We don't see anything, we don't hear anything so we don't know anything
In the UK this is different for e-health, and this article shows why such controls are needed: the fact that something is on paper does not mean the monkeys will do what they are supposed to do. They only do it because you control, monitor and test.
"A total of 140 security breaches were reported within the NHS between January and April this year. These included computers containing medical records stolen and left by skips, and passwords taped on encrypted discs with sensitive information, The Independent newspaper said."
But some of them (including the one from the Belgian official Privacycommission who points out that the readers that are used have NO legal basis for the moment) are quite interesting. The details are what it is all about.
- Introduction (Vincent Naessens, KaHo Sint-Lieven)
- Adder(s) in the e-ID grass (Willem Debeuckelaere, Chairman of the Privacy Commission)
- The Hitchhiker's Guide to the e-ID (Peter Strickx, Chief Technology Officer, Fedict)
- e-ID access control for restricting access to company car parks and container parks (David Maelfait, Alphatronics)
- e-ID card readers and e-ID software support (Johan De Vriendt, Arena Solutions)
- Applications with e-ID signatures (Frank Delanghe, DSoft)
- An e-ID based ticketing system (Jorn Lapon, KaHo Sint-Lieven)
- eHealth applications and the use of the Belgian electronic identity card (Frank Robben, Administrator-General, eHealth platform)
A Dutch Cabinet minister has stopped the development of the eHealth card after security researchers successfully recovered the secret encryption key on that card, using an attack that is already old and that analyses the electromagnetic fields of the chip on the card. It was also possible because the chip didn't use the best security, so that it could handle transactions faster. This was done at a university (where are our universities doing such important work?) and you also need the pincode to be able to do something with it (but hey, we have keyloggers for that, and most people keep all those pincodes together or use the same one). So theoretically it is only useful in a very targeted attack or after a lucky theft (in which you have both the card and the pincode).
The chip is not only used for the ehealth card but also in other smartcards. The chips have to be replaced. Meanwhile the development of the ehealth card has been stopped, but some think this is really because there are numerous other technical difficulties and because opposition against the card is bigger than expected and still growing. The main objection is that information about patients can be found on laptops and computers of all kinds of medical staff and institutions, while the security of those installations can differ enormously.
Security has to follow the data. If you claim that some data is more important than other data, it must have more security than that other data at all times, wherever it is to be found. Even though Holland has a very strict law (Dutch) that for some kinds of data even imposes penetration testing, it is not certain that it would be implemented across the board at all times. The minister has announced that the ehealth infrastructure and card will be tested by penetration testers and hackers. That is in Holland, of course. Maybe they should test their incident response at the same time.
In Belgium we also have ehealth, but we have neither the technical norms, laws and controls of the USA nor the critical penetration testing, research and oversight by professionals and researchers of Holland. There are some promises, but these are words in the wind. On paper the ehealth business controls its own business. If you did that in any other business, they would have a word for it. Especially in times like these, when everybody wants to implement more controls. I hope we don't need 10 years, and something going awfully wrong, to realise that we ought to implement much more controls, oversight and laws about the security and privacy of ehealth.
the Dutch articles (about which the Belgian press wrote NOTHING)
On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand:
- "I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
The site, https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx appears to have been entirely disabled and is presently unavailable.
The linked file provides the full ransom message.
The PMP is used by pharmacists and others to discover prescription drug abuse.
The PMP declined to comment, although when contacted, appeared to be aware of the issue, instantly referring inquiries to the director of the DHP, who is presently unavailable." (source: Wikileaks.org)
yeah safe, sure and not sick..... all that ehealth bizz and buzz - just trust us, we know what we are doing....
In June the parliament discussed and finally approved the e-health proposal on the basis of faith in the people responsible for the project. As we don't have faith but just want to see the facts, we studied it and paid some attention to the subject. I am sure that we will pay more attention to it in 2009, as this is a very important subject.
from the boss himself, Mr Robben :)
Information session of the National Institute for Sickness and Incapacity Insurance - Brussels - January 15, 2009
European Commission - i2010 subgroup on eHealth - Brussels - January 15, 2009
Ceremony 5th Covidien Awards for excellence in hospital management - Vilvoorde - December 11, 2008
Conference of the Centre for Scientific Development of Pharmacists on "What can we expect from pharmacists in a patient-centric healthcare IT environment ?" - Brussels - November 27, 2008
General Assembly UNAMEC - Brussels - November 26, 2008
eHealth Congres of TMAB and Agoria ICT - Brussels - November 18, 2008
Some people here and in the US are dreaming of doing everything electronically in the health infrastructure, forgetting that we are talking about medical information that would be interesting for economic espionage, blackmail, intelligent scams and phishing.
Now they are saying on the news that several hospitals have great problems with that new (already two weeks old) virus that is spreading. They say that everything is working, but that it takes more time to download medical information and so on.
let us make a few things clear
* this is not a supervirus. This virus only works if you haven't updated your computer since October with an easily downloadable patch from Microsoft. Surely in a network like a hospital you should have organised your patching and updating centrally and should control it so that it is done effectively. And there is nothing NEW here.
* it means that the security of the computers in hospitals is too lax to be confident that, in their present situation, they should be handling information as important as our medical information in what ought to be a confidential and highly secure computer network
* the great law of silence and "just trust us" has proven its weakness, especially since the new Belgian ehealth law needed more security, auditing and norms before going ahead with all their great plans. The system as a whole is only as secure as its weakest part. This means that maybe the computer use, culture and infrastructure in hospitals have to change, and that hospitals have to understand that their computers are as important for saving lives as their operating rooms.
I am sure some people can tell stories about security in hospitals or on the computers of doctors that would be quite interesting..... but that is the real reality that is responsible for this situation. You only need one PC to get the rest into trouble.
A general presentation of the global certificate structure of the EID and how it is going to be used in the ehealth project.
- TAS3 focuses on federated identity management
- TAS3 consolidates scattered research in Security, Trust, Privacy, Digital identities, Authorization, Authentication…
- TAS3 integrates adaptive business-driven end2end Trust Services based on personal information: Semantic integration of Security, Trust, Privacy components
- TAS3 provides a dynamic view on application-level end2end exchange of personal data
Given the unique position of Frank Robben, these presentations have more than informative value.
eBelgium Congres - Leuven - 14 September 2008
Debate organised by the Belgian Association for Medical Ethics on the ethical aspects of the eHealth-platform - Ostend - 4 September 2008
Workshop of the Ministry of the Interior and the Ministry of Foreign Affairs - Brussels - 3 September 2008
Google Tech Talks July 25, 2008 ABSTRACT Faculty Summit 2008 - Day 2 Google Health - Jerry Lin Google Health launched May 19, and has encountered a number of challenges in terms
Frank Robben said in an interview with a Belgian ICT journal (one that has been under a lot of pressure to correct its too critical viewpoint) that he learned how to network and that everything depended on how to network and work with people. He also had every opportunity in the interview to showcase his own intentions and motivations and all the self-promotion one can think of.
But he said one thing in that interview that bothered me most, and it should bother everyone who is occupied with internet security in Belgium, because it is the perfect example of how we are completely messing up the ICT business in Belgium.
He says that if there is later a problem with the security of ehealth, he will have to report it and will be held accountable for it.
No. Someone else, who has absolutely nothing to do with you, will have to report it to the public institutions responsible for public control of ehealth, among other things. And you will have nothing to do with it. You will be held accountable for it, but with the analysis, research and report you should have absolutely nothing to do; you shouldn't even know who is doing the analysis, nor when this analysis is taking place.
If you want the public to have confidence in it, you should give the public its own auditors that have absolutely nothing to do with anyone that is in any way linked to the project they have to research.
Assistant Director of Information Security and Networking, Bucknell University
Dr. Shana Dardan
Assistant Professor of Information Systems, Susquehanna University
In less than an hour, during a scheduled pentest, our team was able to retrieve 3.2 million patient insurance records from a HIPAA-compliant medical facility. Using these records, we could have generated counterfeit insurance and prescription cards which would pass muster at any doctor’s office or pharmacy counter. If you are one of the 47 million Americans with no health insurance or happen to have a medical condition you wished to hide from employers or insurers, would you consider purchasing falsified medical documents? Thousands of Americans have already said yes, without thinking twice about the victim of their victimless crime.
What happens to you if your medical identity is stolen? You may find yourself liable for thousands of dollars of co-pays, deductibles, and denied claims. Is this because you forgot to shred an important document? Did you fall for a phishing scheme online? Of course not — it was entirely outside of your control, and it happened because the current HIPAA regulations are insufficient to protect your medical identity.
Here is the LWAPP decoder script that we demonstrated during our talk:
Usage: lwappdecoder.pl lwapp_input.pcap
This script takes as input a .pcap file containing traffic collected between a Cisco LWAPP AP and its Wireless LAN Controller (WLC). The LWAPP headers are removed from any data packets detected, and the resulting wireless client data is written to an output pcap file.
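The lwappdecoder.pl script itself is not on this page, so what follows is an added Python example (not the talk's code) of the same header-stripping step, useful when inspecting an AP-to-WLC capture to see which client frames travel unprotected between the two. It assumes the six-byte LWAPP transport header layout of RFC 5412 section 3.1 (flag bits, Frag ID, Length, Status/WLANs), works on constructed UDP payloads instead of walking the outer Ethernet/IP/UDP layers of a real pcap, and goes a little beyond the script description by counting control messages, fragments and malformed packets separately so you can see how much of a capture was not decodable.

```python
"""Strip LWAPP transport headers (RFC 5412) from AP<->WLC data packets.

Added example, not the lwappdecoder.pl script from the talk. Header layout
is taken from RFC 5412 section 3.1; all packet bytes below are constructed.
"""
import struct

LWAPP_HDR_LEN = 6
DLT_IEEE802_11 = 105  # pcap link type for raw 802.11 frames


def parse_lwapp(udp_payload: bytes) -> dict:
    """Decode one LWAPP transport header and return its fields plus payload.

    byte 0    : VER(2 bits) RID(3) C(1) F(1) L(1)
    byte 1    : Frag ID
    bytes 2-3 : Length of the payload following the header
    bytes 4-5 : Status/WLANs
    Raises ValueError when the header is truncated or the Length field
    claims more bytes than were captured (a common failure in sliced captures).
    """
    if len(udp_payload) < LWAPP_HDR_LEN:
        raise ValueError("truncated LWAPP header")
    flags, frag_id, length, status = struct.unpack("!BBHH", udp_payload[:LWAPP_HDR_LEN])
    payload = udp_payload[LWAPP_HDR_LEN:]
    if length > len(payload):
        raise ValueError(f"LWAPP Length {length} exceeds captured payload {len(payload)}")
    return {
        "ver": flags >> 6,
        "rid": (flags >> 3) & 0x07,
        "control": bool(flags & 0x04),        # C bit: control message, not client data
        "fragment": bool(flags & 0x02),       # F bit: payload is a fragment
        "last_fragment": bool(flags & 0x01),  # L bit
        "frag_id": frag_id,
        "length": length,
        "status": status,
        "payload": payload[:length],
    }


def strip_lwapp(udp_payloads):
    """Return the encapsulated 802.11 frames of unfragmented LWAPP data packets.

    Control messages, fragments and malformed packets are skipped and counted.
    """
    frames = []
    skipped = {"control": 0, "fragment": 0, "malformed": 0}
    for p in udp_payloads:
        try:
            hdr = parse_lwapp(p)
        except ValueError:
            skipped["malformed"] += 1
            continue
        if hdr["control"]:
            skipped["control"] += 1
        elif hdr["fragment"]:
            skipped["fragment"] += 1
        else:
            frames.append(hdr["payload"])
    return frames, skipped


def write_pcap(path, frames, linktype=DLT_IEEE802_11):
    """Write frames as a classic little-endian pcap file (v2.4, no real timestamps)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, frame in enumerate(frames):
            # ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", i, 0, len(frame), len(frame)))
            f.write(frame)


def build_lwapp(payload, control=False, fragment=False):
    """Construct a test LWAPP packet around payload (sample data, not captured)."""
    flags = (int(control) << 2) | (int(fragment) << 1)
    return struct.pack("!BBHH", flags, 0, len(payload), 0) + payload


# Constructed 802.11 data frame: frame control = data, duration 0, three
# locally administered test MACs, sequence control, then a short body.
SAMPLE_80211 = bytes.fromhex(
    "0800" "0000" "020000000001" "020000000002" "020000000003" "1000"
) + b"client-data"

# Constructed "capture": one decodable data packet plus the cases to skip.
SAMPLE_CAPTURE = [
    build_lwapp(SAMPLE_80211),                 # data -> decoded
    build_lwapp(b"\x00" * 8, control=True),    # control message -> skipped
    build_lwapp(SAMPLE_80211, fragment=True),  # fragment -> skipped
    b"\x00\x00\x00\xff",                       # shorter than the header
    b"\x00\x00\x00\x40\x00\x00abc",            # Length 64, only 3 bytes present
]


def decode_sample():
    """Run the decoder over the constructed capture."""
    return strip_lwapp(SAMPLE_CAPTURE)


if __name__ == "__main__":
    frames, skipped = decode_sample()
    write_pcap("lwapp_decoded.pcap", frames)
    print(f"wrote {len(frames)} frame(s), skipped {skipped}")
```

On a real capture you would feed `strip_lwapp` the UDP payloads of the AP-to-WLC data port and open the written file in Wireshark with link type 105; frames that decode cleanly there are exactly the client data that anyone with a tap on that link could read.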
Comment: In Belgium we don't have such a law; we don't have responsibilities defined, compulsory audits and things like that. We have something called e-health, but nobody has a clue who is checking and auditing that thing. The Privacy Commission? That would be odd, because the big chief of ehealth is a member of that commission that is supposed to audit, control and regulate his 'big vision'.
PS I know some doctors and I had to help them because the VPN server in their hospital was hacked and was infecting the doctors' computers with trojans and backdoors, and from what I hear off the record this isn't the only hospital having huge problems (like doctors walking around with unsecured laptops and unsecured wireless while connected to the network).
We are in possession of a publicly published PPT presentation (from 2005), which can be found on the ehealth portal of the Belgian Government, that shows real client data in an example of how a hospital network would work and how data would be exchanged.
It is typical that in the document there is no mention at all of the need for security or authentication, nor any mention worth the paper it is written on of all the problems and attacks such a network could face.
Without any such awareness it is totally normal that anyone could edit the PPT file in any PPT writer and make the data clear for anyone to see: medical data of REAL persons (well, just hospital visits and birth dates and so on, but you see what I mean).
We won't publish it, but we said that the ehealth proposal of the self-assigned Mister Ehealth that has been voted into law was dangerous and didn't have any controls or security audits worth that name built into it. Nor any oversight. With such a lack of privacy and security awareness in the ehealth sector there is a lot to be done, and nobody, nothing and no means will be in place to do it.
There is not even any mention of standards, procedures and norms in the proposals.
why do I think this is only the beginning ?
The EHIC covers all health care which is needed during a temporary stay in one of the 31 participating countries other than the country of residence, be it for travel, for work or for studies. The card entitles you, in case of illness or accident, to the same medical treatment and on the same basis as local patients, as if you were insured in the state of stay.
As each Member State has its own rules for public medical provision, the EHIC covers free medical treatment in some Member States, whilst in other Member States it covers reduced cost medical treatment. Some Member States may provide care free at the point of use (such as Spain or the United Kingdom), while others may require payment, to be claimed back later (such as Belgium or France).
The EHIC can only be used in the framework of public health care provision. Private health care providers (hospitals, doctors, pharmacists, dentists, etc.) can therefore refuse the EHIC.
In which countries can I use the EHIC?
The EHIC is valid in 31 European countries. These include the 27 European Union countries (Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom) as well as Switzerland, Norway, Iceland and Liechtenstein.
Where can I obtain the EHIC?
Each Member State is responsible for the distribution of the EHIC on its territory. Therefore each Member State has its own distribution procedures. In some cases the card can be ordered online. People should contact their local sickness insurance institution or equivalent for further information.
EHIC in circulation 31/12/2007
% population holding an EHIC
1 907 993
8 400 000
45 000 000
(source) A bit stupid that our SIS card (health card) isn't European at the same time; this would have made a lot of bureaucracy and paperwork unnecessary, which is what e-health at its best is all about.
And the soldiers in this battle in the US since 2006 (a battle the EU is also dreaming of, just like our ehealth gurus) are also the World Privacy Forum, and not without success.
their most important documents are
and also about
the personal health systems (Google, Microsoft): Personal Health Records: Why Many PHRs Threaten Privacy (PDF, 16 pages)
This is made clear by their recommendations, which show directly that the ordinary citizen will not have the knowledge, time or resources to fully understand the consequences of agreeing to create a personal health file.
more info on their special page
After the disclosure of information breaches, maybe medical errors next: "LOS ANGELES—California hospitals reported that during a 10-month period ending in May, doctors performed the wrong surgical procedure, operated on the wrong body part or on the wrong patient 41 times, records show.
During the same period, hospitals reported that foreign objects were left in surgical patients 145 times.
These types of errors, officially called "adverse events," are among the 1,002 cases of serious medical harm to patients disclosed by hospitals statewide, according to figures compiled by the California Department of Public Health. Under a new state law, hospitals must report to health officials all substantial injuries to their patients.
There are 28 types of dangerous mistakes that must be reported to state regulators, including medication errors and suicide attempts.
Beth Capell, a lobbyist for consumer advocacy group Health Access California, called the number of instances of these preventable events "a wake-up call to everyone about the safety of California hospitals."
But Dr. Angela Scioscia, senior medical director of the UC San Diego Medical Center, said hospitals "are becoming safer and safer all the time."
The public reporting requirement, Scioscia said, "is a great opportunity to make rapid improvements" because facilities can learn from one another's mistakes.
The health department has levied $25,000 fines against 10 hospitals that reported adverse events so far." (source)
They want to put ehealth in motion in Belgium, but they have no idea (or don't want to say) how they will put the standards and norms in order and which ones they are going to use. They will do that later, and maybe in two years' time we will have something, but before that we have to pay consultants thousands of euros to find out how warm water becomes warm.
Google and Microsoft, which will be the direct competitors of ehealth (and which are both setting up their ehealth tents in Mons, not far from Brussels), have already agreed upon a framework and standards. The European Commission is also throwing a lot of money at this new idea.
Well, read this and take what is applicable in Belgium, and you already have some idea to start with. Which is a lot better than having non-public documents and thoughts that aren't spoken out loud.
There is one advantage to this framework. It can become international and be used for every patient, regardless of whether his medical information (or part of it) is in the hands of private or public players.