FOIA for updated HIPAA enforcement data

As many of you already know, HHS has released an RFI on how HIPAA should be modified to support digital health information exchange, as well as other important and needed updates.

However, those of us who are working on a response are crippled by the lack of current HIPAA enforcement data from OCR. As far as I can tell, most data outputs end with 2016.

We really need to see data summarizing enforcement patterns for 2017 and 2018. This data will show us two important things:

  • How is OCR choosing to devote its current resources?
  • What real-world problems is OCR detecting in the healthcare industry?

For most of the items under consideration in the current HIPAA RFI, commenters need to have both of these questions answered.

With that in mind, you can read the FOIA request for updated HIPAA enforcement data that we sent yesterday.

FOIA for updated HIPAA enforcement data

We feel very strongly that this data should be available before the RFI deadline. We are asking for the RFI deadline to be extended if OCR is not able to release the data in a timely manner.

Reviewing HIPAA enforcement data

As many of the twitterati already know, there is an RFI from HHS for significant revisions to HIPAA, which is due February 12, 2019.

On many of the issues that are covered under the current RFI, I feel very strongly that the answer is “You must have more substantial enforcement” from the Office for Civil Rights (OCR). OCR is the office at HHS that is responsible for enforcement, and I have a tremendous appreciation for the work that they do, but they are getting more and more complaints each year and they are (IMHO) under-funded and under-staffed. I also think they are too focused on education and not enough on hard-core enforcement. But I also acknowledge that, given the funding levels, a focus on education was probably more effective than a focus on strict enforcement. I would have made the same decision if I had been in their shoes.

So is enforcement going well or going badly? Well, it’s hard to tell, since much of the critical HHS OCR enforcement data is out of date, and much of the released data does not reveal critical data points (again, all IMHO). What does the enforcement data look like… and what should it look like?

We will be discussing what should come next for the patient community, but before we get too far along, I wanted to share with the rest of the patient community a tour of the enforcement data.

To start, I would familiarize yourself with the kind of enforcement that OCR is doing. There are a few resources that I think are really informative for this:

  • The All Case Examples page gives summaries of what healthcare providers, payers, etc. did wrong and what changes they made that ultimately satisfied OCR. This is a good example of what it is like to get a “slap on the wrist” from OCR.
  • More serious issues result in Resolution Agreements, which list the cases where OCR felt a fine was necessary. As you might expect, the actions taken by the organizations here are much more clearly in the wrong.
  • Last, I would look at the top five issues in investigated cases report. This is a good source for understanding what types of issues OCR is commonly enforcing.

In this last one we see our first “trend to note”:

For the first time, in 2016, the top enforcement issue was not “impermissible uses and disclosures” (i.e. a covered entity released data that it should not have) but rather “Access,” which means a patient’s right to access their own data.

We also find our first significant problem with the data. The last year this data was updated was 2016. We really need to understand whether this trend continued in 2017 and 2018.

I would prefer it if we had numbers associated with this too. It makes a big difference whether “Access” was the top issue at 90% of the cases they got, or the top issue at only 30%.

According to the HITECH Act, which was passed as part of the Obama healthcare reform and which amended HIPAA, HHS owes Congress annual reports on HIPAA compliance efforts. This requirement can be read by following the link above and searching for “SEC. 13424.”

I am confused by this, because from what I can tell, HHS has been submitting this report once every two years, and has not submitted anything since 2014. At least that is what this page says. Granted, most of the items that are required to be reported to Congress are available in the enforcement data section of the website. But why did they stop reporting to Congress? FWIW, there is also a requirement to report breach notification data to Congress, and it seems like HHS is handling it the same way: once every two years, stopped in 2014. It’s all very confusing.

Next, I think it is helpful to look at how OCR processes HIPAA complaints. For those of you who just love to dig into huge documents with very low payoff, you can also read the current and historical versions of the enforcement rule.

Much of what follows was influenced by this thread from Erin Gilmer on twitter (GilmerHealthLaw). Essentially it is a quick summary of the overall enforcement highlights page from HHS OCR.

Since 2003, there have been 183,568 HIPAA complaints. This big number breaks out as follows:

  • 26,296 were investigated and resolved (58 of these resulted in fines, which totaled about $80 million).
  • In 11,573 cases, OCR determined that no violation had occurred.
  • 30,323 times, OCR reached a resolution without investigation.
  • 115,376 times, OCR determined that a complaint was not eligible for enforcement.
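For anyone who wants to sanity-check the proportions, here is a quick sketch. The totals are the ones quoted above; the category labels are my own shorthand, not OCR’s wording.

```python
# Quick sketch: what share of all HIPAA complaints each outcome represents.
# Totals are copied from the OCR enforcement highlights figures quoted above.
outcomes = {
    "investigated and resolved": 26_296,
    "no violation found": 11_573,
    "resolved without investigation": 30_323,
    "not eligible for enforcement": 115_376,
}

total = sum(outcomes.values())
print(f"total complaints: {total:,}")  # matches the 183,568 figure

for name, count in outcomes.items():
    print(f"{name}: {count:,} ({count / total:.1%})")
```

Notably, the four categories do sum exactly to 183,568, and nearly two-thirds of all complaints fall into the “not eligible” bucket.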

Apparently, the reasons for determining that a complaint was not eligible were:

  • OCR lacks jurisdiction (i.e. not a HIPAA covered entity)
  • Complaint is untimely
  • Complaint is withdrawn
  • Activity is not a violation of HIPAA

I really wish I had numbers on each of the above. I want to know, for instance, how often patient complaints are ignored because they are made too late!

Next we have the list of problems that OCR is encountering in the complaints, listed from most to least frequent:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information;
  • Use or disclosure of more than the minimum necessary protected health information.

This list is particularly important, because if we look back at the top five issues in investigated cases report, we see that “Access” is the number one issue in 2016. Why is it not at the top of this list? Strange. We really need to know how many of each type of event is occurring, trended per year.

Next, we get a list of the type of organization that is typically complained about, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Outpatient Facilities;
  • Pharmacies; and
  • Health Plans (group health plans and health insurance issuers).

I wish we had numbers on these. Again, it makes so much difference whether “General Hospitals” is #1 at 90% or at 20%.

Strangely, there are actually two charts on how many complaints OCR receives: one that covers 2003 (partial) to 2015 and another that covers 2013 to 2016. Obviously, this needs to be brought current through 2018. But it would also be awesome if the data did not conflict. Specifically:

Year                  2013–2016 data page   2003–2015 data page
2016                  21,381                missing
2015                  17,622                17,643
2014                  17,819                18,015
2013                  12,652                12,825
2012                  missing               10,379
2011                  missing               8,987
2010                  missing               8,752
2009                  missing               7,586
2008                  missing               8,729
2007                  missing               8,221
2006                  missing               7,362
2005                  missing               6,866
2004                  missing               6,534
2003 (partial year)   missing               3,742

I think it’s a little weird that the numbers between the two pages do not add up. But maybe it’s just me. The numbers do not seem to differ too much, and I am much more interested in having current numbers than in dithering about a few hundred complaints a year.
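If OCR ever publishes this as raw data, checking the two pages against each other becomes trivial. Here is a sketch using the overlapping years transcribed from the table above (the variable names are just labels for the two HHS pages):

```python
# Compare the overlapping years reported on OCR's two complaint-volume pages.
# Figures are transcribed from the two HHS pages discussed above.
page_2013_2016 = {2013: 12_652, 2014: 17_819, 2015: 17_622, 2016: 21_381}
page_2003_2015 = {2013: 12_825, 2014: 18_015, 2015: 17_643}

# Only compare years that appear on both pages.
for year in sorted(page_2013_2016.keys() & page_2003_2015.keys()):
    a, b = page_2013_2016[year], page_2003_2015[year]
    print(f"{year}: {a:,} vs {b:,} (difference {b - a:+,})")
```

The older page runs consistently a little higher: +173 complaints for 2013, +196 for 2014, and +21 for 2015.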

Next, I would head over to the Enforcement Results by Year page. This is perhaps the best page for really understanding what OCR is doing. It breaks the enforcement up into 5 charts. This whole page really should be just one big CSV file. I will probably make one and add it to this article later, perhaps even a trend chart to see how enforcement is changing over time.
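As a sketch of what that CSV might look like: the column names and the two sample rows below are my own invention (populated with the complaint figures from the table above), not OCR’s format.

```python
# Sketch: flatten per-year enforcement figures into one CSV for trending.
# Column names and sample rows are my own invention, not OCR's layout.
import csv
import io

rows = [
    # 2015/2016 complaint counts taken from the table above
    {"year": 2015, "complaints_received": 17_622},
    {"year": 2016, "complaints_received": 21_381},
]

buf = io.StringIO()
writer = csv.DictWriter(buf, fieldnames=["year", "complaints_received"])
writer.writeheader()
writer.writerows(rows)
print(buf.getvalue())
```

Once all five charts are flattened into rows like these, a trend chart is a one-liner in any spreadsheet or plotting tool.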

State Attorneys General have been allowed to enforce HIPAA since HITECH, and they are required to send notice to HHS when they do so. We need data to know how often this is happening and whether it is effective.

What are the big takeaways? I think these count:

  • We now know that HIPAA complaints are increasing steadily each year.
  • It seems, generally, like OCR is “resolving” more but investigating less, in the relative sense.
  • A very, very small number of infractions result in financial penalties, but there are many cases where corrective action of some kind occurs.

It seems like the picture here is that OCR is the proverbial one-legged man in an ass kicking contest. They are, in fact, becoming more efficient over time, but it is because they are focusing on getting more people to do the right thing, and they are really not going after many of the very bad actors.



Hospitals frequently do not follow HIPAA access to records requirements.

According to researchers from Yale, as well as prominent ePatient activists Hugo Campos, Marilyn Mann and ePatient Dave:

Hospitals frequently do not follow HIPAA access to records requirements.

The patient community has known this for years; it is nice to see the evidence catching up.

This is quite a criticism of the HHS Office for Civil Rights, which enforces the rule. Having said that, it is another open secret that the office is under-funded and under-resourced for these enforcement activities.

State Attorneys General also have the right to pursue this. I hope they do.


Managing passwords for patient activists

Recently, I have been getting lots of requests from the patient community about how to manage passwords. Correct password management is not that hard once you learn the rules, but it can be difficult to remember all of the things. So this is going to be a 10,000-foot summary, with some links for those who want to go deeper.

First, there are two different types of people who might find this useful.

  • Patients or others who are concerned that their healthcare information might be used against them.
  • Patient activists and community leaders who are responsible for managing web resources for other patients.

If you manage data for other patients on the Internet, then you need to have much better password management than if you are just concerned about your own/your family’s data. If you manage an online patient community, then you might be the target of a focused attack from a very sophisticated online opponent.

But let’s start with the easy case first. If you are just concerned about your own healthcare data online, then I recommend you simply follow the advice offered by the EFF on strong passwords. What follows summarizes that article, which you should read in full.

All of this is echoed in the EFF article. Generally, you can trust resources from the EFF, and unlike this article, they are much more likely to keep that page updated with the “right answer” long after I stop maintaining this blog post. So if my advice ever differs from the EFF advice, choose the EFF advice.

However, if you are responsible for the security of other people online, then I recommend further steps.

Further steps for patient community managers

The simple reality is that having a third party manage your passwords for you puts a big target on those third parties. Imagine if LastPass or the Google password service ever got hacked. The problem with those resources is that they create a single point of failure. They are also likely to be far better managed than anything you can easily replicate. But if you are responsible for more than 100 other people’s health information on the Internet, you may want to go further and ensure that your password information is not stored in any central password management system.

You do not need to store all of your passwords this way, only those that are protecting the privacy of lots of other people. Remember, if you can “reset” your patient community password with your email, then your email password is also on the list of critical passwords that you must take extra steps with.

To do this, I recommend that you use pwsafe. This is a downloadable password manager. It allows you to create an encrypted local repository for your passwords. Then you need to keep a copy of your local password store (called a .psafe3 file) on an offline USB backup drive, as well as in an online backup service like Dropbox.

pwsafe can also help you generate secure passwords.
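If you are curious what a generator like that does under the hood, here is a rough sketch in Python. The length and character set here are my own choices for illustration, not pwsafe’s defaults; the key idea is using a cryptographically secure random source (`secrets`) rather than ordinary `random`.

```python
# Sketch: generate a random password the way a password manager's
# generator roughly does. Length and character set are my own choices.
import secrets
import string

alphabet = string.ascii_letters + string.digits + "!@#$%^&*()"
password = "".join(secrets.choice(alphabet) for _ in range(24))
print(password)
```

A 24-character password drawn from ~72 symbols has far more entropy than anything you could memorize, which is exactly why it belongs in the password safe rather than in your head.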

You should not use any browser extension to automatically fill in critical passwords for you. Instead, copy them from pwsafe and paste them into the password field for the resources that you need to log in to.

Further, you need to change your passwords occasionally. I recommend that you do this at least once a year; twice is better.

Am I doing this password thing right?

Here are some hints. No matter which version of the advice you wish to follow, the process for working with your passwords needs to be something like:

  • You decide you want to log in to a website or other resource.
  • You log in to your password manager using a pass phrase, something like “Fred Meows At The Puppy”.
  • Then your password manager gives you (or automatically fills in) the real password to the site, which will look like A^4Fa@ath*^23Asg%9Sd*f(ba

If that is your basic workflow, you are probably doing it right.
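If you want help inventing a master pass phrase in the “Fred Meows At The Puppy” style, the same idea can be sketched in a few lines. The tiny word list below is just a stand-in for illustration; a real diceware-style list has thousands of words, and the word count is my own choice.

```python
# Sketch: build a memorable master pass phrase from randomly chosen words.
# The tiny word list is a stand-in; use a real diceware list in practice.
import secrets

words = ["fred", "meows", "puppy", "teacup", "granite", "violet",
         "harbor", "pickle", "sunset", "walrus", "maple", "comet"]

# Pick five words at random and capitalize them for readability.
phrase = " ".join(secrets.choice(words) for _ in range(5)).title()
print(phrase)
```

The strength comes from the size of the word list and the number of words, not from clever spelling, so a bigger list and more words always beat substituting digits for letters.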

Anything else to remember?

Yes: never click a link you get in an email to go to an important web resource.

If you get an email saying “Your account has been compromised, click here to login and change your password” or even “Someone sent you flowers, click here to login”…

Never click the link in the email. Maybe it’s a legit email from the site, maybe it’s not. If I had several hours to spend with each one of you, I could explain how DNS, spoofing, and SMTP work, so that you too might be able to figure out if those links are legit.


Just do not click the links in emails that you did not solicit. Just go to a browser, type the site’s address into the URL bar, and hit <enter>. Maybe your account really was compromised, maybe you really did get some flowers. There is no reason to ever use a link you got in your email to find out!

Now, if you ASKED the site to email you (say, to reset your password), then it is OK to click the link that they sent you. But if you did not initiate the site sending you an email, then do not click the links. This is a bother, I know, but it will make you much safer browsing online.




Troll vs Russian Hypothesis for the Facebook MeToo Group Hack

Recently, a central Me Too Facebook Group was deleted by Facebook after it had been overrun with fake accounts intent on harassing its users. This was covered in a recent Wired article, but so far it has not received much media attention beyond the blurb summaries that complex articles like this sometimes receive in the video media stream.

This article, which is necessarily conjecture, will start off from where that article ends, so it will not make any sense at all unless you have read it.

Beyond what that article says, here are some trivially true issues regarding the hack that are troubling.

First, allowing all of those harassing profiles into the group at that scale is something that only a group administrator can do. The story that has been heard is that “suddenly” there was a new group administrator and then “suddenly” the harassing profiles came into play. But there are only a few ways that a new administrator could have appeared.

  • One of the original administrator accounts could have been a fake account, and the whole thing could have been a honey pot.
  • Alternatively, one of the original, legitimate administrators could have been targeted for hacking, and then, once the account had been hacked, the reins of the group handed over to the new malicious admin.

Either way, what happened next was obviously intended to destroy the group’s internal cohesion and trust. Not literally the Facebook group’s trust, but the actual MeToo movement’s trust. Once a Facebook group’s size reaches some critical mass (I know of no reliable way of measuring when this has happened, but for very large Facebook Groups, it is obvious that it has), the group’s influence on the larger community that it is seeking to connect becomes “girder like,” and actually hinders the creation of other forms of group organizing. People start saying things like “we do not need to do an in-person conference, just post this question to the Facebook group,” etc. The administrators and moderators of the group frequently become more influential in the community than the leaders of the non-profits that work in the space. This effect is very common in the patient communities that I pay attention to on Facebook.

My hypothesis (not in any way original, just the opinion of others that I find convincing) is that this happened in a meticulously timed manner to destabilize the next election. I do not know if this was done by Russians, or merely by American right-wing trolls. From now on I will call the attackers “Trolls,” but there is good reason to assume that the attackers were Russian, based on the previous behavior of the Russian cyber attacks, and law enforcement’s assurances that the Russian attacks are again active. The last reason to suspect that it was Russians, rather than less-organized Internet Trolls, is the timing, which I will get into in a moment.

For attacks like this, one must assume that the impact was the intention. The attack was successful, and the attackers were in a position to do anything they wanted. They had other options. They could have taken a “low and slow” approach and simply slurped up the community’s data for the next decade. This is a common strategy for “Advanced Persistent Threat” attackers. But the attackers did not choose to do that. Instead, they took actions that would ensure that the group was destroyed, either by an exodus of its members, or (which is what actually happened) by Facebook pulling the plug. So why did they “blow things up” in this way?

I suspect that this happened in order to damage the MeToo community’s ability to organize politically. Plans for political activism are coming together right now. This is when organizations are planning their marches and their community meetings and their get-out-the-vote strategies for the November 2018 elections. These are the elections that are expected to be subject to “the Blue Wave” of frustration with President Trump. The Me Too movement would presumably be at the center of such a movement, and now that community has been attacked in a way that will make it more difficult to organize effectively.

The underlying goal of the Russian hacking, as distinct from hackers that are US citizens in the Far-Right, is not primarily to have one candidate or party win over another, but to keep the population divided and polarized. The idea is just to sow chaos, while a hacker with a motivation just to win, might take very different strategies.

Doing this now means that they have destabilized the group in a way that will ensure that its ability to organize in the next election is damaged. This could happen in one of two ways.

  • A. They will not be able to organize effectively at all, and the impact of the community will be substantially less; or
  • B. They will reorganize with profound trust issues and seething anger at having been attacked, ensuring further polarization in the political process.

Both of these outcomes would be excellent for Russian attackers, who are not so much interested in having Trump allies “win” as in having mounting tensions accelerate.

Much of what I am doing is a somewhat sloppy attempt to apply ideas about modeling the motivations of attackers that I have learned from Josh Corman’s excellent work on the subject. Work that you can find through I Am The Cavalry or Cognitive Dissidents.

But the secondary problem here is Facebook’s reaction to this. I cannot find any information from Facebook on who the attackers might have been, or how the accounts in question came to control the Group. So people like me are forced to use guesswork to figure out what happened and what it means. Was this an attack originating in Russia? Facebook actually has evidence that would help address that issue. And that is an important question for the Me Too community to ask as it decides what to do next.

My frustration with this set of circumstances is that it continues to add evidence that Facebook wants to be perceived as a “safe place” while not taking the steps needed to ensure that the actual space is protected. The attack on the MeToo group had specific elements that Andrea and I had proposed to be corrected with regard to the Facebook Groups security design. It is super frustrating to see people being hurt, even as the warnings that we gave continue to be ignored.




Emergency AHRQ Backup

Recently, due to budget cuts, several AHRQ web resources have been scheduled for shutdown. This blog post documents our efforts to mirror those resources and our reasons for doing so. We have published the raw files that we mirrored online.


  • Multiple different efforts to back up the websites have been successful. Take a look at this tweet for others besides the one featured here. Several different approaches were taken, which should hopefully ensure that we can resurrect most of the sites on shutdown day. We will see, and I need to sleep.
  • Twitter user @randyprine got a quick reply from the AHRQ folks, which he posted. It indicated that the folks at AHRQ are trapped by lack of funds.
  • We are coordinating further progress on the twitter hashtag #SaveTheGuidelines
  • If you do not ALREADY HAVE a mirror bot running, please do not start now. We have multiple people using multiple approaches to mirror the site, and it is obvious that we are causing something of an organic DDoS.
  • If you want to help, take a look at the repository, which contains both the source code for cloning and the resulting mirrored HTML files. Help me figure out what I am missing. The assumption should be that if the Wayback Machine does not have it, and we do not have it by midnight, it could be lost forever.
  • Also, although the decision to take down the web resource lies with the Trump administration, the decision to substantially defund AHRQ was an Obama-era change. So I am not sure exactly who the “credit” for this should go to.

We have known for some time that AHRQ resources might be targeted for deletion. It is hard to say whether this started in the Trump administration, since apparently funding was originally cut off during the Obama administration, but Trump certainly put the nail in the coffin for this web resource. Thankfully, we had taken some steps to study the problem in advance. Sadly, that preparation did not keep us from being surprised by the press reports that several important sites would be taken down tomorrow. Thanks to the Daily Beast and the Sunlight Foundation for cluing us in. Specifically, the sites and resources that were targeted include:

  • – a website that provides meta-information for clinical guidelines, including evaluation mechanisms, comparison tools and, of course, links.
  • – the quality measures clearinghouse, searchable from this main page. This is a webapp that provides meta-information for clinical quality measures.
  • – the clinical measures inventory. At this point I do not understand the difference between the “clearinghouse” and the “inventory,” but they have different search functions and results pages, and the number of results is not identical… so I am backing them both up distinctly.
  • – expert commentary. I think these are all backed up in the Wayback Machine, but I am making sure.

(Note: Are there other top level domain names that are threatened? Let me know)

For those who have no idea what this means, these domains provide critical information on evidence-based medicine. Frequently, clinicians who provide services can become blind to the effectiveness of their treatments. While not necessarily malicious, this has happened multiple times over the years, specifically in the controversies around the effectiveness of spinal surgery, high-dose chemotherapy, and the early aggressive treatment of prostate cancer. In all of these cases, physicians recommended expensive and traumatic treatment in the face of evidence that those treatments were ineffective or unnecessary. If this topic interests you, I recommend the book “How We Do Harm” by Otis Webb Brawley, M.D.

The movement to prioritize science over profit or instinct when determining which medical treatments are recommended is called “Evidence-Based Medicine.” AHRQ as a government agency, along with IHI, AcademyHealth, The Cochrane Collaboration, and even Wikipedia, has been a central figure in this ongoing movement to ensure that patients are treated ethically, from science-based principles.

I am not sure which lobby was tired of having AHRQ resources recommend against their clinically ineffective services or products, but we suspect that a “union” of Spinal Surgeons was involved.

It is not actually clear, however, just how important these websites are in the larger scheme of promoting evidence-based medicine. AHRQ as an organization has clearly been a great benefit. But these sites, for the most part, simply provide links to the guidelines and standards that other organizations maintain. It is not clear that they contribute substantially to the understanding that the average clinician has of evidence-based medicine, as opposed to the work of the underlying standards organizations.

There have been criticisms that the AHRQ website has been out of date, for instance, and did not actually do that great a job of ensuring that the latest and greatest information was available. Especially as we move forward, it is critically important that people check with the original source of the guideline or measure, to ensure that they are following the latest evidence. This will become a bigger and bigger problem as the “last day” snapshot that we are taking ages, and eventually we will likely take down this cache, once a suitable replacement arrives. (Thanks to Jenniffer Hinkle @Oncotastic for the insights here)

However, there must be some legitimizing effect to having this information on a “dot gov” website.

Now, we are in a desperate situation: we need to back up the sites that are being taken down. Thankfully, the Wayback Machine is very good about mirroring static websites. The concern has been that search functionality and the contents of the underlying databases would go missing. A report from the Sunlight Foundation’s Web Integrity Project says as much.

So far, we have been able to mirror the contents of the “search all” pages and the individual guidelines and measures pages. That work, both the code and the resulting archives, is available at the following URL:
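For the curious, the core step in any mirroring script like this is collecting the same-site links from each page so they can be fetched in turn. Here is a minimal sketch using only the Python standard library; the sample HTML and the `guidelines.example.gov` hostname are illustrative stand-ins, not the actual site.

```python
# Sketch: collect same-site links from a page's HTML, the core step of a
# mirroring crawl. Sample HTML and hostname are illustrative only.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if not href:
            return
        url = urljoin(self.base_url, href)
        # Only queue pages on the same host for mirroring.
        if urlparse(url).netloc == urlparse(self.base_url).netloc:
            self.links.add(url)

html = '<a href="/guideline/123">One</a> <a href="https://other.example/x">Off-site</a>'
collector = LinkCollector("https://guidelines.example.gov/")
collector.feed(html)
print(sorted(collector.links))  # ['https://guidelines.example.gov/guideline/123']
```

A real crawl wraps this in a fetch loop with a visited set and a polite delay between requests, which matters given the accidental DDoS mentioned above.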

Here are two videos (which I will likely delete from the final version of this article) to catch you up on what the cloning repo has done, and what might still need to be done.

How you can help!!

  1. Create GitHub issues for functionality, sites, or data that we are not yet mirroring.
  2. If that is too geeky for you, contact me directly to let me know if I am missing something.
  3. As you are browsing the websites, if you see “data full” pages, use the Chrome Wayback Machine extension to convince the Wayback Machine to make a quick backup of the page.




Cyber Woke for the Victims of Stalkers

People who are the victims of stalkers have a startlingly different cybersecurity risk profile.

I heard the idea articulated and clearly defended by Allison Bishop at CyberWeek. Here is her twitter, proof that she is funny and evidence that she is wicked smart.

She articulated several specific positions that are worth carefully restating.

First, she discussed passwords on Post-it notes. Now, old-school cyber-security people will say that written passwords are always a bad idea. But in reality, there is good evidence that writing passwords down, as long as you take the steps needed to secure the object they are written on, is a pretty decent idea. Motherboard has a good discussion on this, but I have also heard the point made by cyber-luminary Bruce Schneier, who has pointed out simply that we have a long history of securing access to physical things and we understand it pretty well. I think he makes this point in one of his excellent books, but it also might be on his excellent blog.

The new-school wisdom is that having a written password book, or a Post-it-note pad, is an OK idea, as long as it is at home or you have a good means of securing it.

What Allison pointed out is that, very frequently, stalking victims have a person going through their stuff when they are not at home. Frequently this is an ex-romantic partner who “still has the keys.”

The second point she made was that stalking victims are more vulnerable to being forced to unlock devices using their fingerprints and faces under duress.

For most people, having fingerprint or face-based access control allows them to set their devices to “time-out” and require login much more frequently, which on balance can serve to improve device security. Without this change to the time-out period, it should be noted that the addition of biometric login pathways (to the current pin, pattern or password methods that most cell phones support) generally serve to open another authentication pathway, which inherently makes the devices less secure overall. One has to change the timeout to get a benefit.

All of this is based on the normal calculus of threat modeling for the typical person. The typical person (certainly me) assumes that the threat that they are mitigating is having their device stolen from them and accessed by a thief that might be attempting to use saved passwords to a bank or to share personal/naughty pictures with the Internet.

In fact, if you have a stalker, the notion that your phone can be opened, without a password, by a potential attacker using your unconscious face, or a limp finger, is pretty scary.

Her third point was that these victims definitely need a “sanitized environment” that can be loaded via a false PIN on their devices. I will not describe the proposal with her elegance, but basically it means that if you normally open your phone with PIN “4321,” then entering a second PIN, say “5678,” automatically opens the phone into a sanitized environment that hides certain data and/or apps. This way, if you are forced to open your phone under duress, you can open it in a way that does not reveal your data, but satisfies the person who is threatening you with physical violence.
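To make the duress-PIN idea concrete, here is a toy sketch of the decision logic. This is not how any real phone implements it; the PINs and app names are made up for illustration, and a real implementation would store salted hashes rather than literal PINs.

```python
# Toy sketch of the "duress PIN" idea: the real PIN unlocks everything,
# a second PIN unlocks a sanitized profile with sensitive apps hidden.
# PINs and app names are made up; real systems store salted hashes.
REAL_PIN, DURESS_PIN = "4321", "5678"
ALL_APPS = {"photos", "messages", "banking", "weather", "maps"}
SENSITIVE_APPS = {"photos", "messages", "banking"}

def unlock(pin):
    if pin == REAL_PIN:
        return ALL_APPS                   # normal environment
    if pin == DURESS_PIN:
        return ALL_APPS - SENSITIVE_APPS  # sanitized environment
    return None                           # wrong PIN: stay locked

print(sorted(unlock("5678")))  # ['maps', 'weather']
```

The crucial design property is that the sanitized environment looks like a complete, ordinary phone to the attacker, rather than obviously hiding something.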

Her fourth point is that the “nanny” rootkits that are especially available in the Android ecosystem are a significant problem for stalking or abuse victims. They can easily be in a position where they lose access to their phone, without their knowledge, to a person who is violating their physical security. This temporary loss of physical control can snowball into a long-term escalated threat, as the abuse or stalking victim cannot understand how their stalker/abuser seems to “always know” where they are and what they are doing. Rootkits might also expose other online resources to break-ins, as the stalker/abuser uses the key-logging capabilities of the rogue app to gain greater access.

Taken as a whole, Bishop’s points provide a characterization of the stalking victim’s threat model. They face an ever-present, nearby, physically dominant threat that typically demonstrates no respect for either morality or the weight of the law.

I imagine that the only two frequently cited threat models that come close are nations where an omnipresent authoritarian government is willing to threaten or enact violence against any evidence of disloyal thinking (Taliban/Trump et al), and the troubling pattern of US border patrol requiring that devices be surrendered upon entering the United States.

These two threat models and corresponding use cases are certainly a concern for me, but I mostly avoid them by not traveling to autocratic countries, and by only infrequently “re-entering” the United States. I assume that most world citizens can take the same steps, and therefore these problems are limited to those trapped in autocratic countries or performing critical international journalism. Both of those are critically important, of course, but Bishop reminded me that there are people living next door to me who essentially have to navigate the same type of threats, without the benefit of the massive amount of attention that the cybersecurity community gives to the previous two use cases. At least, I have never before heard a cogent talk about the cybersecurity issues that these communities face.

It should also be noted that in the typical case, although the stalker might have the advantage of surprise, timing, and a domineering physical presence, they might not have the advantage of technical sophistication. That detail is critically important because it changes important conversations like this one: whether the Signal iPhone app should have a secondary access PIN. Signal now uses a system that creates a “secondary lock” without a “secondary PIN” on both Android and iPhone; for this use case, that is not the best design. It would be better, for instance, to give these victims the choice to insist on PIN-only access (and not biometric), even though they have both biometric and PIN-based access to their main device.

The stalker or abuser who knocks his victim unconscious (or accesses a phone while the victim is asleep) using a biometric access control method might have the sophistication to “check every app for something interesting”, and might even have the sophistication to “use” a nanny rootkit. They might even have the capacity to use passwords gained from a rootkit to abuse access to online resources. But they are still unlikely to be able to get around a simple additional PIN code on a phone. This means that certain features that are simple to implement in apps like Signal, or other privacy-enhancing applications, might be much more worthwhile than they originally appear.

The difference between the “stalker” threat and the “crooked state police” threat is that the stalker only has momentary physical superiority over the victim. There are many cyber solutions that justifiably need to be abandoned because they cannot resist sustained physical threats. But this community presents valid use cases for solutions that fail against persistent physical threats but do not fail against temporary ones.

This is critical because it is obvious that efforts to create tool-kits for this particular community are worthwhile. They have specific, reasonable requirements that are not always difficult to implement. There is low-hanging fruit here that could dramatically improve the day-to-day lives of this surprisingly large community.

It is also obvious that there is work to be done educating this community with specific advice that they might find helpful given the currently available cybersecurity tools. For instance, now that Signal piggy-backs on the authentication mechanism of the phone to provide its additional layer of locking, it is likely to be excellent advice that people threatened by stalkers avoid using biometric unlock mechanisms for their devices. They should probably also avoid Android devices until that platform makes it more difficult to install nanny rootkits. I am sure that Bishop has dozens of other specific points of advice that are relevant. For the purposes of this article, it is enough to point out that specific advice exists and would be valuable to disseminate.

It is also worth pointing out the critical connections between this issue and other classical women’s health issues. Most victims of stalking and domestic abuse are women. Frequently, stalking and reproductive health become intertwined, in all kinds of ways. Thinking about cyber from the perspective of women’s health should always include some kind of check: “are you the victim of a stalker or other forms of physical abuse?” Because the advice changes. How a person should manage passwords changes, and there are likely to be many other interactions between a woman’s cybersecurity needs and her potential status as an abuse victim.

Suffice it to say, Bishop’s talk was eye-opening and challenged multiple assumptions that I did not know I had. The best type of technical talk, really. I believe that Tel Aviv University plans to release most of the CyberWeek content on its YouTube channel eventually, and when that happens I will try to update this paragraph with a link to the original talk. In the meantime, thanks for reading my celebration of her ideas, which are worth spreading.






No Shit In The Ranch House

Please forgive my use of a four-letter word. But it is central to my overall point, as I hope you will soon see.

Ranches are shit-management systems. There are other ways to think about a ranch, more refined and polite, but this way of looking at a ranch is useful. A ranch is all about raising animals for food, and animals shit. A proper ranch, unlike the factory farming methods criticized in the new film Eating Animals, pursues these goals in a manner that is respectful to the animals in question.

The single biggest problem with having lots of animals in a single location is shit. More animals means more shit.

Properly managed ranches have all kinds of systems in place for managing shit. They design their animal stalls to be easy to shovel. They use wheel-barrows and bobcats and all kinds of reliable solutions to ensure that shit does not pile up in the wrong places.

Cows are willing to defecate in transit, which means that as cows are herded from one ranch facility to the next, they occasionally make a trail of cow paddy. Cowboy boots are designed to be easy to wipe down for this reason. On a ranch, shit tends to get everywhere, and the ranch as a system spends a huge amount of energy addressing this problem.

My understanding of ranches arises from fond childhood memories and family lore. My great-grandfather was the foreman of the Pfluger Ranch (which would later become Pflugerville). My understanding of a ranch is based mostly on second- and third-hand stories, and is likely not much better than anyone else’s. But what limited understanding I have is enough to grasp two basic concepts: First, shit management is an ongoing unpleasant task on a ranch. And second, there is typically a large expansive home at the center of large ranches. This second concept is where we get the reference to a “ranch-style” home, a single-floor phenomenon where there is very little incentive to build a second story.

Now, imagine that you run a grocery. You decide which ranches provide the meat to the butchers in your grocery store. In that role you would have a pretty good idea how ranches are supposed to operate, having seen many of them over the years. You would be familiar with the rituals undertaken upon arriving as a guest at a new ranch. You are invited into the central home, which looks from the outside to be a spacious, welcoming house. This is the reason it is so often referred to as simply, the “Big House”. This is the seat of power in the ranch, and you note that the cowboys/girls that enter with you defer to the significance of the place by removing their hats.

Now further imagine, upon visiting this ranch, that you find a big, heaping pile of shit, in the main parlor of this central house. Right inside the front door. Right on the obviously expensive rug. Inside the house.

This is your first impression of the ranch. What are your thoughts? You might wonder “How did a cow get in here?”, “How long has this shit been here?”, “Why didn’t someone clean this shit up before we got here?”

But from the perspective of your evaluation of the ranch, it does not matter what the answer to any of your questions is. From your perspective, this is not a ranch you want to work with. Because you know that there are lots of moving parts to a ranch, lots of things that need to go well, and if the ranch is so poorly managed that it cannot keep bullshit out of what should be the best-kept part of the ranch, then it is extremely unlikely that the ranch has its shit together anywhere else. (See what I did there?) Most importantly, it is not worth your time to perform the very careful examination of the ranch that would be required to undo your first impression.

That does not mean that you (as the grocer, still) would penalize a different ranch for having shit in the stalls, or shit in the barn, or shit on a walkway… Dealing with shit, even stepping in shit, is part of the life of working on, or even visiting, a ranch. But it really matters where the shit is. And if you see shit in the parlor of a ranch, it will take herculean efforts by the members of that ranch to ever regain your trust. But most importantly, even if the ranch were to undertake those efforts to change your mind, you are just going to go down the street to the ranch that seems like it has its shit together. You simply do not have time for that shit. (Switching ranches is too easy.)

Of course, you think that I have been talking about ranches and shit this whole time, and you would be right in guessing that this is just a metaphor for something else. Something that I, in a non-cow related technical profession, might have more experience with.

What I am really talking about here is software bugs. Bugs = Shit in this analogy, and Ranch = Software Project. One way to think about the software development process is that it is all about fixing the bugs that are a natural by-product of software features. More features, more bugs. More cows, more shit. Everyone expects bugs in software, just like everyone expects shit on a ranch.

But if you have shit in the parlor of your ranch house, then it is obvious to anyone who is evaluating your ranch that you are not effectively managing your shit. In the same way, if you have a bug in the instructions covered in the Readme of your GitHub software repo, people are highly unlikely to forgive that.

When a new developer comes across a project on GitHub (or GitLab or SourceForge, or who knows, now that Microsoft has bought GitHub), and that project fails to correctly install, or basically function as the Readme file in the repo suggests it will, then that developer will judge the software unusable and will probably never come back. (For those who are not following: there is a special file, called README.md, that GitHub treats as the introduction to your software repository. In the vuejs/vue project, for instance, when you scroll down you first see the main files inside the software project, followed by web content that GitHub generates by interpreting the Markdown contents of the README.md file.)

This is the reason I get so upset when projects that I fund, sponsor, contribute to, or rely on fail to function the way their Readme says they should. It means that the maintainers of the project have profoundly forgotten how the process looks from the outside. The team has become so focused on moving forward with new features and functionality that it has forgotten the experience of a new developer or user reaching out to a new project.

When the developer of a FOSS software project on GitHub releases a new build of their software, pushing to “master” in git-speak and signaling that this version of the project is ready for use, they need to do a final manual check to ensure that on a new server, with a fresh OS installation and nothing configured, following the installation and configuration instructions in the Readme file will work all the way to the “example usage” stage.
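The core of that final check can even be scripted. Here is a minimal sketch: the command list is a placeholder (substitute the actual steps from your own Readme), and the script simply runs each “get going” command in a clean temporary directory, exactly as a new user would, failing loudly at the first broken step:

```python
# Sketch of a pre-release Readme smoke test: run each setup command from
# the Readme in a fresh temporary directory, as a brand-new user would,
# and report the first step that fails. The steps below are placeholders.
import subprocess
import sys
import tempfile

README_STEPS = [
    [sys.executable, "--version"],                      # e.g. "check python"
    [sys.executable, "-c", "print('example usage')"],   # e.g. "run the example"
]

def smoke_test(steps) -> bool:
    """Return True only if every Readme step exits cleanly."""
    with tempfile.TemporaryDirectory() as workdir:
        for cmd in steps:
            result = subprocess.run(cmd, cwd=workdir,
                                    capture_output=True, text=True)
            if result.returncode != 0:
                print(f"FAILED at {cmd}: {result.stderr.strip()}")
                return False
    return True
```

A script like this is not a substitute for the truly fresh-server check, since your workstation already has dependencies installed, but it at least catches instructions that have rotted outright.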

I love the new focus on continuous integration. Travis-CI et al have made it much easier to automate final unit testing. Test-driven development is a wonderful idea. But developers still need to do a manual check before a specific release of software to ensure that the current version of the instructions in the Readme actually results in a good experience for first-time users. Unit tests cannot tell you if the English-language “startup” instructions in the Readme are up to date.

Sometimes, changes in software mean the Readme instructions need updating. Sometimes the Readme contents are correct, but the project introduces a new requirement (new database tables, for instance) that needs to be automatically detected and fixed on first-time use. I cannot imagine that there will ever be an automated system that predicts every new dependency and process change.
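The database-table example above can be handled with an idempotent first-run check that the application performs on every startup. A sketch using sqlite3, with a hypothetical table name:

```python
# Sketch of a first-run check that detects and creates a missing database
# table, so a newly introduced requirement does not break the Readme flow.
# The table name is hypothetical; because of IF NOT EXISTS, it is safe
# (idempotent) to run this on every startup.
import sqlite3

def ensure_schema(conn: sqlite3.Connection) -> None:
    conn.execute(
        "CREATE TABLE IF NOT EXISTS user_settings ("
        "  id INTEGER PRIMARY KEY,"
        "  key TEXT UNIQUE,"
        "  value TEXT)"
    )
    conn.commit()

conn = sqlite3.connect(":memory:")
ensure_schema(conn)  # first run: creates the table
ensure_schema(conn)  # later runs: harmless no-op
```

This pattern means a user upgrading from an old version, or installing fresh from the Readme, gets the new requirement satisfied automatically instead of hitting a confusing error.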

I am also not suggesting that every bit of documentation needs to be updated with every release. It is certainly important that documentation generally be maintained, and certainly documentation coverage should be considered, at a minimum, for every release. But while that is important, that is not what I am talking about here. The question that every new user asks when they download problem-solving software from GitHub is “will this thing work for me?”, and answering that question frequently requires a huge investment of time and money. But before they make that investment, they want to know: “is this software project basically sound?” If the answer is “yes”, then they will make the greater effort to discover whether the software works for their use cases.

As long as the new developer believes that the underlying software project is basically sound, they will be tolerant, or even better, collaborative, with regard to the bugs that they do find. But they want assurances that the software basically does what it says on the tin. They want to know that the maintainers of the software basically have their shit together, which makes investing in the software a reasonable choice.

Play-testing a new software release will always need to be a manual task done at the end of sprints. If it is not done, then software that is publicly version-controlled (on GitHub or elsewhere) runs the risk of alienating new developers, which is a death sentence for any project. If a sprint ends without “time” to play-test the new release to ensure that it works on fresh systems, then the scope of future sprints needs to be reduced until time for that task is accounted for.

In my opinion, this is the single most important thing that a software project can do to market itself and succeed in a market crowded with other publicly available Open Source software. It is one of the great weapons that modern developers have against the scourge of the “it-works-on-my-machine” disease with which all developers seem infected.

No shit belongs in the ranch house. Try to ensure your Readme “get going” instructions are perfect with every new release.




How to be Cyber Woke for patients. Facebook lesson 1

So I wrote a post supporting the notion that Facebook could do some good by integrating with hospital data. That blew up on Twitter, so much so that it eventually ended up on CNBC.

Before I go on, I must recommend the continued reporting from @chrissyfarr, who broke the original story. I also recommend that you read the article in WaPo from @KirstenOstherr, which provides some much-needed context on why this is important. She is a professional healthcare media analyst and it shows.

Since all of this, a patient group (will update later with information on who) has reached out to me for help understanding exactly what the risks are for patients who are using Facebook, especially those who are using Facebook to connect with other patients inside patient support groups. We agreed that some specific advice might be useful to other patients and patient support group admins, so I am posting this here for anyone to reference. The first thing I should note is that I will be writing a separate guide for people who are hosting patient support groups on Facebook. The damage that can be done through a single admin account on a patient group on Facebook is tremendous (the power is like raw plutonium), and there is a difference between the advice I would give someone who is essentially responsible for other people’s private information versus someone who just wants to share information about their healthcare condition with their friends on Facebook.

Think of it like this: a surgeon has very different hygiene protocols to follow compared with a person who is just visiting a hospital, or with someone who is healthy and not visiting sick people at all.

In the same way, there is a difference in how you use Facebook, and the Internet generally, in a secure and private fashion if:

  1. You are not sharing health information online at all.
  2. You are a patient participating in a topical health discussion on social media.
  3. You manage a patient community on Facebook, Twitter, etc.

This post is all about the #2 people. If you are #1, you might be better served by a general introduction to using Facebook securely. I will cover those topics here too, but I will also cover things that will only make sense to patients.

I am also going to try to be as brief as possible, because I know you have other things to do. But this is not a simple subject. And if you care about this, you need to take a second and realize that there is a lot to learn.

So I am going to leave you with checklists and pictures to speed things up. Also, please note that I intend this post to be a work in progress. Feedback is welcome, but you should tell me what you think by tweeting at me.

How to get to your Facebook Settings:



Almost all of the instructions below start from the Settings page, which can be reached by clicking the drop-down in the top-right of the Facebook web interface.


The only relevant thing you can do here is download your data. Note that once you have downloaded your data, it is possible for someone to hack your computer and steal it. I recommend that you encrypt your backup in a zip file, and then upload that file to Dropbox or something like it, for safekeeping…

Security and Login

The most important lessons regarding your Facebook password are:

  • Use a passphrase. Passphrases are much more secure than passwords, and they are easier to remember.
  • Never use the same password you use for Facebook on ANY other site.
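To see why passphrases work, here is a sketch of a diceware-style generator built on Python’s cryptographically secure `secrets` module. The twelve-word list is only an illustration; real diceware lists contain 7,776 words, at which point five randomly chosen words give roughly 64 bits of entropy:

```python
# Diceware-style passphrase sketch using the standard library's
# cryptographically secure `secrets` module. The tiny word list is only
# an illustration; real diceware lists have 7,776 words, so five words
# drawn from one give roughly 64 bits of entropy.
import secrets

WORDS = ["copper", "lantern", "meadow", "saddle", "willow", "harvest",
         "ember", "granite", "thistle", "harbor", "juniper", "falcon"]

def make_passphrase(n_words: int = 5) -> str:
    """Join n randomly chosen words into an easy-to-remember passphrase."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))
```

The security comes from the random choice, not from the words being obscure, which is why a passphrase like this can be both strong and memorable.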

If you are the ONLY PERSON who uses your computer.

  • Then you want to make it difficult for other people to access your computer at all. You need an inactivity password (i.e. you have to log in to your computer again after not using it for an hour or so).
  • Then use the password management capability on your computer.

If you SHARE a computer

  • Try to use a different user account on your operating system than the other people using your computer.
  • Do not save your Facebook password or use the automatic login functionality in Facebook.
  • On a shared computer, you are going to have to type your password every time you use Facebook, if you want to ensure that you are using it securely.
  • When you are done using the browser, erase your history and cookies.

Now you might be thinking, “I share my computer with my husband/wife/father/mother/son/friend/dog and I really trust them; there is no need for me to protect my Facebook login from them.” Remember that this is a hygiene exercise. Let’s say that you have a Windows computer and you have a login for yourself separate from your loved one. That is a bother: you have to switch users every time you want to use Facebook. But if your loved one accidentally visits a website with malware, their account might become infected with a virus. If you are lucky, the Windows (or whatever) operating system might be able to protect your username and password information, if you are not sharing the same account.

There is a difference between trusting someone else’s personal integrity and trusting their browsing habits. It is very easy to download something on the Internet that will try to hurt your computer.

Here are more specific instructions on how to use the “Security and Login” settings for Facebook.


  • If you are a patient on Facebook, it is possible that many, or even all, of the friends that you have on Facebook share the same medical condition as you do. You can help protect their privacy by changing “Who can see your friends list” from “Public” to “Friends”. You can find that setting under Settings->Privacy.
  • Also under Settings->Privacy, you probably want to disable phone-number-based lookup. There are lots of people who enter random phone numbers into Facebook and try to figure out who they belong to.
  • Also under Settings->Privacy is “Do you want search engines outside of Facebook to link to your profile?”. You probably want that set to “No” unless you really need people to be able to Google you and find your Facebook account.
  • If you are not a patient advocate, and you are using Facebook to share your health experiences primarily in order to stay connected with people you already know, I recommend that you set both your future and past posts to “Friends”, “Friends except…”, or “Specific friends”. Having your activity be public means that “bots”, or scrapers, can access your information, which might not be what you want.


Apps and Websites:

  • Turn off all of the apps that you are not using under Settings->Apps and Websites.
  • Second, for those apps you keep, click “view and edit” and remove access to any data that you think they should not have. This is a good time to ask: “Why would an app that does X need access to data about Y?” If it does not totally make sense to you, turn it off.
    • You probably do not want to allow apps to see your list of friends
    • You probably do not want to let an app read your posts, or your likes, or your photos, places or videos.
    • You probably do not want an app to be able to control your “pages”


There are a ton of settings under Settings->Ads, but navigating them is pretty difficult. Ultimately, advertisers pay Facebook lots of money to reach you.

Try not to click on Facebook ads. If you see an ad for something you like, just use Google to find the company instead. If you click an ad, and that ad targeted only people similar to you, it might be possible for that company to eventually figure out what your healthcare status is. If this feels like a bother to you, then you need to spend some time exploring the Settings->Ads section, which can give you some control over the types of ads you see, but does little to stop advertisers from building a data model about you.

But let’s say you reeaaallly need to click an ad. Well, if you are using Chrome or Firefox, you can open the link in a way that passes less information to the advertiser about who you are. To do this, choose “Open link in incognito window” from the right-click menu in Chrome, or “Open Link in New Private Window” in Firefox. There is a way to browse privately in almost every modern browser.



Which browser?

There are good reasons to use Google Chrome or Mozilla Firefox exclusively if you want a more secure online experience. First, their code is subject to public inspection because it is Open Source. But also because they support browser extensions that can dramatically improve the security and privacy of your browsing. Specifically, I recommend:

Privacy Badger – a tool that keeps websites like Facebook from tracking your web browsing when you are NOT on Facebook. This can sometimes make websites break, but I encourage you to learn how to use it, as it will substantially decrease the amount of information you “leak” online.

HTTPS Everywhere – a tool that attempts to ensure that your connection to the web is encrypted whenever possible.

Note that both of these browser extensions are developed and maintained by the EFF, which is one of the most vocal and effective organizations protecting your security and privacy online. Also, getting an EFF-branded cover for your webcam is definitely the way the cool kids show they are “Cyber Woke”. Also, they have cool hoodies.


Other random stuff:

If you really value your security, get a Google Chromebook. They are difficult to hack.

Do not insert USB sticks that you “find” into your computer. Make sure you purchase USB sticks yourself from reputable vendors.




Facebook and Healthcare data, the contrarian view.

Recently, I read an article reporting that Facebook had been considering partnering with hospitals to connect their social data with the hospitals’ patient data in order to provide improved services to patients. Facebook had decided, in the wake of the Cambridge Analytica fiasco, to put those plans on hold. Here is the video version of the report, which is definitely worth watching.

I thought this was disappointing, because I know that many patients rely on social media generally, and Facebook in particular, to coordinate patient care. Connecting healthcare data with a patient’s social graph, when done with permission and with limited and intelligent goals, could result in real improvements in patient care, especially for our most vulnerable populations.

I tweeted as much:

I have been surprised by the subsequent reactions; very few of my tweets garner this much attention or engagement. Given this reaction, I thought it wise to defend my position more carefully.

I do not think anyone should claim “expertise” in anything as nebulous and unknowable as healthcare cybersecurity currently is, but I am definitely comfortable saying that I am not a novice.

I have spent time thinking carefully about the intersection of healthcare information systems, cybersecurity, and privacy. This has led me to be frequently at odds with other cybersecurity experts who are legitimately concerned about the dangers of connecting too early.

The problems that I see again and again are knee-jerk policy reactions to technological potential and, more generally, a tendency toward talking-head histrionics regarding healthcare information privacy. Probably the most extreme of these voices, historically, has been my friend Dr. Deborah Peel. Dr. Peel has continued to suggest that all health information exchange halt until it can be made entirely secure and can entirely respect patient privacy and ongoing consent.

The problem with that approach is that it tends to drive healthcare data exchange efforts “underground”. The discussion about Facebook’s change in plans is a good example of such fear-mongering. Note how CNBC chose to frame the news that Facebook was NOT going to reach out to hospitals. Let me quote some of the article, highlighting some of the terms that I find concerning.

Facebook sent a doctor on a secret mission to ask hospitals to share patient data

Facebook was in talks with top hospitals and other medical groups as recently as last month about a proposal to share data about the social networks of their most vulnerable patients.

The idea was to build profiles of people that included their medical conditions, information that health systems have, as well as social and economic factors gleaned from Facebook.

Now, CNBC is not as given as some of the other networks to outright fear-mongering, but I do need to quibble with this type of reporting. First, if you read the article closely, you will see that the project intended to link data using a two-sided hashing mechanism. This serves to protect the privacy of both Facebook’s user data and the hospitals’ patient data. The headline makes it seem as though it would be trivial for both the hospital and Facebook to identify these patients. Of course, such a dataset would be relatively simple to re-identify given how much of Facebook’s user data is public information, and it is highly unlikely that either Facebook or the hospitals intended to release this merged dataset to the public. Still, de-identifying a dataset like this is a useful precaution to ensure that researchers are not tempted to violate patient privacy.
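To make the two-sided hashing idea concrete, here is a sketch of how two parties could link records on keyed hashes of identifiers rather than on the identities themselves. The shared key, identifiers, and field names are all hypothetical; the article does not describe Facebook’s actual scheme:

```python
# Sketch of privacy-preserving record linkage: each party hashes its
# identifiers with a shared secret key (HMAC-SHA256), and records are
# joined on the hashes, so raw identities are never exchanged.
# The key, identifiers, and fields below are hypothetical.
import hashlib
import hmac

SHARED_KEY = b"negotiated-out-of-band"  # hypothetical shared secret

def linkage_key(identifier: str) -> str:
    """Keyed hash of a normalized identifier; without the key, an
    attacker cannot run a simple dictionary attack on the hashes."""
    return hmac.new(SHARED_KEY, identifier.strip().lower().encode(),
                    hashlib.sha256).hexdigest()

# One party hashes its users, the other hashes its patients...
social_side = {linkage_key("pat@example.com"): {"caregiver_posts": 12}}
hospital_side = {linkage_key(" Pat@Example.com "): {"readmissions": 2}}

# ...and the merged, de-identified dataset is the join on matching keys.
linked = {k: {**social_side[k], **hospital_side[k]}
          for k in social_side.keys() & hospital_side.keys()}
```

The design point is that neither party ever sees the other’s identifiers: only hashes cross the boundary, and only records present on both sides end up in the merged dataset.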

This type of de-identification strategy would have made the resulting dataset almost useless for Facebook’s main profit center: selling targeted advertising. But the article makes it sound like that was the aim, because the partnership was seeking to “build a profile”. A profile that is not connected to an identity is… well, it is not really a profile. A profile is a kind of aggregation of multiple people, and a dossier is about one specific person. De-identified data is not really either one of those things: it is about a specific person, unlike a profile, but unlike a dossier, no identity is attached. In this respect, building a “profile” does not seem like such a big deal; it is an aggregate of people, a single average that is useful for understanding many potential individuals…

In fact, “building a profile” is clearly not the aim of such an endeavor, but only an intermediate goal. The reason such a “double anonymized” merged dataset would be useful is that you could learn how to help patients by studying it. The research might help the hospitals, and Facebook, understand how to better serve the patients they both have as customers. A non-public anonymized dataset like this, shared only between a limited set of researchers representing the two parties who contributed data, is pretty hard to abuse.

In fact, this is exactly the type of research that both Facebook and the hospitals have an independent and shared ethical obligation to undertake. More patients share clinical information across Facebook than through any software designed for that purpose (typically those products are called PHR systems). Facebook users use the platform every day to coordinate caregiving for their friends and family. They use it to coordinate whose turn it is to make dinner, and which “friend” is going to show up and hold their loved one’s hand. They use it to promote the go-fund-me pages that have frequently taken the place of comprehensive health insurance in this country. They use it to request prayers, when the pain is really bad and the pills no longer work.

Is this a good idea? Well, there are many who would warn that sharing data publicly like this is dangerous, and they are profoundly correct. But this sharing is not done because users trust Facebook; quite the contrary. Facebook is tolerated as a gateway to the friendships and family members that Facebook users so desperately need when they become seriously ill.

That use case is not what Mark Zuckerberg imagined in his Harvard dorm. Frankly, it was a case of great foresight for Mark to guess that people might use his young platform to get laid. But as Facebook has become the de facto mechanism for connecting with friends and family, especially across generations, it has also become a very common place for patients to connect with their care community. Or at least the parts of their care community that are NOT professional clinicians.

The professional clinicians not only fail to connect with a patient’s friend-and-family network; they also fail to connect digitally with each other. Instead, they are rewarded for hoarding their portion of a patient’s medical data, a problem regularly referred to as the “silo” problem in healthcare informatics.

For more than three decades, there has been no technical reason why patient data is not regularly shared between healthcare providers. However, our healthcare system continues to financially reward providers who hoard rather than share data. Healthcare technologists like myself do not, despite appearances to the contrary, work to make data sharing possible; instead, we spend our careers desperately seeking technical solutions to health data exchange that are politically palatable.

So I hope you can understand that when two parts of the healthcare eco-system start to consider collaborating in a way that helps patients, this is something that we should celebrate with… concerned… optimism.

And I am concerned. I am very concerned that Facebook’s basic structure does little to protect those who already share healthcare information across its network.

Just as we should be concerned that Apple’s recently announced hospital integrations will serve to reduce the investments that hospitals make in other patient-data sharing methods, which might widen the digital health divide. Poor people in this country have trouble affording iPhones, which could soon be one of the few ways to conveniently access their own hospital data. But we should cautiously celebrate Apple’s work in this area.

We should be concerned that Google has recently announced multiple new Health IT API initiatives, despite having unceremoniously shut down its previous healthcare API offering.

We should celebrate Grindr’s efforts to encourage regular STD testing, even if this action has been clearly overshadowed by the news that it was sharing HIV status with third-party companies.

Look, if you are this far into the article and thinking that I am defending Facebook’s egregious cybersecurity mistakes, its constantly over-reaching data grabs, and its generally cavalier (even sometimes malicious) attitude towards personal privacy, then you are missing my point entirely. As Twitter user _j3lena_ correctly pointed out, it is only reasonable to assume that there are dozens of other organizations that have Facebook data on the same scale as Cambridge Analytica. That is just the one that we can see. (updated to acknowledge _j3lena_’s comments)

Facebook has been a privacy nightmare for years, and I am very hopeful that it might see its failures in these areas as an existential threat. Because Facebook should go out of business if it cannot ensure that its platform is something more than a monetized privacy-abuse vector. Facebook deserves to go the way of the Dodo if it cannot help its users differentiate between real and fake news. Make no mistake, Russians advertising on Facebook is a big problem, but this pales in comparison to the personal consequences for a person who is convinced not to give their child a vaccine because of a Facebook group.

My point is just this. We need to give companies credit when they embrace security best practices as they pursue ethically reasonable goals, like leveraging a hashing-based de-identification scheme in an attempt to do things with patients’ data that help clinicians improve the care they give those patients. We need to criticize, and if needed, boycott and regulate companies that abuse our data. We need to have national policies that create real consequences for companies that abuse their positions of trust.
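To make the idea concrete, here is a minimal Python sketch of what a hashing-based de-identification scheme can look like. This is my own illustration, not Facebook’s actual (unpublished) design: the salt, the field choice, and the function name are all assumptions. The core idea is that two parties who share a secret key can each hash their own patients’ identifiers and match the resulting tokens, without either party ever revealing a raw identifier to the other.

```python
import hashlib
import hmac

# Hypothetical shared secret. In practice this would be a high-entropy
# key exchanged securely between the two collaborating organizations.
SECRET_KEY = b"replace-with-a-securely-shared-secret"

def deidentify(identifier: str) -> str:
    """Return a keyed hash (HMAC-SHA256) of a patient identifier.

    Because both parties use the same key, the same patient produces
    the same token in both datasets, so records can be linked without
    exposing the underlying identifier. The key prevents an outsider
    from mounting a simple dictionary attack on the tokens.
    """
    return hmac.new(SECRET_KEY, identifier.encode("utf-8"),
                    hashlib.sha256).hexdigest()

# The same input always maps to the same token,
# while different inputs yield different tokens.
token = deidentify("jane.doe@example.com")
assert token == deidentify("jane.doe@example.com")
assert token != deidentify("john.doe@example.com")
```

Note that this kind of scheme is only as strong as its weakest link: if the identifiers are guessable and the key leaks, the tokens can be reversed, which is one reason “de-identified” data still deserves careful handling.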

But we also need to give credit where credit is due, and Facebook was probably trying to do some good work with this hospital collaboration.

I hope this better explains my tweet.


Good Questions:

As always, the Twitter community has given me new things to think about.

  • First, it is not clear what it means for this to have been done “in secret.” If this deal included non-disclosure agreements, that is problematic.
  • Second, and this is something I did not get into, but that CNBC did a good job emphasizing, especially in the video version of the report: it is not clear how, or if, explicit patient consent would have been involved.


Added several good points from Twitter, and as @corbinpetro pointed out, it’s CNBC and not CBS.