05/26/2009
e-health in the UK and Belgium ?
We don't see anything, we don't hear anything so we don't know anything
In the UK this is different for e-health, and this article shows why this kind of control is needed: just because something is on paper does not mean that the monkeys will do what they are supposed to do. They do it only because you control, monitor and test.
"A total of 140 security breaches were reported within the NHS between January and April this year. These included computers containing medical records stolen and left by skips, and passwords taped on encrypted discs with sensitive information, The Independent newspaper said."
http://www.telegraph.co.uk/health/healthnews/5381605/Thou...
09:41
05/19/2009
some interesting presentations about the EID (Dutch)
But some of them (including the one from the official Belgian Privacy Commission, which points out that the readers that are used have NO legal basis for the moment) are quite interesting. The details are what it is all about.
- Introduction (Vincent Naessens, KaHo Sint-Lieven)
- Snake(s) in the e-ID grass (Willem Debeuckelaere, Chairman of the Privacy Commission)
- The Hitchhiker’s Guide to the e-ID (Peter Strickx, Chief Technology Officer, Fedict)
- e-ID access control for restricting access to company car parks and recycling parks (David Maelfait, Alphatronics)
- e-ID card readers and e-ID software support (Johan De Vriendt, Arena Solutions)
- Applications using e-ID signatures (Frank Delanghe, DSoft)
- An e-ID-based ticketing system (Jorn Lapon, KaHo Sint-Lieven)
- eHealth applications and the use of the Belgian electronic identity card (Frank Robben, Administrator-General of the eHealth platform)
11:20
05/14/2009
Holland shows Belgium how not to take any risk with ehealth projects
A Dutch Cabinet minister has stopped the development of the eHealth card as security researchers have successfully discovered the secret encryption key on that card, using an attack that is already old and that analysed the electromagnetic fields on the chip of the card. It was also possible because the chip didn't use the best security, so that it could handle transactions faster. This was done at a university (where are our universities doing such important work?) and you also need the PIN code to be able to do something with it (but hey, we have keyloggers for that, and most people keep all those PIN codes together or use the same one). So theoretically it is only useful in a very targeted attack or in a lucky theft (in which you have the card and the PIN code).
The chip is not only used for the ehealth card but also in other smartcards. The chips have to be replaced. Meanwhile the development of the ehealth card has been stopped, but some think that this is just because there are numerous other technical difficulties and because opposition to the card is bigger than expected and still growing. The main objection is that the information about the patients can be found on laptops and computers of all kinds of medical staff and institutions, while the security of those installations can differ enormously.
Security has to follow the data. If you claim that some data is more important than others, it must have more security than other data at all times, wherever it is to be found. Even if Holland has a very strict law (Dutch) that for some kinds of data even imposes penetration testing, it is not sure that it would be implemented across the board at all times. The minister has announced that the ehealth infrastructure and card will be tested by penetration testers and hackers. That is in Holland, of course. Maybe they should test their incident response at the same time.
In Belgium we also have ehealth, but we have neither the technical norms, laws and controls of the USA nor the critical penetration testing, research and oversight by professionals and researchers found in Holland. There are some promises but these are words in the wind. On paper the ehealth business controls its own business. If you did that in any other business, they would have a word for it. Especially in times like these when everybody wants to implement more controls. I hope we don't need 10 years to realise that we ought to implement many more controls, oversight and laws about the security and privacy of ehealth after something has gone awfully wrong.
The Dutch articles (about which the Belgian press wrote NOTHING)
330.000_bezwaren_tegen_patientendossier
21:12
05/06/2009
American ehealth database hacked and millions of ehealth files held for ransom
"On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand:
- "I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
The site, https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx appears to have been entirely disabled and is presently unavailable.
The linked file provides the full ransom message.
The PMP is used by pharmacists and others to discover prescription drug abuse.
The PMP declined to comment, although when contacted, appeared to be aware of the issue, instantly referring inquiries to the director of the DHP, who is presently unavailable."
Source: Wikileaks.org
yeah safe, sure and not sick..... all that ehealth bizz and buzz - just trust us, we know what we are doing....
00:47
01/25/2009
2008 the arrival of ehealth in Belgium
In June the parliament discussed and finally approved the e-health proposal on the basis of faith in the people responsible for the project. As we don't have faith but just want to see the facts, we studied it and paid some attention to the subject. I am sure that we will pay more attention to it in 2009 as this is a very important subject.
