Studies suggest that 30-50 percent of patients are likely to give up treatments early.  Microsoft Research has developed an innovative, hand-held medical device called Anatonme to help patients understand their issue and complete their treatment plan more often.

We’ve been doing research and development into private, controlled social networking to reinforce private communications between doctor and patient. It’s gratifying to see Microsoft Research doing work in this area.

Private social networking for doctors and patients provides highly effective secure data sharing between doctors and patients. It allows patient-mediated input of data before visits to the office, making the clinical data more accurate and complete and boosting the trust between doctor/healthcare worker and patient.

A private social network has a controlled 1 to N (doctor to patients) topology and physiological and emotional context, unlike Facebook that has a distracting social graph and entertainment context.

A private social network for doctors and patients also provides powerful information exchange and search:

1. Capture critical events on a timeline (for example blood pressure, dizziness etc) that enables the doctor to respond in a timely fashion.
2. Reconciles differences between what the doctor ordered and what the patient did.
3. Granular access control for sharing of data between doctor, patient and referrals.

If you’re interested in hearing more – contact us.

My sister-in-law Ella and husband Moshe came over last night for coffee. Moshe and I sat outside on our porch, so he could smoke his cigars and we rambled over a bunch of topics, private networking,  online banking and the Israeli stock market.  Moshe grumbled about his stock broker not knowing about customer segmentation and how he used the same investment policy with all his clients.   A few anecdotes like that and I realized:

Facebook doesn’t segment friends

There is an outstanding presentation from a person in google research discussing this very point – a lack of segmentation in social networks:

http://www.slideshare.net/padday/the-real-life-social-network-v2

Almost every social networking site makes 4 assumptions, despite the fact that there is ample evidence that they’re wrong.

1. Your friends are equally important
2. Your friends are arranged into discrete groups
3. You can manage hundreds of friends
4. Friendship is reciprocal and equal

In fact :

1. People tend to have 4 – 6 groups
2. Each group has 2-10 people
3. There are strong ties and weak ties.
4. Strong ties are always in the physical world are < 6
5. Weak ties in a business context are  < 150

In the course of a security audit/penetration test of a social networking Web site this week that was developed and deployed on Ubuntu, I was reminded yet again that we all have something to learn.  Even Linux geeks.

A common Web 2.0 rich Web application system deployment involves a Web server running php and postfix for delivery of  email notifications to Web site members. There are 4 key system requirements for such a deployment:

• A. Deploy as a null client, i.e as a machine that receives no mail from the network, and does not deliver any mail locally. This is a hugely important requirement to not turning your Web server into a launchpad for spammers.
• B. Rewrite the default Apache www-data@domain with something more meaningful like
  domain@domain.com without changing PHP code.   This is both a usability issue and a security issue, since it is a bad idea to advertise the fact that your Web site operations are clueless to the point of not knowing how to change default LAMP settings.
• C. Provide a human-readable From: in the header so that the users of your great Web 2.0 social media app will see real names instead of your domain. This is definitely a usability issue unrelated to security.
• D. Mask the email addresses of your users so that you don’t disclose personal information. This is a basic data security and privacy requirement.

Here is how you do it:

Configuring Postfix properly will enable you to have a mail server that does not receive mail from the network
and sends mail without the default www-data@domain in the Return-Path:

A. How to configure Postfix as a null client

See Configuring Postfix as a null client
1 /etc/postfix/main.cf:
2     myorigin = example.com
3     relayhost = example.com
4     inet_interfaces = loopback-only
5     local_transport = error:local delivery is disabled
6
7 /etc/postfix/master.cf:
8     Comment out the local delivery agent entry

Translation:
Line 2: Send mail as “user@example.com” (instead of “user@nullclient.example.com”),
so that nothing ever has a reason to send mail to “user@nullclient.example.com”.
Line 3: Forward all mail to the mail server that is responsible for the “example.com” domain.
This prevents mail from getting stuck on the null client if it is turned off while some remote destination is unreachable.
Line 4: Do not accept mail from the network.
Lines 5-8: Disable local mail delivery. All mail goes to the mail server as specified in line 3.

B. How to set Return-Path in mail headers
Rewrite default Apache www-data@domain with something more meaningful like domain@domain.com

We use the Postfix canonical address mapping for local and non-local  addresses. The  mapping  is used  before mail is stored into the queue and replaces all strings found in the header using a simple, yet very powerful find and replace strategy.

