Data Interchange and Interoperability in Healthcare

I recently had to go for x-rays on my hip. The imaging company called saying they’d received the “order” from my chiropractor for a knee arthrogram without contrast.

Apparently, this was both wrong and confusing. It’s wrong, because the “order” said hip, but they couldn’t read it; also it’s confusing because, well something to do with x-ray and contrast.

After a short discussion, it turned out the imaging company received the order by fax. Yes, real actual paper fax. The US medical profession still seems to run on faxes. My prior cardiology hospital sent my medical records to my new cardiology Dr via, yes, paper fax. Hospital-1 printed the records to a fax based printer driver, which sent them uing a fax protocol to Hospital-2. Apparently Hospital-2 receives as images in a variation of the TIFF file format.

In the case of my PT, no such luck. Handwritten, manually faxed, received by paper. Even if there had been no problem this created a HIPPA privacy and security cost. In this instance, the cost to clear up the confusion likely cost almost as much as the actual hip x-ray, as that was all that was needed.

While I know there are data interchange standards in the USA for medical records, or as they are called PHRs, it seems there still nothing that is universally adopted. When I contacted my new cardiology hospital and offered my PHR in (Epic Systems) Lucy format, they declined and asked for them to be faxed.

There are a growing number of apps for both ios and android that support EHRs (electronic health records) however, for the most part these are tied to a specific hospital and/or medical group. A good example is the Epic Systems MyChart app. It can read the data from my former cardiology provider, including details of my ER/and cardio surgery and the prescriptions I was given. I can export the data using the Hospital groups website, and that’s it.

Unless you choose your medical providers not on their medical excellence, but their ability to import your lucy records, this is no use at all.

The Big Boys are doing data interchange

My interest was sparked by the recent announcement from Google, Microsoft, Twitter and Facebook introducing the open-source Data Transfer Project (DTP). For the more technically interested, you can read the DTP Overview here.

Ultimately it doesn’t look that different from the Enterprise Service Bus implementations we were working on 15-18 years ago. Same core concept, n-n interchange and interoperability. Same basic extensability through adapters and shared protocols.

I have to say, the use cases given for DTP are pretty weak. Conceptually, though there is much potential for this architected “Share…” facility. One of the key failings of DTP is that there is no ability to delete data, sure you can share your data to more sites/services but the DTP as specified doesn’t allow you to leave.

However, the most disappointing thing about this announcement is it’s aimed at allowing you to move your videos/photo’s, social media posts, and hopefully subscription platforms among the services supported.

To become a supported platform there are a few fairly simple architecture docs and then you have to build plugins or adapters to interface to the service to be able to send/receive data.

Ho hum. Boring. There is definitely space for big tech co’s to innovate around data interchange, but who cares about social media. I want to be able to pay for a PHR service, where I can store and control my medical record. Where I can grant access rights and authorise medical providers to retrieve my data, where I can see my medical records from across the providers etc.

I’m hoping that someone will point out this already exists, or that Nigel or Tom, who both now work in Helathcare will tell me why this isn’t a good idea. The USA is in desperate need for data interchange but it isn’t for social media.

FURTHER READING:

  1. Paper on moving from paper to electronic records and the associated problems.
  2. Review of numerous leading healthcare records mobile apps.

 

Legislating hacking/data exposure responses

I don’t know enough about the European Union General Data Protection Regulation (GDPR) but at least on basic reading it seems inadequate in meaningful individual action requirements and legislation that benefits the actual user/person whose information has been exposed.

I’ve been signed up for haveibeenpwned an excellent website by Troy Hunt. You enter your email, and it tells you what breaches your personal information has been found in.

I was going to say “if any”. But of course your data will be there, especially after breaches like the River City Media (RCM) “spammer gate” where 1.4 billion peoples’ email accounts, full names, IP addresses, and often physical address, were exposed. Suffice to say, my two primary email addresses have been exposed in more than 20-breaches.

haveibeenpwned was a great start. CapitalOne, at least among my financial providers, has stepped up the game significantly. Their creditwise arm has incorporated Credit & Identity Alerts in to the app and website. Numerous times recently I’ve received alerts, and while initially the alerts didn’t contain enough information to take action, the most recent alerts have had all the detail I needed.

