Monthly Archives: August 2016

The Risk and Security of Connected Healthcare Devices

A recent Forrester Research report highlighted the security risks of connected healthcare devices and some of the implications of lax policies of manufacturers and care providers. This brings to mind for me all kinds of doomsday scenarios so I want to highlight some of the best practices in the report. These apply to the healthcare industry and other businesses.

Internet of Things

Part of the allure of the internet of things (IoT) is that many devices can be connected, including medical devices. In a recent article, author Yash Mehta highlighted some connected and potentially connected devices. On the list are monitoring devices which allow patients to be at home instead of a hospital. He also mentions companies that are developing edible IoT “smart” pills that will help monitor health issues and medication. This is an area where I would want the tightest security.

Steps for Security Planning

Start from the inside when thinking about security. Is everyone in your organization following best practices? Are you requiring that passwords be changed regularly? Is everyone following this requirement or have they developed a workaround? Are there any shared accounts with a shared password? One of the biggest security holes is social engineering: an attacker pretends to be someone trustworthy to obtain passwords or entry into secure systems, then launches a widespread attack. Make sure everyone in your organization is educated and prepared for such an attempt.

Verify that the new devices have security built in from the manufacturer. This applies to health care IoT and other connected devices. It is hard to build security with no foundation. Push manufacturers to install a minimum level of threat protection in every device.

It is necessary to separate device information from actual customer details. In the case of health care, that means storing data collected from the connected device in a data structure separate from the patient data. In a retail establishment this means storing credit card information away from personally identifiable information such as customer name and address. The two can be linked via a separate ID but it should be difficult for a hacker to connect the two sources of information.
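The separation described above can be sketched with three independent stores, where only a linkage store maps a random reference to a patient. This is an added example, not code from the Forrester report or the original post; the table names, function names and sample rows are assumptions constructed for illustration.

```python
import secrets
import sqlite3

# Three independent stores. In production each would sit on its own host with
# its own credentials; in-memory databases stand in for them here.
identity = sqlite3.connect(":memory:")   # who the patient is
telemetry = sqlite3.connect(":memory:")  # what the device measured
linkage = sqlite3.connect(":memory:")    # the only place the two meet

identity.execute(
    "CREATE TABLE patient (patient_id INTEGER PRIMARY KEY, name TEXT, address TEXT)")
telemetry.execute(
    "CREATE TABLE reading (device_ref TEXT, taken_at TEXT, metric TEXT, value REAL)")
linkage.execute(
    "CREATE TABLE link (device_ref TEXT PRIMARY KEY, patient_id INTEGER UNIQUE)")


def enroll(name, address):
    """Create a patient record and return the reference the device will use."""
    cur = identity.execute(
        "INSERT INTO patient (name, address) VALUES (?, ?)", (name, address))
    # Random value: it cannot be derived or guessed from any patient attribute.
    device_ref = secrets.token_hex(16)
    linkage.execute("INSERT INTO link VALUES (?, ?)", (device_ref, cur.lastrowid))
    return device_ref


def record_reading(device_ref, taken_at, metric, value):
    """Device-side write path: it only ever sees the random reference."""
    telemetry.execute(
        "INSERT INTO reading VALUES (?, ?, ?, ?)", (device_ref, taken_at, metric, value))


def readings_for_patient(name):
    """Authorized read path: requires access to all three stores."""
    row = identity.execute(
        "SELECT patient_id FROM patient WHERE name = ?", (name,)).fetchone()
    if row is None:
        return []
    ref = linkage.execute(
        "SELECT device_ref FROM link WHERE patient_id = ?", row).fetchone()
    if ref is None:
        return []
    return telemetry.execute(
        "SELECT taken_at, metric, value FROM reading "
        "WHERE device_ref = ? ORDER BY taken_at", ref).fetchall()


def leaked_text(conn):
    """Everything someone holding only this one store would be able to read."""
    return "\n".join(conn.iterdump())


if __name__ == "__main__":
    ref = enroll("Pat Example", "1 Sample Street")  # constructed sample data
    record_reading(ref, "2016-08-01T08:00", "heart_rate", 72.0)
    print(leaked_text(telemetry))  # readings and a random ref, no name or address
    print(readings_for_patient("Pat Example"))
```

The protection depends on the linkage store being held and access-controlled separately; if it lives beside either of the other two, the separation is cosmetic.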

Thoughts

It is exciting to think of all of the possibilities with IoT devices but it is sobering to contemplate the security risks. All of us must consider and mitigate the risks, either as consumers or as part of an IT team building the tightest security possible. IoT devices are coming. Are you ready?

About Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Avoiding Disasters: The Value of Continuity Planning

The recent technical problems with the Delta Airlines network got me thinking about the value of business continuity planning. We teach an AIM short course dedicated to business continuity and disaster recovery planning and stress the importance of thinking through all potential scenarios. Consider this a friendly reminder to update and test your plan to make sure it is still valid. Has anything changed since your last test and could it halt your business? What is the worst-case scenario and how will you deal with it?

Delta

Delta is just the latest example of a sophisticated network of hardware and applications that failed and caused disruption to a business. In the case of Delta, a power control module failed in their technology command center in Atlanta. The uninterruptible power supply kicked in but not before some applications went offline. The real trouble began when the applications came back up but not in the right sequence. Consider application A that requires data from a database to process information to send to application B. If application B comes up before application A, it will be looking for input that does not exist and will go into fault mode. In the same vein, if application A comes up before the database is online, it will be looking for data that does not yet exist and will fault.

Any of these scenarios will affect business operations such as ticketing, reservation and flight scheduling processes. Once flights are canceled due to lack of valid information, then the crew in San Francisco cannot get to Atlanta to start work and even more flights are canceled or delayed. In this case, it took four days before flights were fully restored. That is a lot of lost revenue and goodwill just because one power control module failed in a data center.

Disaster Recovery Planning

Information systems and networks are complex and getting more so all the time. In order to develop a plan to cover a potential interruption consider the following steps:

  • Map out your environment. Understand what systems you have, their operating systems, how they are dependent on each other, and how they are connected to each other via the network. Is it critical that all these elements come up in sequence? This map will be crucial in the event you need to rebuild your systems after a disaster.
  • Understand risks and create a plan. Understand your risk for each system and application. A small application that only runs once a month may not need attention whereas a customer order fulfillment application that runs 24/7 should be able to fail over without interruption. Create a plan to keep the environment running or to restore it quickly.
  • Test the plan. This may be the most important part of the process. Testing the plan on a regular basis ensures that you have accounted for any changes to the environment and ensures that all people are up to date on their part in the event of a problem. Periodic testing also keeps the plan active and not something that becomes “shelfware.”
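The dependency map from the first step can be made machine-checkable, so that a restart order is computed rather than remembered and a recovery test can be compared against it. This is an added example, not part of the original post or a description of Delta's systems; the service names and the observed restart sequence are constructed to mirror the database, application A and application B scenario above.

```python
from graphlib import CycleError, TopologicalSorter

# Constructed dependency map: each service lists what must already be
# running before it can start.
DEPENDS_ON = {
    "database": [],
    "app_a": ["database"],
    "app_b": ["app_a"],
    "reporting": ["database"],
}


def startup_waves(depends_on):
    """Group services into waves; a wave starts only after the previous one is up."""
    sorter = TopologicalSorter(depends_on)
    try:
        sorter.prepare()
    except CycleError as exc:
        # A cycle means no valid restart order exists; the map itself needs fixing.
        raise ValueError(f"circular dependency: {exc.args[1]}") from exc
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())
        waves.append(ready)
        sorter.done(*ready)
    return waves


def sequence_violations(depends_on, observed):
    """Return (service, dependency) pairs where a service started before its dependency."""
    started = set()
    problems = []
    for service in observed:
        for dep in depends_on.get(service, []):
            if dep not in started:
                problems.append((service, dep))
        started.add(service)
    return problems


if __name__ == "__main__":
    print(startup_waves(DEPENDS_ON))
    # Constructed sequence from a recovery test in which power returned
    # and services came up in the wrong order.
    print(sequence_violations(DEPENDS_ON, ["app_b", "app_a", "database", "reporting"]))
```

Running `sequence_violations` against the sequence recorded during each plan test shows whether changes to the environment have invalidated the documented order.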

Thoughts

Businesses increasingly rely on sophisticated technology in order to sell product, service customers and communicate with partners. Any break in that technology can have a real impact on revenue and the long-term viability of the business. Have you tested your business continuity plan lately?


Congratulations 2016 AIM Program Graduates!

This week’s post is the transcript of AIM Program Director Kara McFall’s 2016 commencement address. Commencement took place Saturday, August 13 on the University of Oregon main campus in Eugene.

To our 2016 AIM graduates, their families and supporters; our AIM faculty and staff; and all others who are here to join in the celebration of our 2016 AIM graduating class—welcome. I’d like to start by asking the graduates, faculty, and staff to stand or raise a glass and join me in honoring the families and friends who supported our graduates throughout the AIM Program. Every one of our AIM graduates has worked hard to achieve the right to stand here today as a graduate of the program; but every graduate also had the help and support of their families and loved ones, who agonized along with them over proper APA citations, assignment deadlines, and their nitpicky Capstone 1 instructor. The role that each of you played—as supporters of our AIM graduates—is an important one, and I would like to say thank you.

You are here today with no looming paper deadlines, no assignments that are due, no need to meet with your classmates to complete a team project. I hope you’ve had time to enjoy your new role as AIM alumni and the transition from your previous role as AIM students. I’ve spent the time since your newfound freedom writing and rewriting this address. I struggled honestly with how to frame my message to you, and I finally decided to take inspiration from the 2016 presidential race. Please bear with me.

The fact is, I love politics, and every election cycle I find myself caught up in the campaigns. As a political fanatic of many years, I’ve noticed over time that while each campaign is different, there are some parallels that are universal. In particular, political candidates have a set of terms that they’ve coopted and, in every election cycle, you’ll hear these terms lobbed at the opposition. For my address today, I will be applying those terms to you, our latest AIM graduates. My fellow Americans, I present you with the following indisputable facts about the AIM graduating class of 2016.

First, I would like to state for the record that AIM graduates are flip floppers. In a political campaign when you hear the term flip flopper, it comes when one candidate accuses the other of changing positions on an issue, oftentimes with videotaped evidence showing a candidate proclaiming to take one side of an issue, and at another time proclaiming to take the exact opposite side. I believe that flip flopping is a virtue, and it is my sincere hope that you as AIM alumni live up to the name. There is a reason why we asked you to research and write so many papers exploring various topics during your time in the AIM Program. The intent was not to encourage you to take a rigid stance, but rather for you to learn to gather evidence from sources; examine the sources critically to ensure they meet the five criteria of being of high quality, authoritative, timely, relevant, and lacking in bias; and then, based upon the information you’ve gathered and assessed, make a determination of your position on a topic. We gave you similar opportunities in discussion boards, where our hope was to provide a forum for the exploration of important and timely topics and to foster debate with your classmates and your instructor. I know through working with all of you that some, if not all of you, are emerging from the AIM Program having changed your positions on different topics – you have engaged in flip flopping, and I am proud of you for doing so. The opposite of a flip flopper is someone who is rigid and refuses to learn and grow, someone who clings to a belief despite overwhelming evidence to the contrary. I hope that you will continue to base your positions not on what you believed yesterday, but rather that you will continue to gather information, examine what you find critically and, when warranted, that you will change your stance and embrace your role as a flip flopper.

Next, I would like to point out, ladies and gentlemen, that AIM graduates are uninformed. This may seem like an odd statement for the director of a master’s program to say to a group of graduates who have spent considerable time and resources in obtaining their degrees, so let me explain what I mean. I hope that your time in the AIM Program has taught you that, however much you think you know about a topic, there is always more to learn. I sincerely hope that each of you who leaves the program as an AIM graduate has nurtured or developed a love of learning. Once you have settled into your role as AIM alumni, I want you to continue to fuel your desire to learn by embracing the fact that you don’t know everything—that there are topics on which you are uninformed. I can think of no worse fate than knowing everything—to be stripped of the opportunity for the joy of discovery. I hope that saying the words “I didn’t know that” comes to mean not the admission of ignorance, but instead to represent the opportunity to indulge a continued love of learning.

Finally, I would like to take a moment to talk about failure. Before you get your backs up, let me share my philosophy on failure. Everyone—everyone—fails in achieving a goal at some point in their lives. Those who fail the most are those who have tried the most. Most of us have a hard time when we fail to reach a goal—it’s a horrible feeling and, for goal-oriented people, having to admit that you’ve failed at something can be devastating. Reactions can range from defensiveness—explaining why you didn’t actually fail or why the failure was someone else’s fault—to feelings of negative self worth. I have students every year who view a less than perfect grade on an assignment or in a class as failure, and I understand—grades and what they represent are important, and most of you came into the AIM Program with goals related to your grades. But I hope that one of the lessons you take from the AIM Program is to look at failure to reach a goal as a gift. I want to repeat those words, because the lesson is the single most valuable lesson I have learned in my own life: Failure is a gift. Failure gives you the opportunity to honestly assess why you fell short in your efforts and identify opportunities for you to hone your skills or alter your approach, or even to sometimes let go of one goal for the opportunities represented by another. I want to encourage you to approach failure with grace and with gratitude, and to treat each failure to reach a goal as a gift that provides the opportunity to learn something new about yourself or the world, to improve, and to move in a new direction. I challenge you all to embrace your failures.

To sum up—I hope the AIM Program has provided you with the skills and confidence to pursue the knowledge that will enable you to flip flop on issues rather than remain rigid in your stances, that you will continue to seek out topics on which you are uninformed so that you can indulge a love of learning, and that you will embrace your failures for the opportunities they present. I also hope that you are able to embark on your post-AIM journeys without CNN chronicling your every step. AIM Class of 2016, I am proud of each one of you, and I don’t need an exit poll to tell me that all of you are winners. I hope you will take the opportunity to keep in touch with us as you move into your next phase as AIM graduates. Congratulations to you, AIM Class of 2016!

Technology in Military and Law Enforcement

Police officers and military personnel face potential danger every day. This week we’ll look at technology that supports them and makes their jobs easier and safer.

Bomb Detecting Drones

According to a recent article, there are an estimated 100 million live land mines in the world. Many of these are from conflicts long past, but some are placed to sway the outcome of a current battle. Unfortunately there are no maps to show exactly where these land mines are planted. The Mine Kafon Drone can detect and destroy land mines and is currently looking for Kickstarter funding. It works by mapping an area and then using a metal detector to locate the mines within that area. When one is found, it is tagged with a GPS detector to mark its location. The drone then returns to the operator to be fitted with a robotic arm so that it can place small detonators on the mine. The mines are then detonated remotely with both the drone and the operator out of harm’s way. This is a great example of technology being applied to a serious and life threatening problem throughout the world.

Robots in Police Work

Police and rescue personnel use robots to find and retrieve missing people. These robots or drones can search for people in dangerous places; once a person is detected, the rescuers can plan a safe way to extract them. This is important in situations where someone is in a collapsed building or in an area where there are toxic chemicals.

Similar robots are now being used to neutralize a threat such as an active shooter. These robots are fitted with cameras and sensors, even guns or explosives when the mission is to eliminate the threat. These are used only as a last resort when negotiations break down or are not possible. As I think about the future of such devices, I wonder if we could apply this technology to war strategy. Can we ever get to a point where we choose an isolated location and each side sends out their best drones and robots to try to destroy the other side? The operators and other humans could be safe, far away from the conflict. Would it mean as much to blow up each other’s devices as to actually harm people? It would certainly be safer for us.

Thoughts

I am grateful for those who are developing technology to improve the safety of the men and women who protect us. I will be watching the development of the Mine Kafon Drone and other devices that detect and remove threats. Let me know of any similar technologies that you are aware of. I think this is a young but growing field.


Rule 41 and Digital Privacy Rights

Proposed changes to Rule 41 of the Federal Rules of Criminal Procedure would allow a judge to authorize a search and seizure outside of their jurisdiction. For example, a Massachusetts judge could authorize a search in Alaska or even in a foreign country. This would mainly apply to government electronic hacking efforts into computers and computer networks. The changes have been approved by the Supreme Court and will go into effect on December 1 unless challenged by Congress.

I believe this is a slippery slope that threatens the Fourth Amendment protections against unreasonable searches and seizures. What are the implications of this possible erosion of privacy on our own computers and networks?

The Fourth Amendment

The Fourth Amendment was added as part of the Bill of Rights in 1791 and deals with the search of homes and private property without a properly executed search warrant. It stems from the almost unlimited powers granted to British tax collectors to search homes and property for contraband that wasn’t being returned to King George in the form of taxes. Those who drafted the Fourth Amendment could not foresee 21st century technologies and interconnected systems. At issue now is whether a warrant can be issued remotely and whether one warrant can be issued for hundreds or even thousands of systems through surveillance and hacking.

No Expectation of Privacy

Senior U.S. District Judge Henry Coke Morgan Jr. recently ruled, “people should have no expectation of privacy on their home PCs because no connected computer ‘is immune from invasion.’” This is a ruling associated with a case of government takeover and surveillance of a site on the dark web for the purpose of collecting networking information of visitors. One warrant was issued for many searches, including those outside of the United States. The judge in this case argued that even that one warrant was not necessary because the defendants were engaged in illegal activity and took measures to hide those activities behind the anonymity of the dark web.

Digital Rights

Advocates such as the Electronic Frontier Foundation are challenging this ruling and filed an amicus brief in this case, but to no avail. My main question is how much privacy should we expect on our personal systems and in our transactions on the web? This case maintains that because there are so many hacking attempts we should have no expectation of privacy, even from our government. This seems like a spurious argument at best. I have written before about the notion of geographical boundaries and how those boundaries are disappearing as we engage in more electronic transactions. This case and the proposed changes to Rule 41 only accelerate the dissolution of boundaries.

Thoughts

My aim is to make you aware of the activities and rulings that could affect your right to privacy, particularly digital privacy. Is there cause for concern? Let me know your thoughts.
