The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 70

Wednesday 22 May 1991


o Shuttle Columbia delayed
o Patriot Lapse and Software Failure
Marc Rotenberg
Gene Spafford
o Let the Games Begin! [Airline discounting practices]
Jerry Leichter
o Yet another Push The Button story
Jonathan Rice
o HHS malpractice data bank start-up problems
Richard Guy
o Re: Scientific American Sidebar
Willis H. Ware
Walter Maner
o Info on RISKS (comp.risks)

Shuttle Columbia delayed

"Peter G. Neumann" <>
Wed, 22 May 91 19:16:30 PDT
NASA halted the space shuttle Columbia's launch countdown on 21 May 91 because
of ``bad computer parts and fuel sensors''.  ``The parts to be replaced include
nine fuel temperature sensors, one of the five main computers and one of the 23
units that link the main computers with shuttle components.''  Retry is
scheduled for 28 May.  [San Francisco Chronicle, 22 May 91, p.A8]

Patriot Lapse and Software Failure

Tue, 21 May 91 17:59:03 PDT
The New York Times reported that computer failure was responsible for the
failure of a Patriot missle to stop a scud missle that hit an American military
barracks in Dhahran.  According to the Times story, the Patriot's radar system
was rendered inoperable by the computer failure.

According to army officials, "an unforseen combination of `dozens' of variables
-- including the Scud's speed, altitude and trajectory — had caused the radar
system's failure. . . . [this case was] an anomaly that never showed up in
thousands of hours of testing."

The Times article states that "During the war, American military officers were
reluctant to discuss any weapon failings.  But even after the cease-fire, many
officers were averse to say anything that might tarnish the one-sided allied
victory over Baghdad's forces."

["Army is Blaming Patriot's Computer For Failure to Stop Dhahran Scud" --
New York Times, May 20, 1991, A6]

Marc Rotenberg, CPSR Washington Office.

  [The NY Times front-page story (Eric Schmitt, 20 May 91) cited 28 dead in a
  U.S. military barracks in Saudi Arabia on 25 Feb 91, the single worst
  American casualty in the war.  Apparently the radar never saw the incoming
  missile because of a computer failure, permitting the Scud to land intact.
  (This latest report corrected an earlier report, which suggested that the
  Scud had broken up into pieces without a Patriot having been launched.)  An
  AP article on 21 May cited 29 killed and 97 wounded.  PGN]

AP reports software bug caused Patriot failure

Gene Spafford <>
21 May 91 14:17:00 GMT
[...] The article concludes with: "The Army source said the glitch arose
because the computers had been running continuously for four days."

FOUR DAYS!?  I sure hope that the article is wrong or the person being quoted
didn't understand.  There is no excuse for a system that fails if it isn't
rebooted every few days, especially when it is in such a critical application.

And these are the guys who claim they can develop a permanent missile shield
for SDI?  Just whose side are they on?

Gene Spafford, Dept. of Computer Sciences, Purdue University, W. Lafayette
IN 47907-1398 Internet:  phone: (317) 494-7825

Let the Games Begin! [Airline discounting practices]

Jerry Leichter <>
Tue, 21 May 91 08:02:23 EDT
In a recent RISKS, I reported on the airline practice of adjusting the number
of discount seats on flights on a continuous basis.  This practice, known as
yield management (I mistakenly called it load management), allows them to
maximize profit.  I also noted that some travel agencies were starting to
respond to yield management - only possible because of the massive
computational resources available to the airlines - with computers of their
own, which continuously search for good deals.

Well, for every offense there's a defense, and for every defense an offense.
The Wall Street Journal (Monday, 20-May, page B1: "Agents Rankle Airlines With
Fare-Checking Programs") reports on the next exchange in this battle: The
airlines are changing the fee structure for their reservation systems in an
attempt to shut down the scanners.  Traditionally, access to the systems has
been on a flat fee basis.  Now, the airlines are beginning to charge per
inquiry beyond a certain monthly quota.  The fees are about a penny per
inquiry, but that adds up - one agency will reportedly run up fees well in
excess of $100,000 a year.

The airlines, of course, claim the fees are being imposed for a different
reason - they say the programs are putting excessive load on their systems
and adding to their cost of operation.

The developers of the scanners are modifying them to make fewer inquiries, and
will also try to pass on the costs to their customers.  However, some experts
in the business believe the airlines will win this war, and that the scanner
programs have no future.