Creditwise Email
Email alert from Creditwise
Creditwise Alert
via website or app

Among the websites my data has been exposed this year include:

  • linkedin.com
  • kickstarter.com
  • ticketfly.com
  • bitly.com
  • myspace.com
  • last.fm
  • zomato.com

Some of these websites did individually send emails disclosing the breach. Of these, only ticketfly had any form of financial data that might have been breached. I have all my emails from them going back to 2012. Not a single word about a data breach or other exposure of my personal data.

The same is true for more sites than not. No notification. When you login to the site to at the very least, change your password to a new unique one, they more often than not also give you no indication. For many of them it’s also nearly impossible to find out how to delete your account. In the case of ticketfly, I submitted a trouble ticket asking how to delete my account but retain tickets for future events, so far nothing but a generic ‘we’ll get back to you’ response.

It’s time for legislation about what websites/businesses are required to do when they find a data breach. They must be held accountable, and not just through financial penalties that mostly just go into government coffers.

I’d like to see at a minimum:

  1. Mandatory requirement to notify by email, and if the business has a real mail address, by mail.
  2. A default opt-out and deletion period. At discovery, if data breached includes significant personal and/or financial data, the account must be deactivated. After notification, if the business has not heard from the user whose data is breached within 14-days, and the account is not already deactivated, it should be deactivated.
  3. Recovery of a deactivated account should NOT depend on any data exposed in the breach.
  4. When the user whose data is breached logs-in to their account following notification or during account recovery, they must be presented with clear information on what data was exposed. Two, they must be given a simple option at this point to permanently delete their account.
  5. If the user opts to delete their account, any consequences of the deletion must be made obvious at that time. For example, in the case of ticketfly, where I’ve already paid for tickets to future events, those tickets must still be available to me, even after my account is deleted.

In the era of “big data” and “everything online” the only way these businesses/websites will really put privacy and security first is not fines. It’s the actual loss of the customer/user and their data. These companies are often over valued, and paying government fines is just moving magic money from one bucket to another. It has a short term impact on their profitability, their quarterly results, not much else.

Privacy: Europe vs the USA

On a day when the likelihood is you’ve been bombarded with GDPR emails from companies you’ve done business with, or just whose websites you’ve registered with, there is no better comparison of the difference between how the European Commision and the USA are dealing with our privacy.

While the new General Data Protection Regulation comes into force tomorrow (May 25th), which isn’t as many think, a reaction to the Facebook privacy scandal, the regulation which took seven years of negotiation, and will force changes in a braod range of industries, including, but not limited to technology, advertising, medicine and banking.

Here in America, we learned this month that a company called LocationSmart is buying the real time cell phone location data obtained from the country’s largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint.

We only learned, because Securus, a prison technology company, who use the data from LocationSmart, had their website tested by a researcher who was able to access the cell phone location of anyone, without consent. Apparently, while the explicit selling of cell phone location data to the Government is banned/illegal, selling it otherwise is not. We don’t even know who they are selling it to, or what it is used for.

Big business is just about making a buck. In the same way as Facebook mostly didn’t care who got your data, and what they did with it, provided facebook got their money, that made it OK. The same has been true for decades for the cable and telephone, cell phone companies.

