How Have I Been Pwned became the keeper of the internet’s biggest data breaches

When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach?

Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised — or pwned with a hard ‘p’ — by the hundreds of data breaches in its database, including some of the largest breaches in history. As it’s grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt’s original question is more clear.

“Empirically, it’s very likely,” Hunt told me from his home on Australia’s Gold Coast. “For those of us that have been on the internet for a while it’s almost a certainty.”

What started out as Hunt’s pet project to learn the basics of Microsoft’s cloud quickly exploded in popularity, driven in part by how simple it is to use, but largely by individuals’ curiosity.

As the service grew, Have I Been Pwned took on a more proactive security role by allowing browsers and password managers to bake in a backchannel to Have I Been Pwned to warn against using previously breached passwords in its database. It was a move that also served as a critical revenue stream to keep down the site’s running costs.

But Have I Been Pwned’s success should be attributed almost entirely to Hunt, both as its founder and its only employee, a one-man band running an unconventional startup, which, despite its size and limited resources, turns a profit.

As the workload needed to support Have I Been Pwned ballooned, Hunt said the strain of running the service without outside help began to take its toll. There was an escape plan: Hunt put the site up for sale. But, after a tumultuous year, he is back where he started.

Ahead of its next big 10-billion milestone mark, Have I Been Pwned shows no signs of slowing down.

‘Mother of all breaches’

Even long before Have I Been Pwned, Hunt was no stranger to data breaches.

By 2011, he had cultivated a reputation for collecting and dissecting small — for the time — data breaches and blogging about his findings. His detailed and methodical analyses showed time and again that internet users were using the same passwords from one site to another. So when one site was breached, hackers already had the same password to a user’s other online accounts.

Then came the Adobe breach, the “mother of all breaches” as Hunt described it at the time: Over 150 million user accounts had been stolen and were floating around the web.

Hunt obtained a copy of the data and, with a handful of other breaches he had already collected, loaded them into a database searchable by a person’s email address, which Hunt saw as the most common denominator across all the sets of breached data.

And Have I Been Pwned was born.

It didn’t take long for its database to swell. Breached data from Sony, Snapchat and Yahoo soon followed, racking up millions more records in its database. Have I Been Pwned soon became the go-to site to check if you had been breached. Morning news shows would blast out its web address, resulting in a huge spike in users — enough at times to briefly knock the site offline. Hunt has since added some of the biggest breaches in the internet’s history: MySpace, Zynga, Adult Friend Finder, and several huge spam lists.

As Have I Been Pwned grew in size and recognition, Hunt remained its sole proprietor, responsible for everything from organizing and loading the data into the database to deciding how the site should operate, including its ethics.

Hunt takes a “what do I think makes sense” approach to handling other people’s breached personal data. With nothing to compare Have I Been Pwned to, Hunt had to write the rules for how he handles and processes so much breach data, much of it highly sensitive. He does not claim to have all of the answers, but relies on transparency to explain his rationale, detailing his decisions in lengthy blog posts.

His decision to only let users search for their email address makes logical sense, driven by the site’s only mission, at the time, to tell a user if they had been breached. But it was also a decision centered around user privacy that helped to future-proof the service against some of the most sensitive and damaging data he would go on to receive.

In 2015, Hunt obtained the Ashley Madison breach. Millions of people had accounts on the site, which encourages users to have an affair. The breach made headlines, first for the breach, and again when several users died by suicide in its wake.

The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved people’s sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)

Hunt diverged from his usual approach, acutely aware of its sensitivities. The breach was undeniably different. He recounted a story of one person who told him how their local church posted a list of the names of everyone in the town who was in the data breach.

“It’s clearly casting a moral judgment,” he said, referring to the breach. “I don’t want Have I Been Pwned to enable that.”

Unlike earlier, less sensitive breaches, Hunt decided that he would not allow anyone to search for the data. Instead, he purpose-built a new feature allowing users who had verified their email addresses to see if they were in more sensitive breaches.

“The purposes for people being in that data breach were so much more nuanced than what anyone ever thought,” Hunt said. One user told him he was in there after a painful break-up and had since remarried but was labeled later as an adulterer. Another said she created an account to catch her husband, suspected of cheating, in the act.