Michael Levine, dean of Yale's School of Organization and Management and a
former CAB official, is quoted saying "You have to be concerned about the
consumer's perspective.  Consumers ought to have the right to shop, and nothing
should impeded that."  I suspect he may have framed one of the next big
computer law and regulation issues.
                            — Jerry

Yet another Push The Button story

Jonathan Rice <>
Mon, 20 May 91 9:54:51 CDT
Control Data CYBER 170 series mainframes, and at least one generation of their
descendants, were watched over by a box called the TMPC: Temperature Monitor
and Power Control.  One pushbutton on this device, usually mounted conveniently
close to the operator's console, was labeled "LAMP TEST."  Unfortunately,
pressing the button not only illuminated each of the failure modes on the
diagnostic panel, but actually raised all of the alarm signals — high
temperature, motor/generator failure, etc.  The mainframe would shut down to
the tune of the world's awfullest buzzer and the curses of the operators.

*Every* CDC site I ever visited, and that was a fair number, had a "lamp test"
story to tell.  And many had ordered a blank keycap to replace the original.

To add to the growing collection of morals, then: emergency shutdown switches
should not be labeled with the equivalent of "Push Me."

Jonathan C. Rice  |  Internet:  |  UUCP: uunet!cray!rice

HHS malpractice data bank start-up problems

Richard Guy <guy@PRAM.CS.UCLA.EDU>
Mon, 20 May 91 14:48:46 PDT
"The malpractice data bank is turning into a Frankenstein" by Mark Holoweiko,
Senior Editor, _Medical Economics_, May 6, 1991 [a medical trade journal sent
unsolicited to members of the American Medical Association]

Despite warnings by the General Accounting Office that it was nowhere near
ready to operate, the National Practioner Data Bank was opened last Sept. 1 by
the Department of Health and Human Services.  By law, medicine's dirty laundry
began pouring into a Camarillo, Falif., computer facility run by Unisys Corp.,
which had contracted with HHS to handle the project.

Malpractice insurers, hospitals, state lcensing boards, and other "health-care
entities" started mailing in information about doctors and dentists--mostly
reports of payouts on professional-liability claims, and adverse credentialing
and licensure decisions.  Simultaneously, hospitals began querying the data
bank for information on medical staff members and applicants.  In addition,
licensing boards, medical societies, and other oentities, such as certian HMOs
and group practices, became eligible to query the data bank.

Only six weeks later, it appeared that the GAO's fears had already been
borne out.  The dirty laundry was piling up at the door.  The software that
Unisys was supposed to develop either wasn't in place or didn't work, so
the company was trying to cope manually with the deluge of information and

The backlog of quieries numbered in the tens of thousands, procuding eight- to
10-week delays in response time.  In the absence of a data-bank reply,
hospitals, licensing boards, and others wondered if they could safely give a
doctor the green light to practice.

To complicate matter,s both the GAO and the HHS Office of the Inspector General
raised concerns about theconfidentiality of the data; hundreds of physicians
lodged disputes over the workding of reports about them; and Unisys
exp0erienced major cost overruns and demanded more money.  Meanwhile, in light
of GAO criticisms, Congress threatened to cut off funds that had already been
appropriated for 1991.  Finally, Unisys had such big problems of its own that
its solvency seemed questionable.

Will the data bank ever work?  "Since we opened Sept. 1, the bank has been
operating as we had hoped it would," insists Robert G. Harmon, M.D.,
administrator of HHS' Health Resources and Services Administration, which
oversees the bank.  But few share Harmon's view.

"They're having a terrible time," says James S. Todd, M.D., executive vice
president of the American Medical Association and a member of the data-bank
executive committee, which advises Unisys on the project.  "The project is
really in jeopardy at this point," declares another committee member.


"The people involved in designing the project didn't know what they were
doing," says an executive committee member.  "They didn't understand insurance,
medical malpractice, computers, the basic components of the whole project.  And
they got themselves into a real mess."

Back in the psring of 1990, the GAO examined the data bank's development by
HRSA and Unisys, the npresented a report to HHS bluntly title, "National
health practitioner data bank has not been well-managed."  AMong other
things, the GAO said:
>"No one person has been accountable. ... [sic] Instead, accountability is
shared by at least 14 HRSA officials."  And none of the 14 had "the
necessary training and experience" to ensure that the system would meet
specifications.  COnsequently, HRSA was relying on Unisys "to carry out the
critical management functions of establishing plans, schedules, and budgets,
and ... [sic] testing computer programs before they are implemented."
>The project's total cost might increas from $15.8 million to $25 million.
>"HRSA cannot ensure that appropriate security measures will be installed
to prevent unauthorized access and manipulation of data-bank information,"
becuase it hadn't complied with governement regulations and conducted a
risk analysis.

GAO recommended that the September 1990 opening be postponed.

In response, HRSA engaged governement computer experts to evaluate security and
test the software.  They found several weaknesses.  FOr example, the system
wasn't equipped to detect aunauthorized changes to the data and trace them back
to the culprits.

Nevertheless, through the Office of Inspector General, HHS maintained that "the
management processes employed by HRSA are both reasonable and adequate," and
the confidentiality concerns have been adequately addressed."  It pushed for
the Sept. 1 launch.  Adding that Unisys' request for another $9 million was
"out of line" and had "subsequently been withdrawn by the contractor," HHS
asserted that the project was on schedule and within budget.

