Risk Factor

Photograph of caution tape on a tablet surrounded by medical items.

The U.S. Defense Department's Deeply Flawed Electronic Health Records Program

A US $4.3 billion electronic health records program for the U.S. Department of Defense is “neither operationally effective nor operationally suitable,” according to a recently released memo and report from the agency’s director of operational test and evaluation.

Robert Behler pulled no punches in his assessment of the new Military Health System Genesis program, also known as MHS Genesis, and its nascent rollout at three military treatment facilities.

“MHS GENESIS is not operationally effective because it does not demonstrate enough workable functionality to manage and document patient care,” he states. “MHS GENESIS is not operationally suitable because of poor system usability, insufficient training, and inadequate help desk support.”

In his report, Behler indicated that a fourth treatment facility wasn’t assessed because officials wanted a chance to fix the plethora of problems found at the other three sites first.

This may sound like a damning indictment of the program, but according to those in charge of MHS Genesis, everything is going according to plan.

Women with a medical professional preparing to get a breast exam

450,000 Women Missed Breast Cancer Screenings Due to “Algorithm Failure”

Nearly half a million elderly women in the United Kingdom missed mammography exams because of a scheduling error caused by one incorrect computer algorithm, and several hundred of those women may have died early as a result.

Last week, the U.K. Health Minister Jeremy Hunt announced that an independent inquiry had been launched to determine how a “computer algorithm failure” stretching back to 2009 caused some 450,000 patients in England between the ages of 68 and 71 to not be invited for their final breast cancer screenings.

The errant algorithm was in the National Health System’s (NHS) breast cancer screening scheduling software, and remained undiscovered for nine years.

A customer using the TSB Online banking app on an iPhone reads a message from TSB CEO Paul Pester apologizing for IT issues which left online customers unable to access their money and some able to see other people's accounts.

New Software System Snags TSB’s Online and Mobile Banking Customers

Paul Pester, chief executive of TSB bank in the United Kingdom, expressed his regret Wednesday during a Parliamentary Treasury Committee inquiry into the service disruptions caused by the bank’s move to a new IT system. Pester was especially remorseful since his decision has severely damaged the bank’s reputation, infuriated tens if not hundreds of thousands of customers who could not access their bank accounts, and so far has cost Pester an “integration bonus” of at least £1.6 million, if not eventually his job.

An IRS error message appears on a laptop

IRS Warned Congress of “Catastrophic System Failure” Six Months Before Tax Day Outage

On 17 April 2018, the final day for U.S. citizens to file 2017 tax returns, the U.S. Internal Revenue Service (IRS) suffered a major system failure related to the hardware supporting its 58-year-old, 20-million-line COBOL-based Individual Master File system (pdf), which is still being used today to process the vast majority of individual tax returns. As a result of the failure, the IRS extended the filing due date by a day.

Back in 2016, there was another hardware failure that affected the electronic filing of annual tax returns, but luckily, that event happened in February rather than on the April filing due date when millions of returns are typically sent in.

A tablet sits on display at a Uber Technologies Inc. office

FTC Puts Uber on a Short Leash for Security Breaches

It’s not nice―or smart―to deceive the U.S. Federal Trade Commission, especially while you’re in negotiations with the agency over penalties it’s going to impose for previously being dishonest.

Last August, the ride-hailing company Uber entered into a consent agreement with the FTC regarding its supposedly “securely stored” and “closely monitored” (pdf) customer and driver information. Uber bragged that it was using “the most up-to-date technology and services to ensure that none of these are compromised,” and promised that information was “encrypted to the highest security standards available.”

Alas, the FTC found these claims were more chimera than reality. As a consequence of its lackadaisical security practices, Uber experienced a data breach in May 2014 that allowed attackers to access the names and driver’s licenses of 100,000 Uber drivers, along with many of the drivers’ bank accounts and Social Security numbers.

Hands on a computer

Samsung Securities' $105 Billion Fat-Finger Share Error Triggers Urgent Regulator Inquiry

Last week, an employee of Samsung Securities Co., Samsung Group’s stock-trading entity and one of the largest trading companies in South Korea, accidentally issued shares worth some $105 billion to 2,018 of its employees who are members of its stock-owner program. The employees in the program were supposed to receive a dividend totaling 2 billion won (or about $0.93 per share they owned), but were mistakenly issued 2 billion shares instead. The amount issued was more than 30 times the total number of outstanding Samsung Securities’ shares.

Embarrassingly, Samsung Securities admitted that it took 37 minutes to fix what had occurred after it became aware of the problem. Even more humiliating, sixteen Samsung Securities employees were still able to sell off some 5 million shares of their payout, despite repeatedly being warned not to do so by their managers. Perhaps the warnings were ignored because they were able to make about 10 billion won ($9.3 million) each. Four other employees tried to sell their shares, but their trades were stopped before being completed.

