IBM Healthcare Could Have Done Better Today

Today @IBMHealthcare tweeted this …

‏@IBMHealthcare Beyond the basics: Crafting an in-depth #healthcare #security strategy

… which linked to IBM’s Security Thought Leadership White Paper Healthcare Securing the healthcare enterprise: Taking action to strengthen cybersecurity in the healthcare industry (March 2015).

While I can’t comment on IBM’s business solutions “to strengthen cybersecurity in the healthcare industry,” I am surprised at the quality of information that IBM relies on to describe “the nature of today’s cyber attackers” to its potential customers.

For example, IBM presents a figure (reproduced below) and references a CNN Money report, Hospital network hacked, 4.5 million records stolen (August 18, 2014).

Leading source of data leaks in healthcare institutions
Figure 1. IBM’s leading source of data leaks in healthcare institutions

In fact, CNN is not the source for Figure 1. Another IBM publication, MSS Industry overview – Healthcare: Research and intelligence report (October 7, 2014) presents the same figure, and references “Chronology of Data Breaches Security Breaches 2005-Present, Privacy Rights Clearinghouse.” IBM seems to have generated Figure 1 by querying an API on the Privacy Rights Clearinghouse website.

I wonder why IBM does not use authoritative, readily available data on breaches of protected health information to make its business case and to educate the public.

For instance, a research letter (Liu, Musen & Chou, 2015) published recently in the Journal of the American Medical Association1 described breaches of protected health information that had been reported from 2010 through 2013 by entities covered by the Health Insurance Portability and Accountability Act in the United States . Under the Health Information Technology for Economic and Clinical Health Act (2009), breaches involving the acquisition, access, use, or disclosure of protected health information and thus posing a significant risk to affected individuals must be reported.

Recently, we extended the original dataset of Liu et. al. to include breaches of health information up to the present. Table 1 summarizes the number of incidents and victims of breaches of health information in the United States from January 2010 to August 2015, inclusive.

Counts and Victims of Health Information Breaches - US 2010-2015
Table 1. Number of incidents and victims of breaches of health information. † 2015 data are for January – August inclusive only.

Notice the tremendous spike in the number of victims in 2015 – a dramatic development that IBM took no note of today.

Figure 2 depicts the distribution of victims/breach of health information as a series of boxplots.

Distribution of number of victims/incident (log scale) of breach of health information U.S. 2010-2015
Figure 2. Distribution of victims/incident (log scale) of breach of health information. † 2015 data are for January – August inclusive only.

We see that in seventy-five percent of all incidents, the number of victims/breach over the year has fallen consistently below 104 (10,000). A small number of incidents have involved 100,000 – 1,000,000 victims/breach, and an even smaller number have involved 1,000,000 – 10,000,000 victims/breach. Incidents involving more than 10,000,000 victims/breach made their first appearance in 2015.


In light of these dramatic developments, it’s a shame that IBM is relying on outdated information when it comes to educating the public and identifying potential solutions “to strengthen cybersecurity in the healthcare industry.”


  1.  Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.

Toronto Citizen’s Arrest of South Korea’s Smart Sheriff

From The Citizen Lab, Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application, Appendix B: Legal and Policy Issues (2015)

South Korea is one of the most highly connected countries in the world when it comes to Internet and mobile phone access. Whereas 36.2 percent of Korean minors had smartphones in 2011, the number grew to 81.5 percent within two years, with high penetration rates even among elementary school children.

The South Korean government has taken steps to regulate the use of digital media among minors, maintaining a “shutdown” rule that restricts access to online gaming for minors under the age of sixteen after midnight.

In 2013, regulators began focusing on combating excessive smartphone use, requiring that schools organize “boot camps” where no Internet usage is allowed, teach classes on Internet addiction, and educate those as young as three on how to prevent overuse of digital devices and the Internet.

By 2014, schools were piloting a program that required students, with parental approval, to download an application that allowed teachers to remotely track and control students’ smartphones, including the ability to lock the phone or allow only emergency calls.

By April 2015, the Korean government enacted a new measure requiring telecommunications business operators that enter into service contracts with minors to provide a means of blocking harmful content on the minor’s mobile device and ensure that parents receive notifications whenever the blocking means becomes inoperative. This measure has ushered in the wide-ranging use of parental monitoring software, with Smart Sheriff one of the most prominent options for fulfilling the mandate. One month into the mandate, these applications were reportedly downloaded at least 480,000 times.

With cooperation on implementation from numerous entities in the public and private sector, the new requirements constitute a pervasive parental monitoring and control mandate.

While Smart Sheriff is not the only tool offered to support compliance with the new regulations on provision of means to block harmful content, the Korean government appears to have uniquely supported its development and promotion.

According to its terms of use, Smart Sheriff collects and retains for one year information about applications installed on the child’s smartphone, data related to account password, member name, phone number, child’s date of birth, IP addresses of service access, and log file information such as access time.

Smart Sheriff’s terms of use also provide for sharing the student’s data with the Office of Education and the student’s school for purposes of smartphone addiction counselling, and with telecommunications business operators for the purpose of complying with the notification obligations of the mandate on installation of means for blocking harmful content.