“There is a point at which being publicly searchable poses an unreasonable risk to people, and I make a judgment call on that,” he explained.

The Ashley Madison breach reinforced his view on keeping as little data as possible. Hunt frequently fields emails from data breach victims asking for their data, but he declines every time.

“It really would not have served my purpose to load all of the personal data into Have I Been Pwned and let people look up their phone numbers, their sexualities, or whatever was exposed in various data breaches,” said Hunt.

“If Have I Been Pwned gets pwned, it’s just email addresses,” he said. “I don’t want that to happen, but it’s a very different situation if, say, there were passwords.”

But those remaining passwords haven’t gone to waste. Hunt also lets users search more than half a billion standalone passwords to see whether any of their own passwords have landed in Have I Been Pwned.

Anyone, even tech companies, can access that trove, which he calls Pwned Passwords. Browser makers and password managers, like Mozilla and 1Password, have baked in access to Pwned Passwords to help prevent users from choosing a previously breached and vulnerable password. Western governments, including the U.K. and Australia, also rely on Have I Been Pwned to monitor for breached government credentials, a service Hunt also offers for free.

“It’s enormously validating,” he said. “Governments, for the most part, are trying to do things to keep countries and individuals safe — working under extreme duress and they don’t get paid much.”

Hunt recognizes that Have I Been Pwned, as much as openness and transparency are core to its operation, lives in an online purgatory; under any other circumstances, especially in a commercial enterprise, he would be drowning in regulatory hurdles and red tape. And while the companies whose data Hunt loads into his database would probably prefer otherwise, Hunt told me he has never received a legal threat for running the service.

“I’d like to think that Have I Been Pwned is at the far-legitimate side of things,” he said.

Others who have tried to replicate the success of Have I Been Pwned haven’t been as lucky.

“There have been similar services that have popped up,” said Hunt. “They’ve been for-profit — and they’ve been indicted,” he said.

LeakedSource was, for a time, one of the largest sellers of breach data on the web. I know, because my reporting broke some of their biggest gets: music streaming service Last.fm, adult dating site AdultFriendFinder, and Russian internet giant Rambler.ru to name a few. But what caught the attention of federal authorities was that LeakedSource, whose operator later pleaded guilty to charges related to trafficking identity theft information, indiscriminately sold access to anyone else’s breach data.

“There is a very legitimate case to be made for a service to give people access to their data at a price.”

Hunt said he would “sleep perfectly fine” charging users a fee to access their data. “I just wouldn’t want to be accountable for it if it goes wrong,” he said.

Project Svalbard

Five years into Have I Been Pwned, Hunt could feel the burnout coming.

“I could see a point where I would be if I didn’t change something,” he told me. “It really felt like for the sustainability of the project, something had to change.”

He said he went from spending a fraction of his time on the project to well over half. Aside from juggling the day-to-day — collecting, organizing, deduplicating and uploading vast troves of breached data — Hunt was responsible for the entirety of the site’s back office upkeep — its billing and taxes — on top of his own.

The plan to sell Have I Been Pwned was codenamed Project Svalbard, named after the Norwegian seed vault that Hunt likened Have I Been Pwned to, a massive stockpile of “something valuable for the betterment of humanity,” he wrote announcing the sale in June 2019. It would be no easy task.

Hunt said the sale was to secure the future of the service. It was also a decision that would have to secure his own. “They’re not buying Have I Been Pwned, they’re buying me,” said Hunt. “Without me, there’s just no deal.” In his blog post, Hunt spoke of his wish to build out the service and reach a larger audience. But, he told me, it was not about the money.

As its sole custodian, Hunt said that as long as someone kept paying the bills, Have I Been Pwned would live on. “But there was no survivorship model to it,” he admitted. “I’m just one person doing this.”

By selling Have I Been Pwned, the goal was a more sustainable model that took the pressure off him, and, he joked, the site wouldn’t collapse if he got eaten by a shark, an occupational hazard for living in Australia.

But chief above all, the buyer had to be the perfect fit.