Step by step example:
I’m assuming you’re logged into the command line on your Ubuntu box as a non privileged user with sudo privileges
If you don’t know what this means – ask someone to help you.
1) Create a file using your favorite text editor, call it ‘canonical’ (the name is not important) and put in the following:
www-data@domain domain@domain.com
Each line is a /find/replace/ string, so you can use the canonical for almost anything, for example to replace
names like site_manager  with site.manager@corporate_email_domain.com
2) Convert it in db format suitable for Postfix
sudo postmap hash:/etc/postfix/canonical
3) Put the canonical definition into your /etc/postfix/main.cf file like this:
canonical_maps = hash:/etc/postfix/canonical
4) Reload the Postfix server
sudo postfix reload

C. Provide human-readable From:

D. Mask the real email address of the sender

Using PHP mail correctly will enable you to provide a human-readable From and mask the sender email address. In this little PHP code snippet, we assume that  $from is a standard PHP object with a name attribute, $site is a standard PHP object with an email attribute and $to is a valid recipient email address

$f = $from->name.' <'.$site->email.'>';
$headers = 'From: '.$f."rn";
mail($to, $subject, $body, $headers);

This is the minimal code to get the job done. More than this and you may be getting into trouble and certainly working too hard.

Most PHP developers use a framework like Yii or CakePHP or Elgg (if you’re writing a social networking application) that stores site-wide definitions like site email and site domain name. Make sure that you have the right value for the $site object. For example, in Elgg, the Site email address is site entity meta data and is set via the Elgg Administrator interface and not stored in a standard settings.php configuration file.

So, make sure you have the right value for the site email,  e.g. domain@domain.com or whatever else you need it to be, otherwise, you will be spending a few hours wondering why your code is not working.

Have fun and make sure you don’t forget that there are both users and attackers out there.

Business Requirements

• Business Requirements analysis – Describe the business and its it’s customers, suppliers and users, problems, issues and expectations. This is essential when developing a new application, but also crucial when you’’re making significant changes to an application. “Why” do you want to develop the software and “how much” is it going to cost? Is there a ROI (return on investment). Can your team develop and implement the product?
• P.I.E – – Problems Issues and Expectations - Describe current problems and put the issues and expectations that users have in the current environment into separate categories. An expectation may be crucial to success of the project or it may be a “user satisfaction” feature that can be postponed to Revision 9.5
• Causes and Consequences - Discuss causes of current system problems and their consequences. You will discover that a problem’s result is often a problem in it’s own right. You need to drill down to the root cause of the problem peeling away the symptoms.
• Target system tasks - Discuss and observe users as they work with the software application. Remember that the important things are (a) how easy it is to install/start using a product (b) how fast it works and c) how intuitive is the UI. This is particularly relevant to Web-based applications, where the user experience will make or break the application.
• System Design Alternatives Analysis - Very few systems are new. In alternatives analysis you will consider the strengths and weaknesses of existing approaches including not doing the project at all.

Software security requirements

A business requirements analysis is not enough to ensure that a system meets the real needs of its users or that it will ever succeed in the real world as a product. In fact, reducing a system specification to a set of required functions, without regard to how the functions are used or how they will be implemented in real hardware/software by real people is a guarantee for failure . The design of a new system or major change will usually involve the following steps:

• Task Decomposition - Business requirements are broken down and mapped into software and hardware modules and features.
• User stories- A “user story” corresponds to a feature of a system module. Stories are small, typically limited by an estimate to implement the software for a story by one programmer working for one week. The user story needs to stay in sync with the business requirements – and stay away from gold-plating.
• Data Modeling - Data modeling describes the data elements in the assessed system and the relationships between the data elements. Done in parallel to developing the “user stories” and ensures that the data needed to do the job is on the model.
• User Interface Design – The user interface needs to be considered at an early stage in the software security assessment cycle. Functional requirements are combined with the knowledge gathered about users and contexts of use to provide the most appropriate methods of interaction.
• Incremental assessment by prototyping - Assess a little piece of the system with selected routines and a  UI.  Security assessment prototyping allows vulnerability hypotheses to be tested, with resulting feedback incorporated into an iterative process of software defect reduction. Early prototypes may be purely paper-based to test the design or using a the application to test the software in vitro.

WASHINGTON, Nov 29 (Reuters) – The United States said on Monday that it deeply regretted the release of any classified information and would tighten security to prevent leaks such as WikiLeaks’ disclosure of a trove of State Department cables.

More than 250,000 cables were obtained by the whistle-blower website and given to the New York Times and other media groups, which published stories on Sunday exposing the inner workings of U.S. diplomacy, including candid and embarrassing assessments of world leaders.

The U.S. Justice Department said it was conducting a criminal investigation of the leak of classified documents and the White House, State Department and Pentagon all said they were taking steps to prevent such disclosures in future.

While Secretary of State Hillary Clinton said she would not comment directly on the cables or their substance, she said the United States would take aggressive steps to hold responsible those who “stole” them.