Photograph of a man exiting a building labelled with a Commonwealth Bank of Australia sign in Sydney, New South Wales, Australia.

Commonwealth Bank of Australia Tries to Explain Coding Errors Found After 4 Years

The Commonwealth Bank of Australia, the country’s largest bank, finally got around to explaining last week why two software coding errors first disclosed in 2016 lay hidden for more than four years. The errors allowed the approval of personal overdrafts for 9,577 of its customers that should have been declined, while also approving another 1,152 customers for higher overdraft limits than they were qualified for. Many of the customers were in financial distress, and the erroneous approvals allowed them to dig themselves into even deeper financial trouble. The interest rate the bank charged customers on an overdraft was a hefty 16.6 percent.

The coding errors were created in July 2011 when the bank introduced an automated decision tool to process customer overdraft applications, but the problems weren’t discovered until September 2015. During the calculations that decided whether a customer could actually afford an overdraft, one software error in the decision tool’s algorithm failed to count a customer’s rental expenses, while another error accessed a wrong data field that was used for determining a customer’s overall household expenditures. The result was that a customer’s true expenses were likely underestimated or under-assessed. The Australian Securities and Investments Commission (ASIC) fined the bank AU $180,000 for the coding errors on top of the AU $2.5 million the bank had to write off in customer loan balances.

How was the error discovered?

Illustration of the state of Maine made up of people, on a computer with a pointer arrow.

Maine’s New Unemployment System Frustrates the Public and State Workers Alike

Problems with unemployment insurance IT systems and rollouts are common, as exemplified by the difficulties experienced by Pennsylvania, Florida, and California, to name a few. In an attempt to reduce the frequency and cost of failure, several states, with encouragement and funding from the U.S. Department of Labor [pdf], have formed consortiums aimed at creating a core UI system that can then be minimally tailored to meet each state’s unique requirements.

One of the more noteworthy systems is ReEmployUSA, which was formed by Mississippi, Maine, Rhode Island, and Connecticut. The consortium was the brainchild of the Mississippi Department of Employment Security (MDES), which in 2012 finalized the modernization [pdf] of its UI system called Access Mississippi (Access MS). Mississippi offered Access MS to other states as a way to share development and support costs.

Eleven states initially expressed interest [pdf] in Mississippi’s proposal, with Maine and Rhode Island committing to the idea first, followed by Connecticut. The U.S. Labor Department provided $90 million to the consortium to use Access MS as a baseline to be reengineered into a common, cloud-based system that would allow all four states to use it with only 20 to 25 percent tailoring needed.

Photograph of a laptop with computer code on the screen, and a gavel and handcuffs on the keyboard.

Georgia’s Intrusive Computer Intrusion Bill

According to Georgia’s Attorney General Chris Carr, the state is only one of three, along with Virginia and Alaska, without a cybersecurity law that makes it illegal for someone to remotely access your computer and search it for sensitive information, and then sell it to a third party. Presently, it is only illegal in Georgia to access a computer to delete or tamper with its contents. However, this will change if Georgia Senate Bill 315: The Computer Intrusion Bill is finally passed into law.

One could be forgiven for thinking, well, it’s about time. However, cybersecurity experts are worried that SB315 as written is so open-ended that it could potentially make a range of legitimate security research and other innocuous activities into criminal offenses. According to the Electronic Frontier Foundation (EFF), a person doing personal work on their business computer could be at risk of being charged, as would security researchers looking for vulnerabilities on corporate or government websites, or others who scrape online information from public websites. The Georgia ACLU calls the bill “draconian,” while others worry that cybersecurity firms will be negatively affected.

A health service technician aboard the Coast Guard Cutter Healy, measures Petty Officer 2nd Class Robert Martin's heart rate during a physical health assessment

U.S. Coast Guard’s $67 Million EHR Fiasco

In late January, the U.S. House of Representatives’ Subcommittee on Coast Guard and Maritime Transportation held a hearing to review the United States Coast Guard’s $14 million, five-year electronic health record (EHR) system project.

The project, which began in September 2010, ballooned into a $67 million fiasco that the USCG finally ended in September 2015. But the Coast Guard didn’t officially confirm its termination until April 2016. At the time, the USCG public affairs office vaguely explained that there were concerns about whether the project could be completed in a reasonable time and at a reasonable cost. A spokesperson also opaquely added that, “Various irregularities were uncovered, which are currently being reviewed.” Mention of “irregularities” raised a lot of questions that the Coast Guard refused to answer for the last two years.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City