Hunt met with dozens of potential buyers, many of them in Silicon Valley. He knew what the buyer would look like, but he didn’t yet have a name. Hunt wanted to ensure that whoever bought Have I Been Pwned upheld its reputation.

“Imagine a company that had no respect for personal data and was just going to abuse the crap out of it,” he said. “What does that do for me?” Some potential buyers were driven by profits. Hunt said any profits were “ancillary.” Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.

Hunt was looking for a buyer with whom he knew Have I Been Pwned would be safe if he were no longer involved. “It was always about a multiyear plan to try and transfer the confidence and trust people have in me to some other organizations,” he said.

Hunt testifies to the House Energy Subcommittee on Capitol Hill in Washington, Thursday, Nov. 30, 2017. (AP Photo/Carolyn Kaster)

The vetting process and due diligence was “insane,” said Hunt. “Things just drew out and drew out,” he said. The process went on for months. Hunt spoke candidly about the stress of the year. “I separated from my wife early last year around about the same time as the [sale process],” he said. They later divorced. “You can imagine going through this at the same time as the separation,” he said. “It was enormously stressful.”

Then, almost a year later, Hunt announced the sale was off. Barred from discussing specifics thanks to non-disclosure agreements, Hunt wrote in a blog post that the buyer, whom he was set on signing with, made an unexpected change to their business model that “made the deal infeasible.”

“It came as a surprise to everyone when it didn’t go through,” he told me. It was the end of the road.

Looking back, Hunt maintains it was “the right thing” to walk away. But the process left him back at square one without a buyer and personally down hundreds of thousands in legal fees.

After a bruising year, both professionally and personally, Hunt took time to recuperate and settle back into a normal schedule. Then the coronavirus hit. Australia fared lightly in the pandemic by international standards, lifting its lockdown after a brief quarantine.

Hunt said he will keep running Have I Been Pwned. It wasn’t the outcome he wanted or expected, but Hunt said he has no immediate plans for another sale. For now it’s “business as usual,” he said.

In June alone, Hunt loaded over 102 million records into Have I Been Pwned’s database. Relatively speaking, it was a quiet month.

“We’ve lost control of our data as individuals,” he said. But not even Hunt is immune. At close to 10 billion records, Hunt has been ‘pwned’ more than 20 times, he said.

Earlier this year Hunt loaded a massive trove of email addresses from a marketing database — dubbed ‘Lead Hunter’ — some 68 million records fed into Have I Been Pwned. Hunt said someone had scraped a ton of publicly available web domain record data and repurposed it as a massive spam database. But someone left that spam database on a public server, without a password, for anyone to find. Someone did, and passed the data to Hunt. Like any other breach, he took the data, loaded it in Have I Been Pwned, and sent out email notifications to the millions who have subscribed.

“Job done,” he said. “And then I got an email from Have I Been Pwned saying I’d been pwned.”

He laughed. “It still surprises me the places that I turn up.”


Four views: How will the work visa ban affect tech and which changes will last?

The Trump administration’s decision to extend its ban on issuing work visas to the end of this year “would be a blow to very early-stage tech companies trying to get off the ground,” Silicon Valley immigration lawyer Sophie Alcorn told TechCrunch this week.

In 2019, the federal government issued more than 188,000 H-1B visas — thousands of workers who live in the San Francisco Bay Area and other startup hubs hold H-1B and H-2B visas or J and L visas, which are explicitly prohibited under the president’s ban. Normally, the government would process tens of thousands of visa applications and renewals in October at the start of its fiscal year, but the executive order all but guarantees new visas won’t be granted until 2021.

Four TechCrunch staffers analyzed the president’s move in an attempt to see what it portends for the tech industry, the U.S. economy and our national image:

Danny Crichton: Trump’s ban is a “self-inflicted” blow to our precarious economy

America’s economic supremacy is increasingly precarious.

Outsourcing and offshoring led to a generational loss of manufacturing skills, management incompetence killed off many of the country’s leading businesses and the nation now competes directly with China and other countries in critical emerging industries like 5G, artificial intelligence and the other alphabet soup of technological acronyms.