What could go wrong?


Section 215: The “gentlest touch” or “database of ruin”?

On April 20, 2015, the Army Cyber Institute at West Point hosted a debate on the question, Privacy & transparency vs. intelligence collection capabilities: What takes precedence?

The debaters were General Michael Hayden, former Director of the NSA and CIA, and Dr. Christopher Soghoian, Chief Technologist, ACLU. The debate was moderated by Stephanie Pell, Ethics Fellow, Army Cyber Institute. A videotape recording of the debate is available on Youtube. We have excerpted Prof. Pell’s joining of the issues, and the points of view of Gen. Hayden and Dr. Soghoian.

Hayden-Soghoian debate - Army Cyber Institute, West Point - 20150425

Prof. Pell: In about six weeks, on June 1st of 2015, section 215 of The Patriot Act will expire unless Congress re-authorizes it. So the question for our debate today is whether Congress should provide a clean and unqualified re-authorization of this law, which would permit the government to continue its bulk collection of American telephony metadata. Now, what is section 215? It’s an intelligence collection authority, it’s a statute that allows the government to compel any tangible thing from a third part – like a phone company, or a rental agency, or a hotel – where there are reasonable grounds to believe that the information is relevant to an authorized investigation to protect against international terrorism. Sounds reasonable, correct? Government is doing a particular investigation to protect the United States against international terrorism, and it needs a particular set of records -whether they be phone records, whether they be hotel records. So why, then, was section 215 the subject of the very first story published about the Snowden disclosures in June of 2013? Well, here’s the controversy. This authority was actually being used to compel from phone companies on an ongoing basis to give the government records of every phone call that was being made, and when I say every phone call what I mean is numbers that every phone is calling, and numbers that are calling that phone, the time, the date, and the duration of those phone calls. Now we’re not talking about the content of the calls. What we later learned through declassified information – everything we’re talking about here today has been declassified – is that the NSA had created a massive database to collect all these telephony metadata records and here’s in a nutshell essentially what it was doing- again, with the idea of protecting against an international terrorist attack. Let’s say you have a seed identifier – s-e-e-d – usually a phone number, where there is a reasonable, articulable suspicion that that number is associated with a terrorist or a terrorist organization. What the NSA would want to know is if this known terrorist number was communicating with potentially unknown terrorists in the United States. So it would take that seed identifier and it would run it against the phone database and see, are there any connections with that seed identifier number calling any numbers in this domestic telephony database, or any numbers in the database calling that number? Now, when it was disclosed that the statute was being used to authorize this kind of bulk collection on an ongoing basis, there was criticism across the legal community. The question was, how could an entire database of phone records being collected on an ongoing basis be relevant to a particular international terrorist investigation? In fact, the Privacy and Civil Liberties Oversight Board, which is a bi-partisan, independent government agency, which is tasked with looking at the actions the Executive Branch takes to protect us against international terrorism and evaluates whether privacy and liberty considerations are appropriately being taken into consideration in the Executive Branch’s execution of those actions. Here’s one of things that the Privacy and Civil Liberties Oversight Board said:

In the Board’s view, this interpretation of the statute is circular and deprives the word “relevant” of any interpretive value. All records become relevant to an investigation under this reasoning, because the government has developed an investigative tool that functions by collecting all records to enable later searching. The implication of this reasoning is that if the government develops an effective means of searching through everything in order to find something, then everything becomes relevant to its investigation. The word “relevant” becomes limited only by the government’s technological capabilities to ingest information and sift through it efficiently.

So, General Hayden, let me stop here and turn to you. I’ve ended my understandably very brief summary of this program with one …

Gen. Hayden: It was very accurate, thank you.

Prof. Pell: … thank you … with one particular criticism levelled by the legal community and the Board –  the Board we’ll call them to be short – and forgive me, because I’m a lawyer, but this program has rendered the word “relevant” to be irrelevant. But you, perhaps, more eloquently than anyone in the past, have defended this program, please tell us why.

Gen. Hayden: The quotation that Professor Pell just read to you from the Privacy and Civil Liberties Oversight Board was a product about a year ago now of their look at the 215 program. The vote on the Board, a five person Board, the vote on the Board for that product, was three-to-two, and by and large the vote was largely along party lines, depending on who was appointed to the Board and what their background was. Um, it raised very important arguments, but a lot of people, myself included, wonder why the Privacy and Civil Liberties Oversight Board is second-guessing the American court system with regard to what a statute does or does not mean. This statute has been reviewed by judges about three dozen times – thirty-six, thirty-seven – right now, it’s thirty-six-to-one in the view of the court system, which is actually the organ of government that’s designed to make these kinds of decisions, that it was relevant, that is was lawful, and that it was constitutional in terms of what the 215 program did with regard to the records. Now I understand, Stephanie has a great point, that this was a story first pushed out there by Glenn Greenwald and Bart Gellman with the Snowden revelations because it’s a story about you, it’s your record, there is no ambiguity whatsoever about this, that’s a lot of American data sitting in servers at Fort Meade, Maryland – and that naturally, given our political culture and our history, raises a whole host of questions, with regard a concern of that much data being in the hands of the federal government. I think as we go forward what we need to discuss also then is what happens to the data, because it’s the totality of that, which I think gets us to both the relevance and the reasonableness – attributes that make this program both worth doing and legally worth doing. …

