Wednesday, November 26, 2014

IDEA Lab Injects Entrepreneurial Tactics into Federal Health Services

The U.S. Department of Health and Human Services creates new lab to test startup techniques with federal health and safety services.

 Health and Human Services CTO Bryan Sivak speaks on open data initiatives at the Health & Human Services Open DataFest on Jan. 21, 2014.

Government can’t be what it used to be. Times have changed. The rote processes, repetitive tasks, drilled in duties — they all represent luxuries (albeit monotonous luxuries) of a fading past.

This is the impetus behind the U.S. Department of Health and Human Services’ newest enterprise, the HHS IDEA Lab. The name itself is an acronym, “IDEA,” meant to encapsulate the motives of Innovation, Design, Entrepreneurship and, above all else, Action. At its most basic, the lab incentivizes employees to reimagine the department’s bureaucratic processes. Fully realized, it is hoped, the lab will systematize innovative thinking inside HHS for the future.

“In the 21st century, things are changing at such a rapid pace, both from a technology perspective and from a societal perspective, that if we want government to be effective, then we need to have an organization that can be proactive — or immediately reactive — without the constraints and confines bureaucracy places on it,” said Bryan Sivak, HHS chief technology officer and the lab’s founder.

In tangible terms, what this means for Sivak is a lab that lifts those confines with three essential ingredients: education, time and the money to make things happen.

These are channeled into the lab’s three initiatives.

The first initiative is all about investing in its workforce. This happens through an annual awards program and an internal accelerator for idea development. The awards program, HHS Innovates, recognizes employees who exhibit productive out-of-the-box thinking; the accelerator, HHS Ignite, equips chosen teams with $5,000 and a three-month runway to develop ideas.

The second initiative doesn’t look inside the agency for inspiration and talent, but outside, turning to the private and nonprofit sectors. In-residence programs, such as the HHS Innovators-in-Residence program, enlist outsiders for one to two years to research methods that improve practices. The HHS Entrepreneurs-In-Residence program, the initiative’s other tool, offers HHS employees the opportunity to hire outside talent for year-long “high-risk, high-reward” projects.

The third initiative promotes collaboration by creating groups that are assigned to answer specific problems. Depending on the problem, Sivak said, the duration of these groups varies. Groups may end after they’ve solved a challenge; however, for large-scale undertakings, they can be ongoing.

“Really, when you think about it, the main goal is to provide a new set of incentives for the folks that work here,” Sivak said. “To help people to move us from this world — where we blindly follow process — to one where we’re free to experiment and focus on outcomes.”

As he is fond of reiterating, this often boils down to culture change. Real culture change, not just lip service and buzzwords associated with innovation. In an organization as bureaucratic and complex as HHS, so risk averse and tied in red tape, Sivak said he’s aware that cultural and behavioral shifts will come slowly and by degrees. Yet the lab is meant to incubate growth and serve as a safe haven for entrepreneurial activity.


Igniting Ingenuity

Already in its third installment, the HHS Ignite accelerator is evidence of the lab’s headway. Literally dozens of projects have been funded, and some, such as a redesign of the hospital check-in process, have saved HHS millions through efficiencies.

Taking a page from bootstrapping startups, the accelerator directs teams to submit project concepts that answer a visible need. Winning one of the 12 or so spots is the goal. And if approved, each team goes on to fashion a “low-res” prototype — essentially a minimum viable product — for their idea. This creation is carefully scrutinized by 15 target customers for input. Finally, with more research, guidance from mentors and their collected customer feedback, teams craft and present a final prototype to HHS judges. The successful projects are deployed inside HHS, with additional funding and resources given based on needs.

“It offers a means through which we can bring startup methodologies and the entrepreneurial spirit into operations,” said Read Holman, the lab’s program manager and Sivak’s senior advisor of internal entrepreneurship. “So, regardless of whether these projects move forward or not, the teams themselves leave Ignite with methodologies and problem solving techniques they can apply to their other work.”

As a paragon of Ignite’s methodologies, Sivak showcased the “Hospital Check-in Redesign” project, a system that fast-tracks patients through emergency rooms by prioritizing patients with quick needs. The idea was devised by Marliza Rivera, Alysia Cardona and Jose Burgos at the HHS Indian Health Service (IHS), a federal health-care provider for Native Americans and Alaska Natives. After a few iterations, Sivak said the trio decreased the percentage of unseen emergency room patients at Arizona’s Whiteriver Indian Hospital from 19 percent to just over 1 percent. Similarly, the team estimated that, with a relatively small investment ($80,000-$100,000 worth of facility renovations), the hospital could see an additional $6 million in added

“I love this story,” Sivak said, “because you’ve got these three people where this isn’t even in their job description, but they had this great idea, and they went for it.”

The lab hopes to breed similarly impactful projects in the near future. In its latest round, Ignite has a total of 28 new finalists from 72 submissions. On Dec. 8, Holman and Sivak will pare these down to 10 or 12 lucky winners.

Monday, November 24, 2014

Retailer-Backed Apple Pay Rival CurrentC Has Been Hacked, Testers’ Email Addresses Stolen


MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others that is backing CurrentC, a mobile payments solution meant to rival newcomer Apple Pay, has been hacked. The data breach involves the theft of email addresses, but the CurrentC mobile application was not affected, the company confirms to TechCrunch.