Europe vs Facebook

The questions that Zuckerberg never answered, including this:

How will you be remembered: As one the three big internet giants along with Steve Jobs and Bill Gates who have enriched our world, or as the genius who created a digital monster that is destroying our democracy and society?

https://gizmodo.com/mark-zuckerberg-played-parliament-for-fools-and-theyre-1826227452

The Popularity Of ‘Westworld’ Points To Our Anxiety About AI

“If things play out with AI the way that they have done with Facebook, we’re in a lot of trouble.” Jonathan Nolan

Source: The Popularity Of ‘Westworld’ Points To Our Anxiety About AI, The Show’s Creators Say | Here & Now

Facebook walking the wrong side of the #GDPR line

The Facebook scramble to rewrite history

As Facebook scramble to try to head off prohibitive legislation in the UK, Europe and the USA, it’s trying to reinvent it’s history and mission.  I’m no Facebook historian, developer, professional watcher but it’s worth remembering some of it’s actual history, bugs, screw-ups and the often terrible defaults it implemented with new features.

I’d long imagined that Mark Zuckerberg was the embodiment of Zeke Hawkins character in the 1993 movie, Sliver. One of the things Hawkins said in the movies about his surveillance was the Google-esq:

We’ll do only good things.

All of the recent disclosures about access to Facebook data isn’t about hacking or other malicious activity, it is about poor design decisions; defaults in privacy that were good for Facebook but not for the user; and ultimately necessary for Facebook’s’ business model. They were not, as Facebook and Zuckerberg oft refer to them as data breaches.

As the voiceover says at the end of the Sliver trailer:

The view from the outside is nothing…. compared to the view…. inside.

My history with Facebook goes back to when it was “thefacebook”. I’d been a regular speaker and panelist at the Silicon Valley World Internet Center between 1998 and 2003 when I gave my last session on Open Source. The center was housed at Stanford University. Over my time there, I made contacts with many professional and personal contacts.

I started using livejournal as an emerging platform for “blogging” and tracking news for my then key triathlon interests in January 2004.  That April, through one of the contacts I’d made at the World Internet Center, I was offered a userid to take a look at “thefacebook”. I didn’t spend much time on it, it was fascile, juvenille and voyeristic. I wasn’t surprised to hear that in 2003, the Harvard University administration had charged Zuckerberg with breach of security, violating copyrights, and violating individual privacy.

That set the path that Facebook has followed since then, their design decisions, their defaults, everything has been aimed at making your information publicly available, searchable and collectable. As I texted a few days ago, none of this need happened if Facebook actually cared about privacy. Each and every time they implemented a new feature, they did so by setting the user privacy to the least private allowed.

While Facebook claimed they were not selling data, which was probably legally true, but they were always selling access to the data. If privacy was really central to Facebooks management of data, then they would have made the defaults very different than they did.

All those infuriating apps and quizzes that your “friends” were playing Farmville, Candy Crush, etc. let alone the apps that wanted to know actual personal information, like where you’d travelled to etc. For a while in 2007 there was even a class at Stanford known as the “Facebook class” where students, many of whom went on to make hundreds of thousands of US Dollars, were instructed on how to make Facebook apps.

As early as 2010, many of us were imploring people not to give companies like OK Cupid and apps like Lover of the Day access to your data, it was only ever going to end badly for someone.

Lover of the Day was installed nearly a million times. If every user that installed it had at least one hundred “friends” on Facebook,  that meant through a single app, four hundred million facebook users data could have been exposed and scraped. Even if “Lover of the Day” hadn’t overtly exploited this, it was totally naive rather than malicious.

By the end of 2010, there were hundreds of website scams that were, as far as I can see, just there to harvest your data, and that of your friends. There were numerous websites set up to track these, of which Facecrooks, was and still is one of the best.

When I got my Facebook data, before #DELETEFACEBOOK, I spent an hour searching through the data and my timeline to find interesting posts, pleas that I’d made to my friends about the lax controls, bad defaults and bad app choices they were making.In 2010 alone, I posted the following on my wall.

January 10th: “Well get used to it, the Facebook founder says your privacy is a relic of the past, everything should be public!”

March 2010: “So, not paying attention to the FB Privacy issue? Well last night the dumb ass’s made a change which made everyone’s email address public for about 30-mins even if you said not to or your settings… “

May 2010: “So yesterday Facebook blew their privacy yet again revealing private friend to friend conversations, allowing one friend to see outstanding friend requests of other friends…”

May 2011: When discussing the Symantec revelation that Facebook was leaking information to Third parties, I ended the post with – friends don’t give their friends personal information to strangers, don’t do the same on facebook!