With regard to the Why of the program – I was the Director of the National Security Agency on September 11th, 2001. What we saw there, what we saw there was an erosion of some traditional divisions in our way how Americans decided to keep ourselves both safe and free. Over the long term we had decided we could, because of our history, and really because of our geography, put “foreign” over there, and “domestic” over here, we could put “intelligence” over there, and we could put “law enforcement” over here, and because of a lot of things – and we can discuss that if you like – because of a lot of things 9/11 showed us, those old divisions – foreign-domestic, law enforcement and intelligence – just weren’t quite as crisp as they were. And that simple separation of those things may not be the best way going forward for us to keep ourselves both safe and free. There was a committee formed, called the JIC, the Joint Inquiry Commission, it was an unusual thing – almost like the Civil War committee on the conduct of the war, which they combined both House and Senate to look at why did 9/11 happen? They levelled several criticisms at NSA. The core criticism of NSA by the American Congress within a year or so of 9/11 – was NSA was far too cautious, far too cautious, when it came to the kind of terrorist communications most important to defending the United States. And then they went ahead and defined what those communications were: terrorist communications, one end of which was in the United States of America. This program was the gentlest touch we could come up with to respond to that requirement and criticism, and still balance that security need with privacy.

Prof. Pell: So, let me turn to Dr. Soghoian and pick up on General Hayden’s “gentlest touch” language. Dr. Soghoian, it’s only metadata, a bunch of records of telephone calls, phone numbers, dates of calls, times of calls, durations of calls, what’s the big deal?

Dr. Soghoian: … So, to Professor Pell’s point – It’s true, the U. S. government has a database of records from most of the phone companies with a huge amount of information about telephone calls, and it’s true this does not include the names of people, this does not include what is said on the phone. But let’s just think for a second of what you get if you have a database of most of the telephone calls that take place in this country. Within that database are calls to suicide hotlines at 2 in the morning, within that database are calls to abortion clinics, or to gun stores, or to psychiatrists, does it really matter what you say, if the government knows that you were talking to someone at a suicide hotline for an hour? Does it really matter, if you’re calling an alcohol assistance hotline, or a gambling hotline? It doesn’t matter, that information could both be embarrassing to you personally, it could harm your career, it could harm your relations with your loved ones, and with others in your community, if it were to become known at a later date. One of my friends and colleagues, a professor in Washington, D.C., Paul Ohm [Director, Center on Privacy and Technology, Law Faculty, Georgetown University] describes a “database of ruin” – the idea that there is a database out there somewhere that contains information about all of us that, if it were to become public, could destroy our lives. Now, I’m not saying that the NSA is going to make that information public, but the U. S. government doesn’t have a particularly good track record of keeping things secret in the long term, and so I really want to push back on this idea that this is data that isn’t really that sensitive – I also want to quote from something that General Hayden has said in the past which is that the U. S. government kills people based on metadata, this is extremely sensitive and important stuff and that’s why the government wants it, let’s not kid ourselves.

Gen. Hayden: I did add, we didn’t use this metadata for that [laughs].

Dr. Soghoian: Right, yeah, you used data about other people in other countries. But metadata is powerful. In some ways, metadata is more important than content, for the simple reason that metadata can be analyzed at scale with computer software. If you have the content of an email or the content of a telephone call, you have to first somehow transcribe it, either with a computer or a human, you have to maybe translate it into a language that’s useful if it’s not in your native language, and then you just figure out what someone’s saying. If someone says, “The package is coming at midnight” does that mean that “FedEx is coming at midnight” or does that mean” there’s an attack happening at midnight”? With metadata you don’t have to deal with that. Every email, regardless of which country it is sent from, and regardless of which language the person who wrote it speaks, has a subject line, it has a To, it has a From, it has a Time, and that kind of structured data lends itself to large-scale, systematic analysis, the kind of analysis that the intelligence community does so well. That kind of data truly powers the oppressive surveillance that we are now operating under. I’m actually more worried about government collecting metadata than I am about content because I don’t the NSA or any other government could actually make full use of all of the content of our emails, but metadata they can use right now.

Note: Less than a month after this debate, the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper ruled that the NSA’s telephone records program went far beyond what Congress authorized when it passed Section 215 of the Patriot Act in 2001.

Eben Moglen

Eben Moglen is the Founder of the Software Freedom Law Center, Columbia law professor and historian.

He received the 2003 EFF pioneer award for his role in legalizing software encryption and defending free software.

Eben Moglen

Snowden and the Future

  • Part I – Westward the Course of Empire – 20131009 – Text – Video
  • Part II – Oh, Freedom – 20131030 – Text – Video
  • Part III – The Union, May It Be Preserved – Text – Video
  • Part IV – Freedom’s Future – Text – Video