Author archives: Pierfrancesco Ghedini

Machine Learning development platform

To dig a mine you need suitable tools, you cannot dig with your bare hands

To experiment with Machine Learning techniques, you need a suitable platform with all the necessary tools configured and working, or you’ll waste your time trying to set up the tools instead of solving your problem.

In this Jupyter Python Notebook you can find a simple tutorial that will guide you through setting up a suitable platform to work in, together with an example of use.

The example is the by now classic analysis of the Titanic shipwreck: we will use the well-known RandomForestClassifier to predict the shipwreck survivors.

Download the tutorial at:

https://github.com/pghedini/MLPlatform

Enjoy and let me know if you like it on Twitter @pierfghedini.

Pierfrancesco Ghedini

Creative Commons License
This work is distributed under a Creative Commons Attribution 3.0 Italy License.

Digging Twitter Users with Python


Thanks to the powerful Twitter REST API, it is easy to extract useful information from Twitter with a few lines of Python code.

The tool is written in Python (it works in Python 2.7 and Python 3) and it is quite handy for digging into Twitter users; in particular, it deals with the Followers and Friends of a Twitter account. You can download the code from https://github.com/pghedini/twitter_users

Features

The tool, by means of the Twitter REST API, gets the Followers and Friends of a given user. It reports the New followers and the Lost followers since the previous run.

It also gives the Not Following Friends: the Friends not following the given user.

Tot: 520 follower.
New follower: 10
Lost follower: 1
Unchanged follower: 509

Tot: 795 friends.
Friends not following: 355

In verbose mode, the tool gives the lists of New Followers, of Lost Followers and Not Following Friends.

Conclusion

The code is straightforward and you will be able to modify it to customize its features.

Enjoy and let me know if you like it on Twitter @pierfghedini.

Pierfrancesco Ghedini


Health Information Technology Cybersecurity – the architecture

The cybersecurity of health information systems is a complex issue that requires a systematic approach.

In this article we will analyze a proposed cybersecurity architecture for a generic Healthcare Authority. Here, Healthcare Authority means a generic healthcare organization that deals with primary care or secondary care, but also with home care and community care.

The proposed architecture is designed to fit a university hospital as well as a country hospital or a local Healthcare Authority with outpatient clinics.

We will indicate the generic Healthcare Authority with the acronym HA.

Architecture schema

Health Systems Cybersecurity Schema


The roles

All users can be modeled with only three main roles:

  1. guests: unauthenticated users;
  2. professionals: authenticated users who use the systems from inside and outside the HA;
  3. IoTs and other automated systems that need to interact with the HA.

The double role of IoT and IoMT

IoT (Internet of Things) and IoMT (Internet of Medical Things) devices also include medical devices that operate outside the HA.

For simplicity, we will map IoTs to the guest role (unauthenticated users) if they do not need access to HA systems, that is, to application functions. We will map IoTs to the professional role if they need access to application functions.

The cyber-security architecture 

The HA infrastructure is segmented in four zones:

  • the sandbox zone;
  • the exposed systems zone;
  • the untrusted systems zone;
  • the isolated systems zone.

The sandbox zone is the only zone guests can access. From the sandbox zone it is not possible to access the other zones.

Conversely, the sandbox zone can be accessed from the other zones.

Within the sandbox zone there is a restricted area that only authenticated users can access. The data in this area are encrypted and are also accessible offline. This sandbox zone can be located on portable devices in order to make sensitive data available when the devices in use are offline.

The exposed systems zone is the area that hosts the hardened systems accessible by authenticated users from outside or inside the HA. The systems in the exposed zone are the only way to reach the systems in the isolated zone or in the untrusted zone.

The isolated zone and the untrusted systems zone are accessible only by authenticated users who have application grants on servers in the exposed zone. Typically, the isolated zone hosts the most sensitive systems and the DB resources. The isolated zone is segmented by sensitivity or level of trust.

The untrusted zone is typical of the healthcare domain and contains the medical devices and other systems that cannot be considered hardened enough to be accessed directly in the exposed zone. Typically, these systems need network protection. For the same reason, the most sensitive systems are placed in the isolated zone.

Like the exposed zone, the untrusted zone is logically a single zone, but physically it consists of a myriad of connected network areas, each containing only a few devices or just one.

Test systems and Maintenance activity

In an HA, maintenance is often provided by outside partners. These partners must have access to the systems they manage, but only to those. In addition, all their activities must be logged at the network level, because the HA cannot trust system logging: these partners often have administrative rights over the systems they manage.

Another important issue is the HA’s need for a test, or “staging”, area in each zone.

The test area of each zone contains test systems or pre-production systems. The systems in the test areas cannot access production systems. The test systems in each zone have the same security restrictions and capabilities as the analogous production systems. In other words, the test area mirrors the production area, but is completely separated from it.

GDPR orchestration

The HA must orchestrate the entire security architecture according to the policies and rules of the GDPR (General Data Protection Regulation, EU 2016/679). In fact, the GDPR requires the administration to define the security policies it has decided to adopt and to verify periodically that these policies are respected.

Use case

Access to inpatient data: in the morning, Doctor Alice orders an entire suite of blood exams for inpatient Bob. Later, in the afternoon, Doctor Alice is notified that Bob’s results are ready, and she accesses the results from her home.

When Alice is at work, in the morning, she uses a ward mobile device to order the exams, then uses a POCT (point of care testing) analyzer located in the ward to analyze Bob’s blood. She takes a look at the values the analyzer gives directly, but she needs the pathology department’s validation. She is notified that a validation is ready when she is at home, in the late afternoon: she receives an SMS saying that new pathology results are ready (no sensitive data are sent in the SMS). Alice takes a look at the results with her home computer.

From a security perspective, several systems in different zones are involved in the process:

A) in the morning, Alice accesses the Order System, which is in the Exposed Systems Zone;

B) the analyzer Alice uses is located in the Untrusted Systems Zone;

C) Bob’s exam results are collected by the Pathology System, which is located in the Exposed Systems Zone;

D) from her home, Alice accesses the Clinical Data Repository System in order to get the pathology report; the Clinical Data Repository is in the Exposed Systems Zone. The DB of the Data Repository is in the Isolated Systems Zone.

Key points

  • It doesn’t matter whether Alice is at work or at home, she uses the same systems; in other words, the systems in the exposed zone are hardened to be exposed on the internet, even if they are only used from inside the HA;
  • the medical device, the POCT, is considered untrusted; because of this, the network performs port filtering, web firewalling and so on; the device is isolated in the Untrusted Systems Zone and cannot be accessed directly;
  • sensitive resources are isolated in the Isolated Systems Zone and cannot be accessed directly;
  • guests interact with the HA safely through a Sandbox Zone.
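
The zone rules and the use case above can be written down as a policy that a list of planned network flows is audited against. This is an added example, not part of the original article: the names Flow, check_flow, audit and the "client" label are hypothetical, the flow list is constructed, and any flow the article does not describe is assumed to be denied.

```python
from typing import NamedTuple

ZONES = ("sandbox", "exposed", "untrusted", "isolated")
CLIENT = "client"  # assumed label for a user's or IoT device, inside or outside the HA


class Flow(NamedTuple):
    name: str
    role: str               # "guest" or "professional"; IoTs map to one of the two
    src: str                # CLIENT or one of ZONES
    dst: str                # one of ZONES
    src_env: str = "prod"   # "prod" or "test" area of the source zone
    dst_env: str = "prod"   # "prod" or "test" area of the destination zone


def check_flow(f: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the article's zone rules."""
    if f.src not in ZONES + (CLIENT,) or f.dst not in ZONES:
        return False, "unknown zone"
    if f.role not in ("guest", "professional"):
        return False, "unknown role"
    # Test areas mirror production but are completely separated from it.
    if f.src != CLIENT and f.src_env != f.dst_env:
        return False, "test and production areas are separated"
    # The sandbox is the only zone a guest can access.
    if f.role == "guest" and f.dst != "sandbox":
        return False, "guests are confined to the sandbox"
    # From the sandbox it is not possible to access other zones.
    if f.src == "sandbox" and f.dst != "sandbox":
        return False, "no access from the sandbox to other zones"
    if f.dst == "sandbox":
        return True, "the sandbox is reachable by every role and zone"
    # Exposed systems serve authenticated users from inside or outside the HA.
    if f.dst == "exposed" and f.src == CLIENT:
        return True, "authenticated access to an exposed system"
    # Isolated and untrusted systems are reached only through exposed systems.
    if f.dst in ("isolated", "untrusted"):
        return f.src == "exposed", f"{f.dst} zone is reached only through exposed systems"
    # Assumption: any flow the article does not describe is denied.
    return False, "not described by the architecture: denied by default"


def audit(flows: list[Flow]) -> list[tuple[str, str]]:
    """Return (flow name, reason) for every flow that violates the zone model."""
    return [(f.name, reason) for f in flows
            for ok, reason in [check_flow(f)] if not ok]


# Constructed flow list: the first four follow the use case, the last four are
# deliberate violations that show what the audit reports.
SAMPLE_FLOWS = [
    Flow("alice-ward-to-order-system", "professional", CLIENT, "exposed"),
    Flow("pathology-collects-from-poct", "professional", "exposed", "untrusted"),
    Flow("alice-home-to-data-repository", "professional", CLIENT, "exposed"),
    Flow("data-repository-to-its-db", "professional", "exposed", "isolated"),
    Flow("home-pc-to-repository-db", "professional", CLIENT, "isolated"),
    Flow("guest-to-order-system", "guest", CLIENT, "exposed"),
    Flow("sandbox-to-order-system", "professional", "sandbox", "exposed"),
    Flow("test-repository-to-prod-db", "professional", "exposed", "isolated",
         src_env="test"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {name}: {reason}")
```

The same check can be run over an export of real firewall or reverse-proxy rules once each rule is tagged with its source zone, destination zone and area.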

Conclusion

Security architecture is not the solution. To achieve a sufficient level of cybersecurity you have to adopt a considerable number of different techniques, but without a security architecture it’s difficult to reach the goal.

Pierfrancesco Ghedini


FHIR CLI updated to 1.4.0


FHIR CLI is now STU 3 compliant. The easy-to-use Command Line Interface to HL7 FHIR® – Fast Healthcare Interoperability Resources (hl7.org/fhir) – now also supports the latest version of the standard.

To use it, download the libraries from GitHub: https://github.com/pghedini/fhir-cli and follow the instructions to use the STU 3 compliant client.

Let’s see an example session:

# Import the version STU 3 Candidate compliant
In [1]: from client_v3 import *

In [2]: cli = init_client()
Using FHIR Server: http://fhir3.healthintersections.com.au/open/
Verbosity LOW
No logging file.
No console logging.

# let's see the supported resources

In [3]: RESOURCES
Out[3]: 
[u'Account',
 u'AllergyIntolerance',
 u'Appointment',
 u'AppointmentResponse',
 u'AuditEvent',
 u'Basic',
 u'Binary',
 u'BodySite',
 u'Bundle',
 ...
 u'Patient',
 ...]

# and how many there are
In [4]: len(RESOURCES)
Out[4]: 114

# or make a query
resp = read(cli, "Patient/example")
# ...

HL7® and FHIR® are registered terms of the subject having right (HL7 organization).

Pierfrancesco Ghedini


On Giving Trust – Trusting Trust –


Ken Thompson

In an article of mine published in issue 3 of the magazine “Reputation Today”, I dealt with the much-debated topic of the chain of trust that must be established between supplier and customer in order to guarantee the security of any IT installation. To clarify the concept I cited a famous attack devised by Kenneth Thompson, the “Trusting Trust Attack”.

The first to talk about this attack was Thompson himself, in the speech he gave back in 1983 when he received the Turing Award, one of the most coveted prizes in the computing community. For some time there had been a rumour that Ken, who was one of the inventors of Unix, one of the most widespread computer operating systems, could get into any system despite not having the access credentials. To verify this, even very thorough analyses had been carried out, but they had come to nothing, and Thompson kept smiling slyly from behind his unkempt beard.

That evening, in a hall packed with dapper professors and bearded hackers in Californian-style flowered shirts, Ken explained how, through a process of progressive learning, software could incorporate information within itself, burying it in layers deeper than those an ordinary analysis normally considers. Thompson’s statements finally revealed why years of searching the Unix source code had yielded nothing: one simply had to go deeper. Ken was saying that the software installed on a machine is not simply the last layer of software installed, but also the memory of everything that was done before.

For many years after that distant ’83, Thompson’s attack, or “Trusting Trust Attack”, would remain without real and effective countermeasures, and still today it represents a conceptual paradigm against which to measure the soundness of our approaches to IT security.

But these thirty-plus years of the attack’s history make us understand that Thompson’s message was perhaps even more subtle: he revealed to us that software, like the ground we walk on, remembers our footprints, even if the rain seems to wash them away. Every generation of software carries with it the legacies and traces of the previous ones… Thompson seems to tell us: “Beware. Whoever is without memory is, often, also without protection.”

For an in-depth analysis of the “Trusting Trust Attack”, see the article “Reflections on Trusting Trust” by Ken Thompson.

Pierfrancesco Ghedini


HP Prime – The missing command


HP Prime Calculator

The HP Prime Missing Command

Frequently I must inspect the values that a function takes at a list of points, or I have to take some samples of the function in a neighborhood of a point X0.

With HP Prime I can enter the function in the “Function App” and plot it. I can also inspect the numerical values it assumes by means of NUM, but it isn’t an easy way to do my job…

So I wrote some lines of code to make my life easier: my own missing HP Prime command.

My missing command takes three forms: FORCALC, LISTCALC and FORCALCFORM.

FORCALC and LISTCALC use the function stored in the F0 function variable. In FORCALCFORM you can enter the function you want to sample directly in an input form.

FORCALC takes three parameters in input:

  • X_FR – X FROM Value; the start value of the interval to sample;
  • X_TO – X TO Value; the end value of the interval to sample;
  • X_STEP – the increment to add at each loop.

Usage: FORCALC(1,5,0.2)

Output: FORCALC samples the function stored in the F0 variable from X=1 to X=5, 20 times (0.2 increment at each loop).

Source code:

EXPORT FORCALC(X_FR,X_TO,X_STEP)
BEGIN
LOCAL OUT={};
 FOR X FROM X_FR TO X_TO STEP X_STEP DO
 MSGBOX("X="+X+" F0="+F0(X));
 CONCAT(OUT,F0(X))▶OUT;
 END;
RETURN(OUT);
END;

LISTCALC takes one parameter in input:

  • LL – List of values to test. The list contains the points you want to sample.

Usage: LISTCALC({1.0, 1.5, 10.0})

Output: LISTCALC samples the function stored in the F0 variable at three points: 1.0, 1.5, 10.0.

Source code:

EXPORT LISTCALC(LL)
BEGIN
LOCAL OUT={};
 FOR I FROM 1 TO SIZE(LL) DO
 MSGBOX("X="+LL(I)+" F0="+F0(LL(I)));
 CONCAT(OUT,F0(LL(I)))▶OUT;
 END;
RETURN(OUT);
END;

FORCALCFORM combines the two tools in one.

It takes no parameters in input, but it shows an input form:

[Screenshot: the FORCALCFORM input form]

In FN you have to input the function to sample, in X_FR the start value of the interval to sample, in X_TO the end value of the interval to sample, in X_STEP the increment to add at each loop. In POINT_LIST you can enter the list of points to sample. If you insert something different from {} in POINT_LIST, X_FR, X_TO, X_STEP will be ignored.

Source code:

EXPORT FORCALCFORM()
BEGIN
// Pay attention, it overwrites the variable F0
LOCAL OUT={};
LOCAL FN="";
LOCAL X_FR=0;
LOCAL X_TO=0;
LOCAL X_STEP=0;
LOCAL POINT_LIST={};
INPUT({FN,X_FR,X_TO,X_STEP,POINT_LIST});
 FN▶F0;
IF SIZE(POINT_LIST)==0 THEN
 FOR X FROM X_FR TO X_TO STEP X_STEP DO
 MSGBOX("X="+X+" F0="+F0(X));
 CONCAT(OUT,F0(X))▶OUT;
 END;
ELSE
 FOR I FROM 1 TO SIZE(POINT_LIST) DO
 MSGBOX("X="+POINT_LIST(I)+" F0="+F0(POINT_LIST(I)));
 CONCAT(OUT,F0(POINT_LIST(I)))▶OUT;
 END;
END;
RETURN(OUT);
END;

Simple and useful.

Enjoy.

You may also find this post interesting: http://informaticasanitaria.it/2014/12/06/hacking-hp-prime/

Pierfrancesco Ghedini


FHIR® $everything operator

HL7 FHIR® provides a useful operator to retrieve all the information related to Patients and Encounters.

In order to keep this example simple we will use the FHIR CLI (Command line interface) to build the resources and to interact with the FHIR server.

Use of $everything operator

The $everything operator is used to return all the information related to the resource on which the operation is invoked, either Encounter or Patient. The response is a bundle of type “searchset”. At a minimum, the patient/encounter resource itself is returned, along with any other resources that the server has that are related to the patient/encounter and that are available for the given user. The server also returns whatever resources are needed to support the records, e.g. linked practitioners, medications, locations, organizations, etc.

The two input parameters are:

  • start_date -> The date range relates to care dates, not record currency dates – e.g. all records relating to care provided in a certain date range. If no start date is provided, all records prior to the end date are in scope.
  • end_date -> The date range relates to care dates, not record currency dates – e.g. all records relating to care provided in a certain date range. If no end date is provided, all records subsequent to the start date are in scope.

Let’s see the operator in action

Start FHIR CLI by typing the following in a Python interpreter…

from client import *
cli = init_client()

And now, execute the command…

# Basic invocation on a Patient instance
# 
resp = everything(cli, "Patient/example")

If the resource instance “Patient/example” exists, an output like this will be returned:

POST Url: http://fhir3.healthintersections.com.au/open/Patient/example/$everything
Output code: 200

Other possible invocations are:

# Invocation on all Patient resources
# 
resp = everything(cli, "Patient")
# Basic invocation on an Encounter instance 
resp = everything(cli, "Encounter/example")
# Invocation on all Encounter resources
resp = everything(cli, "Encounter")

Pierfrancesco Ghedini


FHIR® Document production from Resource Composition

As the FHIR documentation says: “FHIR resources can be used to build documents that represent a composition: a set of coherent information that is a statement of healthcare information, particularly including clinical observations and services. A document is an immutable set of resources with a fixed presentation that is authored and/or attested by humans, organizations and devices. Documents built in this fashion may be exchanged between systems and also persisted in document storage and management systems, including systems such as IHE XDS. Applications claiming conformance to this framework claim to be conformant to FHIR documents.”

The FHIR Document Operator produces a document from a given composition.

In order to keep this example simple we will use the FHIR CLI (Command line interface) to build the resources and to interact with the FHIR server.

Use of document operator

Start FHIR CLI by typing the following in a Python interpreter…

from client import *
cli = init_client()

Create a document from a Composition Resource…

resp = document(cli, "Composition/example")
# resp is a bundle to decode
bu = Bundle(resp.obj())
# Now loop over bundle entries
for ent in bu.entry:
    print(html2text(ent.resource["text"]["div"]))

Typing the “resp” variable, you can see the executed command

GET Url: http://fhir3.healthintersections.com.au/open/Composition/example/$document?persist=false
Output code: 200

If you want to make the document persistent, set the “persist” attribute to True

resp = document(cli, "Composition/example", persist=True)

If you inspect the returned resp variable, you will see something like this

GET Url: http://fhir3.healthintersections.com.au/open/Composition/example/$document?persist=true
Output code: 201

The document was produced and the output code is 201 (OK)

 

Pierfrancesco Ghedini


FHIR® resource validation

In HL7 FHIR® it is quite easy to validate a resource, that is, to check its syntactic correctness, by means of a FHIR server.

In order to keep this example simple we will use the FHIR CLI (Command line interface) to build the resources and to interact with the FHIR server.

Validation of a resource in XML format

Start FHIR CLI by typing the following in a Python interpreter…

from client import *
cli = init_client()

Store the resource in a variable called “res”

res = '''<Patient xmlns="http://hl7.org/fhir">
<id value="pat1"/>
<text>
<status value="generated"/>
<div xmlns="http://www.w3.org/1999/xhtml">

<p>Patient Donald DUCK @ Acme Healthcare, Inc. MR = 654321</p>

</div>
</text>
<identifier>
<use value="usual"/>
<type>
<coding>
<system value="http://hl7.org/fhir/v2/0203"/>
<code value="MR"/>
</coding>
</type>
<system value="urn:oid:0.1.2.3.4.5.6.7"/>
<value value="654321"/>
</identifier>
<active value="true"/>
<name>
<use value="official"/>
<family value="Donald"/>
<given value="Duck"/>
</name>
<gender value="male"/>
</Patient>'''

Now execute the FHIR validate operation

resp = validate(cli, resource="Patient", par=res, format_acc="xml")

See the response code in order to check the operation result

resp.resp_code()

or simply type the variable name “resp” to display the output of the command

resp

You will see something like this:

<?xml version="1.0" encoding="UTF-8"?><OperationOutcome xmlns="http://hl7.org/fhir"><text><status value="generated"/><div xmlns="http://www.w3.org/1999/xhtml"><p><b>Operation Outcome for :Validate resource </b></p><p>All OK</p></div></text></OperationOutcome>
POST Url: http://fhir3.healthintersections.com.au/open/Patient/$validate?async=false
Output code: 200

The operation “POST Url: http://fhir3.healthintersections.com.au/open/Patient/$validate?async=false” was All OK
The resource is validated.
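
Per the FHIR specification, $validate answers 200 whenever the validation could be performed, so the verdict has to be read from the issues in the returned OperationOutcome and not from the HTTP code alone. The following is an added example, not part of FHIR CLI: outcome_issues and is_valid are hypothetical helper names, the first sample is the response shown above and the second one is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"f": "http://hl7.org/fhir"}
FAILING = {"fatal", "error"}   # severities that mean the resource did not pass

# The "All OK" response shown above: an OperationOutcome without issues.
OK_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<OperationOutcome xmlns="http://hl7.org/fhir"><text>'
    '<status value="generated"/><div xmlns="http://www.w3.org/1999/xhtml">'
    '<p><b>Operation Outcome for :Validate resource </b></p><p>All OK</p>'
    '</div></text></OperationOutcome>'
)

# Constructed response: validation ran (HTTP 200) but reported an error.
ERROR_RESPONSE = (
    '<OperationOutcome xmlns="http://hl7.org/fhir"><issue>'
    '<severity value="error"/><code value="structure"/>'
    '<diagnostics value="constructed sample: unknown element"/>'
    '</issue></OperationOutcome>'
)


def outcome_issues(xml_text):
    """Return the issues of an OperationOutcome as a list of dicts."""
    # The document comes from a remote server: refuse DTDs before parsing,
    # so that entity definitions never reach the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a FHIR response")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{http://hl7.org/fhir}OperationOutcome":
        raise ValueError("not an OperationOutcome")

    def value_of(issue, name):
        el = issue.find("f:" + name, NS)
        return el.get("value") if el is not None else None

    return [
        {key: value_of(issue, key) for key in ("severity", "code", "diagnostics")}
        for issue in root.findall("f:issue", NS)
    ]


def is_valid(http_code, xml_text):
    """True only if the call succeeded and no issue is an error or fatal."""
    if http_code != 200:
        return False
    return not any(i["severity"] in FAILING for i in outcome_issues(xml_text))


if __name__ == "__main__":
    print(is_valid(200, OK_RESPONSE))
    print(is_valid(200, ERROR_RESPONSE), outcome_issues(ERROR_RESPONSE))
```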

Validation of a resource in json format

In this example we will build a resource using the resource constructor (Patient()) but, if you prefer, you can store the JSON object directly in a variable and validate it in the way seen previously.

pa = Patient({"resourceType":"Patient", "id": "pat1", "name":[{"family":["Donald"],"given":["TestName"],"use":"official"}]})
# check the content of pa simply entering pa variable
pa

and validate it.
Pay attention: to obtain the JSON representation of the Patient resource stored in the “pa” variable, use pa.json

resp = validate(cli, resource="Patient", par=pa.json, format_acc="json")

See the response code in order to check the operation result

resp.resp_code()

Pierfrancesco Ghedini


HL7® FHIR® CLI – Command Line Interface

Are you looking for an easy-to-use Command Line Interface to HL7 FHIR® – Fast Healthcare Interoperability Resources (hl7.org/fhir)?

If you answered “YES”, take a look at this Python project.

You are not required to be a programmer in order to experiment with FHIR or to test a FHIR server you are implementing.

Read the “README” file for a lot of examples and CLI usage.

Enjoy.

Pierfrancesco Ghedini
