November 2010


I went home to Denver last week for a stay with my parents for Thanksgiving and was suddenly inundated with diabetes facts. (My wife, Sue, was in Toronto at a conference and didn’t join me.)

While planning the menu for Thanksgiving dinner I learned that my second cousin has been diagnosed with slow-onset type 1 diabetes. Her mother (who is not genetically related to me) also has it. Thus, I don’t think the disease will affect me.

However, I also learned that my father has been diagnosed with type 2 diabetes. He monitors his glucose level one day each week and records it in a notebook. He takes medications (I didn’t ask which ones) and has made minor adjustments to his diet. The diagnosis was made a few years ago, but he never told me. But now I know why my mother switched from serving white rice to brown rice a few years ago. (I’m sure eating brown rice with a Japanese meal is considered a form of Shinto blasphemy.) I wonder whether, had I known of my father’s diabetes and told the transplant hospital about it, that would have made me medically unsuitable to be a kidney donor.

Then, while surfing the web at my parent’s house, I saw an article by Hanna Rosin in Slate Nov 2010 in which she describes her life with slow-onset Type 1 diabetes. In the article, she is upset that needing to monitor her glucose level has made her an obsessive self-quantifier. She goes on to discuss how little is known about the relationship between blood glucose level and cardiovascular disease.

Finally, when I came home, Sue left an article she had clipped from the Nov 23 Globe and Mail on how politics affects the diagnosis of diabetes. Blood tests are used to diagnose diabetes. Both the U.S. and Canada use the overnight fasting glucose test and both use a result above 7.0 millimoles per liter of blood to make a diagnosis. However, in January 2010 the U.S. added the hemoglobin A1C test to the diagnostic list. Now, in the U.S., an HbA1C level greater than 6.5 percent also means you are diabetic. This means more Americans will be diagnosed as diabetic than Canadians. This means more Americans will be treated, changing their diets, monitoring their glucose levels, and taking medication to control their blood pressure. Who knows if, and how, this will affect medical outcomes and total medical costs in the two countries.

In April of this year, Jodi Tamen donated her kidney through a new pay-it-forward program at Loyola University Medical Center. (The novel Loyola program was described in an April 2010 blog post.) Loyola is a participant in the National Kidney Registry which matched Ms. Tamen’s kidney to a patient at the UCLA Medical Center.

The patient that received the kidney was G. Murray Thomas, a writer. His sister then donated a kidney to keep the pay-it-forward chain alive. Since his transplant, Mr. Thomas has penned a collection of poems about his experience. One of them, entitled “Your Kidney Just Arrived at LAX” was published in the Examiner in Jun 2010. It’s funny and gross and poignant. (Go ahead and click the link, read the poem, and come back.)

Last week, Ms. Tamen flew to LA and attended a reading of that poem by Mr. Thomas at Loyola Marymount University. The story of their encounter is covered by columnist Sandy Banks of the LA Times Nov 2010.

In the article, Ms. Banks makes a wonderfully insightful comment, “[t]he kidney transplant process, it seems, is in the midst of an evolution, driven less by medical advances than by a melding of technology and compassion.” She is right. Kidney exchanges have the potential to revolutionize the way live kidney transplants are conducted in the U.S. The process of matching donors and recipients does not require any new medical advances. It relies solely on mathematics, fast computers, and a pool of willing donors. Let’s hope the exchanges meet that potential. (Another column written by Ms. Banks about a kidney chain that started at UCLA is described in another Nov 2010 blog post.)

Yesterday at 4:44 am MST, a criminal organization used my Hotmail account to send emails to most (if not every) person in my online Hotmail address book. Sorry to everyone who received spam from me. I’m not sure how they accessed my account, but I have a good guess.

How I think the break-in happened

First, I doubt the criminals got in by breaking into my Hotmail account directly. I use a strong password, so they would be unlikely to perform a successful dictionary attack. (For more on strong passwords and dictionary attacks, see this Jul 2010 blog entry.)

Second, I doubt they were able to get me to reveal my username and password to them directly by phishing. I’m pretty careful about what sites I register with. I don’t register unless it is required and I check to ensure the sites are legitimate. Most often, they are well-known media companies or data providers.

Instead, I think they obtained a list of email addresses and passwords stolen from a legitimate third-party website that requires registration with an email address and password. Being lazy and human, I use my main Hotmail account and password whenever a site requires both. I have since changed my Hotmail password to be unique. (More later on why that simple act should be enough to prevent a future breach.)

This implies that the compromised third-party site was probably storing my (and all other users’) passwords in human-readable clear text. Then a malicious user with admin privileges (e.g., an employee at the website who is probably not a member of the criminal group that sent the emails) made a copy of the database containing the list of usernames, email addresses, and passwords for the site. Many of that website’s passwords (like mine) were probably also being used as the password for the user’s email account. The malicious administrator then sold the list to the criminal group.

Storing passwords in a database as clear text is a big security no-no for the reason described above. To prevent a malicious user (or any user) from learning of a password, it should never be stored. Instead, when a user logs in to a website for the first time, the website should apply a cryptographic hashing function on the password to generate a new value, called a hash. This hash value can be stored in a database without worry (or with less worry, at least).

When a user logs into the website again in the future, she enters her username and password as usual. But instead of comparing the clear text password the user entered to a password stored on the server, the website applies the hashing function to the just entered password and compares the result to the hash value stored in a database. If they match, the authentication is complete.

Use of hashes increases security because good hashing functions have two desirable features. First, it is very fast to compute the hash value from the password, so it doesn’t cost much to implement. That is, the user doesn’t experience a delay waiting for the hash to be computed and the website doesn’t have to spend a lot for computing resources generating a hash each time a user logs in.

Second, although the hash is easy to compute, a good hashing function makes it very hard to discover the original password from the hash. Thus, even if someone has a database of usernames and password hashes, she cannot easily recover the passwords. Note that it is possible for two or more passwords to have the same hash value. Thus, related to the second item above, a good hashing function also makes it difficult to guess or calculate other passwords that have the same hash value as a given password.

To increase security even further, the website can add a few (or many) additional characters to the beginning or end of the password before calculating the hash. This salt value, if selected randomly by each website and kept secret, will make it harder to recover the password from the hash. (As Homer Simpson might say, “Mmmm, hash with salt or spam. Can’t I have both?”) Even if the salt value and the list of users and hash values for every site are revealed, the salt ensures that the hash values for a given user will be different at each site, even if she uses the same password at each one.
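Here is the salt-and-hash scheme in code, as an added example rather than anything from the post: register stores only a salt and the hash of salt plus password, verify recomputes the hash from the password just entered and compares, and same_password_two_sites shows that one password reused at two sites leaves two unrelated values in the two databases. Two choices are this example's own, not the post's: the hashing function is PBKDF2-HMAC-SHA256 from the standard library, whose iteration count deliberately slows each guess against a stolen table, and the salt is random per user and stored beside the hash (the post describes one secret salt per site).

```python
import hashlib
import hmac
import os

# PBKDF2 cost parameter: every login and every attacker guess pays this many
# iterations, so a stolen table is slower to attack than a plain hash table.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash salt + password. PBKDF2-HMAC-SHA256 is this example's choice of
    hashing function (an assumption, not something the post specifies)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserStore:
    """In-memory stand-in for a site's user table. It holds a salt and a hash
    per user and never the clear-text password."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        # Fresh random salt for each user, stored next to the hash.
        salt = os.urandom(16)
        self._rows[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """Recompute the hash from the entered password and compare it to the
        stored value; the clear-text password is never compared or kept."""
        row = self._rows.get(username)
        if row is None:
            return False
        salt, stored = row
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(stored, hash_password(password, salt))

    def dump(self) -> dict[str, tuple[str, str]]:
        """Everything a copied database would reveal: username, salt, hash."""
        return {u: (s.hex(), h.hex()) for u, (s, h) in self._rows.items()}


def same_password_two_sites(password: str) -> bool:
    """Register one password at two independent sites (constructed example
    stores) and report whether the two stored hashes differ."""
    site_a, site_b = UserStore(), UserStore()
    site_a.register("alice@example.com", password)
    site_b.register("alice@example.com", password)
    return site_a.dump()["alice@example.com"][1] != site_b.dump()["alice@example.com"][1]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")
    print("good password accepted:", store.verify("alice@example.com", "correct horse battery staple"))
    print("bad password rejected:", not store.verify("alice@example.com", "Tr0ub4dor&3"))
    print("leaked table contents:", store.dump())
    print("same password, different hashes at two sites:", same_password_two_sites("hunter2"))
```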

What the malicious spam creator did

The criminal organization that sent spam from my account used several clever methods to avoid detection of their message by anti-spam software and increase the likelihood a recipient will click on the link in it.

First, all the messages came from me, so the recipients would be more likely to assume the message was legitimate.

Second, rather than sending a single message with all the names from my address book in the To: line, they sent 14 different emails. The names were selected in non-alphabetical blocks, so it looked like I manually selected a distribution of contacts.

Third, the recipient’s name was included in the To: line rather than the Bcc: line to avoid the recipient’s spam filter. Also, by including several names in the To: line, rather than hidden in the Bcc: line, it could potentially reassure a recipient that others she knows are also receiving this email.

Fourth, to reduce the number of characters that a recipient’s spam filter could use to check for patterns that identify spam, each email contained no subject line and the content was just a hyperlink to a PHP page.

Finally, to reduce the chance that a recipient’s spam filter would recognize the hyperlink as being associated with a malicious website, each email had a different link and the links pointed to a variety of top-level domains including .com, .br, .ca, .de, .it, etc.

One of the spam mails was sent to me, since my name is in my address book. By inspecting the message header I discovered the originating IP address is 89.73.63.236. Looking it up on Whois traces the IP address to UPC Polska Sp. z o.o. in Poland. I assume this is an ISP, not the criminal organization sending the emails.

What I did in response and why it should work

First, I logged into Windows Live and changed my compromised password to another strong password. The new password I created will be used only on sites that I know to use good security practices like Windows Live, Facebook, and Amazon.

Second, I created a new strong password for use on all noncritical websites. (Only one because I’m still lazy and human.) But, if my password for noncritical websites becomes compromised or I accidentally succumb to a phishing ploy, my critical password should not be revealed. In this way, I only have to remember two passwords. My memory should not be overly taxed while I still maintain pretty good security.

Finally, I contacted abuse@hotmail.com and gave them details of the attack and copies of the emails. I was lucky that the malicious group didn’t change my password, my secret question, and my alternative contact information. If they had done this, I would have no way to maintain control of my account and prevent future breaches. Microsoft would have had to close my account.

Hopefully, these steps are sufficient to stop the problem. I hope I won’t ever again have to apologize to all my contacts for sending them spam.

A recent column by Sandy Banks of the LA Times documents the ten-year wait by a woman who donated her kidney to a stranger.

The donor, Jackie Gorman, an attorney and former chaplain at the UCLA Medical Center, began considering a donation ten years ago but hesitated because of her own concerns about family and career, as well as pressure from relatives. However, she eventually overcame them and entered into the Living Donor Transplant program at UCLA. Her donated kidney will be flown to New York and transplanted into a man whose daughter will then donate one of her kidneys to another stranger as part of a kidney exchange. The story doesn’t say it, but the chain is probably being facilitated by the National Kidney Registry.

Thanks to Harvey Mysel of the Living Kidney Donors Network for pointing out this story to me.

[Update: Another article by Sandy Banks about another kidney chain is featured in this blog post.]

The Dec 2010 issue of The Atlantic contains an investigative report by Robin Fields on dialysis quality and costs in the U.S. and how lessons learned can apply to national health care policy. The story also appears on ProPublica, which includes photos. It is a very good story, though it is unbalanced. (It’s the nature of investigative journalism.) In addition to reading the article, I encourage you to read the comments at the bottom of both versions of the article. I’ll address two points from the article below.

The dialysis business is big and concentrated but there are outliers

As reported in the Economist Apr 2010, the market for dialysis treatment is large. There are about 350,000 patients in the U.S. receiving dialysis therapy. The average cost of dialysis treatment is about $70,000 per patient per year. Further, it is highly concentrated, with one big buyer (called a monopsony) and two big suppliers (called an oligopoly).

In the U.S., the cost of dialysis care is covered mostly by Medicare, and the federal government spends about $24 billion per year, or about 85% of the total cost, which represents about 6% of Medicare’s total budget. End-stage renal disease is the only medical condition that Medicare covers regardless of age. Dialysis reimbursement is the single biggest Medicare cost category and is growing faster than overall medical costs.

There are two major manufacturers of dialysis equipment in the world, Fresenius of Germany and Gambro of Sweden. These manufacturers sell to dialysis service providers, which tend to buy all their equipment from one manufacturer or the other. In fact, there are now two major dialysis service providers in the U.S., both of which are for-profit enterprises. The largest is Fresenius Medical Care, a subsidiary of Fresenius, and it uses only Fresenius equipment. Next is DaVita, an independent company that acquired all of Gambro’s clinics and uses Gambro equipment. Between them, they operate about two-thirds of the 5,000 dialysis clinics in the U.S.

There are also many smaller regional clinic chains, many of which are not-for-profit. Not-for-profit organizations need not be any better run than for-profit ones. In fact, their clinics are often inefficient, poorly maintained, and less likely to use advanced technology. But some of them, like Northwest Kidney Centers in Washington, are well run and have clean, comfortable, safe facilities. NKC operates 14 dialysis centers around Seattle, making it the biggest provider in the Puget Sound region. [Disclosure: I am a volunteer for Northwest Kidney Centers and have contributed to it.]

Reimbursement policy affects how dialysis treatment centers are run

Currently, Medicare reimburses dialysis providers a flat amount per patient plus pharmaceutical costs. This has led to several behaviors by the dialysis providers that are unintended, but should have been expected.

1) They use high blood flow rates through the dialysis machines. This reduces the time each patient is in the clinic, which means more patients can be handled per day and less technician labor is needed per patient. However, high blood flow rate causes low blood pressure in the patient during dialysis. This is correlated with higher rates of cardiac events and death.

2) They limit each patient to three visits per week and discourage home hemodialysis (which allows the patients to treat themselves more frequently). However, fewer visits are also correlated with higher rates of cardiac events and death.

3) They prescribe higher doses of drugs such as heparin and especially expensive ones like erythropoietin than dialysis centers in other countries. They also use more injectable drugs, which are more expensive than oral ones. Medication now accounts for one-quarter of the total cost of dialysis treatment.

Medicare will soon switch to bundled reimbursement of $230 per session (indexed for inflation) and institute a 2% bonus system under its Quality Incentive Program. This has been a very controversial change.

First, the change itself will reduce revenues for nearly all dialysis centers, putting even more pressure to reduce costs. In the U.S. there has been considerable pressure to consolidate and cut costs as Medicare keeps reimbursement rates low.

For examples of discretionary costs, consider the Northwest Kidney Centers. It runs kidney fairs to encourage the public to get tested for hypertension and diabetes to avoid end-stage kidney disease. It also works with nephrologists to encourage its most healthy patients to consider getting a kidney transplant. And it partners with the Univ. Washington Medical Center to support the Kidney Research Institute. All of these actions are good social policy, but are expensive, have little benefit to existing patients, and hopefully reduce the total number of patients needing its services in the future. Thus, they are all bad for the bottom line.

Second, even if improved quality reduces costs, the benefit may not reach the dialysis centers. Medicare may pay a small bonus to the dialysis center, but may keep most of the cost savings for itself. For more on the perverse impact of improved quality on care provider profit, see this article in the Nov 2002 amednews.

Finally, Medicare plans to measure quality via blood tests rather than base it on medical outcomes. Blood tests have the advantage of being fast, cheap, and less prone to measurement errors than other tests. However, blood tests are not a reliable indicator of quality. Some better measures would be mortality rates and morbidity rates. But both are hard to measure and expensive to track. Blood tests may be easy to adjust to meet the QIP goal and may not be closely correlated with desired medical outcomes.

Bill Peckham, who is quoted in the article, is an expert on how bundled reimbursement will affect dialysis centers and their patients. Mr. Peckham is a patient and an advocate for Northwest Kidney Centers. You can read more at his blogs, Dialysis from the Sharp End of the Needle and Fix Dialysis.

Earlier this week, CBS Evening News ran a story by Katie Couric entitled “Chain of Life.” The story, originally scheduled to run in September, focuses on the great work of Garet Hil and the National Kidney Registry. The NKR is a kidney exchange that allows more patients with ESRD to find a live donor and receive a transplant. The story was part of CBS News’ “The American Spirit” series.

[Image: Chain of Life. Video still from CBS News]

Since the story aired, over 200 people have sent inquiries to NKR on how they can participate in a kidney chain. That compares to one or two on an average day. Says Mr. Hil, “We are currently being inundated with donors and recipients looking for more information. We will refer these people to our member centers as fast as possible.”

CBS News also featured the work of the NKR in an earlier story that aired in Aug 2010 and mentioned in a Sep 2010 blog post.

Economics has been called the dismal science. The term implies that left on their own, individuals will adopt, or retain, behaviors that may be good for them, but will lead to suboptimal social outcomes.

One of the most fascinating areas of economic research today is called behavioral economics. It is the study of how people make decisions and is used to explain why people become addicted to drugs, commit property crimes, or gamble against poor odds. It’s not just used for explaining bad behaviors. Behavioral economists also use their theories to explain why people marry, landscape their yard, or perform altruistic acts.

This research into the effect of behavior on economic decision-making actually has important policy implications. For instance, in 2006 Congress changed the rules for defined-contribution retirement plans known as 401(k)s. Prior to the change, most plans were opt-in, meaning employees had to choose to participate in the plan. The change in rules allowed companies to automatically enroll all new employees in the retirement program (into a safe investment as defined by the U.S. Dept. of Labor) unless they chose to opt-out.

Traditional economic theory says that the desire to invest in a retirement plan should be independent of whether the employee has to choose to opt-in or opt-out of the plan at the time of hire. And yet behavioral studies show people tend to prefer to do what everyone else is doing, or what an authority figure says is best. Data collected from firms that switched from opt-in to opt-out show that participation rates rise, from 40 to 70% when employees had to opt-in, to over 90% after adopting opt-out.

Richard Thaler, a leader in the behavioral economics movement, calls it “libertarian paternalism.” That is, the goal is not to restrict choices, but to offer them in a way that leads to better outcomes. Another way to increase retirement savings that Mr. Thaler promoted, and convinced Congress to accept, is called Save More Tomorrow. He is also one of the coauthors of Nudge, a great book on how to improve your decision-making skills. [Disclosure: I am a graduate of Univ Chicago’s Booth School of Business, where Mr. Thaler teaches.]

[Image: Nudge: Improving Decisions About Health, Wealth, and Happiness. Image from Amazon]

Last week, my wife pointed me to an article in the New York Times that shows how behavioral economics research is now being used to “improve” the effectiveness of political campaigns. One of the most influential groups in the 2008 presidential campaign by Barack Obama is called the Consortium of Behavioral Scientists. One of the members is Mr. Thaler. You may recall that Mr. Obama taught constitutional law at the Univ. of Chicago and was already quite familiar with Mr. Thaler’s work.