16/10/08 16:48 KUL Leuven and the TAS3 EU project (ehealth)
13/08/08 10:17 Medical ID theft in the US from test to reality (and Belgium)
07/08/08 23:23 Belgian Ehealth has no Privacy culture or awareness
24/06/08 09:56 3 reservations about the Ehealth platform proposal
16:17
01/21/2009
Presentations about e-health in Belgium
from the boss himself, Mr Robben :)
Information session of the National Institute for Sickness and Incapacity Insurance - Brussels - January 15, 2009
The eHealth platform: purpose, organisation, state of affairs and priorities
European Commission - i2010 subgroup on eHealth - Brussels - January 15, 2009
Ceremony 5th Covidien Awards for excellence in hospital management - Vilvoorde - December 11, 2008
eHealth with respect for privacy and professional secrecy
Conference of the Centre for Scientific Development of Pharmacists on "What can we expect from pharmacists in a patient-centric healthcare IT environment ?" - Brussels - November 27, 2008
Possible support of the electronic pharmaceutical record by the eHealth platform
General Assembly UNAMEC - Brussels - November 26, 2008
The eHealth platform: purpose, state of affairs and priorities
eHealth Congres of TMAB and Agoria ICT - Brussels - November 18, 2008
16:49
01/17/2009
e-health got an OLD and STUPID virus and it is killing it
Some people here and in the US are dreaming of doing everything electronically in the health infrastructure - forgetting that we are talking about medical information that would be interesting for economic espionage, blackmail and intelligent scams and phishing.
Now they are saying on the news that several hospitals have great problems with that new (already two weeks old) virus that is spreading. They say that everything is working but that it takes more time to download medical information and so on.
Let us make a few things clear:
* this is not a supervirus. This virus only works if you haven't updated your computer since October with an easily downloadable patch from Microsoft. Surely in a network like a hospital's you should have organised your patching and updating centrally and should control it so that it is done effectively. And there is nothing NEW.
* it means that the security of the computers in hospitals is too lax for us to be confident that, in their present situation, they can handle information as important as our medical information in a confidential and highly secure computer network.
* the great law of silence and "just trust us" has proven its weakness, especially after the new Belgian ehealth law needed more security and auditing and norms before going ahead with all their great plans. The system as a whole is only as secure as its weakest part. This means that maybe the computer use, culture and infrastructure in hospitals have to change and that hospitals have to understand that their computers are as important for saving lives as their operating rooms.
I am sure some people can tell stories about security in hospitals or on the computers of the doctors that would be quite interesting..... but that is the real reality that is responsible for this situation. You only need one PC to get the rest into trouble.
12:39
10/16/2008
EID and Ehealth : introduction (presentation)
A general presentation of the global certificate structure of the EID and how it is going to be used in the ehealth project.
16:52
KUL Leuven and the TAS3 EU project (ehealth)
TAS3 focuses federated identity management
TAS3 consolidates scattered research in Security, Trust, Privacy, Digital identities, Authorization, Authentication…
TAS3 integrates adaptive business-driven end2end Trust Services based on personal information: Semantic integration of Security, Trust, Privacy components
TAS3 provides dynamic view on application-level end2end exchange of personal data
16:48
09/19/2008
Frank Robben: new presentations
Given Frank Robben's unique position, these presentations have more than informational value.
eBelgium Congres - Leuven - 14 September 2008
The eHealth platform: purpose, implementation and state of affairs
Debate organised by the Belgian Association for Medical Ethics on the ethical aspects of the eHealth-platform - Ostend - 4 September 2008
The eHealth platform: purpose, implementation and state of affairs
Workshop of the Ministry of the Interior and the Ministry of Foreign Affairs - Brussels - 3 September 2008
23:22
09/14/2008
belsecTV Google ehealth what it is according to them
Google Tech Talks July 25, 2008 ABSTRACT Faculty Summit 2008 - Day 2 Google Health - Jerry Lin Google Health launched May 19, and has encountered a number of challenges in terms
23:12
09/02/2008
About Frank Robben and ehealth
Frank Robben said in an interview with a Belgian ICT journal - that has been under a lot of pressure to correct its too critical viewpoint - that he learned how to network and that everything depended on how to network and work with people. He also had all the opportunities in the interview to showcase his own intentions and motivations and all the self-promotion one can think of.
But he said in that interview one thing that bothered me most - and should bother everyone that is occupied with internet security in Belgium because it is the perfect example of how we are completely messing up the ICT business in Belgium.
He says that if there is later a problem with the security of ehealth he will have to report it and will be held accountable for it.
No. Someone else that has totally nothing to do with you will have to report it to the public institutions responsible for the public control on ehealth - among other things. And you will have nothing to do with it. You will be held accountable for it, but with the analysis, research and report you should have absolutely nothing to do; you shouldn't even know who is doing the analysis and you shouldn't even know when this analysis is taking place.
If you want the public to have confidence in it, you should give the public its own auditors that have absolutely nothing to do with anyone that is in any way linked to the project they have to research.
