Subject: RISKS DIGEST 11.70
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 22 May 1991  Volume 11 : Issue 70

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Shuttle Columbia delayed (PGN)
  Patriot Lapse and Software Failure (Marc Rotenberg, Gene Spafford)
  Let the Games Begin! [Airline discounting practices] (Jerry Leichter)
  Yet another Push The Button story (Jonathan Rice)
  HHS malpractice data bank start-up problems (Richard Guy)
  Re: Scientific American Sidebar (Willis H. Ware)
  2ND CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16 (Walter Maner)

  The RISKS Forum is moderated.  Contributions should be relevant, sound, in
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
  "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
  For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
  CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits).
  Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
  The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
  <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  Relevant contributions may appear in the RISKS section of regular issues
  of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 22 May 91 19:16:30 PDT
From: "Peter G. Neumann"
Subject: Shuttle Columbia delayed

NASA halted the space shuttle Columbia's launch countdown on 21 May 91 because
of ``bad computer parts and fuel sensors''.  ``The parts to be replaced include
nine fuel temperature sensors, one of the five main computers and one of the 23
units that link the main computers with shuttle components.''  Retry is
scheduled for 28 May.  [San Francisco Chronicle, 22 May 91, p.A8]

------------------------------

Date: Tue, 21 May 91 17:59:03 PDT
From: cdp!mrotenberg@labrea.Stanford.EDU
Subject: Patriot Lapse and Software Failure

The New York Times reported that computer failure was responsible for the
failure of a Patriot missile to stop a Scud missile that hit an American
military barracks in Dhahran.  According to the Times story, the Patriot's
radar system was rendered inoperable by the computer failure.

According to army officials, "an unforeseen combination of `dozens' of
variables -- including the Scud's speed, altitude and trajectory -- had caused
the radar system's failure. . . . [this case was] an anomaly that never showed
up in thousands of hours of testing."

The Times article states that "During the war, American military officers were
reluctant to discuss any weapon failings.  But even after the cease-fire, many
officers were averse to say anything that might tarnish the one-sided allied
victory over Baghdad's forces."

["Army is Blaming Patriot's Computer For Failure to Stop Dhahran Scud" --
New York Times, May 20, 1991, A6]

Marc Rotenberg, CPSR Washington Office.

   [The NY Times front-page story (Eric Schmitt, 20 May 91) cited 28 dead in a
   U.S. military barracks in Saudi Arabia on 25 Feb 91, the single worst
   American casualty in the war.  Apparently the radar never saw the incoming
   missile because of a computer failure, permitting the Scud to land intact.
   (This latest report corrected an earlier report, which suggested that the
   Scud had broken up into pieces without a Patriot having been launched.)
   An AP article on 21 May cited 29 killed and 97 wounded.
   PGN]

------------------------------

Date: 21 May 91 14:17:00 GMT
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: AP reports software bug caused Patriot failure

[...] The article concludes with:

   "The Army source said the glitch arose because the computers had been
   running continuously for four days."

FOUR DAYS!?  I sure hope that the article is wrong or the person being quoted
didn't understand.  There is no excuse for a system that fails if it isn't
rebooted every few days, especially when it is in such a critical application.

And these are the guys who claim they can develop a permanent missile shield
for SDI?  Just whose side are they on?

Gene Spafford, Dept. of Computer Sciences, Purdue University,
W. Lafayette IN 47907-1398
Internet: spaf@cs.purdue.edu   phone: (317) 494-7825

------------------------------

Date: Tue, 21 May 91 08:02:23 EDT
From: Jerry Leichter
Subject: Let the Games Begin! [Airline discounting practices]

In a recent RISKS, I reported on the airline practice of adjusting the number
of discount seats on flights on a continuous basis.  This practice, known as
yield management (I mistakenly called it load management), allows them to
maximize profit.  I also noted that some travel agencies were starting to
respond to yield management - only possible because of the massive
computational resources available to the airlines - with computers of their
own, which continuously search for good deals.

