required to upgrade or perform preventive maintenance regularly on medical equipment," Clay Fisher, director of information service at Carolinas HealthSystem, told RFID Update. "Imagine trying to find one specific IV pump when you have thousands of them across multiple facilities. We have reduced our ‘time-to-find’ for individual pieces of equipment from hours to less than ten minutes."

Carolinas HealthCare Launches Huge RTLS System, RFID Update, Tuesday October 9th, 2007

One odd side effect: CHS says that if your wireless network isn’t configured for VoIP, you should add that, because a network built out for VoIP has enough coverage to do RTLS.

Now if they can find a way to track patient orders between nursing shifts, and which doctors sign off on drugs without seeing their patients….

-jsq

Myanmar Destabilized by Chinese Imports

Well, not quite yet, but this could be the start:
“It is learnt that taking advantage of the inability of the Myanmar military junta to provide satisfactory and affordable mobile phone services in the Shan State and the Kachin State areas of North Myanmar, Chinese companies have been operating mobile phone services in Yunnan for the benefit of the people of North Myanmar.”

Chinese Mobile Phone Services in North Myanmar, By B. Raman, Paper no. 2470, South Asia Analysis Group, 21-Nov.-2007, quoted in Lots More Reasons Why China is the New America, By Bruce Sterling, Beyond the Beyond, Wired Blogs, November 23, 2007 | 8:35:27 AM

This bears watching, also because while I’ve been predicting the U.S. may end up buying fast Internet access from Japanese companies, just like cars, actually it could be Chinese companies.

-jsq

Breached Party: Labour Loses Confidence Due to Lack of Breach Security

The U.K. Revenue ministry has been leaking massive amounts of personal information, and now it’s affected the ruling party:
The Government will face fresh questions over the loss of millions of voters’ personal data amid evidence the debacle has helped fuel a massive slump in public confidence.

One poll showed those backing Labour’s ability to handle economic problems had been more than halved to 28%, with just a quarter deeming Gordon Brown’s administration “competent and capable”.

And another gave the Tories a nine-point overall lead, its strongest position for 15 years, just weeks after Labour enjoyed an 11-point advantage in the same poll.

Confidence in Labour ‘plummets’, Press Association, Guardian Unlimited, Friday November 23, 2007 7:03 AM

A government at risk of falling because of lax breach security and a perceived lack of technical competence might be what it takes to get governments and industry to take breach security seriously, for example by requiring breach reporting.

-jsq

Bot Buyin

Bruce, seeing that the Storm Worm has sprouted stock-tout popups on its own bots:
(((I’m guessing the next step is to contact Storm bot victims directly and ask them to join the Storm Network voluntarily. After all, if you obeyed that Storm spam pop-up, you cashed in; and this would be a valuable opportunity to become a foot-soldier in the biggest online organized-crime outfit ever.)))

Storm Worm spams its own bots, By Bruce Sterling, Beyond the Beyond, November 15, 2007 | 11:34:00 AM

Having proved that it can infect much of the Internet and the alleged security professionals can do nothing about it, Storm now bids to get its victims to join it?

-jsq

Egerstad Arrested: Uses Tor to Snoop Snoopers; Is This a Crime?

So this fellow was just arrested and some of his computers confiscated:
Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

Swedish Police Swoop on Dan Egerstad – UPDATE by Fergie, Fergie’s Tech Blog, 14 Nov 2007

He got this information by installing Tor, which people use to hide their IP addresses, and looking at what passed over it. What he saw, he believes, was traffic from people who had already broken into embassy accounts and were using them illicitly. He tried to inform the governments involved, who (except for Iran) were uninterested. Then he posted his information online, which probably stopped the snoopers.

So Egerstad gets arrested, yet this man, who says “Privacy no longer can mean anonymity” walks around free.

-jsq

Malware Leverage: Dan Geer on How Attackers Can Bankrupt Defenders

I keep talking about the black hats using the leverage of the Internet. Dan Geer summarizes the situation:
The thing to remember is that the attacker’s workfactor is the cost of a new variant, and as the production of variants (whether of malware or URLs) is now automated, the arms race between attacker and defender can be manipulated by the attacker to bankrupt the defender.

A Quant Looks at the Future: Extrapolation via Trend Analysis, by Dan Geer, v6xi07, accessed 13 Nov 2007, “Rescaled, cumulative,” page 22.

He’s got lots of data from various viewpoints to back up that assertion.

-jsq
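Geer’s point about workfactor is easy to state and easy to underestimate, so here is a toy cost model, added as an illustration (not Geer’s data, and not code from any project mentioned here). The sample records, the cost figures and the two defender strategies are assumptions: an attacker paying a tiny per-variant cost is matched against a defender who answers each new content hash with a fresh signature, and against one who keys on behavior the variants share.

```python
"""Toy model of the attacker/defender arms race Dan Geer describes:
the attacker's workfactor is the cost of one new variant, and a defender
who must answer every variant individually pays per variant.

Constructed example: sample records, cost figures and both defender
strategies are assumptions for illustration, not measured data.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Sample:
    """A captured sample reduced to the two things a defender can key on."""
    sha256: str    # content hash: differs for every automated variant
    behavior: str  # invariant: what the sample does once it runs


def make_family(name: str, n_variants: int) -> list[Sample]:
    """Construct n variants of one family: fresh hash each, one shared behavior."""
    return [
        Sample(
            sha256=hashlib.sha256(f"{name}-variant-{i}".encode()).hexdigest(),
            behavior=f"{name}: beacons to its controller and shows a stock-tout popup",
        )
        for i in range(n_variants)
    ]


@dataclass
class HashSignatureDefender:
    """Blocks by exact content hash, so every new variant needs a new signature."""
    cost_per_signature: float
    known: set[str] = field(default_factory=set)
    spent: float = 0.0

    def handle(self, s: Sample) -> bool:
        """Return True if already covered; otherwise pay to write a signature."""
        if s.sha256 in self.known:
            return True
        self.known.add(s.sha256)
        self.spent += self.cost_per_signature
        return False


@dataclass
class BehaviorDefender:
    """Blocks by behavior, so one rule covers every variant that behaves the same."""
    cost_per_rule: float
    known: set[str] = field(default_factory=set)
    spent: float = 0.0

    def handle(self, s: Sample) -> bool:
        """Return True if already covered; otherwise pay to write a behavior rule."""
        if s.behavior in self.known:
            return True
        self.known.add(s.behavior)
        self.spent += self.cost_per_rule
        return False


def run_arms_race(n_variants: int, attacker_cost_per_variant: float,
                  hash_sig_cost: float, behavior_rule_cost: float) -> dict:
    """Cumulative cost to each side after the attacker releases n variants of one family."""
    samples = make_family("family-A", n_variants)
    hash_def = HashSignatureDefender(hash_sig_cost)
    beh_def = BehaviorDefender(behavior_rule_cost)
    for s in samples:
        hash_def.handle(s)
        beh_def.handle(s)
    return {
        "attacker": n_variants * attacker_cost_per_variant,
        "defender_hash_signatures": hash_def.spent,
        "defender_behavior_rules": beh_def.spent,
        "signatures_written": len(hash_def.known),
        "rules_written": len(beh_def.known),
    }


if __name__ == "__main__":
    # Constructed figures: automated variants are nearly free to the attacker,
    # each hand-written signature costs analyst time, and a behavior rule
    # costs more up front but is written once per family.
    print(run_arms_race(n_variants=1000, attacker_cost_per_variant=0.01,
                        hash_sig_cost=50.0, behavior_rule_cost=500.0))
```

With the constructed figures, a thousand variants cost the attacker about ten units and the hash-signature defender fifty thousand, while the behavior-rule defender pays once. The numbers are made up; the shape of the curves is the point, and it is why defenders who can only respond per hash are the ones Geer says can be bankrupted.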

Privacy and Breach Reporting

Why do corporations and the government think we should trust them with everything, yet they shouldn’t even have to report security breaches?

Adam notes that the Commission on Cyber Security is currently meeting “to provide advice about cyber-security policy to the next presidential administration.” Adam has a recommendation:

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

How Government Can Improve Cyber-Security, by Adam Shostack, Emergent Chaos, 12 Nov 2007

This would be a big improvement.

-jsq

What to Measure

Adam evaluates a New York Times article about NYC school evaluations, and sums it up:
The school that flunked has more students meeting state standards than the school that got an A.

Measuring the Wrong Stuff, by Adam Shostack, Emergent Chaos, 9 Nov 2007

Measurement is good, but if your measurements aren’t relevant to the performance of the company (economic, cultural, legal compliance, etc.), measurement can waste resources or steer the ship of state or company onto ice floes. That applies to information security as much as to schools.

-jsq

Wealth of Internet Miscreants: Beyond Law Enforcement to Disrupting the Criminal Economy

How to get rich quick through ecrime:

This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. Proc. ACM CCS, October 2007.

How to stop it? Law enforcement is good, but insufficient. Ditto traditional technological Internet security methods. We already knew that. What now?

Real progress will be made by disrupting the criminal economy by poisoning trust. Read the paper for the authors’ suggestions of Sybil attacks and slander attacks. Make the criminals’ identities unreliable and poison their reputations.

This is considered the paper of the year by some prominent computer security professionals, and for good reason.

-jsq

Antitrust and Microsoft: Still on the Table?

More time to determine whether Microsoft has a monopoly?

Microsoft, state prosecutors, and the U.S. Department of Justice on Tuesday said a federal judge needs more time to weigh whether Redmond should be subjected to a lengthier period of antitrust policing.

In a joint filing with U.S. District Judge Colleen Kollar-Kotelly, who has been overseeing Microsoft’s antitrust compliance, they asked for a soon-to-expire oversight period to be temporarily extended until at latest January 31, 2008. That way, the judge will have more time to weigh the merits of last-minute pleas from a number of state prosecutors to add another five years to the oversight regime.

Right now, most of Microsoft’s 2002 consent decree with the Bush administration is set to expire November 12. One small portion, related to a communications protocol licensing program that has encountered numerous delays since its inception, has already been extended through November 2009.

U.S.-Microsoft antitrust deal to get temporary extension, by Anne Broache, C|Net News.com News blog, October 30, 2007 2:24 PM PDT

The story says the judge and Microsoft are expected to agree to the extension. Not surprisingly, there’s an objection from a different quarter:

The Justice Department has already said it doesn’t believe there’s any need to extend the oversight period and that the agreement with Redmond has been working as designed.

It’s state prosecutors from 10 states who are driving this extension.

These days we don’t have Teddy Roosevelt to bust trusts, nor even William Howard Taft, whose Department of Justice started 80 antitrust lawsuits. Maybe the states can do it.

-jsq