Showing posts with label Android. Show all posts

Friday, August 7, 2015

Health IT Cyber Thieves have their own "ENIGMA" machines

Veterans of World War II will remember the efforts to crack the Japanese encryption used for military communication during WWII.
Enigma was invented by the German engineer Arthur Scherbius at the end of World War I.[1] Early models were used commercially from the early 1920s, and adopted by military and government services of several countries, most notably Nazi Germany before and during World War II.[2] Several different Enigma models were produced, but the German military models are the most commonly recognised.
The mechanical/electrical components of the device were easily duplicated. The secret sauce was in the encryption method. 
German military messages enciphered on the Enigma machine were first broken by the Polish Cipher Bureau, beginning in December 1932. This success was a result of efforts by three Polish cryptologists, Marian Rejewski, Jerzy Różycki and Henryk Zygalski, working for Polish military intelligence. Rejewski reverse-engineered the device, using theoretical mathematics and material supplied by French military intelligence. Subsequently the three mathematicians designed mechanical devices for breaking Enigma ciphers, including the cryptologic bomb. From 1938 onwards, additional complexity was repeatedly added to the Enigma machines, making decryption more difficult and requiring further equipment and personnel—more than the Poles could readily produce.
On 25 July 1939, in Warsaw, the Poles initiated French and British military intelligence representatives into their Enigma-decryption techniques and equipment, including Zygalski sheets and the cryptologic bomb, and promised each delegation a Polish-reconstructed Enigma. The demonstration represented a vital basis for the later British continuation and effort.[3] During the war, British cryptologists decrypted a vast number of messages enciphered on Enigma. The intelligence gleaned from this source, codenamed "Ultra" by the British, was a substantial aid to the Allied war effort.[4]
What does this have to do with health information technology and mobile health in particular?
Ask Google, since they are planning regular weekly updates to the Android operating system.

Google's comment regarding the 'Stagefright' hack:
"This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users...As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat."
How to see if your Android Device is vulnerable to the Stagefright hack?
Google's Android Blog: "Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store."
In recent months many breaches have been reported by health insurers. In most instances medical records were not accessed, other than in an attempt to gather consumer identification and credit information. Identity theft is a major concern.
The moral of the story is that security breaches will be present for a long time. Thieves are inventive.

Saturday, December 21, 2013

mHealth----More Necessary Regulations


Much of the big news in health IT this year came out of the Office of the National Coordinator for Health IT. ONC -- along with CMS -- is in charge of overseeing the widespread adoption of EHRs through the meaningful use program. After years in the works, the first phase of that program is wrapping up right now.

The past several years were almost frantic for HIT and ONC, with meaningful use standards, interoperability standards, incentive funding and a succession of creative and dynamic national coordinators, each with their own focus on what needed to be accomplished.

Unlike other Executive departments, Medicine has been fortunate to have a clear path, relatively clear goals, and minimal political divisiveness, all to the benefit of our patients.

mHealth has had an explosive growth in mobile applications for iOS and Android.  The hardware form factors are multiple with stiff competition and new hardware offerings almost monthly.

Growth and competition are plentiful, with numerous manufacturers (Nokia, Windows, Google, Motorola, iPhone) offering smartphone or PC tablet form factors. In many cases EHR vendors have rapidly developed a mobile app portal. The acceptance rate has been high for those who are tech savvy, despite the potential vulnerability to a security breach and all that. HIPAA stands by on the sidelines, ready to pounce with a hefty penalty. The plain truth is that these applications and hardware offer so much in efficiency that a way needs to be found quickly to certify HIPAA compliance for each application and device.

Notwithstanding this urgent need, there have been several attempts to regulate this market. The FDA, FTC, FCC, and HHS have all been mentioned. Suffice it to say that regulatory agencies are pressed to stay current with new hardware and devices.

Why, How and Which Mobile Health Applications Need Regulation?

In an article (blog post) in June 2012 I discussed "Five Reasons Why Digital Health Technologies Need FDA Oversight". Now the FDA is in the process of forming a mobile health division to study, certify and authenticate applications. A new workgroup in HHS has been formed.

According to mobiHealthNews:

"The workgroup’s efforts will likely end up affecting the regulation of mobile health and health IT. According to HHS, FDASIA requires Sebelius, with the ONC and the FCC, to “develop a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including medical mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.” The new workgroup’s input will feed into that report."

According to Brian Ahier,

"As a general matter FDA regulates all medical devices and FCC regulates devices that utilize electromagnetic spectrum - i.e. broadcast devices. So with regard to mobile health devices - sensors, applications, systems - FDA regulates any given device as a medical device while FCC regulates the device as a communications device. 

Recognizing the potentially overlapping jurisdiction in digital health, in 2010 the agencies entered into a Memorandum of Understanding "to promote collaboration and ultimately to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices."

Last month FCC announced its mobile body area network (MBAN) proposal, which would allocate electromagnetic spectrum for personal medical devices (see link below). The allocated spectrum would be used to form a personal wireless network, within which data from numerous body sensors could be aggregated and transmitted in real time."


Representative Marsha Blackburn (R-TN) and others introduced The Software Act, which will act to build a cohesive multi-agency overview of mHealth.