Well, for every offense there's a defense, and for every defense an offense.
The Wall Street Journal (Monday, 20-May, page B1: "Agents Rankle Airlines With
Fare-Checking Programs") reports on the next exchange in this battle: The
airlines are changing the fee structure for their reservation systems in an
attempt to shut down the scanners.  Traditionally, access to the systems has
been on a flat fee basis.  Now, the airlines are beginning to charge per
inquiry beyond a certain monthly quota.  The fees are about a penny per
inquiry, but that adds up - one agency will reportedly run up fees well in
excess of $100,000 a year.

The airlines, of course, claim the fees are being imposed for a different
reason - they say the programs are putting excessive load on their systems and
adding to their cost of operation.

The developers of the scanners are modifying them to make fewer inquiries, and
will also try to pass on the costs to their customers.  However, some experts
in the business believe the airlines will win this war, and that the scanner
programs have no future.

Michael Levine, dean of Yale's School of Organization and Management and a
former CAB official, is quoted saying "You have to be concerned about the
consumer's perspective.  Consumers ought to have the right to shop, and nothing
should impede that."  I suspect he may have framed one of the next big computer
law and regulation issues.

							-- Jerry

------------------------------

Date: Mon, 20 May 91 9:54:51 CDT
From: rice@willow.cray.com (Jonathan Rice)
Subject: Yet another Push The Button story

Control Data CYBER 170 series mainframes, and at least one generation of their
descendants, were watched over by a box called the TMPC: Temperature Monitor
and Power Control.  One pushbutton on this device, usually mounted conveniently
close to the operator's console, was labeled "LAMP TEST."

Unfortunately, pressing the button not only illuminated each of the failure
modes on the diagnostic panel, but actually raised all of the alarm signals --
high temperature, motor/generator failure, etc.  The mainframe would shut down
to the tune of the world's awfullest buzzer and the curses of the operators.

*Every* CDC site I ever visited, and that was a fair number, had a "lamp test"
story to tell.  And many had ordered a blank keycap to replace the original.

To add to the growing collection of morals, then: emergency shutdown switches
should not be labeled with the equivalent of "Push Me."

Jonathan C. Rice | Internet: rice@cray.com | UUCP: uunet!cray!rice

------------------------------

Date: Mon, 20 May 91 14:48:46 PDT
From: Richard Guy
Subject: HHS malpractice data bank start-up problems

"The malpractice data bank is turning into a Frankenstein"
by Mark Holoweiko, Senior Editor, _Medical Economics_, May 6, 1991
[a medical trade journal sent unsolicited to members of the American Medical
Association]

Despite warnings by the General Accounting Office that it was nowhere near
ready to operate, the National Practitioner Data Bank was opened last Sept. 1
by the Department of Health and Human Services.  By law, medicine's dirty
laundry began pouring into a Camarillo, Calif., computer facility run by
Unisys Corp., which had contracted with HHS to handle the project.
Malpractice insurers, hospitals, state licensing boards, and other
"health-care entities" started mailing in information about doctors and
dentists--mostly reports of payouts on professional-liability claims, and
adverse credentialing and licensure decisions.  Simultaneously, hospitals
began querying the data bank for information on medical staff members and
applicants.  In addition, licensing boards, medical societies, and other
entities, such as certain HMOs and group practices, became eligible to query
the data bank.

Only six weeks later, it appeared that the GAO's fears had already been borne
out.  The dirty laundry was piling up at the door.  The software that Unisys
was supposed to develop either wasn't in place or didn't work, so the company
was trying to cope manually with the deluge of information and requests.  The
backlog of queries numbered in the tens of thousands, producing eight- to
10-week delays in response time.  In the absence of a data-bank reply,
hospitals, licensing boards, and others wondered if they could safely give a
doctor the green light to practice.
To complicate matters, both the GAO and the HHS Office of the Inspector General
raised concerns about the confidentiality of the data; hundreds of physicians
lodged disputes over the wording of reports about them; and Unisys experienced
major cost overruns and demanded more money.  Meanwhile, in light of GAO
criticisms, Congress threatened to cut off funds that had already been
appropriated for 1991.  Finally, Unisys had such big problems of its own that
its solvency seemed questionable.

Will the data bank ever work?  "Since we opened Sept. 1, the bank has been
operating as we had hoped it would," insists Robert G. Harmon, M.D.,
administrator of HHS' Health Resources and Services Administration, which
oversees the bank.