The House appropriations COmmittee temporarily withheld data-bank funds for
fiscal 1991 pending assurances from HHS Secretary Louis W. Sullivan that the
deficiencies cited by GAO had been corrected.  But government computer experts
certified the system as secure, the funds were released, and HHS forged ahead
and opened the bank.

[omitted; operating expense overruns; Unisys losses]


The first order of business was to clear the logjam.  As of February, there was
a backlog of about 500 reports to enter into the system, and 108,000 queries to

"There's been an eight- to 10-week wait for responses to queries from
hospitals," says James Todd.  "That's a long time when you're talking about
credentialing.  Take a new physician coming to a hospital.  The hospital has to
query the bank before it can grant him privileges.  Does the physician have to
sit and do nothing for two months?  Or, if he starts practicing without a
response from the data bank, what is the hospital's liability?"

According to the AMA, some doctos have, indeed, complained that hospitals
refused to grant them privileges until hearing from the data bank.  But the law
creating the data bank seems to contain a loophole: All it stipulates is that a
hospital must *query* [emphasis original] the bank before it grants privileges;
it doesn't have to wait for a response.

Accordingly, the American Hospital Association's general counsel, Fredric
Entin, advised hospitals to proceed with granting or renewing privileges.
"I've heard that some hospitals have let the delay paralyze them, but I suspect
it's very few," say Entin, who's a member of the executive committee.

The situation is similarly discouragin for state licensing boards, says James
R. Winn, M.D., executive vice president of the Federation of State Medical
Boards: "Most are querying the data bank before issuing licenses, but getting
information has been very slow."

As this issue went to press, however, Fitzhugh Mullan, M.D., HRSA's project
director for the data bank, told us that the backlogs and delays had been
reduced to "zero."


Reports to the data bank are supposed to include a description of the
practitioner's alledged wrongdoing.  This narrative is limited to a maximum of
600 characters, or about 50 words.  [... example and further discussion of
wording dispute procedures omitted]

If the data bank ruins a doctor's reputation by disseminating erroneous
information, can the physician sue Unisys or HHS for damages?  "I don't believe
so," says AHA General Counsel Fred Entin.  "The governement has sovereign
immunity.  That means that you have to get the government's permission before
you can sue it.  And since Unisys is acting as a government contractor, I think
this immunity would extend to the company as well."


"I feel that the data bank is secure," says HRSA's Robert Harmon.  "We have
numerous safeguards built into the computer systems.  The computers themselves
are housed in a secure facility that does work for the Pentagon.  Personnel
have to be cleared.  There are stiff penalties for improper use of the
information." (Each violation is punishable, via the IG's office, by a civil
montary penalty of up to $10,000.)

But that's not the issue, says Ronald S. Gass, senior counsel for the American
Insurance Association and a data-bank committee member.  "The facility in
California has ultra-high security, guard dogs, barbed wire, and all that
stuff," he agrees.  "But is it sending information out the right way?"

As of February, according to government figures, about 12,500 organizations had
been authorized to query (or, in the case of malpractice insurers, just report
to) the data bank.  When we added up all the nation's hospitals, HMOs, malprac-
tice insurers, and physician and nurse licensing boards, the total fell short
of 12,500 by roughly 5,000. Surely, hundreds of these are group practices,
professional socities, and preferred provider organizations.  But exactly who
they are is anyone's guess.  Furthermore, so many and varying types of organi-
zations are legally entitled to query the bank that leaks seem inevitable.

[more discussion of "self-certification" access loopholes; also discussion
 of an emerging practice of requiring physicians to produce data-bank
 reports as a part of credentialing process.]


[discussion of hospital peer review decisions, confidentiality, liability
of peer reviewers ommitted]


As currently programmed, the bank's computers can't distinguish medical
doctors from other practitioners, or tell what percentage of reports
concern malpractice payouts and disciplinary actions.

A policy analyst with HRSA acknowledges that Unisys "can't even tell us how
many hospitals have queried," let alone how many HMOs, insurers, group prac-
tices, and others have access.  "This is the office that sets the policy," she
continues. "Even *we*[emphasis original] don't have access to that information."

Insurers for all licensed health practitioners--not just doctors and dentists--
are now supposed to be reporting payouts on malpractice claims.  Are they? "At
this point, the system is not capable of pulling that out," the analyst admits.

[further discussion of which government agencies have access to the data bank;
 legislation confusion over the extent of data the bank is to contain]


[complaints about query costs ($3 now, maybe $6 soon), paperwork burden]

One big flaw may be the type of information being gathered.  "While the
data on disciplinary actions is pretty current," notes Larry Smarr, "the
stuff on malpractice claims is old because claims are usually paid six or
seven years after the events that precipitated them.  So I don't know how
this is ever going to be of value in identifying problem physicians."

