Happtique halts app certification on data security concerns

Health app industry self-policing and ‘trusted sourcing’ credibility at stake?

Updated below. Last week, after Happtique announced its ‘Inaugural Class’ of 19 certified apps [TTA 2 Dec]–certified on their standards of operability, privacy, security and content–a young HIT software developer, Harold Smith III, discovered major security flaws in two of them: MyNetDiary’s Diabetes Tracker and TactioHealth5. User names and passwords were stored in plain text files–not encrypted–and Mr. Smith then subjected both apps to a ‘man in the middle attack’ (MITM), which he explains as “…where a nefarious source intercepts your communication from the App to the server. They decrypt the SSL connection, pull out your data, and send the data on to the server.” Both failed: the intercepted connection was accepted rather than rejected. Worse, in both apps ePHI (electronic Protected Health Information) was neither transmitted securely nor stored in encrypted files. After advising both companies of the problems (one of them in person at the mHealth Summit), as well as Happtique, and receiving no satisfactory response as days passed, Mr. Smith went public on Tuesday and Wednesday on his blog, mHealth and Mobile Development. Both articles deserve careful reading. Our readers with a software development background will appreciate 1) his meticulousness and 2) his ire not only at Happtique but at its validator, Intertek, for the poor technical quality of the vetting; the non-techies like your Editor will appreciate the clarity of his writing.
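For readers who want to see what ‘failing’ an MITM test means at the code level, here is an added example written for this page. It is not code from the original post, from Mr. Smith, or from either app vendor. It contrasts a TLS client that an interception proxy can sit in front of unnoticed with one that verifies the server and additionally ‘pins’ the certificate it expects. The host, port and certificate bytes are constructed stand-ins, not values from either app.

```python
# Added example (written for this page; not code from MyNetDiary, Tactio,
# Happtique or Mr. Smith). Contrasts an interceptable TLS client with one
# that verifies the server and pins the exact certificate it expects.
import hashlib
import socket
import ssl
from typing import FrozenSet


def insecure_context() -> ssl.SSLContext:
    """The failure mode described above: any certificate is accepted, so a
    proxy that terminates TLS with its own certificate can read, store and
    forward everything the app sends, credentials and health data included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """System trust store, hostname check, and TLS 1.2 as a floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a valid chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: FrozenSet[str]) -> bool:
    """True only if the presented certificate is one the app was built to expect."""
    return fingerprint(der_cert) in pins


def fetch_pinned(host: str, port: int, request: bytes,
                 pins: FrozenSet[str], timeout: float = 5.0) -> bytes:
    """Connect with full verification, then refuse to send a single byte of
    the request until the server certificate matches a pin. A proxy whose CA
    has been installed on the device passes the trust-store check; it never
    passes the pin, which is why the pin is the extra layer."""
    ctx = secure_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pins):
                raise ssl.SSLCertVerificationError(
                    f"certificate pin mismatch for {host}: {fingerprint(der or b'')}")
            tls.sendall(request)
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            return b"".join(chunks)


# Constructed stand-ins so the pin logic can be exercised offline. A real pin
# set holds the SHA-256 of the production certificate(s) in DER form.
EXPECTED_CERT_DER = b"constructed: bytes standing in for the real server certificate"
PROXY_CERT_DER = b"constructed: bytes standing in for an interception proxy certificate"
PINS = frozenset({fingerprint(EXPECTED_CERT_DER)})

if __name__ == "__main__":
    # Hypothetical endpoint; the app's real host is not on this page.
    print(fetch_pinned("api.example.invalid", 443,
                       b"GET / HTTP/1.0\r\nHost: api.example.invalid\r\n\r\n", PINS))
```

Two practical caveats: pinning a leaf certificate means the app must ship a new pin before that certificate is rotated, so most teams pin the issuing CA or the public key instead; and none of this helps if the same credentials are then written to a plain text file on the device, which was the other finding above.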

Small blog, big impact today. Happtique has suspended its certification program (website notice) and now has revised certification standards on its website. Regarding the credibility of Mr. Smith, (more…)

Fast takes for Friday

Changes at Center for Connected Health, DecaWave’s chip, Happy Hackers, Healthcare.gov

Center for Connected Health executive to head Portuguese ‘body dynamics’ company in US. Associate Director Joseph Ternullo, who over the years was one of the key organizers of the Connected Health Symposium, is leaving Partners HealthCare/CCH after 17 years to lead the US subsidiary of Kinematix (formerly Tomorrow Options), located in Boston. This was announced by email to CCH contacts today. Kinematix in October raised $2.6 million in Series B funding from Portugal Ventures. Heading the US board is another Partners HealthCare alumnus, Jay Pieper, formerly CEO of Partners International Medical Services. Kinematix’s two products focus on sensor-based monitoring, one for foot health assessment and one for preventing pressure sores and falls. Release. Boston Business Journal….ScenSor senses you to 10 centimeters. A 6 x 6 mm chip (more…)

The sea of security ‘red flags’ that is Healthcare.gov

It’s just a fact of life
That no one cares to mention
She wasn’t very good
But she had good intentions

—Lyle Lovett, ‘Good Intentions’

Experts speaking to the more-than-mainstream Christian Science Monitor confirm the layers of insecurity that are entirely plausible in the current Healthcare.gov website–and in the 14 state (plus DC) websites that feed into the Federal health insurance exchange and up into the little-understood data hub linked to other Federal agencies. Healthcare.gov is supposed to adhere to NIST standards, but those are no guarantee–and the state sites are not required to follow them. The ‘red flags’ cited by experts (aside from ‘Wildman’ John McAfee) make for interesting reading:

  • Cross-site request forgery–a logged-in user’s browser tricked into submitting requests the user never intended
  • ‘Clickjacking’–the legitimate site loaded in an invisible frame over a decoy page, so clicks meant for the decoy land on the real site
  • Cookie theft, and not by the Cookie Monster–session cookies lifted and replayed to impersonate the user
  • Problematic identity verification from state to Federal, from legitimate third-party assisters, from brokers and so on
  • Login fraud–the happy hunting ground of hackers, along with DDoS attacks
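Three of the red flags above (clickjacking, cookie theft and cross-site request forgery) have well-known defences that show up in a site’s HTTP response headers, so a practitioner’s first check is simply to read them. The following is an added example written for this page, not code from Healthcare.gov or from the experts quoted; the two sample responses are constructed for illustration and are not captured from Healthcare.gov or any state exchange.

```python
# Added example (written for this page; not Healthcare.gov code, and the
# sample responses below are constructed, not captured from any real site).
# Audits one HTTP response for the header-level defences against three of
# the red flags above: framing controls (clickjacking), cookie flags
# (cookie theft) and SameSite (one part of the CSRF defence).
from typing import Dict, List


def _cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """Parse 'name=value; Secure; HttpOnly; SameSite=Lax' into
    {attribute_lowercase: value}; bare flags map to ''."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:               # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def audit_response(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every checked defence is present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Clickjacking: the page must forbid being framed by other origins.
    csp = h.get("content-security-policy", "").lower()
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")

    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = _cookie_attrs(raw)
        # Cookie theft: script must not read it, and it must never go over plain HTTP.
        if "httponly" not in attrs:
            findings.append(f"cookie theft: {name} lacks HttpOnly (readable by injected script)")
        if "secure" not in attrs:
            findings.append(f"cookie theft: {name} lacks Secure (sent over plain HTTP)")
        # CSRF: the browser should withhold the cookie on cross-site requests.
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"csrf: {name} has no SameSite=Lax/Strict")
    return findings


# Constructed sample: a weak response beside a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_COOKIES = ["session=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_response(hdrs, cookies) or "no findings")
```

Headers are only the visible half of the story: SameSite narrows the CSRF window but does not replace a per-request anti-CSRF token checked server-side, and neither the verification-chain problems nor login fraud and DDoS in the list above can be judged from a single response. A clean audit here means the cheap mistakes were avoided, not that the site is safe.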

Warnings were apparent as early as 2 October [TTA 8 Oct]. And as our later coverage has explained, undoing all of this is near-impossible even with funding in the less-than-a-month window before the mid-November ‘crash’ deadline, and then the early-January one. Obamacare website security called ‘outrageous’: How safe is it? (+video)

Our 11-14 October compilation is a narrative and summary of major articles on the failure of the Healthcare.gov website and its consequences like none you will see elsewhere.

FDA’s discouraging role in medical device security

According to a Wall Street Journal report (unfortunately paywalled), hospitals are pointing a very long finger at medical device manufacturers for not updating software and leaving devices open to breaches. Yet the manufacturers readily cite FDA’s current guidance as requiring them to resubmit a device for review before issuing software updates or security patches–a reading an FDA spokesperson denies, at least where the update is made solely for cybersecurity. If the draft guidance issued in June is actually finalized, it would go a long way toward settling the question for manufacturers and hospitals alike. Hospitals Say Device Manufacturers Resist Boosting Cybersecurity (iHealthBeat)