But few share Harmon's view.  "They're having a terrible time," says James S.
Todd, M.D., executive vice president of the American Medical Association and a
member of the data-bank executive committee, which advises Unisys on the
project.  "The project is really in jeopardy at this point," declares another
committee member.

EGGS WERE LAID AT THE PLANNING STAGE

"The people involved in designing the project didn't know what they were
doing," says an executive committee member.  "They didn't understand
insurance, medical malpractice, computers, the basic components of the whole
project.  And they got themselves into a real mess."

Back in the spring of 1990, the GAO examined the data bank's development by
HRSA and Unisys, then presented a report to HHS bluntly titled, "National
health practitioner data bank has not been well-managed."  Among other things,
the GAO said:

>"No one person has been accountable. ... [sic] Instead, accountability is
shared by at least 14 HRSA officials."  And none of the 14 had "the necessary
training and experience" to ensure that the system would meet specifications.
Consequently, HRSA was relying on Unisys "to carry out the critical management
functions of establishing plans, schedules, and budgets, and ... [sic] testing
computer programs before they are implemented."

>The project's total cost might increase from $15.8 million to $25 million.

>"HRSA cannot ensure that appropriate security measures will be installed to
prevent unauthorized access and manipulation of data-bank information,"
because it hadn't complied with government regulations and conducted a risk
analysis.

GAO recommended that the September 1990 opening be postponed.

In response, HRSA engaged government computer experts to evaluate security and
test the software.  They found several weaknesses.  For example, the system
wasn't equipped to detect unauthorized changes to the data and trace them back
to the culprits.

Nevertheless, through the Office of Inspector General, HHS maintained that
"the management processes employed by HRSA are both reasonable and adequate,"
and "the confidentiality concerns have been adequately addressed."  It pushed
for the Sept. 1 launch.  Adding that Unisys' request for another $9 million
was "out of line" and had "subsequently been withdrawn by the contractor," HHS
asserted that the project was on schedule and within budget.

The House Appropriations Committee temporarily withheld data-bank funds for
fiscal 1991 pending assurances from HHS Secretary Louis W. Sullivan that the
deficiencies cited by GAO had been corrected.  But government computer experts
certified the system as secure, the funds were released, and HHS forged ahead
and opened the bank.

THE FINANCIAL SITUATION IS PRECARIOUS

[omitted; operating expense overruns; Unisys losses]

BACKLOGS ARE HOLDING UP CREDENTIALS

The first order of business was to clear the logjam.  As of February, there
was a backlog of about 500 reports to enter into the system, and 108,000
queries to answer.

"There's been an eight- to 10-week wait for responses to queries from
hospitals," says James Todd.  "That's a long time when you're talking about
credentialing.  Take a new physician coming to a hospital.  The hospital has
to query the bank before it can grant him privileges.  Does the physician have
to sit and do nothing for two months?  Or, if he starts practicing without a
response from the data bank, what is the hospital's liability?"

According to the AMA, some doctors have, indeed, complained that hospitals
refused to grant them privileges until hearing from the data bank.  But the
law creating the data bank seems to contain a loophole: All it stipulates is
that a hospital must *query* [emphasis original] the bank before it grants
privileges; it doesn't have to wait for a response.  Accordingly, the American
Hospital Association's general counsel, Fredric Entin, advised hospitals to
proceed with granting or renewing privileges.  "I've heard that some hospitals
have let the delay paralyze them, but I suspect it's very few," says Entin,
who's a member of the executive committee.

The situation is similarly discouraging for state licensing boards, says James
R. Winn, M.D., executive vice president of the Federation of State Medical
Boards: "Most are querying the data bank before issuing licenses, but getting
information has been very slow."

As this issue went to press, however, Fitzhugh Mullan, M.D., HRSA's project
director for the data bank, told us that the backlogs and delays had been
reduced to "zero."

DOCTORS ARE DISPUTING THE REPORTS

Reports to the data bank are supposed to include a description of the
practitioner's alleged wrongdoing.  This narrative is limited to a maximum of
600 characters, or about 50 words.