By 2011, music streaming startup, Spotify, was known to be aggressively using and promoting their business through facebook by exploiting the weak/lax Facebook privacy. If anything, the US Government Federal Trade Commision hearings lead to facebook changes that were in marketing speak “more transparent” but reality, more opaque. They made it easier to stop sharing, but harder to know what was being shared.

In 2015, the scraping of user data was still rampant, I found a number of examples of warnings, mostly in so called “Big company” giveaways.

March 2015: Friends don’t invite friends invite to the SW Airlines ticket give away. It’s scam, they are harvesting Facebook id’s, friends lists and email addresses and who knows what else!

It was followed by a long bullet list of ways you could tell if the giveaway was a scam. My post ended in

If don’t doesn’t have at least two of those it’s a scam… It’s not harmless, it’s like showing up at an orgy and not using a condom.

When Zuckerberg and Facebook try to rewrite history claiming these were a breach of trust, or they didn’t sell data, or they acted as soon as they were notified, I don’t know what the hell they are talking about. They knew, they just didn’t care until the politicians got hurt, and now the optics look really bad.

Next. What should be done.

The Data Linkedin has

While I’m at it, I thought I’d take a look at what data linkedin.com has on me. It’s likely to be much less, since I rarely use the service and it’s been getting less and less as their emails with anything useful, plus new contacts, connect requests etc. always take me to the Google Play app store to install the linkedin app. That’s not happening, and I mostly just delete the emails and make a mental note to login via the website.

If you are interested in your linkedin data, you can get it via the linkedin.com Settings and then Privacy page. Here.

The email that arrived with a link said:

Here’s just the first part of the information we have archived for you, including things like connections, contacts, messages, and profile information.

It seems that will likely be the more interesting part of their archive. The first .zip file seems to mostly include only static data, most of which I’ve provided.

Interestingly, I joined linkedin on April 11th, 2006. I learned that from the registration .csv.

At least in the .zip file I got it had the following structure.

The media files were very limited, just two image files, and a PDF of a presentation that I posted directly to linkedin. This clearly isn’t all my data from linkedin, since it did not contain and links, articles, or images I’ve posted. It didn’t for example even include my profile and profile background pictures.

The spreadsheets were no more than comma seperated variables, but seemed fairly accurate. There is no clue how they came about these, I can only assume from businesses I “liked” etc. Here is the entire contents of the “Causes you care about” .csv

Civil Rights and Social Action
Economic Empowerment
Environment
Human Rights
Politics
Science and Technology

Which seems about right. What I’m sure most people will be interested in are the contacts that linkedin has a mix of my personal contacts, and linkedin connections. For each “connection” it has firstname, surname, physical address, email address,current employment/employer, position, a date and time field(?) and finally a web address.

The physical address doesn’t seem to have come from my contacts, which I’m pretty sure I’ve not given linkedin access to via the app or a website link/upload. The majority of physical addresses are blank, even for people I have work/home addresses in my contacts.

So I think this is pretty much

Move on, nothing to see here!

When the 2nd .zip file arrives, I’ll add another post.

The Data that Google has

In the push-back over the Facebook privacy scandal, many are also asking questions about the data other platforms have. Many commentators draw a parallel to Google. For my part, this is valid at least as far as tracking, visiting locations etc. goes. Since I have a Google Phone, with a Google Fi service, and I use Google Maps, I pretty much expect them to track me.

GoogleIn addition, in my prior home I had Google Fiber, plus add in all the Youtube videos, if you watch movies or listen to music on Google Play; they have my calendar; all my files in Google Drive; as much as I try not to have my photos in the cloud, they’ve almost certainly got some of them in Google Photos. I typically avoid using Google Search directly, as for the most part, my search history seems a definitive list of things I’m interested in, but it’s much more subjective than that. I prefer startpage for search.