In the directive, federal agencies were informed that employees and federal contractors must avoid viewing and/or downloading classified documents that have been leaked via WikiLeaks disclosures. As the information on WikiLeaks is still classified, even if it’s in the public domain, a federal government employee electronically viewing the information from or downloading the information to devices connected to unclassified networks “risks that material still classified will be placed on non-classified systems”

NOTICE TO EMPLOYEES AND CONTRACTORS CONCERNING SAFEGUARDING OF CLASSIFIED INFORMATION AND USE OF GOVERNMENT INFORMATION TECHNOLOGY SYSTEMS”, Office of Management and Budget, December 3, 2010.

Data security vendor Fidelis Security Systems has announced that they will provide policies in their Network DLP product. Fidelis XPS to help ensure that employees cannot view or download classified documents.

Fidelis XPS is extremely powerful network DLP technology for high speed (in excess of 2.5GB) content interception and analysis in real time of data entering or leaving a network.   With all due respect to the power of Fidelis network DLP, the White House Directive is nonsense.  It’s more security theater, not security countermeasures, designed to show that the administration is “doing something”.

The directive is nonsense for a number of reasons:

a) Requiring employees and federal contractors to avoid viewing and/or downloading classified documents that have been leaked via WikiLeaks disclosures is like saying – “well, you will have to disconnect yourself from the Internet, from Facebook, From Gmail and your smart phone”.   It’s not a practical strategy, since it’s impossible to enforce.

b) The network vector is almost certainly not how the information was leaked.  First of all, this means that network DLP solutions are not an appropriate countermeasure against Wikileaks. Releasing custom network DLP policies for Wikileaks is a crude sort of  link-baiting; misdirected, since Federal decision makers don’t evaluate data security technology  using social media like Facebook.

The Wikileaks documents are provided by trusted insiders that have motive (dislike Obama or Clinton), means (physical, electronic or social access) and opportunity (no one is watching).   There is little utility (besides appearing to be doing something) to install network DLP technology to prevent employees from viewing or downloading.

c) And finally it’s nonsense because the OMB directive talks about viewing and downloading documents and not about leaking.

If the White House is serious about preventing more leaks they should start by firing Secretary Clinton.

Then again – perhaps the wikileaks documents were all leaked under tacit direction from the White House.  Since President Obama has a pattern of sticking it to US friends (Israel, Czech Republic, Poland) whatever embarrassment it might cause friendly allies is more than worth the price of issuing a worthless OMB directive.

Security is not about awareness.

A lot of folks talk about the people factor and how investing in security awareness training is key for data protection.

I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a waste of time and money.  I prefer a  CEO that says “here are my 4 rules” and tells his staff to abide by them, who tell their direct reports to abide by them until it trickles down to the people at the front desk.  Making common sense security part of the performance review is more effective than posters and HR training.

Security from this perspective, is indeed an exercise in leadership. Unfortunately, in  many organizations, the management board sees themselves as exempt from the information security rules that they demand from their middle managers and employees. It might be a general manager bringing his new  notebook into the office, jacking into the corporate LAN and then attaching a wireless USB dongle effectively bridging the corporate network to the Internet with a capital I, not understanding and not really caring about the vulnerability he just created.

Security is not an enterprise GRC system

If you take a look at the big enterprise GRC systems from companies like Oracle – you see an emphasis placed on MANAGING THE GRC PROCESSES – document management and signature loops for ISO certification, SOX audits etc. I suppose this makes the auditors and CRO and Oracle salesperson happy but it has nothing to do with making secure software. In my world – most hackers attack  software, not audit compliance processes and GRC documentation. In other words – managing  GRC processes is a non-value add for security.

Security doesn’t improves your bottom line
Have you ever asked yourself why security is so hard to sell?

There are two reasons.

1) Security is  complex stuff and it’s hard to sell stuff people dont understand.

2). Security is about mitigating the impact of an event that might not happen, not about making the business operation more effective.

Note a curious trait of human behavior  (formalized in prospect theory – developed by Daniel Kahneman and Amos Tversky in 1979), that people (including managers who buy security) are risk-averse over prospects involving gains, but risk-loving over prospects involving losses.

In other words – a CEO would rather take the risk of a data breach (which might be high impact, but low probability) than invest in DLP technology that he does not understand. Managers are not stupid – they know what needs to be done to make more money or survive in a downturn. If it’s making payroll or getting a machine that makes widgets faster for less money – you can be sure the CEO will sign off on making payroll and buying the machine before she invests in that important DLP system.

Since almost no companies actually maintain security metrics and cost of their assets and security portfolio in order to track Value at Risk versus security portfolio over time – a  hypothesis of return on security investment cannot be proven. Indeed – the converse is true – judging by the behavior of most companies – they do not believe that security saves them money

So what is security?