Within the last 36 hours, MCX says it learned that unauthorized third parties obtained the email addresses of some of its CurrentC pilot program participants and other individuals who had expressed interest in the app.

The group has now notified its merchant partners about the incident and is communicating directly with those individuals whose email addresses were involved, a company spokesperson tells us.

At this time, it appears that only the emails of these early mobile app testers have been stolen. That is not as significant a data breach as having payment data or other personal information taken, like home addresses or phone numbers, as has been the case with other large-scale data breaches, like the one which took place over the last holiday season at Target.

In addition, many of these email addresses were dummy accounts used for testing purposes, which means there may not be that many end users affected at this point, as the solution was still in its pilot phases.

However, MCX says it’s continuing to investigate the situation and will provide more updates as they arrive.

Below is the email being shared with these users, in its entirety:

Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.

In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.

MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.

It’s unclear at this time how exactly the addresses were stolen. As dummy accounts were taken, too, that would seem to rule out a phishing scheme. Phishing requires getting users to click malicious links or take some other action, and is usually kicked off by sending users a legitimate-sounding email in order to trick them. It’s not likely that the creators of the dummy accounts would have responded to phishing attempts.

CurrentC’s maker MCX, for those unfamiliar, is a group of over 50 retailers who have been working to develop their own mobile wallet technology. Essentially, they want to own the mobile wallet experience for themselves, instead of turning it over to a company like Apple, whose Apple Pay mobile payments solution prevents them from gaining access to customer data. Instead, retailers involved with MCX want to use mobile payments as a way to learn more about their customers’ shopping behavior, which could mean they could better target offers to them in the future.

The system works via a mobile application, live now on the app stores, called CurrentC. It’s sort of a clunky tool when compared with Apple Pay, as it involves the use of QR codes. But some retailers, like Starbucks, have seen success with QR codes, and these special barcodes aren’t tied to one platform, like Apple’s, so it makes sense that this is the technology the retailers would adopt. (More information on CurrentC is here.)

CurrentC began making headlines recently, when retailers involved with the initiative shut off NFC in their stores. NFC is the technology that makes Apple Pay and other NFC-based payment solutions, including Google Wallet, work. Customers were trying to use Apple Pay at stores like Rite Aid and CVS, where at first Apple Pay-initiated payments were functioning properly, thanks to the retailers’ NFC-enabled point-of-sale terminals.

But then those retailers disabled NFC at their registers, ending their unofficial support for Apple Pay. The problem, apparently, stemmed from the fact that retailers’ contracts with MCX state they’re not supposed to accept rival mobile payment products. (Walgreens, an Apple Pay partner, has taken advantage of this situation, telling customers via social media that #ChoiceIsEverything.)

With interesting timing, MCX this morning published a blog post to clear up misconceptions about its technology and its aims as a company. One section in the post discussed the security aspects to CurrentC, saying “the technology choices we’ve made take consumers’ security into account at every aspect of their core functionality.”

After a number of high-profile data breaches in recent months, which have seen consumer data stolen from Target, Home Depot, Neiman Marcus, Staples, P.F. Chang’s, Supervalu, and others, there’s a feeling among consumers that retailers should no longer be trusted with our sensitive information, including payment card data and other personal details.

Perhaps the CurrentC hackers agree, and decided to make that point by way of this latest hack.

Thursday, November 6, 2014

'Trojan Horse' Bug Lurking in Vital US Computers Since 2011

A destructive “Trojan Horse” malware program has penetrated the software that runs much of the nation’s critical infrastructure and is poised to cause an economic catastrophe, according to the Department of Homeland Security.

National Security sources told ABC News there is evidence that the malware was inserted by hackers believed to be sponsored by the Russian government, and is a very serious threat. 

The hacked software is used to control complex industrial operations like oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines and even some nuclear plants. Shutting down or damaging any of these vital public utilities could severely impact hundreds of thousands of Americans. 

DHS said in a bulletin that the hacking campaign has been ongoing since 2011, but no attempt has been made to activate the malware to “damage, modify, or otherwise disrupt” the industrial control process. So while U.S. officials recently became aware of the penetration, they don’t know where or when it may be unleashed.

DHS sources told ABC News they think this is no random attack and they fear that the Russians have torn a page from the old, Cold War playbook, and have placed the malware in key U.S. systems as a threat, and/or as a deterrent to a U.S. cyber-attack on Russian systems – mutually assured destruction. 

The hack became known to insiders last week when a DHS alert bulletin was issued by the agency’s Industrial Control Systems Cyber Emergency Response Team to its industry members. The bulletin said the “BlackEnergy” penetration recently had been detected by several companies. 

DHS said “BlackEnergy” is the same malware that was used by a Russian cyber-espionage group dubbed “Sandworm” to target NATO and some energy and telecommunications companies in Europe earlier this year. “Analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor,” the DHS bulletin said. 

The hacked software is very advanced. It allows designated workers to control various industrial processes through the computer, an iPad or a smart phone, sources said. The software allows information sharing and collaborative control.