I don’t read ebooks, but they’d have them if I did; of course I use a few Google Groups; and so on. So, it’s a pretty exhaustive list. You do need to take care if you decide to download your Google information from google.com/takeout – It can get pretty big, pretty quickly if you’ve purchased books, films, music and make extensive use of drive, in addition to all the metadata, you’ll also get all the content.

Despite all this, I feel like Google have not crossed the trust boundary. They may be using and aggregating all this data to sell to advertisers, but it’s not all clear how. It certainly isn’t obvious from the adverts. So for now, I trust Google to “Don’t be evil“.

The Data that Facebook has

Much has been written about the facebook data, Cambridge Analytica sh*t show. I was among those years ago who were warning friends not to play games that require users to permit the game access to their friends Facebook profile.

However, even I couldn’t have foreseen how the data would be used. Stunning. I have my Facebook archive from yesterday, and will be going over it in the next few days. I’ll finally #deletefacebook – deleting permanently my Facebook ID later today. In another week or so, I’ll create a new ID, strictly limited to family as friends.

The worst, in privacy terms, aspect of the Facebook data privacy failure, is the accusation that Facebook was collect phone data from android phone for years. Of course, everyone accepted the facebook app permission to access the phone, but again I suspect few thought that the Facebook would track and keep data on all calls made, even those that got a busy signal, or no answer.

I went hunting for a list of all the data Facebook collected, and found this. It appears to only be available to logged in Facebook users. I thought it worth copying over here. It’s a huge list.