[... example and further discussion of wording dispute procedures omitted]

If the data bank ruins a doctor's reputation by disseminating erroneous
information, can the physician sue Unisys or HHS for damages?  "I don't
believe so," says AHA General Counsel Fred Entin.  "The government has
sovereign immunity.  That means that you have to get the government's
permission before you can sue it.  And since Unisys is acting as a government
contractor, I think this immunity would extend to the company as well."

CONFIDENTIALITY IS HIGHLY QUESTIONABLE

"I feel that the data bank is secure," says HRSA's Robert Harmon.  "We have
numerous safeguards built into the computer systems.  The computers themselves
are housed in a secure facility that does work for the Pentagon.  Personnel
have to be cleared.  There are stiff penalties for improper use of the
information."  (Each violation is punishable, via the IG's office, by a civil
monetary penalty of up to $10,000.)

But that's not the issue, says Ronald S. Gass, senior counsel for the American
Insurance Association and a data-bank committee member.  "The facility in
California has ultra-high security, guard dogs, barbed wire, and all that
stuff," he agrees.  "But is it sending information out the right way?"

As of February, according to government figures, about 12,500 organizations
had been authorized to query (or, in the case of malpractice insurers, just
report to) the data bank.  When we added up all the nation's hospitals, HMOs,
malpractice insurers, and physician and nurse licensing boards, the total fell
short of 12,500 by roughly 5,000.  Surely, hundreds of these are group
practices, professional societies, and preferred provider organizations.  But
exactly who they are is anyone's guess.  Furthermore, so many and varying
types of organizations are legally entitled to query the bank that leaks seem
inevitable.

[more discussion of "self-certification" access loopholes; also discussion of
an emerging practice of requiring physicians to produce data-bank reports as a
part of credentialing process.]

THERE ARE OTHER HOLES IN THE SYSTEM

[discussion of hospital peer review decisions, confidentiality, liability of
peer reviewers omitted]

MORE DEMANDS MAY OVERTAX THE SYSTEM

As currently programmed, the bank's computers can't distinguish medical
doctors from other practitioners, or tell what percentage of reports concern
malpractice payouts and disciplinary actions.  A policy analyst with HRSA
acknowledges that Unisys "can't even tell us how many hospitals have queried,"
let alone how many HMOs, insurers, group practices, and others have access.
"This is the office that sets the policy," she continues.  "Even *we*
[emphasis original] don't have access to that information."

Insurers for all licensed health practitioners--not just doctors and
dentists--are now supposed to be reporting payouts on malpractice claims.  Are
they?  "At this point, the system is not capable of pulling that out," the
analyst admits.

[further discussion of which government agencies have access to the data bank;
legislation confusion over the extent of data the bank is to contain]

THE PROGNOSIS IS GUARDED FOR NOW

[complaints about query costs ($3 now, maybe $6 soon), paperwork burden]

One big flaw may be the type of information being gathered.  "While the data
on disciplinary actions is pretty current," notes Larry Smarr, "the stuff on
malpractice claims is old because claims are usually paid six or seven years
after the events that precipitated them.  So I don't know how this is ever
going to be of value in identifying problem physicians."

A concurring view comes from Sara C. Charls, M.D., who represents the Council
of Medical Specialty Societies on the executive committee: "The inclusion of
malpractice cases--especially those settled for small amounts--waters down the
whole purpose.  The estimate is that malpractice cases comprise 80 percent of
the reports to the data bank, and they're the least reliable indication of
physician competence.
I think an enormous amount of money is going into a system that will be
paralyzed by its own weight."

------------------------------

Date: Tue, 21 May 91 10:56:06 PDT
From: "Willis H. Ware"
Subject: Re: SCIENTIFIC AMERICAN SIDEBAR

With respect to the sidebar on page 27 of the June Scientific American which
discusses privacy and about which there have been a few messages to RISKS
FORUM, I'm afraid that in the process of getting from my remarks during a
panel session at the CFP Conference into print some distortions unfortunately
occurred.  Paul Wallich, by-lined for the article, is someone that I talk with
from time to time but it wasn't quite as he reported.  Clarification is
warranted.

