July 2010


I did a quick search recently and found several interesting videos (meaning non-medical) related to kidney transplants. A few are described in today’s blog post.

The most in-depth is an hour-long documentary entitled “Triple Kidney Transplant.” It describes the amazingly complex work done at Johns Hopkins Hospital to complete a three-way kidney exchange. The incompatible pairs consisted of a daughter donating on behalf of her father, and two other women donating on behalf of their husbands. All three men have high levels of HLA antibodies, which makes it hard for them to find compatible donors. Two of the men are over 50 and have comorbidities that make them unable to meet the standard criteria for being a transplant recipient. The story has a surprising ending that illustrates how difficult it is to control the outcomes of high-risk transplant surgery. The video is part of a series that airs on the Discovery Channel called “Surgery Saved My Life.”


3-way kidney swap at Johns Hopkins. Video still from Discovery Channel

For those of you with shorter attention spans, there is an excellent series of seven video blogs filmed by a kidney recipient in Seattle named Damon Danieli who found a donor using the Matching Donors website. He does an excellent job of describing the dialysis process (2 videos), his surgery, and his system for adhering to his immunosuppressant routine, and he interviews Sara Denis, his donor (2 videos). Mr. Danieli was also a participant in the World Transplant Games in 2009. In addition to his videos, you can read about his experience on his blog.


Mr. Danieli two days after his transplant and feeling good. Video from Damon Danieli

I highly recommend watching Decision to Donate, an inspiring documentary that describes the journey two couples make when one of the husbands, John Backus, realizes that his good friend Larry needs a kidney transplant. This wonderful 16-minute film won the Inspire Film Award at the Donate Life Hollywood Film Festival in 2009. It was produced by Massimo Backus, the donor’s son.


Recipient Larry on left. Video still from Decision to Donate

Finally, this news story from Boston.com also reports on a three-way kidney exchange, this one at Tufts Medical Center in Dec 2009. What makes this story so surprising is that one of the donors is Andrew Levey, the chief of nephrology at Tufts. Dr. Levey entered the exchange on behalf of his wife, Roberta Falke, an oncologist, who needed a transplant but the two were not blood type compatible.


3-way swap at Tufts. Video still from Boston.com

My Jun 30 blog post discussed the rapid rise in the number of transplants involving unrelated live kidney donors. Today’s post will explore this trend in finer detail by appending two additional pieces of data. First, it looks at the distribution of transplants by transplant center. Then it will look at the distribution by source of donor. That is, did the donor come directly to the hospital (which I call Internal) or did the transplant involve an organ procurement organization (OPO) or a kidney exchange.

About the data

The counts of transplants by donor relation, transplant year (1988-2010), and transplant center name are available from the UNOS website. For each transplant center I appended the city, state, OPO region (11 total), and OPO name (48 total) using data from the Association of OPOs. I appended a hospital type (for profit, non-profit, teaching, children’s, or VA/military) based on hospital name. I appended the name(s) of kidney exchange(s) it participates in using data from the four kidney exchanges that I am aware of (National Kidney Registry, Alliance for Paired Donation, Paired Donation Network, and New England Program for Kidney Exchange). I also assigned all transplant centers in the Washington DC area to a presumed kidney exchange run by the Washington Regional Transplant Community OPO. I did this based on recent newspaper articles describing multi-hospital kidney trades occurring there.

Then for each record, I assigned a donor source using the following criteria. If the donor was deceased, I set the source to be the OPO. If the donor was live and known to the recipient or nondirected, I assigned it to Internal. (This introduces a small error since a few nondirected donors, like me, enter into exchanges.) If the transplant involved a paired exchange in 2008 or later, I assigned the donor to a kidney exchange if there was one. (This introduces an error if the hospital did not join the exchange until a later year or if the trade was conducted outside the exchange.) If the center is not a participant in an exchange, I assigned it to Internal. If the transplant involved a paired trade prior to 2008, I assigned the donor to Internal. (I did this because most hospitals have only joined exchanges recently. However, this introduces a small error since a few kidney exchange mediated transplants did occur prior to 2008.)

I deleted all records with a count of 0, cleaned the transplant center names and appended the new data using the vlookup function in Excel. The final Excel xlsx file contains a total of 27,960 records and is posted on SkyDrive if you want to download it to create your own pivot tables.
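The donor-source assignment described above is a small rule-based classifier, and the order of the rules matters (a paired trade at a center that is not an exchange member, or one before 2008, falls through to Internal). The following Python is an added example written for this post, not the author's Excel workbook: the center-to-exchange lookup and the relation labels ("deceased", "known", "nondirected", "paired") are constructed stand-ins for the appended UNOS columns, and the hospital names are made up.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed lookup standing in for the appended "exchange membership" column.
# Hospital names and memberships here are made up for the example.
CENTER_EXCHANGES = {
    "Hospital A": {"NEPKE"},
    "Hospital B": {"APD", "PDN"},
    "Hospital C": set(),          # performs paired trades but belongs to no exchange
}


@dataclass
class Record:
    center: str
    year: int
    relation: str   # simplified labels: "deceased", "known", "nondirected", "paired"
    count: int


def donor_source(rec):
    """Apply the post's criteria in the order they are stated."""
    if rec.relation == "deceased":
        return "OPO"
    if rec.relation in ("known", "nondirected"):
        # Known-to-recipient and nondirected donors come to the hospital directly.
        # (A few nondirected donors actually enter exchanges; that error is accepted.)
        return "Internal"
    if rec.relation == "paired":
        exchanges = CENTER_EXCHANGES.get(rec.center, set())
        if rec.year >= 2008 and exchanges:
            return "Exchange"
        # Pre-2008 trades, or trades at a non-member center, count as Internal.
        return "Internal"
    raise ValueError(f"unknown donor relation: {rec.relation!r}")


def tabulate(records):
    """Pivot-table style totals by (center, source); zero-count rows are dropped
    just as the post deletes them before analysis."""
    totals = Counter()
    for rec in records:
        if rec.count == 0:
            continue
        totals[(rec.center, donor_source(rec))] += rec.count
    return totals


# Constructed sample records (not UNOS data).
SAMPLE = [
    Record("Hospital A", 2009, "paired", 4),
    Record("Hospital A", 2007, "paired", 2),
    Record("Hospital B", 2009, "deceased", 10),
    Record("Hospital B", 2009, "nondirected", 0),
    Record("Hospital C", 2009, "paired", 3),
    Record("Hospital C", 2008, "known", 5),
]

if __name__ == "__main__":
    for key, total in sorted(tabulate(SAMPLE).items()):
        print(key, total)
```

Running it shows Hospital A's 2009 paired trades landing in Exchange while its 2007 trades and all of Hospital C's land in Internal, which is exactly the source of the small errors the post acknowledges.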

The counts in the table are annual averages based on the three most recent full-year data available, 2007 to 2009. The counts are rounded to the nearest whole number, but the rankings are based on the raw fractional data (so two centers with the same count may have different ranks).

I want to thank the UNOS, the Association of OPOs, and the kidney exchanges for the use of their data. Any errors in the data append or in the analysis are mine alone. Please contact me if you find any errors.

Total transplants

From 2007 to 2009, there were a total of 246 transplant centers in the U.S. that performed at least one transplant (the lowest count is three), for a total of 49,984 transplants. The ten highest volume kidney transplant centers are shown in the table below.

Rank Transplant center Avg. annual transplants
  1 UCSF Medical Center 339
  2 UCLA Medical Center 298
  3 Univ Wisconsin Hospital and Clinics 277
  4 Univ Alabama Hospital 273
  5 New York-Presbyterian/Columbia Univ 257
  6 Northwestern Memorial Hospital 247
  7 Univ Maryland Medical System 240
  8 Jackson Memorial Medical Center 235
  9 Univ Michigan Medical Center 233
10 Clarian Health-Methodist/Indiana Uni./Riley 217
  – Total for 246 centers 16,661

Data from UNOS for 2007-2009

Live donor transplants

About 37% of all kidney transplants involve a live donor. All transplant centers performed at least one living donor transplant. However, there is a surprisingly large variation in live donor rates between individual centers. Six out of the ten hospitals with the highest live donor rates are children’s hospitals. (Some of the lowest rates are also at children’s hospitals.) Among the centers that performed at least 60 transplants in the past three years, Rochester Methodist Hospital (Mayo Clinic) had the highest proportion at 80% while the Univ Mississippi Medical Center had the lowest at 3%. The table below highlights some of this data. Given the superior outcomes for live donor transplants, this difference can have a significant impact on the outcome by hospital. Plotting this data geographically may reveal if the differences have a regional or urban/rural bias. That might be the subject of a future blog post.

Rank Transplant center Avg. annual live donor transplants Live donors as % of all transplants
    4 Rochester Methodist Hospital (Mayo Clinic) 127 80%
    8 Children’s Hospital of Pittsburgh of UPMC 5 68%
    9 Univ Cincinnati Medical Center 38 67%
  16 Northwestern Memorial Hospital 152 62%
  66 UCLA Medical Center 132 44%
   Average for 246 centers 6,126 37%
112 Univ Wisconsin Hospital and Clinics 100 36%
114 UCSF Medical Center 122 36%
242 Harper Univ Hospital Detroit Medical Center 10 9%
243 Hahnemann Univ Hospital 10 5%
245 Univ Mississippi Medical Center 3 3%

Data from UNOS for 2007-2009

Unrelated donors

A survey described in Amer. J. Transpl. Oct 2007 indicates that possibly all transplant centers permit unrelated persons to be live donors. However, of the 246 centers that perform live donor transplants, there are 14 that did not perform any with unrelated donors in the past 3 years. All but two are children’s hospitals. Overall, children’s hospitals tend to have much lower rates of unrelated donors. Among transplant centers that performed at least 60 transplants in the past three years, Green Hospital of Scripps Clinic had the highest proportion of unrelated donors at 67%. Rochester Methodist Hospital (Mayo Clinic) performed the highest absolute number of unrelated donor transplants, at 68 annually. The table below highlights some of this data.

Rank Transplant center Avg. annual unrelated donor transplants Unrelated donors as % of live donor transplants
   4 Green Hospital of Scripps Clinic 18 67%
   5 Johnson City Medical Center Hospital 6 67%
   6 Virginia Mason Medical Center 17 65%
   7 Shands Jacksonville 3 63%
   8 Swedish Medical Center 18 61%
  15 Johns Hopkins Hospital 51 54%
  16 Rochester Methodist Hospital (Mayo Clinic) 68 53%
  23 Univ Michigan Medical Center 53 52%
  25 Methodist Specialty & Transplant Hospital 56 52%
  58 UCSF Medical Center 59 46%
  85 Univ Alabama Hospital 52 43%
Average for 232 centers 2,528 41%
103 UCLA Medical Center 54 41%
116 Northwestern Memorial Hospital 61 40%
232 Children’s Hospital of Pittsburgh of UPMC 3 7%
233 tie* Children’s Hospital Los Angeles 0 0%

*There are 14 hospitals that did not perform any unrelated donor transplants.
Data from UNOS for 2007-2009

Kidney trades

A kidney trade involves an incompatible donor-recipient pair that trades kidneys with another incompatible pair or for a deceased donor kidney. Both types of trades started in the mid-1990s, though they are still rare events at most hospitals. Although 159 transplant centers (just under two-thirds) have performed at least one, only 59 have performed 5 or more in the past three years. (This implies that awareness of trades is high and that the practice meets the ethical standards of the hospitals. However, most hospitals perform a few opportunistically and are not systematically pursuing them as a strategy. This is a great opportunity for the organized exchanges to offer their services.)

As the table below shows, 111 transplant centers have participated in at least one live pair trade in the past three years, resulting in 665 transplants. 94 transplant centers have participated in living/deceased donor trades, resulting in 317 transplants (there is overlap as 46 centers perform both). Note that both transplants in a live pair trade are counted as trades while only one is for a live/deceased trade. The recipient surgery in the live/deceased pair is counted as a deceased donor transplant.

The table below shows the growth in trades from 2007 to 2009 for hospitals that performed only live pair trades, only live/deceased trades, or both. The top two rows show the number of live pair trades and the number of transplant centers involved (in parentheses) while the bottom two rows show the number of live/deceased trades (and centers involved). It appears that both types of trades are becoming more popular and all three groups of hospitals are growing.

Hospital group  Total*  2009  2008  2007
Participate in live pair trades only 381 (65) 193 (42) 131 (44)   57 (23)
Participate in both (counts for live pair trades) 284 (46) 111 (30) 109 (29)   64 (21)
Participate in both (counts for live/deceased trades) 185 (46)   75 (30)   50 (21)   60 (22)
Participate in live/deceased trades only 132 (48)   52 (25)   49 (25)   31 (19)

*Number of transplants (number of centers)
Data from UNOS for 2007-2009

As I stated in my Jun 30 blog post, I dislike living/deceased donor trades because the recipients receive poorer quality kidneys than if they were to enter into live pair trades. Both types of trades are growing, even at hospitals that perform both, despite the advantages of live kidney transplants. I think kidney exchanges should actively assist hospitals that practice living/deceased trades to rely more on live exchanges.

Among transplant centers that performed at least 60 transplants in the past three years, Methodist Univ Hospital in Memphis, Tennessee has the highest proportion of unrelated donor transplants that involve a trade at 79%. All of them were live pair exchanges that appear to have been arranged internally. Methodist Specialty and Transplant Hospital in San Antonio Texas performed the largest number of trades, at 18 per year.

Note that the most active transplant centers perform very few kidney trades. This includes UCSF and UCLA Medical Centers in California, the state with the longest waiting list for organ transplants. This is unfortunate since entering incompatible donor-recipient pairs into an exchange can dramatically shorten wait times. Also note that several hospitals performing the most trades are not members of any of the regional or national kidney exchanges. This indicates there are plenty of opportunities to improve matching. Finally, note that since participation in live pair trades is growing rapidly, the use of 3-year averages and the exclusion of 2010 data may obscure trends.

Rank Transplant center (Paired exchange) Avg. annual live pair + live/ deceased trades Trades as a % of unrelated donor transplants
  5 Methodist Univ Hospital (Internal) 7  +   0 79%
12 Tufts Medical Center (Internal and NEPKE) 7  +   0 57%
13 Froedtert Mem. Lutheran Hospital (APD and PDN) 2  +   7 51%
20 Medical College of Virginia Hospitals (Internal) 0  +   7 49%
21 Clarian Health-Methodist/Indiana Univ/Riley (APD and PDN) 16  +   0 45%
29 Emory Univ Hospital (Internal and NKR) 4  +   4 36%
41 California Pacific Medical Center (Internal and NKR) 7  +   4 33%
42 Methodist Specialty & Transplant Hospital (Internal) 18  +   0 31%
45 Johns Hopkins Hospital (Internal and NEPKE) 15  +   0 29%
52 Banner Good Samaritan Medical Center (Internal and APD) 8  +   0 27%
  Average for 159 centers 222 + 106 13%
101 UCLA Medical Center (Internal and NKR) 6  +   0 12%
148 Rochester Methodist Hospital (Mayo Clinic) (Internal) 2  +   0 3%
155 UCSF Medical Center (Internal and NKR) 1  +   0 2%
160 tie* Univ Wisconsin Hospital and Clinics 0  +   0 0%

*There are 87 hospitals that did not perform any transplants that involved kidney trades
Data from UNOS for 2007-2009 and from kidney exchanges

Since my counts of transplants mediated by each kidney exchange are not clean, this blog post will not report this data. If I can obtain this data, I will try to make it the subject of a future post.

Nondirected stranger donors

As mentioned in a Sep 2009 blog post, the consensus regarding the ethical acceptability of nondirected and directed stranger organ donations is still developing. The 2007 Amer. J. Transpl. survey shows about 60% of all transplant centers allow nondirected donations. The UNOS data shows 110 centers have completed at least one transplant with a nondirected donor in the past three years.

Only recently have hospitals even encouraged the general public to consider becoming a nondirected donor. For instance, see a May 2010 blog post describing a new pay-it-forward program launched by Loyola Univ. Medical Center after 4 nondirected donors walked in, with another 21 undergoing evaluation so far this year. Compare that with the 3 or 4 per year recorded by the top hospitals in the table below. As mentioned above, some nondirected stranger donors participate through exchanges.

Rank Transplant Center Avg. annual nondirected donor transplants Nondirected donors as % of unrelated donors
  1 New York-Presbyterian/Weill-Cornell/Rogosin 4 9%
  2 tie Pinnacle Health System at Harrisburg Hospital 4 23%
  2 tie Massachusetts General Hospital 4 17%
  2 tie Univ Minnesota Medical Center 4 8%
  2 tie New York-Presbyterian/Columbia Univ 4 8%
  6 Montefiore Medical Center 4 23%
  7 tie Univ Utah Medical Center 3 25%
  7 tie Banner Good Samaritan Medical Center 3 12%
  7 tie Rochester Methodist Hospital (Mayo Clinic) 3 5%
10 tie Virginia Mason Medical Center 3 17%
10 tie Univ Wisconsin Hospital and Clinics 3 7%
10 tie St. Barnabas Medical Center 3 7%
  Total for 110 transplant centers 115 5%

Data from UNOS for 2007-2009

Directed stranger donors

A directed stranger donation is one that the recipient has solicited through publicity generated by news, advertising, or the web. (See a Sep 2009 blog entry for information about a site called MatchingDonors.) The 2007 Amer. J. Transpl. survey shows that only 30% of all transplant centers allow directed stranger donations, though acceptance is growing. The UNOS database doesn’t distinguish between unrelated known and stranger donations, so no counts are available. Again, if I am able to find this data, I will try to include it in a future blog post.

My quest to find a restaurant that serves fresh huitlacoche continues unabated. (I’ll admit my so-called quest has been pretty lackadaisical and sporadic.) My latest failure is El Sabor de Oaxaca in Pioneer Square which received a glowing review in the Stranger in Apr 2008. Alas, navigating to its website gives a 404 not found error. And a review on Yelp dated Jun 2009 says, “This place went out of business or moved. Guajillo’s is now at this location…”

And while Guajillo’s menu displays some tasty items, it does not serve huitlacoche. But then I found another Yelp review dated Jan 2010 that says, “This place is now closed :(” Oh well.

If you’re not sure what huitlacoche is, check this description at Steve, Don’t Eat it!, a feature of a blog called TheSneeze. I think Steve would have liked it better if he tasted the fresh version rather than the canned stuff. I tried canned huitlacoche a few years ago and found it as appealing as canned spinach. It was overcooked and gooey with the texture of mush, and had an odd flavor. It was not firm with a nutty aromatic flavor like good blue corn smut should have. Fresh huitlacoche looks like this and is quite delicious.

Delectable huitlacoche. Photo from Wikipedia

I became an aficionado of huitlacoche during a vacation in Mexico City several years ago. I ended up having it at two different restaurants and liked it both times. In each case, it was offered by the waiter when I asked for a recommendation. Given what it is, I’m surprised they offered it to a gringo. But I’m glad they did. (Although, maybe they just wanted to see my reaction.)

****

While perusing TheSneeze blog, I found a fascinating post regarding Steve’s father’s habit of drawing faces on cakes. He investigates his father’s self-taught art ability (or lack thereof) and accidentally discovers the original source materials with the help of several blog readers. This shows just how the Internet has changed everything. That’s right, because of the web, we can connect with complete strangers and learn extensive details about topics we previously would have just considered useless, random time killers. Now, if I could just find that restaurant…

F cartoon. Image from TheSneeze

by George Taniwaki

For the past several months, every time I log into my bank’s website, there is a reminder that I should change my username to something more secure and change my password since I haven’t changed it recently. I’ve been ignoring both messages and there don’t appear to be any adverse consequences to my inaction. But I’ve decided to do some investigation regarding username and password best practices so that I could decide if my sloth and laziness are justified. I summarize my findings in this blog post.


My bank’s reminder. Image from Charles Schwab

Creating secure usernames

I tend to use the same username on all websites. Should I actually be using a different one for every site? Roberta Bragg, a security consultant, posts a knowledgebase reply that says she knows of no research that shows this increases user safety. On the website administrator side, she says that allowing users to change their usernames after initial registration can be an administrative burden and can actually create a security hole. For an example of the havoc that changing a username can cause, check out Episode 4 at TheWebSiteIsDown (warning NSFW).

Nearly all websites require a username and password combination to access system resources. Websites that use this access protocol require that usernames be unique, but do not require that passwords be unique. Usernames are often made widely available, so that users can contact each other for instance. Thus, I feel safe not changing the username I use to log on to my bank’s website.

Since usernames are widely available, access security is maintained as long as a malicious user cannot easily guess or uncover the password associated with a specific username, or guess or uncover the username(s) associated with a specific password.

Creating secure passwords

Let us assume that a malicious user has obtained a list of all usernames to a system but does not have a list of the corresponding passwords for those users. What can the malicious user do to try to breach the system? What can the system administrator do to mitigate this threat? And what can users do to reduce the threat that they will be the victim of an access breach?

The first thing that a malicious user will do is try different passwords with each username. A brute-force attack would use every possible combination of characters up to the length limit allowed by the website administrator. This would be extremely inefficient.

An excellent best practices paper from Hitachi shows how increasing the size of the character set and length of the password increases the number of possible passwords, making a brute-force attack more difficult. Assuming that passwords are randomly selected (which is not true), this is also the size of the search space for a brute force attack.

Character set (size)*  Password length: 5 6 7 8 9 10
0-9  (10) 1.00E+05 1.00E+06 1.00E+07 1.00E+08 1.00E+09 1.00E+10
a-z  (26) 1.19E+07 3.09E+08 8.03E+09 2.09E+11 5.43E+12 1.41E+14
a-z, 0-9  (36) 6.05E+07 2.18E+09 7.84E+10 2.82E+12 1.02E+14 3.66E+15
a-z, A-Z  (52) 3.80E+08 1.98E+10 1.03E+12 5.35E+13 2.78E+15 1.45E+17
a-z ,A-Z, 0-9  (62) 9.16E+08 5.68E+10 3.52E+12 2.18E+14 1.35E+16 8.39E+17
a-z, A-Z, 0-9, symbols  (94) 7.34E+09 6.90E+11 6.48E+13 6.10E+15 5.73E+17 5.39E+19

*Number of characters in the set

A much faster method of finding passwords is to obtain a list of common passwords and a rank order of their popularity. This will allow what is called a dictionary attack where each popular password is tried with each username until a correct guess is made.

So how efficient would a dictionary attack be? The data security firm Imperva has published a white paper that provides some statistics on popular passwords. The report is based on an analysis of 32 million passwords that were exposed by a breach of RockYou, a social media site. A dictionary attack using just the single most popular password among RockYou users (123456) would provide access to nearly 1% of accounts. The top 400 passwords would provide access to about 7% of all accounts, while the top 5,000 passwords would yield about 20% of all accounts. The top ten most popular passwords are shown in the table below. (For the moment, we will ignore the question of why RockYou was storing customer passwords in plaintext format.)

Rank Password Number of users
1 123456 290,731 (0.90%*)
2 12345   79,078 (1.14%)
3 123456789   76,790 (1.38%)
4 Password   61,958 (1.57%)
5 iloveyou   51,622 (1.73%)
6 princess   35,231 (1.84%)
7 rockyou   22,588 (1.91%)
8 1234567   21,726 (1.98%)
9 12345678   20,553 (2.04%)
10 abc123   17,542 (2.10%)

*cumulative frequency

According to Imperva, almost all of the top 5,000 most popular passwords were “trivial”. That is, they were names, words, consecutive digits or letters, adjacent keyboard keys, or common phrases. Beyond a dictionary attack, a password guessing algorithm can be expanded by combining a root with a prefix or suffix, or creating a text corpus from the user’s hard drive. These techniques are described in The Guardian Nov 2008.

Notice in the table above that the password 123456 is about three times more popular than 12345. I’m guessing RockYou users know that 5 characters is the minimum length password and so just to be safe choose a 6 character password. Yeah, that will stop those malicious hackers.

So what is a strong password? Microsoft has a TechNet article that suggests a strong password has the following characteristics.

  1. Is at least seven characters long
  2. Does not contain trivial patterns (username, proper names, dictionary words, etc.)
  3. Contains characters from each of the following four groups: uppercase letters, lowercase letters, numerals, and symbols

Note that your responses to the secret question that resets a password should have the same characteristics as above. Your secret pet’s name should not be “fluffy”, your secret high school should not be “jefferson”, and your mother’s maiden name should not be “smith”.

Most people have seen or heard of these recommendations. But many don’t follow them. First some good news (of sorts). The Imperva study shows that among RockYou users, 70% used a password that was 7 characters or longer. Only 4% used a password 5 characters long (the minimum allowed) while 26% used a password 6 characters long. Now for the bad news. Nearly 60% of passwords contain only lower case letters, only upper case letters, or only numerals. Only 3.8% of passwords contain any symbol characters, and only 0.2% of passwords met the requirement of being 8 characters or longer and containing a mix of all four character types.
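The Hitachi table, the TechNet characteristics and the Imperva proportions are all things a site can compute for itself at registration time. The Python below is an added example written for this post (it is not code from Hitachi, Microsoft or Imperva): it sizes the brute-force search space of a password the way the table above does (smallest character set containing the password, raised to its length), checks the three TechNet characteristics, and reports the same proportions Imperva measured for any list of passwords. The blocklist is the ten RockYou passwords from the table above; the 32-character symbol set is an assumption (Python's `string.punctuation`) that happens to reproduce the table's 94-character set; the seven extra sample passwords are constructed.

```python
import string

# Constructed blocklist: the ten most popular RockYou passwords from the table above.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# The four character groups of the TechNet rule. Their sizes (26, 26, 10, 32)
# combine to the character-set sizes of the Hitachi table: 26, 36, 52, 62, 94.
GROUPS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),   # assumption: 32 printable ASCII symbols
}


def groups_used(password):
    """Which of the four character groups appear in the password."""
    return {name for name, chars in GROUPS.items() if any(c in chars for c in password)}


def search_space(password):
    """Candidates a brute-force search must cover: the smallest union of groups
    containing the password, raised to the length (36**6 for a 6-char a-z/0-9 password)."""
    charset_size = sum(len(GROUPS[g]) for g in groups_used(password))
    return charset_size ** len(password)


def is_sequential(text):
    """True for runs such as 123456, abcdef or 654321 (each step is +1 or -1 code point)."""
    if len(text) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return steps in ({1}, {-1})


def is_trivial(password, username=""):
    """Characteristic 2: a common password (or one built around it), the username,
    a sequential run, or a single repeated character."""
    lowered = password.lower()
    if any(common in lowered for common in COMMON_PASSWORDS):
        return True
    if username and username.lower() in lowered:
        return True
    return is_sequential(lowered) or len(set(lowered)) == 1


def is_strong(password, username=""):
    """All three TechNet characteristics: length >= 7, not trivial, all four groups present."""
    return (len(password) >= 7
            and not is_trivial(password, username)
            and groups_used(password) == set(GROUPS))


def summarize(passwords):
    """The proportions the Imperva study reports, for any list of passwords."""
    n = len(passwords)
    used = [groups_used(p) for p in passwords]
    return {
        "len_ge_7": sum(len(p) >= 7 for p in passwords) / n,
        "single_group": sum(len(g) == 1 for g in used) / n,
        "has_symbol": sum("symbol" in g for g in used) / n,
        "len_ge_8_all_four": sum(len(p) >= 8 and g == set(GROUPS)
                                 for p, g in zip(passwords, used)) / n,
    }


# Constructed sample: the ten RockYou passwords plus seven made-up ones.
SAMPLE = sorted(COMMON_PASSWORDS) + [
    "Tr0ub4dor&3", "correcthorse", "Fluffy2010", "qwerty",
    "G7#kp!wLx2", "aaaaaaaa", "zyxwvuts",
]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:14} space={search_space(pw):.2e} strong={is_strong(pw)}")
    print(summarize(SAMPLE))
```

Two details worth noting: the blocklist check is a substring test, so "Password1!" fails characteristic 2 even though it satisfies the length and four-group rules, and a large search space says nothing about trivial passwords ("123456789" has a 10^9 search space but is the third most popular password in the table).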

Changing passwords periodically

A separate Microsoft TechNet article provides the following best practices recommendations:

  1. Always use strong passwords (see above)
  2. Passwords may be written down on a piece of paper, but store the paper in a secure place and destroy it when it is no longer needed
  3. Never share passwords with anyone
  4. Use a different password for each user account (and make each significantly different). Passwords that increment (Password1, Password2, Password3 …) are not strong
  5. Change passwords immediately if they may have been compromised

Note that there is no suggestion to change a password on a regular basis. And yet that is a common requirement for many websites and for logging into a computer. The Hitachi best practices paper recommends setting a password expiration policy such that it is shorter than the amount of time for a brute force attack to succeed. This means that as computers get faster, we will need to change passwords more frequently. An entry in DailyBlogTips also recommends regularly changing passwords.

However, others disagree. At the end of an entry in Eric Wolfram’s blog, there is a comment from Tim McNerney that argues that users should never be required to change passwords. His logic is that users forced to regularly change their password will pick passwords of lower quality than if they were only required to create one once. He also says that assuming the malicious hacker is not using the brute force method to break the password, it will take much less time than a reasonable expiration policy period to compromise the system. This same logic is expressed by Daniel Wesemann in a Nov 2009 blog post. Changing passwords regularly does not prevent a breach.

What website administrators can do

Historically, website administrators created rules for the construction of passwords that were based on length and character set used. But as we have seen above, they do not do a good job of protecting the user. An article in the Tech. Rev. Jul 2010 provides a good summary of a paper to be published at USENIX authored by Stuart Schechter et al. to reduce the risk of a dictionary attack by having the website owner ensure that no more than N users have the same password. The test works by using a compact, hash-based counting structure called a count-min sketch, which estimates how many users share a given password without storing the passwords themselves. By replacing password creation rules with a popularity limit, presumably users will be able to create more memorable passwords without the risk of accidentally creating a password that is vulnerable to a dictionary attack.
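The popularity limit is easier to reason about with a working sketch in front of you. The Python below is an added example written for this post, not the Schechter et al. implementation: it keeps a count-min sketch (a few rows of counters, one keyed hash per row) and refuses a new password once the estimated number of users sharing it reaches N. Because the estimate is a minimum over rows it can only over-count, so a collision may reject an uncommon password early but can never let a popular one through once it hits the limit. The HMAC key, the sketch dimensions and the sign-up stream are constructed for the example.

```python
import hashlib
import hmac


class PasswordPopularityLimit:
    """Count-min sketch used as a popularity filter: stores only counters, never
    passwords, and rejects a password once an estimated `limit` users share it."""

    def __init__(self, limit, width=4096, depth=4, key=b"constructed-demo-key"):
        self.limit = limit      # N, the maximum number of users allowed per password
        self.width = width      # counters per row
        self.depth = depth      # number of independent hash rows
        self.key = key          # assumption: a keyed hash so the sketch is not a plain password oracle
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One counter per row, chosen by HMAC-SHA256 over (row index, password).
        for row in range(self.depth):
            mac = hmac.new(self.key, bytes([row]) + password.encode("utf-8"), hashlib.sha256).digest()
            yield row, int.from_bytes(mac[:8], "big") % self.width

    def estimate(self, password):
        """Estimated number of users with this password (never below the true count)."""
        return min(self.table[row][col] for row, col in self._cells(password))

    def register(self, password):
        """Record the password and return True if it is still under the limit, else False."""
        if self.estimate(password) >= self.limit:
            return False
        for row, col in self._cells(password):
            self.table[row][col] += 1
        return True


def simulate(limit, signups):
    """Run a sign-up stream through a fresh filter; return the rejected passwords in order."""
    filt = PasswordPopularityLimit(limit)
    return [pw for pw in signups if not filt.register(pw)]


# Constructed sign-up stream: "123456" is chosen five times, the others once or twice.
SIGNUPS = ["123456", "iloveyou", "123456", "G7#kp!wLx2", "123456",
           "iloveyou", "123456", "correcthorse", "123456"]

if __name__ == "__main__":
    print(simulate(3, SIGNUPS))   # the fourth and fifth "123456" sign-ups are refused
```

With width 4096 and depth 4 the chance that an unrelated password lands on saturated counters in every row is negligible for a stream this small; in production the dimensions are chosen from the expected number of users and the false-rejection rate one is willing to accept, and the counters can be decremented when an account changes its password.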

The Tech. Rev. article also describes another paper that examines the password policies of 75 websites. The results are quite counterintuitive.

“We find that none of the factors that might require greater security seems a factor. The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site. Some of the largest, highest value and most attacked sites on the Internet such as PayPal, Amazon and Fidelity Investments allow relatively weak passwords. We also examine several factors unrelated to security. We find that sites that accept advertising, purchase adwords, have a revenue opportunity per login, or where the user has choice, tend to have less restrictive policies.

“Our analysis suggests that strong-policy sites do not have greater security needs. Rather, it appears that they are better insulated from the consequences of imposing poor usability decisions on their users. For commercial retailers like Amazon, and advertising supported sites like Facebook, every login event is a revenue opportunity. Anything that interferes with usability affects the business directly. At government sites and universities every login event is, at best, neutral, or, at worst, a cost. The consequences of poor usability decisions are less direct. That simple difference in incentives turns out to be a better predictor of password policy than any security requirement. This in turn suggests that some of stronger policies are needlessly complex: they cause considerable inconvenience for negligible security improvement.”

The description above explains why my bank warns me that I should change my username and password, but doesn’t actually force me to do anything. They want to be helpful, but don’t want to lose me as a customer.

[Update: For more on website security, see this Nov 2010 blog post.]

Today’s Tech. Rev. describes an epaper technology developed by Nemoptic that the company hopes will be cheap and efficient enough to be used as disposable unit price tags, replacing the ubiquitous paper unit price tags currently used on store shelves. Very cool.


A paper unit price tag. Image from getrichslowly.org

About 20 years ago, I came up with an idea for wireless shelf tags (just the concept, with no idea how to build a working prototype) and showed it to my mother, who was a manager in a supermarket at the time. Given prices and technology at the time, my thought was the tags would be permanent, not disposable and would require an external power source. I explained to my mother the labor savings from having a tag that could be updated without requiring a clerk to print and attach it. I also explained how the tags would always display the same price as the scanner at the cash register because both would get price information from the same database. (This doesn’t necessarily mean the price is correct though, just consistent.)

Her reaction was interesting.

First, she wanted to know how the tags would be attached to the shelf. I said probably with a couple of screws. She explained to me that the tags had to be easily moved as shelf space needs changed. This is easy to do with paper tags with the current plastic tag holder. She was afraid that securing electronic tags to the shelf would make it too hard to move them.

Then she said the biggest problem with paper tags is not that they need to be updated. It was that they constantly need to be replaced because they are stolen by customers. Really!

Even if my electronic tags were screwed to the shelf and were useless when disconnected from the shelf, they would be an irresistible target for malicious thieves. My mother said that sometimes the only difference between a profitable store and a money losing one (in the same chain) was the amount of shrinkage. So preventing theft and damage is a key consideration in selecting materials used in a retail environment.

In response, I proposed replacing the tag with a bar the full width of the shelf. That way it would never have to be moved. The clerks would “move” a price tag by sliding it along the bar. She then asked how durable the display bar would be. Even if customers couldn’t steal them, she was sure some would attempt to pull them off the shelves.

She also wanted to know how a clerk would move a tag from one shelf to another and how much training the clerks would require to do this. And she wanted to know, how would clerks prevent malicious customers from watching them and then copying those actions themselves throughout the store. The user interface and security issues stopped me from pursuing the idea further.

The advantage of the paper shelf tags was that they were easy to move and cheap to replace. Factors like easy to update and absolute accuracy were not important to her. So even if disposable epaper unit price tags are less expensive than paper ones, they may cost more to implement, if customers take them and you need more of them.

As described in my Jun 23 blog post, I underwent a bone marrow biopsy that day. At the time, the hematologist mentioned it could take a couple of weeks for the results to be available. I replied that I was scheduled for a donor nephrectomy the following week (Jun 30) and thought that the transplant nephrologist had requested a rush on this. She said she would see what could be done, but didn’t make any promises.

On Friday (Jun 25), the transplant nephrologist called and said she had reviewed the preliminary test results. So far, no abnormalities were found, but the complete results were not available yet, so my surgery would need to be postponed.

Well, this is disappointing. The UWMC transplant team schedules elective surgery only once a week, on Wednesdays. Their calendar is booked about two months in advance. My schedule is flexible, but my wife, Susan, travels extensively, so it took a considerable effort to find a two-week period when she is home (I’m not allowed to be unmonitored while on opiate pain meds). And now with less than a week to go, I have to start over.

Even worse, there is a kidney patient who has been waiting several weeks in anticipation for this transplant surgery who will now be told the surgery has been postponed. This patient has AB blood type, meaning they can accept a kidney from a person with any blood type. (I know this because I am AB blood type and I can only donate to someone with the same blood type.) This patient is also at the top of the UNOS organ waiting list, meaning they have a good chance of getting at least one offer of a deceased donor kidney before my surgery is rescheduled.

Transplants from live donors lead to much better outcomes than donations from deceased donors. So this patient may need to make the tough decision whether to take a deceased donor kidney when offered, or pass on it in hopes of receiving a live donor kidney from me. And they need to make this decision without knowing why the original live donor surgery was postponed or how likely it is to get postponed again, or even cancelled. This truly sucks for them. I wish there wasn’t a waiting list and hope that my future volunteer efforts to help patients find donors can help alleviate the shortage.

****

Yesterday (Jul 6), I received an email from the transplant coordinator asking if I’ve had my follow-up appointment with the hematologist. I never scheduled a follow-up appointment with SCCA. I just assumed the biopsy results would be transmitted to the transplant nephrologist at UWMC and I would never need to get involved.

I wonder how many patients go in for a biopsy and then become so distraught that they fail to attend a follow-up appointment in an effort to avoid receiving bad news. Susan says it is pretty unlikely since they already made the decision to undergo the biopsy. If a patient is in denial, they would more likely just ignore the referral to get the biopsy in the first place. Without good tracking software, the referring physician may never know if the patient actually followed through and got the biopsy. Using electronic medical records to drive CRM is probably an area where HMOs and other integrated health providers can outperform standalone physicians.

Once they get the biopsy, Susan is sure most patients would call every day afterwards to find out if test results were available. I, on the other hand, just assumed they would be negative so didn’t bother to follow up.

I paged the hematologist and left her a message. She called back and left me a message saying my “test results so far are normal.” The attending physician also responded and left a message saying the same thing and added, “your low WBC appears to be clinically unremarkable.” The messages are reassuring, but ambiguous. Do they mean that there are more biopsy test results to come, or that they are done with their tests but can’t speak to additional tests that the UWMC transplant team may want?

After another day of more phone calls and emails, I determined it is the latter case. The transplant nephrologist is satisfied no more tests are needed and I can be a live kidney donor. The earliest that UWMC can schedule the surgery is Wed, Aug 22. Of course, Susan is out of town that week and the earliest that she is available for a two-week block that starts on a Wednesday is Sep 29. UWMC adds me to the schedule and the countdown clock starts again.

****

For those keeping track, Sep 29 is nearly three years after I volunteered to become a nondirected kidney donor. I first contacted the National Kidney Registry and the Alliance for Paired Donation on Nov 25, 2007. I have to admit that having spent all this time waiting has given me the opportunity to research the many complex issues surrounding the kidney disease crisis and develop an action plan to help people facing ESRD.

Gant

My kidney donation timeline

by George Taniwaki

Facebook has a new application (or widget) currently in beta release called Questions that allows users to post questions and wait for other users to answer them. The questions are categorized into groups, and users are shown questions that other people with similar interests have answered. If you know anything about search and recommendation, you realize that Facebook is trying to solve two really hard computing problems simultaneously.

First, how do you categorize the questions? What keywords and contexts do you use? For instance, what weight do you give to the interests of the person asking the question? And how do you categorize those interests? What weight do you give to the length of the question? How do you handle misspelled words? Do you give any weight to the fact that any words are misspelled?

Second, how do you decide which questions to show which user? Should you predict if the potential answerer is actually qualified to answer the question? Is it more important to generate lots of responses or to get the correct response quickly? Or is it actually more important to entertain users with a stream of interesting questions, regardless of whether they answer them? (This would be really hard to predict since Facebook will never get any feedback from users regarding the question they don’t answer.)

Community run Q&A sites are not new. Yahoo! Answers and Answers.com have both been around for years and are quite popular. However, I believe that most of the answers are written by a small group of dedicated users who vie for points and recognition. Facebook’s goal is to engage the entire community, since the longer you stay at their site, the more likely you are to click on some ads.

Anyway, I want to show some screenshots. This may violate some promise I made to Facebook. The first shows a few examples of questions from the Questions widget. The widget appears in the right column under the Sponsored links widget. Notice how many of the questions seem to be factual and could be more quickly (and correctly) answered using standard web-based research skills.

FacebookQ1

FacebookQ2

Two examples of the Questions widget. Image from Facebook

If you click on a question in Questions, you will be taken to a page showing all the responses for that question. You can then vote yea or nay for any response. The example below shows how introspective Facebook users are.

FacebookQuestion

Question responses. Image from Facebook

Finally, if you click on the Asked about link, you will see a list of all the questions related to that category. Notice the example below for the category “Roots”. As I mentioned above, categorizing questions is tough. And was this question really asked by that Kristin Bell?

FacebookQuestions

Category detail. Image from Facebook