What info is available? What is it? Where can I find it?
About Me Information you added to the About section of your Timeline like relationships, work, education, where you live and more. It includes any updates or changes you made in the past and what is currently in the About section of your Timeline. Activity Log
Downloaded Info
Account Status History The dates when your account was reactivated, deactivated, disabled or deleted. Downloaded Info
Active Sessions All stored active sessions, including date, time, device, IP address, machine cookie and browser information. Downloaded Info
Ads Clicked Dates, times and titles of ads clicked (limited retention period). Downloaded Info
Address Your current address or any past addresses you had on your account. Downloaded Info
Ad Topics A list of topics that you may be targeted against based on your stated likes, interests and other data you put in your Timeline. Downloaded Info
Alternate Name Any alternate names you have on your account (ex: a maiden name or a nickname). Downloaded Info
Apps All of the apps you have added. Downloaded Info
Birthday Visibility How your birthday appears on your Timeline. Downloaded Info
Chat A history of the conversations you’ve had on Facebook Chat (a complete history is available directly from your messages inbox). Downloaded Info
Check-ins The places you’ve checked into. Activity Log
Downloaded Info
Connections The people who have liked your Page or Place, RSVPed to your event, installed your app or checked in to your advertised place within 24 hours of viewing or clicking on an ad or Sponsored Story. Activity Log
Credit Cards If you make purchases on Facebook (ex: in apps) and have given Facebook your credit card number. Account Settings
Currency Your preferred currency on Facebook. If you use Facebook Payments, this will be used to display prices and charge your credit cards. Downloaded Info
Current City The city you added to the About section of your Timeline. Downloaded Info
Date of Birth The date you added to Birthday in the About section of your Timeline. Downloaded Info
Deleted Friends People you’ve removed as friends. Downloaded Info
Education Any information you added to Education field in the About section of your Timeline. Downloaded Info
Emails Email addresses added to your account (even those you may have removed). Downloaded Info
Events Events you’ve joined or been invited to. Activity Log
Downloaded Info
Facial Recognition Data A unique number based on a comparison of the photos you’re tagged in. We use this data to help others tag you in photos. Downloaded Info
Family Friends you’ve indicated are family members. Downloaded Info
Favorite Quotes Information you’ve added to the Favorite Quotes section of the About section of your Timeline. Downloaded Info
Followers A list of people who follow you. Downloaded Info
Following A list of people you follow. Activity Log
Friend Requests Pending sent and received friend requests. Downloaded Info
Friends A list of your friends. Downloaded Info
Gender The gender you added to the About section of your Timeline. Downloaded Info
Groups A list of groups you belong to on Facebook. Downloaded Info
Hidden from News Feed Any friends, apps or pages you’ve hidden from your News Feed. Downloaded Info
Hometown The place you added to hometown in the About section of your Timeline. Downloaded Info
IP Addresses A list of IP addresses where you’ve logged into your Facebook account (won’t include all historical IP addresses as they are deleted according to a retention schedule). Downloaded Info
Last Location The last location associated with an update. Activity Log
Likes on Others’ Posts Posts, photos or other content you’ve liked. Activity Log
Likes on Your Posts from others Likes on your own posts, photos or other content. Activity Log
Likes on Other Sites Likes you’ve made on sites off of Facebook. Activity Log
Linked Accounts A list of the accounts you’ve linked to your Facebook account Account Settings
Locale The language you’ve selected to use Facebook in. Downloaded Info
Logins IP address, date and time associated with logins to your Facebook account. Downloaded Info
Logouts IP address, date and time associated with logouts from your Facebook account. Downloaded Info
Messages Messages you’ve sent and received on Facebook. Note, if you’ve deleted a message it won’t be included in your download as it has been deleted from your account. Downloaded Info
Name The name on your Facebook account. Downloaded Info
Name Changes Any changes you’ve made to the original name you used when you signed up for Facebook. Downloaded Info
Networks Networks (affiliations with schools or workplaces) that you belong to on Facebook. Downloaded Info
Notes Any notes you’ve written and published to your account. Activity Log
Notification Settings A list of all your notification preferences and whether you have email and text enabled or disabled for each. Downloaded Info
Pages You Admin A list of pages you admin. Downloaded Info
Pending Friend Requests Pending sent and received friend requests. Downloaded Info
Phone Numbers Mobile phone numbers you’ve added to your account, including verified mobile numbers you’ve added for security purposes. Downloaded Info
Photos Photos you’ve uploaded to your account. Downloaded Info
Photos Metadata Any metadata that is transmitted with your uploaded photos. Downloaded Info
Physical Tokens Badges you’ve added to your account. Downloaded Info
Pokes A list of who’s poked you and who you’ve poked. Poke content from our mobile poke app is not included because it’s only available for a brief period of time. After the recipient has viewed the content it’s permanently deleted from our systems. Downloaded Info
Political Views Any information you added to Political Views in the About section of Timeline. Downloaded Info
Posts by You Anything you posted to your own Timeline, like photos, videos and status updates. Activity Log
Posts by Others Anything posted to your Timeline by someone else, like wall posts or links shared on your Timeline by friends. Activity Log
Downloaded Info
Posts to Others Anything you posted to someone else’s Timeline, like photos, videos and status updates. Activity Log
Privacy Settings Your privacy settings. Privacy Settings Downloaded Info
Recent Activities Actions you’ve taken and interactions you’ve recently had. Activity Log
Downloaded Info
Registration Date The date you joined Facebook. Activity Log
Downloaded Info
Religious Views The current information you added to Religious Views in the About section of your Timeline. Downloaded Info
Removed Friends People you’ve removed as friends. Activity Log
Downloaded Info
Screen Names The screen names you’ve added to your account, and the service they’re associated with. You can also see if they’re hidden or visible on your account. Downloaded Info
Searches Searches you’ve made on Facebook. Activity Log
Shares Content (ex: a news article) you’ve shared with others on Facebook using the Share button or link. Activity Log
Spoken Languages The languages you added to Spoken Languages in the About section of your Timeline. Downloaded Info
Status Updates Any status updates you’ve posted. Activity Log
Downloaded Info
Work Any current information you’ve added to Work in the About section of your Timeline. Downloaded Info
Vanity URL Your Facebook URL (ex: username or vanity for your account). Visible in your Timeline URL
Videos Videos you’ve posted to your Timeline. Activity Log
Downloaded Info