We have one thing going for us that no other country can rival: our ability to attract top talent. No other country hosts more immigrants, nor does any other country capture the imagination of a greater portion of the world’s top minds. America — whether Silicon Valley, Wall Street, Hollywood, Harvard Square or anywhere in between — is where smart people congregate.

Or at least, it was.

The coronavirus was the first major blow, partially self-inflicted. Remote work pushed employers toward keeping workers where they are (both domestically and overseas) rather than centralizing them in a handful of corporate HQs. Meanwhile, students — the first step for many talented workers to enter the United States — are taking a pause, fearing renewed outbreaks of COVID-19 in America while much of the rest of the developed world reopens with few cases.

The second blow was entirely self-inflicted. Earlier this week, President Donald Trump announced that his administration would halt processing critical worker visas like the H-1B due to the current state of the American economy.


Volcker Rule reforms expand options for raising VC funds

It’s time to put on our thinking caps so we can discuss an esoteric but important policy change and how it is going to impact the VC world.

The 2008 financial crisis devastated the global economy. One of the reforms that came from the detritus of that situation was a policy known as the Volcker Rule.

The rule, proposed by former Fed chairman Paul Volcker and passed into law with the Dodd-Frank reform bill, was designed to limit the ways that banks could invest their balance sheets to avoid the kind of cataclysmic systemic risks that the world witnessed during the crisis. Many banks faced a liquidity crunch after investing in mortgage-backed securities (MBSs), collateralized debt obligations (CDOs), and other even more arcane speculative financial instruments (like POGs, or Piles Of Garbage) in seeking profits.

One of the unintended consequences of the Rule is that it limited banks from investing in certain “covered funds,” which was written broadly enough that it, well, covered VC firms as well as hedge funds and other private equity vehicles. Reforms to that policy (and to the Rule in general) have been proposed for a decade with little traction until recently.

Now, a number of reforms are underway to the Volcker Rule, which has been a domestic regulatory priority for the Trump administration since Inauguration Day.

First, a simplification to some of the Rule’s regulations was passed late last year and went into effect in January. Now, a final rule to reform the Volcker Rule’s application to VC firms, among other issues, has been agreed to by a group of U.S. regulatory agencies and will go into effect later this year.


Biased AI perpetuates racial injustice

The murder of George Floyd was shocking, but we know that his death was not unique. Too many Black lives have been stolen from their families and communities as a result of historical racism. There are deep and numerous threads woven into racial injustice that plague our country that have come to a head following the recent murders of George Floyd, Ahmaud Arbery and Breonna Taylor.

Just as important as the process underway to admit to and understand the origin of racial discrimination will be our collective determination to forge a more equitable and inclusive path forward. As we commit to address this intolerable and untenable reality, our discussions must include the role of artificial intelligence (AI). While racism has permeated our history, AI now plays a role in creating, exacerbating and hiding these disparities behind the facade of a seemingly neutral, scientific machine. In reality, AI is a mirror that reflects and magnifies the bias in our society.

I had the privilege of working with Deputy Attorney General Sally Yates to introduce implicit bias training to federal law enforcement at the Department of Justice, which I found to be as educational for those working on the curriculum as it was to those participating. Implicit bias is a fact of humanity that both facilitates (e.g., knowing it’s safe to cross the street) and impedes (e.g., false initial impressions based on race or gender) our activities. This phenomenon is now playing out at scale with AI.

As we have learned, law enforcement activities such as predictive policing have too often targeted communities of color, resulting in a disproportionate number of arrests of persons of color. These arrests are then logged into the system and become data points, which are aggregated into larger data sets and, in recent years, have been used to create AI systems. This process creates a feedback loop where predictive policing algorithms lead law enforcement to patrol and thus observe crime only in neighborhoods they patrol, influencing the data and thus future recommendations. Likewise, arrests made during the current protests will result in data points in future data sets that will be used to build AI systems.

This feedback loop of bias within AI plays out throughout the criminal justice system and our society at large, such as determining how long to sentence a defendant, whether to approve an application for a home loan or whether to schedule an interview with a job candidate. In short, many AI programs are built on and propagate bias in decisions that will determine an individual and their family’s financial security and opportunities, or lack thereof — often without the user even knowing their role in perpetuating bias.