I said explicitly that the U.S. had used a piecemeal approach with minimal
privacy laws in contrast to the European approach of a comprehensive law that
typically creates an all-powerful data protection body of some sort and
generally with a data-protection commissioner.  I did use the phrase "nickel
and dime" as a surrogate for "piecemeal and minimal", not as indicative of
deliberate actions to stonewall or kill off privacy.  The appendage "to death"
crept in; it is not mine and it changed the meaning.

I did not say that the commercial sector is THE enemy but rather that it was
time to consider it as an additional opponent to privacy along with
government, which was the early focus of concern because of its widespread
control over entitlement programs.

I did say "I've watched nothing happen" because nothing has happened for
privacy in 17 years.  At best the country has resisted erosion of the positive
actions of the 1970s.

I think I did not admit to depression but on the contrary, I said explicitly
that I would not quit the game and would continue to seek solutions.

It is because of the U.S. failure to put in place comprehensive privacy
legislation that Simon Davies [Australia] did indeed say [as reported] that
the U.S. is an embarrassment to the rest of the world.

I wish that Mr. Wallich would have picked up the much more important point
that I hope was made clearly to the Conference audience.  The only basis that
I can think of for structuring the privacy issue is to regard it as a social
equity problem in which the stakeholders include not only every individual but
also private sector organizations and government.  A forum is needed to
identify, compare, discuss and balance off the obviously competing interests
of the different parties.  Where to find such a forum and how to conduct the
dialogue is indeed an awkward problem presently without an answer.

Willis H. Ware

------------------------------

Date: 21 May 91 06:47:32 GMT
From: maner@bgsuvax.UUCP (Walter Maner)
Subject: 2ND CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16

The National Conference on Computing and Values will convene August 12-16,
1991, in New Haven, CT.  N C C V / 91 is a project of the National Science
Foundation and the Research Center on Computing and Society.

Specific themes (tracks) include

  - Computer Privacy & Confidentiality
  - Computer Security & Crime
  - Ownership of Software & Intellectual Property
  - Equity & Access to Computing Resources
  - Teaching Computing & Values
  - Policy Issues in the Campus Computing Environment

The workshop structure of the conference limits participation to
approximately 400 registrants, but space *IS* still available at this time
(mid-May).

Confirmed speakers include Ronald E. Anderson, Daniel Appleman, John Perry
Barlow, Tora Bikson, Della Bonnette, Leslie Burkholder, Terrell Ward Bynum,
David Carey, Jacques N. Catudal, Gary Chapman, Marvin Croy, Charles E. M.
Dunlop, Batya Friedman, Donald Gotterbarn, Barbara Heinisch, Deborah Johnson,
Mitch Kapor, John Ladd, Marianne LaFrance, Ann-Marie Lancaster, Doris Lidtke,
Walter Maner, Diane Martin, Keith Miller, James H. Moor, William Hugh Murray,
Peter Neumann, George Nicholson, Helen Nissenbaum, Judith Perolle, Amy Rubin,
Sanford Sherizen, John Snapper, Richard Stallman, T. C. Ting, Willis Ware,
Terry Winograd, and Richard A. Wright.

The registration fee is low ($175) and deeply discounted air fares are
available into New Haven.

To request a registration packet, please send your name, your email AND paper
mail addresses to ...

  BITNet    MANER@BGSUOPIE.BITNET
  InterNet  maner@andy.bgsu.edu (129.1.1.2)

or, by fax (419) 372-8061
or, by phone (419) 372-8719 (answering machine), (419) 372-2337 (secretary)
or, by regular mail,

  Professor Walter Maner
  Dept. of Computer Science
  Bowling Green State University
  Bowling Green, OH 43403 USA

Terrell Ward Bynum and Walter Maner, Conference Co-chairs

InterNet maner@andy.bgsu.edu (129.1.1.2)   | BGSU, Comp Science Dept
Relays   maner%bgsu.edu@relay.cs.net       | Bowling Green, OH 43403
         maner%bgsu.edu@nsfnet-relay.ac.uk | 419/372-2337 Secretary
BITNet   MANER@BGSUOPIE                    | 419/372-8061 Fax

------------------------------

End of RISKS-FORUM Digest 11.70
************************