It’s like brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature,  not a vehicle function that improves miles per gallon. It’s clear that a driver who has a lighter foot on the brakes will get better mileage, and continuing the analogy, perhaps spending less money on security technology and more on security professionals will get you better return on security investment.

Challenge your assumptions about what makes for effective security in your organization.  Is enterprise security really about multiple networks and multiple firewalls with thousands of rules? Perhaps a simpler firewall configuration in a consolidated enterprise network is more secure and cheaper to operate?

The privacy controls that governments are attempting to impose on social media and the technical safeguards that social networks like Facebook are implementing seem to be band-aids on a larger and much more significant two-part problem

1. How to enable individuals to control the information they disclose?
2. How to enable individuals to put their value in front of their social graph?

I believe that the brunt of the public debate has been on question number 1 – primarily because of the sheer size and entertainment/leisure time/socializing/shmoozing/networking elements of Facebook and LinkedIn and other social media web sites.  As Bruce Schneier has noted in some of his recent essays – privacy on the Net is not necessarily about forbidding disclosure  (like the regulators are trying to do with PII and PHI compliance regulation) but about controlling what you share.

But  entertainment, leisure time, socializing and networking are not everything in life – and as a matter of fact – most people go to work and either create, make, sell or buy for a living.   Question number 2 is about increasing your disclosure in a controlled way and putting your value forward to your customers and not behind the company that you represent. Value backwards (as opposed to value forwards) is the way most information technology and big pharma is sold today – you work for a security integrator and you’re reselling someone else’s product extolling the virtues of Websense DLP (like 10 other resellers in your geography) or you’re a medical sales representative for MSD and you’re extolling the advantages of Remicade for treating Crohn’s disease.

But – we all know that the reason the customer is talking to you is because he values you (or thinks you might have something of value to sell).

Last year we did a private, professional networking project for one of the big 3 innovative pharmas at one of their Central European offices. It was a successful clinical trial of what we thought was a good idea – enabling medical sales representatives to place their value in front of their social graph of doctors.   As we approach release of the beta version of a productized version – it seems time to get some feedback on the notion of private, controlled networking. So here it is – feel free to comment online or email me.

Frankly – as a data security and compliance consultant who does a lot of work with corporates in social networking (both on the application side and security side), I  would not use technology as an excuse for social media abuse.

This is a cultural and behavioral issue similar to any other content abuse issue. It starts with education: at home, in the school and with parental and teacher role models.

Current definitions of privacy are changing. Regulatory definitions of privacy used by legislators in the credit card and HIPAA compliance space do not seem to be relevant for under 25 users of Facebook – who are happy to disclose pictures of themselves but very careful about what they show and who they would share the media with.  I believe that as social media becomes part of  the continuum of social interaction in the physical  and virtual worlds, privacy becomes an issue of  personal, discretionary disclosure control.

To this extent, it seems to me that we are moving rapidly towards a new generation of social networking that is much closer to what happens in the physical world – centered on individual perspectives, one person, their friends, selective disclosure and information leakage by word of mouth not by IP protocols, social media and public access Web sites like Facebook.

But – that is already another technology kettle of fish.

In a complex global environment, pharma do not have control of computer platforms that local sites use – yet there is an expectation that file and information sharing should be easy yet there are three areas where current systems break down:

1. People forget what files had been shared and with whom they have been shared

2. People have difficulty sharing files with colleagues in a way that is accessible to everyone – firewalls, VPNs, enterprise content management, DRM, corporate data security policy, end point security, file size – these are all daunting challenges when all you want to do is share a file with a colleague in Berlin when you are working in a hospital in Washington.

3. Notifications – how do you know when new information has been added or updated? Not having timely notifications on updates can be a big source of frustration resulting in team members pinging other members over and over again with emails.

Over the past 10 years a generation of complex enterprise content management software systems have grown up – they are bloated, expensive, difficult to implement, not available to the entire multi-center team and in many cases written by English speaking software vendors who cannot conceive that there are people in the world who feel more comfortable communicating in their native tongue of French, German, Hebrew or Finnish!

We are developing (currently in beta with a Tier 1 bio-pharma in EMEA)  a Web-based, agile collaboration system with a light-weight, easy to use, simple architecture, that saves time and reduces IT and travel costs – and literally gets everyone on the same page.

The system resolves the 3 breakdowns above while recording all user activities in a detailed audit trail in order to meet internal control and FDA regulatory requirements.

The system also provides significant cost benefits in addition to improving information collaboration:

• Reduces travel costs: Using online events, integrated media and file sharing and discussions, the clinical trial team and investigators can conduct program reviews, education activities and special events.

• Eliminates proprietary IT: No proprietary software or hardware and no IT integration. No extra investments in information technologies, CRM, sales force integration and data mining.

If this interests you – drop me a line!