This dangerous and unjust loop did not create all of the racial disparities under protest, but it reinforced and normalized them under the protected cover of a black box.

This is all happening against the backdrop of a historic pandemic, which is disproportionately impacting persons of color. Not only have communities of color been most at risk to contract COVID-19, they have been most likely to lose jobs and economic security at a time when unemployment rates have skyrocketed. Biased AI is further compounding the discrimination in this realm as well.

This issue has solutions: diversity of ideas and experience in the creation of AI. However, despite years of promises to increase diversity — particularly in gender and race, from those in tech who seem able to remedy other intractable issues (from putting computers in our pockets and connecting with machines outside the earth to directing our movements over GPS) — recently released reports show that at Google and Microsoft, the share of technical employees who are Black or Latinx rose by less than a percentage point since 2014. The share of Black technical workers at Apple has not changed from 6%, which is at least reported, as opposed to Amazon, which does not report tech workforce demographics.

In the meantime, ethics should be part of a computer science-related education and of employment in the tech space. AI teams should be trained on anti-discrimination laws and implicit bias, emphasizing the negative impacts on protected classes and the real human cost of getting this wrong. Companies need to do better at incorporating diverse perspectives into the creation of their AI, and they need the government to be a partner, establishing clear expectations and guardrails.

There have been bills to ensure oversight and accountability for biased data and the FTC recently issued thoughtful guidance holding companies responsible for understanding the data underlying AI, as well as its implications, and to provide consumers with transparent and explainable outcomes. And in light of the crucial role that federal support is playing and our accelerated use of AI, one of the most important solutions is to require assurance of legal compliance with existing laws from the recipients of federal relief funding employing AI technologies for critical uses. Such an effort was started recently by several members of Congress to safeguard protected persons and classes — and should be enacted.

We all must do our part to end the cycles of bias and discrimination. We owe it to those whose lives have been taken or altered due to racism to look within ourselves, our communities and our organizations to ensure change. As we increasingly rely on AI, we must be vigilant to ensure these programs are helping to solve problems of racial injustice, rather than perpetuate and magnify them.


How will EC plans to reboot rules for digital services impact startups?

A framework for ensuring fairness in digital marketplaces and tackling abusive behavior online is brewing in Europe, fed by a smorgasbord of issues and ideas, from online safety and the spread of disinformation, to platform accountability, data portability and the fair functioning of digital markets.

European Commission lawmakers are even turning their eye to labor rights, spurred by regional concern over unfair conditions for platform workers.

On the content side, the core question is how to balance individual freedom of expression online against threats to public discourse, safety and democracy from illegal or junk content that can be deployed cheaply, anonymously and at massive scale to pollute genuine public debate.

The age-old conviction that the cure for bad speech is more speech can stumble in the face of such scale. While illegal or harmful content can be a money spinner, outrage-driven engagement is an economic incentive that often gets overlooked or edited out of this policy debate.

Certainly the platform giants — whose business models depend on background data-mining of internet users in order to program their content-sorting and behavioral ad-targeting (activity that, notably, remains under regulatory scrutiny in relation to EU data protection law) — prefer to frame what’s at stake as a matter of free speech, rather than bad business models.

But with EU lawmakers opening a wide-ranging consultation about the future of digital regulation, there’s a chance for broader perspectives on platform power to shape the next decades online, and much more besides.

In search of cutting-edge standards

For the past two decades, the EU’s legal framework for regulating digital services has been the e-commerce Directive — a cornerstone law that harmonizes basic principles and bakes in liabilities exemptions, greasing the groove of cross-border e-commerce.

In recent years, the Commission has supplemented this by applying pressure on big platforms to self-regulate certain types of content, via a voluntary Code of Conduct on illegal hate speech takedowns — and another on disinformation. However, the codes lack legal bite and lawmakers continue to chastise platforms for not doing enough nor being transparent enough about what they are doing.