A concurring view comes from Sara C. Charls, M.D., who represents the
Council of Medical Specialty Societies on the executive committee:  "The
inclusion of malpractice cases--especially those settled for small amounts--
waters down the whole purpose.  The estimate is that malpractice cases
comprise 80 percent of the reports to the data bank, and they're the least
reliable indication of physician competence.  I think an enormous amount of
money is going into a system that will be paralyzed by its own weight."


"Willis H. Ware" <>
Tue, 21 May 91 10:56:06 PDT
With respect to the sidebar on page 27 of the June Scientific American which
discusses privacy and about which there have been a few messages to RISKS
FORUM, I'm afraid that in the process of getting from my remarks during a panel
session at the CFP Conference into print some distortions unfortunately
occurred.  Paul Wallich, by-lined for the article, is someone that I talk with
from time to time but it wasn't quite as he reported.  Clarification is

I said explicitly that the U.S. had used a piecemeal approach with minimal
privacy laws in contrast to the European approach of a comprehensive law
that typically creates an all-powerful data protection body of some sort
and generally with a data-protection commissioner.  I did use the phrase
"nickle and dime" as a surrogate for "piecemal and minimal", not as
indicative of deliberate actions to stonewall or kill off privacy.  The
appendage "to death" crept in, is not mine and changed the meaning.

I did not say that the commercial sector is THE enemy but rather that it
was time to consider it as an additional opponent to privacy along with
government, which was the early focus of concern because of its widespread
control over entitlement programs.

I did say "I've watched nothing happen" because nothing has happened for
privacy in 17 years.  At best the country has resisted erosion of the
positive actions of the 1970s.  I think I did not admit to depression but
on the contrary, I said explicitly that I would not quit the game and
would continue to seek solutions.

It is because of the U.S. failure to put in place comprehensive privacy
legislation that Simon Davies [Australia] did indeed say [as reported]
that the U.S. is an embarrassment to the rest of the world.

I wish that Mr.  Wallich would have picked up the much more important
point that I hope was made clearly to the Conference audience.  The only
basis that I can think of for structuring the privacy issue is to regard
it as a social equity problem in which the stakeholders include not only
every individual but also private sector organizations and government.  A
forum is needed to identify, compare, discuss and balance off the
obviously competing interests of the different parties.  Where to find
such a forum and how to conduct the dialogue is indeed an awkward problem
presently without an answer.

                                        Willis H.  Ware


Walter Maner <maner@bgsuvax.UUCP>
21 May 91 06:47:32 GMT
The National Conference on Computing and Values will convene August 12-16,
1991, in New Haven, CT.  N C C V / 91 is a project of the National Science
Foundation and the Research Center on Computing and Society.  Specific themes
(tracks) include

      -  Computer Privacy & Confidentiality
      -  Computer Security & Crime
      -  Ownership of Software & Intellectual Property
      -  Equity & Access to Computing Resources
      -  Teaching Computing & Values
      -  Policy Issues in the Campus Computing Environment

The workshop structure of the conference limits participation to approximately
400 registrants, but space *IS* still available at this time (mid-May).

Confirmed speakers include Ronald E. Anderson, Daniel Appleman, John Perry
Barlow, Tora Bikson, Della Bonnette, Leslie Burkholder, Terrell Ward Bynum,
David Carey, Jacques N.  Catudal, Gary Chapman, Marvin Croy, Charles E. M.
Dunlop, Batya Friedman, Donald Gotterbarn, Barbara Heinisch, Deborah Johnson,
Mitch Kapor, John Ladd, Marianne LaFrance, Ann-Marie Lancaster, Doris Lidtke,
Walter Maner, Diane Martin, Keith Miller, James H. Moor, William Hugh Murray,
Peter Neumann, George Nicholson, Helen Nissenbaum, Judith Perolle, Amy Rubin,
Sanford Sherizen, John Snapper, Richard Stallman, T. C. Ting, Willis Ware,
Terry Winograd, and Richard A. Wright.

The registration fee is low ($175) and deeply discounted air fares are
available into New Haven.

To request a registration packet, please send your name, your email AND paper
mail addresses to ...

or, by fax (419) 372-8061
or, by phone (419) 372-8719  (answering machine), (419) 372-2337  (secretary)
or, by regular mail,  Professor Walter Maner    Dept. of Computer Science
   Bowling Green State University    Bowling Green, OH 43403 USA

Terrell Ward Bynum and Walter Maner, Conference Co-chairs

InterNet  (    | BGSU, Comp Science Dept
Relays         | Bowling Green, OH 43403   | 419/372-2337  Secretary
BITNet   MANER@BGSUOPIE                      | 419/372-8061  Fax

Please report problems with the web pages to the maintainer