10:15
08/13/2008
Medical ID theft in the US from test to reality (and Belgium)
Eric Smith
Assistant Director of Information Security and Networking, Bucknell University
Dr. Shana Dardan
Assistant Professor of Information Systems, Susquehanna University
In less than an hour, during a scheduled pentest, our team was able to retrieve 3.2 million patient insurance records from a HIPAA-compliant medical facility. Using these records, we could have generated counterfeit insurance and prescription cards which would pass muster at any doctor’s office or pharmacy counter. If you are one of the 47 million Americans with no health insurance or happen to have a medical condition you wished to hide from employers or insurers, would you consider purchasing falsified medical documents? Thousands of Americans have already said yes, without thinking twice about the victim of their victimless crime.
What happens to you if your medical identity is stolen? You may find yourself liable for thousands of dollars of co-pays, deductibles, and denied claims. Is this because you forgot to shred an important document? Did you fall for a phishing scheme online? Of course not — it was entirely outside of your control, and it happened because the current HIPAA regulations are insufficient to protect your medical identity.
Defcon 16 Medical Identity Theft Slides
Here is the LWAPP decoder script that we demonstrated during our talk:
Usage: lwappdecoder.pl lwapp_input.pcap
This script takes as input a .pcap file containing traffic collected between a Cisco LWAPP AP and its Wireless LAN Controller (WLC). The LWAPP headers are removed from any data packets detected, and the resulting wireless client data is written to an output pcap file.
Comment: In Belgium we don't have such a law, we don't have responsibilities defined and audits required and stuff like that. We have something called e-health but nobody has a clue who is checking and auditing that thing. The Privacy Commission? That would be odd because the big chief of ehealth is a member of that commission that should audit and control and regulate his 'big vision'.
PS I know some doctors and I had to help them because their VPN server in the hospital was hacked and infecting computers of doctors with trojans and backdoors and from what I hear off the record this isn't the only hospital having huge problems (like doctors walking around with unsecured laptops and unsecured wireless while being connected to the network).
10:17
08/07/2008
Belgian Ehealth has no Privacy culture or awareness
We are in possession of a publicly published PPT presentation (from 2005) that can be found on the ehealth portal of the Belgian Government that shows real client data in an example of how a hospital network would work and how data would be exchanged.
It is typical that in the document there is no mention at all of the necessities of security or authentication nor any mention worth the paper it is written on about all the problems and attacks such a network could have.
Without any such awareness it is totally normal that anyone could edit the PPT file in any PPT writer and make the data clear for anyone to see - medical data that is from REAL persons. (well just hospital visits and birth dates and so - but you see what I mean).
We won't publish it, but we said that the ehealth proposal of the self-assigned mister Ehealth that has been voted in law was dangerous and didn't have any controls or security audits worth that name built into it. Nor any oversight. With a lack of privacy and security awareness in the ehealth sector there is a lot to be done and nobody, nothing and no means will be in place to do it.
There is even no mention at all of standards, procedures and norms in the proposals.
Why do I think this is only the beginning?
23:23
07/20/2008
only 18% of the Belgian population has a European Health Card
The EHIC covers all health care which is needed during a temporary stay in one of the 31 participating countries other than the country of residence, be it for travel, for work or for studies. The card entitles you, in case of illness or accident, to the same medical treatment and on the same basis as local patients, as if you were insured in the state of stay.
As each Member State has its own rules for public medical provision, the EHIC covers free medical treatment in some Member States, whilst in other Member States it covers reduced cost medical treatment. Some Member States may provide care free at the point of use (such as Spain or the United Kingdom), while others may require payment, to be claimed back later (such as Belgium or France).
The EHIC can only be used in the framework of public health care provision. Private health care providers (hospitals, doctors, pharmacists, dentists, etc.) can therefore refuse the EHIC.
In which countries can I use the EHIC?
The EHIC is valid in 31 European countries. These include the 27 European Union countries (Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom) as well as Switzerland, Norway, Iceland and Liechtenstein.
Where can I obtain the EHIC?
Each Member State is responsible for the distribution of the EHIC on its territory. Therefore each Member State has its own distribution procedures. In some cases the card can be ordered online. People should contact their local sickness insurance institution or equivalent for further information.
Some examples:
Country | EHIC in circulation 31/12/2007 | % population holding an EHIC |
BE | 1 907 993 | 18 |
BG | 104 871 | 1 |
CZ | 8 400 000 | 82 |
DK | 849 903 | 16 |
DE | 45 000 000 | 55 |
source
It is a bit stupid that our SIS card (health card) isn't European at the same time; this would have made a lot of bureaucracy and paperwork unnecessary, which is what e-health is all about at its best.
00:31



