Since the early identification of developmental and behavioral disorders is critical to the well-being of children and their families, screening should be an integral function of the primary care medical home. The American Academy of Pediatrics recommends that parents of children be given screening questionnaires at 9, 18, and 30 months, but many doctors choose to instead screen at 24 months since the 30-month visit is not often reimbursable by third party payers.
Most children need help staying organized, keeping belongings neat and being on time. This is because the areas of the brain that help us with these skills are still developing (and may not be finished until we are in our thirties!). Kids with ADHD and/or impaired executive functioning often need even more help, even with seemingly simple tasks like handing in completed homework. Parents often tell me that they are tired of nagging and fighting, but if they don’t, they are afraid their child won’t succeed. If you feel like a broken record, or if you just want some tips for your organization toolbox, these strategies might help.
This week, I'm traveling to Vancouver, BC to attend the Apache Software Foundation Conference. For several years, Sander Temme from Thales e-Security has given a talk called the "TLS State of the Union", and this year is no exception. (I also happen to be speaking on Monitoring and Security. If you are attending, come say "hi"!) I suspect one of his topics this year will be "SSL Drown", and I'm curious as to how he will present it, because on the one hand it's kind of a big deal, and on the other, it shouldn't really have been a problem for anyone *at all*.
[Quick Network Security Catch-up Guide: SSL stands for Secure Sockets Layer and is the cryptographic software that protects your communications with secure web and email services. TLS - Transport Layer Security - is the more modern name.]
SSL Drown is an attack that can be used against a server using an outdated protocol known as SSLv2. It is one of the latest attacks to be given a scary name that news outlets love to publicize. Nobody wants to talk about CVE-2016-0800, but "Drown Attack" gets people's attention, even outside of the network security world.
The big issue with the SSL Drown attack is that, while it is "only" an attack against an outdated protocol, it can be used to attack communications using *new* more-secure protocols like the latest-and-greatest TLSv1.2. That's what makes this vulnerability a Really Big Deal: it can make secure protocols insecure merely by its
The SSLv2 protocol was declared insecure and dead way back in 1996 and immediately replaced with SSLv3. Since 1996, 3 new protocols have been introduced (TLSv1, TLSv1.1, and TLSv1.2), SSLv3 itself has been declared unsafe, and it's starting to look like TLSv1's days are numbered for the truly security-conscious. The attack described in the SSL Drown announcement is mostly just a re-publication of work done in 1998 by Daniel Bleichenbacher at Bell Labs, with the added detail that newer-protocol connections (that didn't really exist way back in the 1990s) can be broken by attacking SSLv2 on the same server, then using the results of that attack to listen in on the TLS conversations.
So an attack against SSLv2 announced in 2016 shouldn't have been a big deal, right? Nobody should have been using SSLv2 since 1996, and security-conscious IT workers in high-security fields -- such as health care -- should have already been phasing out SSLv3 by March 2016 when SSL Drown was announced. So why is SSL Drown actually relevant to anyone but services that died out back in the late 1990s?
Well, it turns out that a shocking number of web and email servers in both protected (internal) networks and on the open Internet were still running SSLv2 for some reason. Any reasonable security audit should have identified this old, insecure protocol and recommended that it be disabled immediately. There is simply no reason anyone would need to have this protocol enabled. Recent versions of various SSL/TLS implementations such as OpenSSL actually require you to recompile the entire stack in order to support SSLv2. Other implementations are expected to be used in a large number of use-cases, and therefore need SSLv2 to remain supported.
We recently discovered a service that had this protocol enabled, and the owners were at a loss to explain how the oversight had occurred. The situation was quickly corrected (it's an easy configuration change, and will cause zero disruption to legitimate clients) but who knows how long their service was vulnerable to this particular attack? The solution is constant monitoring for insecure configurations of this nature. That monitoring needs to be kept up-to-date with industry best practices to make sure that you are testing for the right things.
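One way to automate that kind of monitoring is to audit the protocol directives in server configuration files. The following is an added example, not code from the original post: it resolves Apache `SSLProtocol` and nginx `ssl_protocols` lines and reports any that leave SSLv2 or SSLv3 enabled. It assumes `all` should be expanded conservatively to every known protocol (its real meaning depends on the server version and build) and that a bare Apache token replaces the list while nginx tokens accumulate; the sample configuration is constructed.

```python
import re

# Protocol names accepted by Apache mod_ssl (SSLProtocol) and nginx (ssl_protocols).
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv2", "SSLv3"}  # SSLv2 is what DROWN needs; SSLv3 is also declared unsafe
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#;]+)", re.IGNORECASE)

# Constructed sample configuration lines, not taken from any real server.
SAMPLE = """\
# constructed sample
SSLProtocol all -SSLv3
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
ssl_protocols SSLv2 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
"""

def enabled_protocols(directive, args):
    """Resolve one directive's arguments to the set of protocols left enabled."""
    canon = {p.lower(): p for p in KNOWN}
    additive = directive.lower() == "ssl_protocols"  # nginx: plain additive list
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        # Assumption: "all" is treated as every known protocol (conservative).
        names = set(KNOWN) if name.lower() == "all" else {canon.get(name.lower(), name)}
        if sign == "-":
            enabled -= names
        elif sign == "+" or additive:
            enabled |= names
        else:
            enabled = set(names)  # Apache: a bare token overrides what came before
    return enabled

def audit(config_text):
    """Return (line number, line, weak protocols) for each risky directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            weak = sorted(enabled_protocols(m.group(1), m.group(2)) & WEAK)
            if weak:
                findings.append((lineno, line.strip(), weak))
    return findings

if __name__ == "__main__":
    for lineno, text, weak in audit(SAMPLE):
        print(f"line {lineno}: {text!r} leaves {', '.join(weak)} enabled")
```

A configuration with no protocol directive at all falls back to the server's built-in defaults, which this check does not evaluate, so an external scan is still needed to confirm what the running service actually offers.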
The good news is that it's quite easy to test your TLS configuration against those industry best practices. There's even a publicly-available tool that you can point at your web service and it will tell you everything it can about your service, and give you a letter-grade. The service is Qualys's SSL Labs SSL Server Test. Just enter your URL and it will scan your service for configuration problems. It only takes a minute or two, and won't interrupt any clients or services you have running. You can even request that your results not be publicly-posted on their leader-board.
If it identifies any problems in your configuration, talk to your IT administrators about those issues and try to get them fixed. Or if you are an IT administrator and aren't sure how to fix those configuration errors, contact someone you trust to give you some help.
So, go scan your web server. Yes, *you*.
The answer to most security problems is "constant vigilance", and SSL Drown is no exception. If more IT administrators used tools like the SSL Server Test, SSL Drown would have been a non-story. I would love it if most network-security attack issues were non-stories like this, where only some super-small segment of the Internet were at risk.
CHADIS is a unique screening, decision support and patient engagement system designed to streamline and optimize healthcare by providing Clinicians with evidence-based data that improves diagnosis and management of health, emotional, developmental and behavioral concerns. CHADIS is the only IT company that has been designated as a “portfolio sponsor” by the American Board of Pediatrics for their Maintenance of Certification program.
Topics: HIT Network Security
Adherence to asthma medications is a major problem in healthcare, with the resulting poor asthma control incurring avoidable costs, emergency room visits, and even death (e.g. Sumino & Cabana, 2013). Read on for four simple tips to help improve asthma medication adherence, derived from the National Heart, Lung, and Blood guidelines (NHLBI, 1997) and a World Health Organization report (WHO, 2003).
- Simplify the medication regimen
  - Simplify the medication regimen if possible. For example, consider prescribing an inhaled corticosteroid of a greater strength that can be administered once a day, rather than a lower strength that must be administered at two different times each day.
- Review how to take the medicine
  - Using an inhaler or nebulizer can be complex! Ensure that a member of the clinical staff reviews how to use the asthma tools with the child and parent at every visit. Give parents access to handouts and videos to help!
- Explain the importance of taking the medication as prescribed
  - Ask the patient and parent how often they miss the medication. Explain to the parent and child why taking the medication every day is so important. Remind them of what can happen when they do not take the medication. Tell them that you will be checking in with them about this at the next visit to encourage compliance.
- Give an asthma treatment plan
  - Be sure to give parents and children their tailored asthma treatment plan to ensure they know what to do depending on the severity of their asthma. Point them to where this information is saved online, so that they can always print more copies as needed.
- Suggest a reminder system
  - Suggest simple reminder systems that the parent and child can use, like using an alarm on their smartphone. Give them a list of suggestions to try.
Asthma medication adherence in pediatric patients is a major challenge. Try the suggestions above. Need help sending education handouts and videos, checking in on adherence, providing the treatment plan online, or suggesting reminder systems to parents? CHADIS will soon facilitate all of these steps with innovative and automated tools, currently in development with a National Institutes of Health-funded project.
World Health Organization. (2003). Adherence to long-term therapies: Evidence for action. World Health Organization.
Sumino, K., & Cabana, M. D. (2013). Medication adherence in asthma patients. Current Opinion in Pulmonary Medicine, 19(1), 49-53.
National Heart, Lung, and Blood Institute. (1997). Expert Panel Report 2: Guidelines for the Management of Asthma. National Institutes of Health Publication Number 97-4051.
Welcome to CHADIS’ inaugural blog post. I’m Dr. Barbara Howard, President of Total Child Health, Inc. Our mission, with this blog, is to bring you useful content on topics related to the management of health, emotional, developmental and behavioral concerns.