Cyber Security for Healthcare

Since the boom of technology in healthcare, doctors and hospitals are slowly being released from the need for physical proximity for care delivery. This has been accelerated by the big move towards remote care and telehealth due to the pandemic. The healthcare industry has also significantly benefited from connected devices such as remote patient monitoring devices, sensors, wearables, and records management software. According to a 2020 Forrester report, connected devices make up 74% of the devices in the healthcare industry. However, this modernization of healthcare comes with its pitfalls. The threat landscape is growing exponentially as healthcare organizations move beyond defined physical boundaries. With the surge in connected devices, medical device security is now a global concern. For example, the 2017 WannaCry ransomware attack had a widespread impact on National Health Service hospitals in England and Scotland, with as many as 70,000 devices affected.

Recent years have witnessed a significant increase in the number of cyberattacks. Healthcare is reported to be two to three times more prone to cyberattacks than other industries. The US Department of Homeland Security, the FBI, Interpol, and the United Kingdom’s National Cyber Security Centre have issued several advisories to healthcare organizations on the rise in cyberattacks and ransomware.

Cyberattacks in Healthcare

Cybersecurity in healthcare includes protecting data and electronic assets from unauthorized access, use, or disclosure. Some of the common cyberattack routes that can lead to credentials misuse, data, and/or resource hijack include:

  • Ransomware, through which an attacker uses malware to take control of individual devices or servers and holds them until money or other demands are met
  • Malicious websites that collect data or compromise the visiting device
  • Phishing attacks delivered through email
  • Blind spots in encrypted traffic that go uninspected
  • Weak passwords and unencrypted devices

Despite the surge in cyberattacks, most healthcare organizations allocate only a minuscule portion of their total IT budget to cybersecurity. These attacks disrupt the delivery of patient care across healthcare facilities. Beyond the compromise and possible misuse of sensitive private data, these incidents can harm patients directly, since tampering with records can result in wrongful diagnoses or delays in treatment.

Cyber Security Strategy

The three goals of cybersecurity, also known as the ‘CIA triad,’ focus on protecting the confidentiality, integrity, and availability of information. Market research leaders such as Gartner & Forrester recommend that organizations within the government and the private sector take a collaborative, layered approach to protect patients and their data from cyber threats. To that end, the various aspects that healthcare industry players must focus on while preparing a cybersecurity strategy are:

  • Architecture analysis
  • Effectiveness of analytics and reporting
  • Preparation for attack
  • Threat research
  • Device visibility
  • Vulnerability management
  • Integrations
  • Vision
  • Roadmap
  • Market approach

To plan an effective cybersecurity strategy, companies must involve different teams, including the CISO, CIO, infrastructure and application leaders and teams, and security and risk management teams. The steps typically include:

  • Alignment of the strategy with organizational security and business goals
  • Development of an action plan based on a vulnerability assessment, board buy-in and resource backing, and a policy framework
  • Execution leveraging the right tools, technologies, and skill sets
  • Program maturation through critical incident response, advanced analytics, and employee training and enablement
  • Continuous reassessment and realignment through metrics and feedback, with the required optimizations

Cyber Security Planning

Although the above form the base to start a cybersecurity strategy, implementing recommended safety practices depends on the organization’s size, complexity, and type. The key factors can be categorized as health information exchange partners, required IT capabilities, cybersecurity investment required, healthcare service provider size, and service complexity. Once these factors are established, a cybersecurity system with at least the following components must be implemented:

  • Firewall – Build a robust firewall to protect the system from outside threats
  • Access categorization – Regulate admission or access to suspicious and infected websites to protect the system
  • Intrusion Detection System (IDS) – Use IDS to analyze inbound and outbound traffic based on traffic logs
  • Intrusion Prevention System (IPS) – Complement the IDS with an IPS that blocks or allows traffic based on whether it is judged malicious
  • Policy management – Develop a set of rules that helps strengthen the firewall security of the system.
  • Virus scanning capabilities – Implement antivirus systems such as Avast, McAfee, Norton to help improve protection against malware, spam, and phishing.
  • Security Information and Event Management (SIEM) – SIEM collects and correlates logs so that attacks on the network are recorded and can be managed.
  • Patching – Regular patches for computers and programs must be done without delay to avoid system compromise
  • Continuous end-user education – To build a network defense, users must have a fair understanding of the different types of threats. Knowledge about trusted networks, password strength, and even email etiquette must be shared with all users.
  • System updates – To reduce the risk of hacking and viruses, update software to the latest version. Keeping software up to date reduces exposure to malware.
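The IDS and SIEM bullets above describe collecting traffic and authentication logs and correlating them into alerts. The following Python script, added here as an illustration and not taken from the article or from GAVS, runs two such correlation rules over a handful of constructed log lines: a password-guessing rule (several failed logins from one source against one account inside a short window, flagged more seriously when a successful login follows) and a fan-out rule (one internal device opening connections to many distinct external hosts). The log format, host names, user names and addresses are all constructed.

```python
"""Toy SIEM-style correlation over constructed log lines.

Added example for the IDS / SIEM components listed above; not code from
the original article or from GAVS. The log format, host names, user
names and addresses are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = [
    # auth events: five failures then a success from one source within 20 s
    "2021-03-01T09:00:01 auth ehr-app01 FAILED_LOGIN user=dr.smith src=10.20.5.40",
    "2021-03-01T09:00:05 auth ehr-app01 FAILED_LOGIN user=dr.smith src=10.20.5.40",
    "2021-03-01T09:00:09 auth ehr-app01 FAILED_LOGIN user=dr.smith src=10.20.5.40",
    "2021-03-01T09:00:13 auth ehr-app01 FAILED_LOGIN user=dr.smith src=10.20.5.40",
    "2021-03-01T09:00:17 auth ehr-app01 FAILED_LOGIN user=dr.smith src=10.20.5.40",
    "2021-03-01T09:00:21 auth ehr-app01 LOGIN_OK user=dr.smith src=10.20.5.40",
    # a single mistyped password that must not raise an alert
    "2021-03-01T09:05:00 auth ehr-app01 FAILED_LOGIN user=nurse.lee src=10.20.7.12",
    # firewall events: a monitoring device fanning out to several external hosts
    "2021-03-01T09:10:00 fw edge-fw01 CONNECT src=10.20.9.77 dst=203.0.113.10:443",
    "2021-03-01T09:10:30 fw edge-fw01 CONNECT src=10.20.9.77 dst=203.0.113.11:443",
    "2021-03-01T09:11:00 fw edge-fw01 CONNECT src=10.20.9.77 dst=203.0.113.12:443",
    "2021-03-01T09:11:30 fw edge-fw01 CONNECT src=10.20.9.77 dst=203.0.113.13:8443",
    "2021-03-01T09:12:00 fw edge-fw01 CONNECT src=10.20.5.40 dst=198.51.100.5:443",
    "garbage line that the parser must skip",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    event = {"ts": ts, "source": m["source"], "host": m["host"], "event": m["event"]}
    event.update(dict(KV_RE.findall(m["rest"])))  # key=value fields after the event name
    return event


def parse_lines(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Password-guessing rule: `threshold` failed logins from one source against
    one account inside the window; flagged higher when a success follows."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e.get("src"), e.get("user"))
        if e["event"] == "FAILED_LOGIN":
            failures[key].append(e["ts"])
        elif e["event"] == "LOGIN_OK":
            successes[key].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, user), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted failures
            if times[i + threshold - 1] - times[i] <= window:
                last_fail = times[i + threshold - 1]
                alerts.append({"src": src, "user": user, "failures": threshold,
                               "followed_by_success": any(t > last_fail for t in successes[(src, user)])})
                break  # one alert per (source, account) pair
    return alerts


def detect_fanout(events, threshold=3):
    """Fan-out rule: one source contacting `threshold` or more distinct external hosts."""
    dests = defaultdict(set)
    for e in events:
        if e["event"] == "CONNECT" and "src" in e and "dst" in e:
            dests[e["src"]].add(e["dst"].rsplit(":", 1)[0])  # drop the port, keep the host
    return {src: len(hosts) for src, hosts in dests.items() if len(hosts) >= threshold}


def correlate(lines):
    """Run both rules over raw log lines and return the alerts."""
    events = parse_lines(lines)
    return {"bruteforce": detect_bruteforce(events), "fanout": detect_fanout(events)}


if __name__ == "__main__":
    print(correlate(LOG_LINES))
```

Both rules work purely on the structured fields the parser extracts, so the same code runs over an IDS export or a firewall feed once the regex is adapted to that format; the thresholds are tunable parameters, not fixed constants, because the right window for a busy clinical application differs from that of a bedside device that should rarely talk to the internet at all.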

GAVS for Cyber Security

Leveraging the alliances of global technology leaders in Cyber Defense, Endpoint Security, IAM, and others, GAVS delivers superior AI-led cybersecurity services to proactively manage risk. From assessment, operations, and strategy, GAVS offers various services including:

  • Assessment and advisory services
  • Security operations
  • Digital identity services
  • Security project implementation
  • DevSecOps and cloud security

As the dependency on technology increases, robust cybersecurity is imperative to conduct day-to-day operations, protect data, and improve patient safety. The healthcare industry must prioritize cybersecurity initiatives from fiscal, technical, and operational standpoints by upgrading or replacing legacy systems, implementing cybersecurity awareness and training programs, conducting continuous end-to-end security risk assessments, increasing budgets, and most of all, considering cybersecurity an integral part of organizational strategy and not as a stand-alone initiative.

To learn more about GAVS cybersecurity offerings, please visit https://www.gavstech.com/service/security-services/.

Fireside Chat with Dr. Vinita Chauhan-Ramprasath

Dr. Vinita Chauhan

1. Tell us something about your childhood. What values had been instilled in you that helped you excel later in your life?

I think we all have our modest beginnings; I have certainly had mine. Growing up, we were comfortable but never outrageously wealthy. My parents were extremely hard workers and that is something they both instilled in me and my sister. We had everything we needed, but there weren’t a lot of luxuries and we didn’t miss them. Another thing our parents were very unequivocally insistent about was a good education. My father lost his father at a young age and then proceeded to educate himself and ended up getting his doctorate with a scholarship. My mother came from a family that put education above all else. Hard work and the value of education are two things that were instilled in us early in our lives.

2. What have been some of the biggest challenges in your life and how that has shaped you?

When I moved to the US, I lived on my own for the first time and so many things were new and different. Every immigrant has gone through that phase, but for me that was especially hard because I was so sheltered before that. Getting the hang of an education system that was so different was also a task. After working in academic research for a while, there was a point when I realized I didn’t want to be in academia. I had enrolled in an MBA program that I really enjoyed. When I went back from my maternity leave, I wasn’t willing to give up on my research position yet. There was one semester when my son was still an infant, I was taking 5 classes, working 30 hours a week in my lab, and teaching 2 online courses. It was a result of pure planning and a lot of support from my husband; my days were planned to the minute. It was a very trying time but was extremely rewarding.

3. How did you discover your passion for STEM?

I always enjoyed Biology. I found it fascinating, and I was also fortunate enough to have some great Biology teachers. One of my teachers ended up mentoring me and helped me explore various opportunities. That was a big turning point for me. She tried to nurture my interests and talked to me about my options going forward. Studies have shown that school-going girls lose interest in STEM at an early age, more so than boys, if not nurtured and supported appropriately. Girls take it harder when they make mistakes, and we need to show them how to learn from it and continue moving forward.

4. What were the biggest leadership shifts in the past year?

We have all been trying to do our best juggling work and our family’s health. And we’re all in this together. There have been times my sons walked into the room while I was in meetings and no one batted an eyelid. Leaders understand that we are all managing things at home too and allow us the flexibility to do so. People step up to the challenge they are presented if we give them an opportunity to do so and the pandemic has clearly tested all of us.

5. Could you tell us something about how to manage remote teams?

I personally like to have video calls with my team members and know what is happening in their lives even outside of work. Our physical and mental health and well-being makes everything else possible, being mindful of that is important. It is also important to empower our teams to feel confident enough to come up with the best solutions. It is very fulfilling for me to see my team members come up with better ways of doing things and prove me wrong. A manager’s number one priority is to ensure that everyone is working to the best of their ability.

6. How important do you think is Diversity and Inclusion for corporates?

We are resistant to change, but change is the only constant. Look at what the last year has taught us. Diversity, inclusion, and equity are considered buzzwords in the corporate world, but they are important in every facet of life. There is a story about 4 people looking at a box as a problem but from different angles. So, it is a different problem for each of them, which results in a different solution. Being inclusive fosters creativity and innovation.

Valuing our employees empowers them to be better performers. I have been fortunate to have leaders, both male and female, who have shown faith in me. I am particularly proud of working with Premier. Our leaders ensure that everyone is given a seat at the table and is heard and that makes everyone, in turn, want to do a better job.  

7. How would you describe an ideal technology partner?

The number one thing would be for them to understand our business. They must have the capability and resources to fulfill our business needs. Another important thing is clear communication. However, one thing that the pandemic reinforced was that the highest priority should be the ability to transform. Even if we don’t have an immediate need, we must have the capability to learn and adapt.

8. As someone from the healthcare industry, what message would you like to give to our readers especially about vaccination?

India is at a stage right now where the US was some time ago. We’ve had over a year to prepare for this and yet we aren’t adequately organized. On top of it, there is a debate about the vaccines raging on. The technology that these vaccines are based on has been widely researched. I would request people not to be skeptical of them. It will not make you immune from the infection, but it will ensure that you don’t die from COVID. Complications from COVID can have severe, adverse, long-term effects.

Please wear your masks, social distance if you step out of your homes and make the right decision for yourself and your families and get the vaccine when you are eligible.

About Dr. Chauhan –

Vinita Chauhan-Ramprasath was born and raised in India and spent most of her childhood in Mumbai. She graduated with her B.Sc. in Chemistry and Biochemistry from Mumbai and then received her M.Sc. in Biochemistry. Vinita moved to the United States in August 2000 and received her Doctorate in Diagnostic Medicine and Pathobiology. She got married in 2006 and moved to Charlotte where she worked as a research faculty at University of North Carolina at Charlotte before getting her MBA and joining Premier Inc. Currently Vinita works as a Director of ITS Operations where she manages the GAVS-Premier partnership as well as a part of the integration management office within Premier. Vinita lives in Charlotte, NC with her husband Ram and her two sons Neel and Nikhil and their dog Dakota.

Privacy Laws – Friends not Foes!

Barath Avinash

“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” – Steve Jobs

Cyber Security and Compliance Services

However futile a piece of data is today, it might be of high importance tomorrow. Misuse of personal data might lead to devastating consequences for the data owner and possibly the data controller.

Why is Data Privacy important?

For us to understand the importance of data privacy, the consequences of not implementing privacy protection must be understood. A very relevant example to understand this better is the Facebook-Cambridge Analytica scandal which potentially led to canvassing millions of Facebook users for an election without users’ explicit consent. 

One long-standing argument against privacy is, “I do not have anything to hide, so I do not care about privacy.” It is true that privacy provides secrecy, but beyond that, privacy also provides autonomy and therefore freedom, which is more important than secrecy.

How can businesses benefit by being data privacy compliant?

Businesses gain multifold benefits from complying with, implementing, and enforcing privacy practices within the organization. Once an organization is compliant with general data privacy principles, it is also largely compliant with healthcare data protection laws and security regulations and standards. This reduces the effort the organization has to spend becoming compliant with several other security and privacy regulations or standards.

How can businesses use privacy to leverage competition?

With privacy being one of the most sought-after domains after the enactment of the GDPR in the EU, followed by the CCPA in the USA and several other data protection laws around the world, businesses can leverage these regulations for competitive advantage rather than viewing them as a hurdle and merely a mandatory compliance requirement. This can be achieved by being proactive and actively working to implement and enforce privacy practices within the organization: establish regulatory compliance with customers by asking for consent, being transparent about the data in use, and providing awareness. Educating people with user-centric awareness, as opposed to awareness for the sake of compliance, is good practice and raises the reputation of the business.

Why is privacy by design crucial?

Businesses should also focus on operations where applying the ‘privacy by design’ principle yields a product that is compliant with privacy regulations as well as security regulations and standards, through which a solidly built, future-proof product can be delivered.

The work doesn’t stop with enforcement and implementation; continual practice is necessary to maintain consistency and establish ongoing trust with customers.

With increasing statutory privacy regulations and laws in developed countries, several other countries are either planning to enact privacy laws or have already started implementing them. This is the right time for businesses in developing countries to start looking into privacy practice, so that compliance is effortless when a privacy law is enacted and enforced.

What’s wrong with Privacy Laws?

Privacy laws that are in practice come with their fair share of problems since they are relatively new.

  • Consent fatigue is a major issue with the GDPR, since it requires data owners to consent to the processing or use of their data constantly, which tires them and leads them to ignore privacy and consent notices sent by the data processor or data collector.
  • Another common issue is ill-motivated users or automated bots sending multiple data requests to the data collector, bombarding it with requests for the data owner’s data held by the controller. This is a loophole under the GDPR ‘right to access’ that is being exploited in some cases. It burdens the data protection officer, delays the delivery of requested data to the customer, and thus invites legal consequences.
  • Misuse of the purpose limitation guidelines is also a major problem in the GDPR space: time and again, data collectors give data owners a notice stating the purpose of processing and subsequently use the same data for a different purpose without obtaining proper consent from the data owner, thereby violating the law.
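The three problems above each have a technical counterpart on the controller's side: ask for consent once per purpose and look it up rather than re-prompting, refuse any processing step whose stated purpose has no consent on record, and gate subject-access requests behind identity verification and a per-subject rate limit. The Python below is an added illustration of those three controls, written for this page rather than taken from the article or from GAVS; the subject ids, purposes, dates and limits are constructed.

```python
"""Consent ledger with purpose limitation and a throttled, identity-checked
subject-access-request gate.

Added illustration for the three GDPR pain points listed above; this is
example code, not from the original article or from GAVS. Subject ids,
purposes, dates and limits are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


class PurposeLimitationError(PermissionError):
    """Raised when data is about to be processed for a purpose the subject never consented to."""


class ConsentLedger:
    """One consent record per (subject, purpose): the subject is asked once and the
    record is looked up afterwards, instead of being re-prompted on every run."""

    def __init__(self):
        self._consents = {}  # (subject_id, purpose) -> datetime granted

    def record(self, subject_id, purpose, granted_at):
        self._consents[(subject_id, purpose)] = granted_at

    def withdraw(self, subject_id, purpose):
        self._consents.pop((subject_id, purpose), None)

    def has_consent(self, subject_id, purpose):
        return (subject_id, purpose) in self._consents


def process(ledger, subject_id, purpose, records, handler):
    """Purpose-limitation check: every processing step names its purpose and is
    refused unless consent for exactly that purpose is on record."""
    if not ledger.has_consent(subject_id, purpose):
        raise PurposeLimitationError(f"no consent from {subject_id} for purpose {purpose!r}")
    return handler(records)


class AccessRequestGate:
    """Accepts a subject-access request only from a verified identity and at most
    `max_per_window` times per subject in a rolling window, so a flood of
    automated requests cannot starve the genuine ones."""

    def __init__(self, max_per_window=2, window_days=30):
        self.max_per_window = max_per_window
        self.window = timedelta(days=window_days)
        self._accepted = defaultdict(list)  # subject_id -> timestamps of accepted requests

    def submit(self, subject_id, identity_verified, now):
        if not identity_verified:
            return ("rejected", "identity not verified")
        recent = [t for t in self._accepted[subject_id] if now - t < self.window]
        self._accepted[subject_id] = recent  # forget requests that fell out of the window
        if len(recent) >= self.max_per_window:
            return ("rejected", "rate limit exceeded")
        recent.append(now)
        return ("accepted", "queued for fulfilment")


def demo():
    """Walk through all three controls with constructed data."""
    ledger = ConsentLedger()
    ledger.record("patient-42", "appointment_reminders", datetime(2021, 1, 5))
    sent = process(ledger, "patient-42", "appointment_reminders", ["reminder-1"], len)
    try:
        process(ledger, "patient-42", "marketing", ["offer-1"], len)  # never consented
        blocked = False
    except PurposeLimitationError:
        blocked = True
    gate = AccessRequestGate()
    day0 = datetime(2021, 6, 1)
    outcomes = [gate.submit("patient-42", True, day0 + timedelta(days=d))[0] for d in (0, 1, 2)]
    return sent, blocked, outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the code size: consent is keyed by purpose, not by subject, so a record for reminders can never be reused to justify marketing; and the access-request gate throttles accepted requests per verified subject rather than per source address, which is the dimension an automated flood would otherwise vary freely.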

What does the future hold for privacy?

As new privacy laws are in the works, better and more comprehensive laws will be brought in, learning from the inconveniences of existing laws. Amendments to existing laws will also follow to enhance the privacy culture.

The privacy landscape is moving towards better and more responsible use of user data. As the concept of privacy and its implementation mature with time, it is high time businesses start implementing privacy strategies primarily for business growth rather than merely for regulatory compliance. That is the goal every mature organization should aim for and work towards.

Privacy is first a human right; therefore, privacy laws are enacted on the basis of rights, because laws can be challenged and modified in a court of justice, but rights cannot be.

References:

https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.htm

https://iapp.org/news/a/fake-dsars-theyre-a-thing/

About the Author –

Barath Avinash is part of GAVS’ security practice risk management team. He has a master’s degree in cyber forensics and information security. He is an information security and privacy enthusiast, and his skill set includes governance, compliance and cyber risk management.

Challenges Enable Change and Success

Vijayalakshmi Rajesh

In this hyper-connected digital age, one may misconceive a ‘challenge’ to be a deadlock and associate it with negativity. To me a challenge always implies an opportunity. Opportunity to explore newer ways of reaching success. I strongly believe that without challenges life would be mundane. The rapid improvements and progress we see today were challenges overcome by someone.

To solve any problem, we need to accept its existence and understand its dynamics. Only then can we come up with solutions. When I started my career as a marketing professional, I was the only lady in my team and a fresher too. I had to overcome many challenges. I always had the attitude to keep fighting. At times, I had no support as I was the only one swimming against the tide. But I never gave up!

I salute my mother for raising me to never shy away from challenges. I would like to share my memories of the wonderful days I spent with her. My mother had a charming personality. I admired her patience. She was a multitasker. To me, no one could match her skills at embroidery and knitting. Her zeal and enthusiasm towards life inspire me even today. I remember during my school days, I often found her immersed in her handiwork, which she also taught many women who subsequently started their businesses. After school, I would look at the work she had done that day. While she was busy in the kitchen, I would hold the cloth in my hand and closely examine the artwork. While the front side was beautiful, the backside attracted me more because it would reveal the effort put in to create the masterpiece. For my wedding, my mother gifted me a beautifully embroidered handkerchief. I immediately flipped it to look at the techniques used to keep the backside neat. My mother said something beautiful then. She said, “I noticed how you always check the work behind before looking at the actual finished product on the front. This goes on to show that you are a person who will view challenges first and learn through them. Never give up your attitude to fight and your eye for detail.”

My mother’s values have led me onto a successful path in CSR. I get immense satisfaction whenever I complete projects. I remember a child, about 6 years old, from the school where I built a library. She came to me with a flower in her hand which she had picked on her way to school and told me, “Ma’am we are grateful for all these books. I am going to read all the books and become a doctor one day.” I could feel my mother patting me on my back and my eyes welling up because only I knew the challenges I had to face in delivering the project. But these little things mean a lot to me.

I have recently noticed an interesting paradigm, especially among the younger generation. Some are not only fighting their own problems, but they are also trying to resolve the problems faced by others.

To give an example, I read about Jayalakshmi from Pudukottai, Tamil Nadu, India, in a leading daily. She was selected to visit NASA’s Kennedy Space Centre in the US after winning a competition. Through her plea for financial support, she secured excess funding. She then channeled the surplus funds to build public toilets in her village. She also convinced her fellow villagers, who were hesitant about the idea, to build toilets. To me, this is extraordinary because she has challenged the status quo and won the battle for many!

To everyone out there I would say – Challenges are just as difficult as we perceive them to be. We can overcome them if we view them as opportunities. Explore the world of endless possibilities with a fighting spirit. Today we have a vaccine for COVID, created in the shortest span of time by scientists. No vaccine has been readied from scratch in less than a year. The days of “It has always been done this way” are long gone!

About the Author –

Vijayalakshmi comes with 20 years of Marketing and Academic experience. She is the Founder and Managing Trustee at ZRII TRUST. ZRII was formed as a platform to deliver high-impact social projects through Corporate Social Responsibility (CSR) funds.

Her work includes raising awareness about modern-day issues that women and children face. She is actively involved in ensuring safer and improved workspaces for women. Some of her trophy programs are under women empowerment which includes a year-long training program for women of southern Tamil Nadu, a driver training program for women to drive app-based cabs, and placement of women in factories.

Vijayalakshmi is an ombudsperson at GAVS and guides GAVS in our endeavor to be a gender-balanced and respectful workplace.

Happy Birthday MLK – My ode to the Free Thinkers, Disruptors, and Iconoclasts

Sumit Ganguli

CEO, GAVS Technologies

While we were gearing up for the weekend, I noticed that Monday, January 18, is Rev. Martin Luther King Jr.’s birth anniversary. This coupled with the overcast sky and cool winter day all conspired to make me sit back and reminisce about the events of the past few months.

Working from home, I have become accustomed to keeping my TV on mute, alternating between CNN and Fox News while I go through my emails, video conferences and other work routines. And that is when I saw the traumatic video of George Floyd’s death in Minneapolis and the massive demonstrations that ensued across the US and in other parts of the world. The Black Lives Matter movement rightfully gained immense momentum and soon #BlackLivesMatter became one of the most trending of all hashtags.

An avid tennis fan, I got to watch the US Open on TV this year, being played without any spectators.  But I was most inspired by the young Japanese tennis player, Naomi Osaka who went on to win the US Open and decided to draw attention to the #BLM by wearing the names of seven black victims who were being memorialized by the BLM movement. She succeeded in persuading me to read more about the movement and many of the victims.    

Cut to the present, we now have our first Black Vice President elect Kamala Harris who is of Jamaican and Indian heritage. Just the other day, my 90-year-old mother who is in Bangalore and is quite a political junkie, challenged me to name the Indian lady who was announced to be a member of Mr. Joe Biden’s economic committee. Convinced that my Mother was mistaken, I told her that Janet Yellen was not Indian. But she insisted and then I recalled that Ms. Neera Tanden has been nominated to head the Office of Management and Budget.

The Indian diaspora has been deservedly proud of the achievements of the Indian leaders in America – Satya Nadella, Microsoft; Arvind Krishna, IBM; Ajay Banga, Mastercard; Nandita Bakshi, Bank of the West & Federal Reserve Bank; Sanat Chattopadhyay, Merck; Niren Chaudhury, Panera Bread – and with Reverend Martin Luther King’s birth anniversary around the corner, I think it is opportune for us to celebrate the avant-garde free thinkers, disruptors, and iconoclasts who made some of this possible.

“In the morning, I bathe my intellect in the stupendous and cosmogonal philosophy of the Bhagvat Geeta, since whose composition years of the Gods have elapsed, and in comparison with which our modern world and its literature seem puny and trivial…The pure Walden water is mingled with the sacred water of the Ganges” (Thoreau, Walden).

In Boston in 1854, Henry David Thoreau and Ralph Waldo Emerson derived much of their concepts of Transcendentalism, non-violence, and civil disobedience from the concepts of Ahimsa and Dharma in the ancient Indian scriptures, the Upanishads and the Gita. They read these at the Harvard Library and wrote extensively about them.

In 1893, a man was thrown off a train in South Africa, which led him to take on the mighty British and launch his Satyagraha movement to fight for India’s independence. His movement in turn was highly influenced by Thoreau’s Civil Disobedience. That man, of course, is known around the world as Mahatma Gandhi.

From 1954 to 1968, Rev. Martin Luther King Jr. and other activists led the Civil Rights Movement in America. He drew inspiration from the philosophy of Gandhi, who has been immortalized as the Father of the Nation in India. This is truly a circle of ideas that traversed oceans and continents.

Today, we are all beneficiaries of the largesse of the thoughts and visions of these great luminaries. On MLK’s birthday, Monday, January 18, I believe we would be well served to pay our ode to the Reverend and his fellow free thinkers John Lewis, Rosa Parks, and many others for their audacious vision, temerity, and currency of ideas and ideals, for these disruptors and iconoclasts made it possible for us to live the life of our dreams in America, a country that we have come to love and cherish.

IAST: A New Approach to Finding Security Vulnerabilities

Roberto Velasco
CEO, Hdiv Security

One of the most prevalent misconceptions about cybersecurity, especially in the mainstream media and also among our clients, is that to conduct a successful attack against an IT system it is necessary to ‘investigate’ and find a new defect in the target’s system.

However, for most security incidents involving internet applications, it is enough to simply exploit existing and known programming errors.

For instance, the dramatic Equifax breach could have been prevented by following basic software security best-practices, such as patching the system to prevent known vulnerabilities. That was, in fact, one of the main takeaways from the forensic investigation led by the US federal government.

One of the most important ways to reduce security risks is to ensure that all known programming errors are corrected before the system is exposed to internet traffic. Research bodies such as the US NIST found that correcting security bugs early on is orders of magnitude cheaper than doing so when the development has been completed.

When composing a text in a text editor, the spelling and grammar checker highlights the mistakes in the text. Similarly, there are security tools known as AST (Application Security Testing) that find programming errors that introduce security weaknesses. ASTs report the file and line where the vulnerability is located, in the same way that a text editor reports the page and line that contain a typo.

In other words, these tools allow developers to build software that is largely free of security-related programming errors, resulting in more secure applications.

Just as it is almost impossible to catch all errors in a long piece of text, most software contains many serious security vulnerabilities. The fact that some teams do not use any automated help at all makes these security weaknesses all the more prevalent and easy to exploit.

Let’s take a look at the different types of security issue detection tools also known as ASTs, or vulnerability assessment tools, available in the market.

The Traditional Approach

Two mature technologies capture most of the market: static code analysis (SAST) and web scanners (dynamic analysis or DAST). Each of these two families of tools is focused on a different execution environment.

SAST static analysis, also known as white-box analysis because the tool has access to the application’s source code, scans the source looking for known patterns of insecure programming that could lead to a vulnerability.

DAST dynamic analysis replicates the view of an attacker: the tool sends hundreds or thousands of requests to the running application, designed to replicate an attacker’s activity, in order to find security vulnerabilities. This is a black-box analysis because the point of view is purely external, with no knowledge of the application’s internal architecture.

The level of detail provided by the two types of tools is different. SAST tools provide the file and line where the vulnerability is located, but no URL, while DAST tools provide the external URL, but no details on the location of the problem within the application’s code base. Some teams use both tools to improve visibility, but this requires long and complex triaging to manage the vulnerabilities.

The Interactive AST Approach

Interactive Application Security Testing (IAST) tools combine the static and the dynamic approach. They have access to the internal structure of the application and to the way it behaves under actual traffic. This privileged point of view is ideal for security analysis.

From an architecture point of view, IAST tools become part of the infrastructure that hosts the web applications, because an IAST runs inside the application server together with the application. This approach is called instrumentation, and it is implemented by a component known as an agent. Other platforms, such as Application Performance Monitoring (APM) tools, use the same proven approach.

Once the agent is installed, it inserts security sensors at the critical execution points of the application. These sensors monitor the data flow between requests and responses, the external components the application includes, and data operations such as database access. Because the sensors sit on the code paths that actually execute, a vulnerability is observed as it happens, under ordinary traffic, rather than inferred from a code pattern or from an HTTP response. This gives visibility that neither SAST (source text only) nor DAST (HTTP surface only) has.

In terms of specific results, two metrics matter: how many of the existing vulnerabilities the tool finds (true positive rate) and how many of its reports are false positives. On the OWASP Benchmark test application, the best DAST finds only 18% of the existing vulnerabilities, and around 50% of the vulnerabilities reported by the best SAST tool are not real problems.
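To make the three points of view concrete, here is an added example in Python; it is not from the original article and not Hdiv’s product. A constructed handler concatenates a request parameter into a SQL query. A toy SAST matches that pattern in the source text and reports a line number but knows nothing about requests; a toy DAST fires an injection payload at the entry point and reports only the entry and payload; a toy IAST “agent” hooks the SQL sink at runtime, so that ordinary traffic with no attack payload produces a finding carrying both the offending request parameter and the file and line of the sink call. The parameterized handler beside it is flagged by none of the three. The `DB` class, both handlers, the rule name and the request parameter are assumptions made for the example.

```python
"""Added example: the same vulnerable handler as seen by a toy SAST, DAST and IAST."""
import inspect
import re
import sqlite3


class DB:
    """Constructed application database; execute() is the SQL sink the tools watch."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        self.conn.executemany("INSERT INTO users VALUES (?, ?)",
                              [(1, "alice"), (2, "bob")])

    def execute(self, sql, params=()):
        return self.conn.execute(sql, params).fetchall()


def lookup_user(db, username):
    # Deliberately vulnerable: request data concatenated into the query text.
    sql = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return db.execute(sql)


def lookup_user_safe(db, username):
    # Fixed version: the value is bound as a parameter, never part of the SQL text.
    return db.execute("SELECT id, name FROM users WHERE name = ?", (username,))


# SAST: pattern-match the source text. Output is a file and line, but no request or URL.
SQL_CONCAT = re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')


def sast_scan(func):
    lines, first = inspect.getsourcelines(func)
    return [{"tool": "SAST", "file": inspect.getsourcefile(func), "line": first + i,
             "rule": "sql-string-concat"}
            for i, line in enumerate(lines) if SQL_CONCAT.search(line)]


# DAST: black-box probing. Knows only the entry point and compares responses to payloads.
TAUTOLOGY = "alice' OR '1'='1"


def dast_probe(handler, db):
    baseline = handler(db, "alice")
    probed = handler(db, TAUTOLOGY)
    if len(probed) > len(baseline):      # extra rows: the quote broke out of the literal
        return [{"tool": "DAST", "entry": handler.__name__, "payload": TAUTOLOGY,
                 "line": None}]
    return []


class IastAgent:
    """In-process 'agent': hooks the sink and remembers the current request's parameters."""

    def __init__(self, db):
        self.findings = []
        self.request_params = {}
        self._real_execute = db.execute
        db.execute = self._sensor            # instrumentation: the sink now goes through us

    def begin_request(self, **params):
        self.request_params = params         # source sensor: data entering from the request

    def _sensor(self, sql, params=()):
        caller = inspect.currentframe().f_back   # application frame that called the sink
        for name, value in self.request_params.items():
            # Request data present verbatim in the SQL text (rather than bound in
            # `params`) reached the sink unsanitised; no attack payload is needed.
            if value and value in sql:
                self.findings.append({"tool": "IAST", "param": name, "value": value,
                                      "file": caller.f_code.co_filename,
                                      "line": caller.f_lineno, "sql": sql})
        return self._real_execute(sql, params)


def run_all():
    """Run the three tools against both handlers and return their findings."""
    db = DB()
    sast = sast_scan(lookup_user) + sast_scan(lookup_user_safe)
    dast = dast_probe(lookup_user, db) + dast_probe(lookup_user_safe, db)
    agent = IastAgent(db)                    # install after DAST so probes are not counted
    for handler in (lookup_user, lookup_user_safe):
        agent.begin_request(username="alice")   # ordinary, benign traffic
        handler(db, "alice")
    return sast, dast, agent.findings


if __name__ == "__main__":
    for finding in sum(run_all(), []):
        print(finding)
```

Real IAST agents track taint through the application rather than searching for the raw parameter value in the SQL text, and they hook far more sinks than one; the point of the example is where each tool sits and what each can therefore see and report.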

[Figure: OWASP Benchmark scores for SAST, DAST and IAST tools]

Source: Hdiv Security via OWASP Benchmark public result data

The IAST approach provides these tangible benefits:

  1. Complete coverage, because the entire application is reviewed: both the custom code and the external code, such as open-source components and legacy dependencies.
  2. Flexibility, because it can be used in all environments: development, quality assurance (QA), and production.
  3. High accuracy, because combining the static and dynamic points of view finds more vulnerabilities with very few false positives, since a finding is confirmed on an actual execution path rather than inferred from a code pattern.
  4. Complete vulnerability information, including the static aspects (source code details) and the dynamic aspects (execution details such as the triggering request).
  5. A shorter security verification phase, so that the time-to-market of secure applications is shorter.
  6. Compatibility with agile development methodologies such as DevSecOps, because it can be easily automated and reduces manual verification activities.

An IAST tool can add a great deal of value to the security tooling of any organization concerned with the security of its software.

In the same way that everyone uses an automated spell checker to find typos in a document, we believe that any team would benefit from automated validation of the security of an application.

However, ASTs are not a security utopia: they can only detect problems that follow a known pattern. Flaws specific to one application, such as business-logic errors or a missing authorization check on a particular action, still need manual review and testing.

About the Author –

Roberto Velasco is the CEO of Hdiv Security. He has been involved with the IT and security industry for the past 16 years and is experienced in software development, software architecture and application security across different sectors such as banking, government and energy. Prior to founding Hdiv Security, Roberto worked for 8 years as a software architect and co-founded ARIMA, a company specialized in software architecture. He regularly speaks at Software Architecture and cybersecurity conferences such as Spring I/O and APWG.eu.

Quantum Computing

Vignesh Ramamurthy

In the Marvel multiverse, Ant-Man has one of the coolest superpowers out there: he can shrink himself down, or blow himself up, to any size he desires. He was even able to reduce to a subatomic size and enter the Quantum Realm. Some fancy stuff indeed.

Likewise, there is quantum computing. For certain classes of problems, quantum computers can outperform even supercomputers, and tech companies like Google, IBM, and Rigetti have built them.

Google claimed ‘quantum supremacy’ with its quantum computer ‘Sycamore’ in 2019: it reported performing a calculation in 200 seconds that might take the world’s most powerful supercomputer 10,000 years (a figure IBM disputed, arguing a classical machine could do it in days). Sycamore is a 54-qubit chip, of which 53 qubits were usable in the experiment. Such computers have to be kept under special conditions, at temperatures close to absolute zero.


Quantum Physics

Quantum computing builds on a branch of physics called quantum mechanics. Its heart and soul are qubits (quantum bits) and superposition. So, what are they?

Let’s take a simple example. Imagine you have a coin and you spin it. You cannot know the outcome until it falls flat on a surface: it can be either heads or tails. However, while the coin is spinning you can say the coin’s state is both heads and tails at the same time. This state is called superposition, and a qubit is a bit that can be in such a state.

So, how do they work and what does it mean?

A classical bit is either 0 or 1. A qubit can hold a superposition of both at once. A quantum algorithm manipulates these superpositions so that, by the time the qubits are measured, the wrong possibilities have been washed away and the right one is very likely; for search problems this is done by repeatedly applying the Grover operator, described below.

Hence, from an enormous set of combinations, a single outcome remains, just like how Doctor Strange did in the movie Infinity War. However, what is important is to understand how this technically works.

We shall see two explanations which, I feel, give an accurate picture of the technical aspect of it.

The following is as explained by Scott Aaronson, a quantum computing researcher at the University of Texas at Austin.

Amplitude: every possible outcome (being 0, being 1, or any string of bits) has an amplitude, a number that, unlike a probability, can be positive or negative (in general, complex). The probability of seeing an outcome when you measure is the square of its amplitude. The goal of a quantum algorithm is to arrange the computation so that the amplitudes leading to wrong answers cancel each other out, while those leading to the right answer reinforce, so that the right answer is the only likely outcome.

Superconducting quantum computers, the kind Google and IBM build, use a chip about the size of an ordinary computer chip. On it are little loops of superconducting wire, nearly big enough to see with the naked eye. Two different quantum states of the current flowing through each loop correspond to 0 and 1, and the loop can also be in superpositions of them.

Nearby loops are coupled and interact with each other, producing an entangled state, which is essential to quantum computing. The way the qubits interact is fully programmable: electrical (microwave) signals sent to the qubits steer them according to our requirements. The whole chip is placed in a refrigerator at a temperature close to absolute zero so that the wire becomes superconducting and the loops briefly behave as qubits, before noise destroys the quantum state (decoherence).

The following is the explanation given by ‘Kurzgesagt — In a Nutshell’, a YouTube channel.

A bit is either 0 or 1, so 4 classical bits are in exactly one of 2^4 = 16 configurations (0000, 0001, and so on) at any moment. 4 qubits in superposition can be in all 16 configurations at once.

This grows exponentially with each extra qubit: 20 qubits can hold about a million (2^20) amplitudes in parallel. Entangled qubits are correlated, so measuring one of them immediately tells you what a measurement of its partners will give.

A normal logic gate takes a definite set of inputs and produces one definite output. A quantum gate takes an input of superpositions, rotates the amplitudes (and with them the probabilities), and produces another set of superpositions as its output.

Hence a quantum computer sets up some qubits, applies quantum gates to entangle them and steer the amplitudes, and finally measures the outcome, collapsing the superposition to one actual sequence of 0s and 1s. The catch is that a measurement returns only one of the many values computed in parallel, which is why the algorithm must first make the right answer the overwhelmingly likely one.

What is the Grover Operator?

Grover’s algorithm searches an unsorted collection of N items for the one that satisfies a test. It starts from a uniform superposition over all N items (each with amplitude 1/√N) and repeatedly applies the Grover operator, which has two steps: an oracle that flips the sign of the amplitude of the matching item, and a ‘diffusion’ step that reflects every amplitude about the average. Each round moves amplitude from the wrong items to the right one. After about (π/4)√N rounds the right item is measured with high probability, a quadratic speed-up over checking the items one at a time. The qubits become entangled along the way, but the speed-up comes from this interference of amplitudes, and applying more rounds than the optimum overshoots: the probability of the right answer falls again.
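The amplitude picture and the Grover operator described above can be simulated exactly on a classical computer for small N. The following added example (not part of the original article) keeps a list of 2^n amplitudes in pure Python, applies the oracle phase flip and the reflection about the mean, and returns the measurement probabilities; it also traces the probability of the marked item round by round, so the overshoot past (π/4)√N is visible. The four-qubit size and the marked index are arbitrary choices made for the example.

```python
"""Added example: Grover's search simulated on a classical state vector (pure Python)."""
import math


def grover_probabilities(n_qubits, marked, iterations=None):
    """Run Grover's algorithm over 2**n_qubits basis states.

    `marked` is the index of the single item the oracle recognises.
    Returns (list of measurement probabilities, number of rounds applied).
    """
    n = 2 ** n_qubits
    if iterations is None:
        iterations = math.floor(math.pi / 4 * math.sqrt(n))  # optimal count ~ (pi/4)*sqrt(N)
    # Hadamards on |00..0> give the uniform superposition: every amplitude 1/sqrt(N).
    amp = [1 / math.sqrt(n)] * n
    for _ in range(iterations):
        # Oracle: flip the sign (phase) of the marked item's amplitude.
        amp[marked] = -amp[marked]
        # Diffusion (2|s><s| - I): reflect every amplitude about the mean.  The
        # negative marked amplitude pulls the mean down, so after reflection the
        # marked amplitude grows and all the others shrink.  This is the interference
        # that makes wrong answers cancel and the right one reinforce.
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]
    # Measurement yields each basis state with probability |amplitude|^2.
    return [a * a for a in amp], iterations


def most_likely_outcome(probs):
    """The basis state a measurement is most likely to return."""
    return max(range(len(probs)), key=probs.__getitem__)


def marked_probability_by_round(n_qubits, marked, max_rounds):
    """P(measure the marked item) after 0, 1, ..., max_rounds Grover rounds."""
    return [grover_probabilities(n_qubits, marked, r)[0][marked]
            for r in range(max_rounds + 1)]


if __name__ == "__main__":
    target = 0b1011                       # arbitrary marked item among 16
    probs, rounds = grover_probabilities(4, target)
    print(f"{rounds} rounds: P(marked) = {probs[target]:.4f}, "
          f"best guess = {most_likely_outcome(probs):04b}")
    print("P(marked) per round:",
          [round(p, 3) for p in marked_probability_by_round(4, target, 6)])
```

With 16 items the optimal count is 3 rounds, after which the marked item is measured with probability above 96%; a fourth round lowers it again, which is why the algorithm stops at the computed count rather than “iterating until confident”.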

What can they do?

As of now, quantum computing has not been put to use in real-life situations, simply because the world does not yet have the infrastructure (large, reliable machines) for it.

Assuming they become efficient and ready to use, we could make use of them in the following ways:

1) Self-driving cars are picking up pace. Quantum computers could help by evaluating very many possible outcomes on the road. Apart from sensors to reduce accidents, roads consist of traffic signals; a quantum computer could go through all the possibilities of how traffic signals function, their time intervals, the traffic, everything, and feed the single best outcome to the self-driving cars. The result would be a seamless commute with no hassles whatsoever, the future as we see it in movies.

2) If an AI could construct a circuit board after having tried every option in the design architecture, this could result in promising AI-related applications.

Disadvantages

RSA encryption underpins much of today’s internet security. A large enough quantum computer running Shor’s algorithm could break it, and attackers could then read confidential information related to health, defence, personal data and other sensitive material, including encrypted traffic they recorded earlier and kept. At the same time, the same threat is pushing the field towards encryption that resists quantum attacks (post-quantum cryptography), selected by testing the candidate algorithms against every known attack. Once such security is in place, it would take a completely new kind of attack to break it, and the chances of that are small.

Quantum computing has its share of benefits. However, it will take years to be put to use: the infrastructure and the amount of investment required are humongous, it can only be adopted once there are reliable real-time use cases, and it needs to be tested for many things. There is no doubt that quantum computing will play a big role in the future. However, with more sophisticated technology come more complex problems, and the world will take years to be prepared for it.


About the Author –

Vignesh is part of the GAVel team at GAVS. He is deeply passionate about technology and is a movie buff.

Zero Knowledge Proofs in Healthcare Data Sharing

Srinivasan Sundararajan

Recap of Healthcare Data Sharing

In my previous article (https://www.gavstech.com/healthcare-data-sharing/), I elaborated on the challenges of Patient Master Data Management, Patient 360, and associated Patient Data Sharing. I also outlined how our Rhodium framework is positioned to address the challenges of Patient Data Management and data sharing using a combination of multi-modal databases and Blockchain.

In this context, I have highlighted our maturity levels and the journey of Patient Data Sharing as follows:

  • Single Hospital
  • Between Hospitals part of HIE (Health Information Exchange)
  • Between Hospitals and Patients
  • Between Hospitals, Patients, and Other External Stakeholders

In each of the stages of the journey, I have highlighted various use cases. For example, in the third level of health data sharing between Hospitals and Patients, the use cases of consent management involving patients as well as monetization of personal data by patients themselves are mentioned.

In the fourth level of the journey, you must’ve read about the use case “Zero Knowledge Proofs”. In this article, I will elaborate on:

  • What is Zero Knowledge Proof (ZKP)?
  • What is its role and importance in Healthcare Data Sharing?
  • How Blockchain Powered GAVS Rhodium Platform helps address the needs of ZKP?

Introduction to Zero Knowledge Proof

As the name suggests, a Zero Knowledge Proof is about proving something without revealing the data behind that proof. Each transaction has a ‘verifier’ and a ‘prover’. In a transaction using ZKPs, the prover convinces the verifier that a statement is true (for example, that the prover holds a particular secret) without revealing anything to the verifier beyond the truth of that statement.

Zero Knowledge Proofs in Healthcare 

In today’s healthcare industry, a lot of time-consuming due diligence is done because of a lack of trust between the parties.

  • Insurance companies are always wary of fraudulent claims (which are in any case a major issue), hence a lot of documentation and details are obtained and analyzed.
  • Hospitals, at the time of patient admission, need to know more about the patient, their insurance status, payment options, etc., hence they do detailed checks.
  • Pharmacists may have to verify that the patient has indeed been prescribed the medicines before dispensing them.
  • Patients, most of the time, also want to make sure that the diagnosis and treatment given to them are proper and that no wrong diagnosis has been made.
  • Patients also want to ensure that doctors hold legitimate licenses with no history of malpractice or other wrongdoing.

In a healthcare scenario, any of the parties, i.e. patient, hospital, pharmacy or insurance company, can take on the role of verifier; typically patients, and sometimes hospitals, are the provers.

While ZKPs can be applied to any of the transactions between these parties, current research in the industry is mostly focused on patient privacy rights: ZKP initiatives target how little information a patient (the prover) needs to share with a verifier to obtain a service based on the assertion of that proof.

Blockchain & Zero Knowledge Proof

I will not get into the fundamentals of Blockchain here, but readers should understand that one of its fundamental backbones is trust within a context of pseudonymity. In other words, earlier uses of Blockchain, like cryptocurrency, aim to establish trust between unknown individuals without revealing any of their personal identities, while still allowing them to participate in a transaction.

Some of the characteristics of a Blockchain transaction that make it conducive to Zero Knowledge Proofs are as follows:

  • Each transaction is initiated in the form of a smart contract.
  • A smart contract instance (i.e. a particular invocation of that smart contract) has an owner, i.e. the public key of the account holder who created it; for example, a patient’s medical record can be created and owned by the patient themselves.
  • The other party can trust that transaction as long as it knows the initiator’s public key and the transaction’s signature verifies against it.
  • Important steps of an approval life cycle, such as validation, approval and rejection, can be delegated to other stakeholders by assigning the task to the public key of that stakeholder.
  • For example, if a doctor needs to approve a medical condition of a patient, the approval can be delegated to the doctor, and only that particular doctor’s key can approve it.
  • The anonymity of a person can be maintained, as everyone sees only the public key and other details can be hidden.
  • Some of the approval documents can be transferred off-chain (outside of the blockchain), so that participants in the blockchain see only the proof of a claim but not the details behind it.
  • Signing such off-chain data with the sender’s private key, and encrypting it to the recipient’s public key so that only the holder of the matching private key can read it, enables more advanced use cases.
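The prover/verifier exchange introduced above, applied to the ownership-by-public-key model in this list, is exactly what a Schnorr proof of knowledge provides: the holder of the private key behind an account’s public key (a patient who owns a record, or a doctor whose approval key is registered) convinces a verifier that they control the key without revealing it. The following added example, written for this article and not part of Rhodium or of any blockchain platform, implements it in pure Python over secp256k1, the curve used by Ethereum accounts, with a Fiat–Shamir hash standing in for the verifier’s random challenge. It also includes a simulator that produces accepting transcripts without the private key, which is what “zero knowledge” means in practice, and a function showing how reusing a nonce leaks the key. The statement strings and record identifier are constructed for the example; the curve arithmetic is not constant-time and is for illustration only.

```python
"""Added example: Schnorr zero-knowledge proof of knowledge of a private key (pure Python)."""
import hashlib
import secrets

# secp256k1 domain parameters (the curve behind Ethereum and Bitcoin account keys).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_on_curve(A):
    x, y = A
    return (y * y - x * x * x - 7) % P == 0


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0 on secp256k1)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def challenge(T, pk, statement):
    """Fiat-Shamir: a hash the prover cannot control replaces the verifier's random
    challenge, binding the proof to the commitment, the key and the statement."""
    h = hashlib.sha256()
    for coord in (*T, *pk):
        h.update(coord.to_bytes(32, "big"))
    h.update(statement)
    return int.from_bytes(h.digest(), "big") % N


def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)


def prove(sk, pk, statement, nonce=None):
    """Prover: show knowledge of sk with pk = sk*G without revealing sk."""
    k = nonce if nonce is not None else secrets.randbelow(N - 1) + 1  # fresh secret nonce
    T = ec_mul(k, G)                    # commitment
    c = challenge(T, pk, statement)     # challenge
    return T, (k + c * sk) % N          # response s


def verify(pk, statement, proof):
    """Verifier: accept iff s*G == T + c*pk (true because s*G = k*G + c*sk*G)."""
    T, s = proof
    return ec_mul(s, G) == ec_add(T, ec_mul(challenge(T, pk, statement), pk))


def verify_transcript(pk, T, c, s):
    """Interactive variant, where the verifier picked c itself."""
    return ec_mul(s, G) == ec_add(T, ec_mul(c, pk))


def simulate_transcript(pk):
    """Why the verifier learns nothing: knowing no sk, pick c and s first and solve for
    T = s*G - c*pk.  The result is an accepting transcript distributed like a real one."""
    c, s = secrets.randbelow(N), secrets.randbelow(N)
    T = ec_add(ec_mul(s, G), ec_mul((-c) % N, pk))
    return T, c, s


def recover_sk_from_nonce_reuse(pk, stmt1, proof1, stmt2, proof2):
    """Failure mode: the same nonce k in two proofs with different challenges leaks sk,
    because s1 - s2 = (c1 - c2) * sk (mod N)."""
    (T1, s1), (T2, s2) = proof1, proof2
    c1, c2 = challenge(T1, pk, stmt1), challenge(T2, pk, stmt2)
    return (s1 - s2) * pow(c1 - c2, -1, N) % N


if __name__ == "__main__":
    # Constructed scenario: the owner of the key that owns a patient record proves
    # control of that key to a hospital without handing the key over.
    sk, pk = keygen()
    statement = b"I control the owner key of record example-001 (session 42)"
    proof = prove(sk, pk, statement)
    print("real proof accepted:", verify(pk, statement, proof))
    print("simulated transcript accepted:", verify_transcript(pk, *simulate_transcript(pk)))
```

Run directly, a real proof and a simulated transcript are both accepted: the verifier cannot tell them apart, yet only the real prover can answer a fresh challenge bound to a statement it did not choose. The nonce-reuse recovery is the practical caveat: `k` must be fresh and unpredictable for every proof, or the “zero knowledge” collapses to handing over the key.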

Role of Blockchain Consortium

While Zero Knowledge Proofs can be implemented on any Blockchain platform, including fully uncontrolled public blockchains, their usage is best realized in private Blockchain consortiums. Here the identity of all participants is known and each participant trusts the others, so the due diligence otherwise needed alongside the actual submission of proof is avoided.

Organizations that share similar domains and business processes form a Blockchain Network to get business benefits for their own processes. Such a controlled network among known and identified organizations is known as a Consortium Blockchain.

[Figure: Illustrated view of a Consortium Blockchain involving multiple organizations whose access rights differ. Each member controls its own access to the Blockchain Network with cryptographic keys.]

Members typically interact with the Blockchain Network by deploying Smart Contracts (i.e. creating them) as well as accessing existing contracts.

Current Industry Research on Zero Knowledge Proof

Zero Knowledge Proofs are not new (the concept dates from the 1980s), but they are a powerful tool for building trust-based networks. While a basic Blockchain platform can support the concept in a trust-based manner, a lot of research is going into making truly algorithmic zero knowledge proofs practical.

A zk-SNARK (“zero-knowledge succinct non-interactive argument of knowledge”) is one such construction: the proof is short (succinct), needs no back-and-forth between prover and verifier (non-interactive), and convinces the verifier that the prover knows a witness without revealing it. Developers have already started integrating zk-SNARKs into the Ethereum Blockchain platform. Zether, which was built by a group of academics and financial technology researchers including Dan Boneh from Stanford University, also uses zero-knowledge proofs.

ZKP In GAVS Rhodium

As mentioned in my previous article about Patient Data Sharing, Rhodium is a futuristic framework that aims to take the Patient Data Sharing as a journey across multiple stages, and at the advanced maturity levels Zero Knowledge Proofs definitely find a place. Healthcare organizations can start experimenting and innovating on this front.

Rhodium Patient Data Sharing Journey

The healthcare industry today is affected by fraud and a lack of trust on one side, and by growing patient privacy concerns on the other. In this context, introducing Zero Knowledge Proofs into healthcare transactions will help the industry optimize itself and move towards seamless operations.

About the Author –

Srini is the Technology Advisor for GAVS. He is currently focused on Data Management Solutions for new-age enterprises using the combination of Multi Modal databases, Blockchain, and Data Mining. The solutions aim at data sharing within enterprises as well as with external stakeholders.

Design-led Organization: Creative Thinking as a Practice!

Gogul R G

This is the first article in the series ‘Design-led organization’, writing about creative thinking as a practice in GAVS. It is the first step for readers to explore the world of design and creativity. So, let’s get started!

First, let’s see what design thinking is all about.

There is a common misconception that design thinking is new. But when you look back, people have long applied a human-centric creative process to build meaningful and effective solutions. Design has been practiced for ages to build monuments, bridges, automobiles, subway systems, etc. Design is not limited to aesthetics; it is more of a mindset for thinking about a solution. Design thinking is a mindset for iteratively thinking about a complex problem and coming up with a viable solution.

Thinking outside of the box can provide an innovative solution to a sticky problem. However, thinking outside of the box can be a real challenge, as we naturally develop patterns of thinking based on our repetitive activities and the commonly accessed knowledge that surrounds us. It takes something to detach from a situation in which we are too closely involved to be able to find better possibilities.

To illustrate how a fresh way of thinking can create unexpectedly good solutions, let’s look at a famous incident. Some years ago, a truck driver tried to pass under a low bridge. He failed, and the truck became firmly lodged under the bridge.

The driver was unable to continue driving through or reverse out. The stuck truck caused massive traffic problems, which resulted in emergency personnel, engineers, firefighters, and truck drivers gathering to negotiate various solutions to dislodge the truck.

Emergency workers were debating whether to dismantle parts of the truck or chip away at parts of the bridge. Each of them was looking for a solution at their respective level of expertise. A boy walking by and witnessing the intense debate looked at the truck, at the bridge, then at the road and said, “Why not just let the air out of the tires?”, to the absolute amazement of all the specialists and experts trying to resolve the issue.

When the solution was tested, the truck could drive out with ease, having suffered only the damage caused by its initial attempt to pass underneath the bridge. It symbolizes the struggles we face, where often the most obvious solutions are the hardest to come by because of the self-imposed constraints we work within.

“Challenging our assumptions and everyday knowledge is often difficult for us humans, as we rely on building patterns of thinking in order not to have to learn everything from scratch every time.”

Let’s come back to our topic, “What is design thinking?” Tim Brown, Executive Chairman of IDEO, an international design and consulting firm, defined design thinking as follows:

“Design thinking is a human-centered approach to innovation that draws from the designer’s toolkit to integrate the needs of people, the possibilities of technology, and the requirements for business success.”

Now let’s think about our truck example. A boy with a fresh mindset provides a simple solution to a complex problem. Yes, this is the sweet spot: everyone is creative and capable of thinking like a designer, outside the box, to come up with a solution. Inculcating design as a mindset for finding solutions is known as design thinking.

Yes, you read it right, everyone is creative…

We forget that back in kindergarten, we were all creative. We all played and experimented with weird things without fear or shame. We didn’t know enough not to. The fear of social rejection is something we learned as we got older. And that’s why it’s possible to regain our creative abilities, even decades later. In the field of design and user experience, when individuals stick with a methodology for a while, they end up doing amazing things. They come up with breakthrough ideas or suggestions and work creatively with a team to develop something truly innovative. They surprise themselves with the realization that they are a lot more creative than they had thought. That early success shakes up how they see themselves and makes them eager to do more.

We just need to rediscover what we already have: the capacity to imagine, or build upon, new-to-the-world ideas. But the real value of creativity doesn’t emerge until you are brave enough to act on those ideas.

Geshe Thupten Jinpa, who has been the Dalai Lama’s chief English translator for more than twenty years, shared an insight about the nature of creativity. Jinpa pointed out that there is no word in the Tibetan language for ‘creativity’ or ‘being creative’. The closest translation is ‘natural’. In other words, if you want to be more creative, you should be more natural! So…be natural!

At your workplace, the complex problems can be easily sorted out when you find a solution using creativity with the mindset of design thinking. Creativity can be improved by following the below steps.

  1. Go for a walk.
  2. Play your favorite games.
  3. Move your eyes.
  4. Take a break and enjoy yourself.
  5. Congratulate yourself each time you do something well.
  6. Estimate time, distance, and money.
  7. Take a route you never have taken before.
  8. Look for images in mosaics, patterns, textures, clouds, stars…
  9. Try something you have never done before.
  10. Do a creative exercise.
  11. Start a collection (stamps, coins, art, stationery, anything you wish to collect)
  12. Watch Sci-Fi or fantasy films.
  13. Change the way you do things – there are no routine tasks, only routine way of doing things.
  14. Wear a color you do not like.
  15. Think about how they invented equipment or objects you use daily.
  16. Make a list of 10 things you think are impossible to do and then imagine how you could make each one possible.
  17. For every bad thing that happens to you, remember at least 3 good things that happened.
  18. Read something you have not read yet.
  19. Make friends with people on the other side of the world.
  20. When you have an idea, make a note of it, and later check to see if it happened.
  21. Connect a sport with your work.
  22. Try food you never tried before.
  23. Talk to grandparents and relatives and listen to their stories.
  24. Give an incorrect answer to a question.
  25. Find links between people, things, ideas, or facts.
  26. Ask children how to do something and observe their creativity.

Start doing the above-mentioned steps to inculcate a creative mindset and apply it in your day-to-day work. Companies like GE Healthcare, Procter & Gamble and Uber have practiced design thinking and applied it to new product launches and to solving complex problems in their organizations. Be natural to be more creative! When you are more creative, you can apply design thinking to find a solution to any complex problem in your work.

This is the first article in the series of Design led Organization in GAVS. Keep watching this space for more articles on design and keep exploring the world of design-thinking!


About the Author –

Gogul is a passionate UX designer with 8+ years of experience in designing experiences for digital channels such as enterprise apps, B2C and B2B apps, mobile apps, kiosks, point of sale, endless aisle, and telecom products. He is passionate about transforming complex problems into actionable solutions using design.

Center of Excellence – Java

The Java CoE was established to partner with our customers and aid them in realizing business benefits through effective adoption of cutting-edge technologies; thus, enabling customer success.

Objectives

  • Be the go-to team for anything related to Java across the organization and customer engagements.
  • Build competency by conducting training and mentoring sessions, publishing blogs, whitepapers and participating in Hackathons.
  • Support presales team in creating proposals by providing industry best solutions using the latest technologies, standards & principles.
  • Contribute a certain percent of revenue growth along with the CSMs.
  • Create reusable artifacts, frameworks, solutions and best practices which can be used across organization to improve delivery quality.

Focus Areas

  1. Design Thinking: Setting up a strong foundation of “Design Thinking and Engineering Mindset” is paramount for any business. We aim to do so in the following way:

[Figure: Design Thinking focus area]

  2. Solution and Technology: Through our practice, we aim to equip GAVS with solution-oriented technology leaders who can lead us ahead through disruptive times.

[Figure: Solution and Technology focus area]

3. Customer success

  • Identify opportunities in accounts based on collaboration with CSMs; understand customer needs, get details about the engagement, and understand the focus areas and challenges.
  • Understand the immediate need of the project and provide a solution to address it.
  • Java council to help developers arrive at solutions.
  • Understand the architecture in detail and provide recommendations / create awareness about new technologies.
  • Enforce a comprehensive review process to enable quality delivery.

Accomplishments

  • Formed the CoE team
  • Identified the focus Areas
  • Identified leads for every stream
  • Socialized the CoE within GAVS
  • Delivered effective solutions across projects to improve delivery quality
  • Conducted trainings on standards and design-oriented coding practices across GAVS
  • Published blogs to bring in design-oriented development practices
  • Identified the areas for creating re-usable artefacts (Libraries / Frameworks)
  • Brainstormed and finalized the design for creating Frameworks (For the identified areas)
  • Streamlined the DevOps process which can be applied in any engagement
  • Built reusable libraries, components and frameworks which can be used across GAVS
  • Automated the Code Review process
  • Organized and conducted hackathons and tech meetups
  • Discovered potential technical problems/challenges across teams and offered effective solutions, thereby enabling customer success
  • Supported the presales team in creating customized solutions for prospects

Upcoming Activities

  • Establishing tech governance and aligning managers / tech leads to the process
  • Setting up security standards and principles across domains
  • Building more reusable libraries, components and frameworks which can be used across GAVS
  • Adopting design patterns and avoiding anti-patterns
  • Enforcing a strong review process to bring in quality delivery
  • Enabling discussions with the customers
  • Setting up a customer advisory team

Contribution to Organizational Growth

As we continue our journey, we aim to support the revenue growth of our organization. Customer Success being a key goal of GAVS, we will continue to enable it by improving the quality of service delivery and building a solid foundation across all technology and process streams. We also want to contribute to the organization by developing a core competency around a strategic capability and reduce knowledge management risks.

If you have any questions about the CoE, you may reach out to them at COE_JAVA@gavstech.com

CoE Team Members

  • Lakshminarasimhan J
  • Muraleedharan Vijayakumar
  • Bipin V
  • Meenakshi Sundaram
  • Mahesh Rajakumar M
  • Ranjith Joseph Selvaraj
  • Jagathesewaren K
  • Sivakumar Krishnasamy
  • Vijay Anand Shanmughadass
  • Sathya Selvam
  • Arun Kumar Ananthanarayanan
  • John Kalvin Jesudhason