FCC set to finalize ‘988’ as the new National Suicide Prevention Hotline phone number

The FCC said Tuesday it will vote next month to designate 988 as the new three-digit U.S. nationwide number to reach the National Suicide Prevention Hotline.

In a notice, the federal regulator overseeing U.S. internet and phone providers said it will vote on the proposal on July 16 to make the number change official. FCC chairman Ajit Pai said the three-digit number, if passed, “will save lives.”

Once approved, U.S. phone companies — including internet calling providers — will have two years to transition 988 calls to the National Suicide Prevention Hotline.

Even after the transition, callers will still be able to reach the hotline through its regular phone number.

Lawmakers and advocates have spent years advocating to shorten the hotline’s 10-digit phone number to just three digits to make it easier for those in a mental health crisis to reach help. Suicide is one of the leading causes of death in the United States.

In December, the FCC voted unanimously to push ahead with the plans to issue the three-digit number, calling it an “echo” of 911, the national number to reach emergency services, recognizing the importance of easy access to the hotline.

Sam Brinton, vice president of advocacy and government affairs for The Trevor Project, a non-profit dedicated to suicide prevention efforts among LGBTQ+ youths, welcomed the news.

“Suicide remains the second leading cause of death among young people, and LGBTQ youth are at increased risk,” said Brinton. “Americans in crisis cannot wait. We also applaud the FCC’s continued support for specialized services for LGBTQ youth.”

If you or someone you know is struggling with depression or has had thoughts of harming themselves or taking their own life, get help. The National Suicide Prevention Lifeline (1-800-273-8255) provides 24/7, free, confidential support for people in distress, as well as best practices for professionals and resources to aid in prevention and crisis situations.


Free money for startups? It’s possible with MainStreet’s platform for economic development incentives

Startups need money. State and local governments need startups and the employment growth they offer. It should be obvious that the two groups can work together and make each other happy. Unfortunately, nothing could be further from the truth.

Each year, governments spend tens of billions of dollars on economic development incentives designed to attract employers and jobs to their communities. There are a huge number of challenges, however, for startups and individual contributors trying to apply for these programs.

First, economic development leaders typically focus on massive, flagship projects that are splashy and will drive the news cycle and bring good media attention to their elected official bosses. So, for example, you get a massive, $10 billion Foxconn plant in Wisconsin tied to hundreds of millions of incentives, only to see the project sputter into the ground.

Then there is the paperwork. As you’d expect with any government application process, it can be arduous to find the right incentive programs, apply for credits at the right time and max out the opportunities available.

That’s where MainStreet comes in.

It is CEO and founder Doug Ludlow’s third company. He previously founded Hipster, which sold to AOL, and The Happy Home Company, which sold to Google. After that transaction, Ludlow went on to become chief of staff for SMB ads at the tech giant, where he saw firsthand the challenges that startups and all small companies face in growing outside of major urban hubs like San Francisco.

When he and his co-founders Dan Lindquist and Daniel Griffin first started, they were focused on what Ludlow described as “a network of remote work hubs.” As they were experimenting last November they tried paying people to leave the Bay Area, offering them $10,000 if they moved to other cities. The offer caused a sensation, with outlets like CNN covering the news.

While the interest from customers was great, what ignited Ludlow and his co-founders’ passions was that “literally dozens of cities, states and counties reached out, letting us know that they had an incentive program.” As the team explored further, they realized there was a huge untapped opportunity to connect startups to these preexisting programs.

MainStreet was born, and it’s an idea that has also attracted the attention of investors. The company announced today that it raised a $2.3 million round from Gradient Ventures, Weekend Fund and others.

Startups apply for economic incentives through MainStreet’s platform, and then MainStreet takes a 20% cut of any successful application. Notably, that cut is only taken when the incentive is actually disbursed (there’s no upfront cost), and there is also no on-going subscription fee to use the platform. “If you identify the credit that you’re able to use six months from now, we will charge you six months from now, when you’re actually getting that credit. It seems to be a business model that is aligned well with founders,” Ludlow said.

Right now, he says that the average MainStreet client saves $51,000, and that MainStreet has crossed the $1 million ARR run rate threshold.

Today, the company’s core clientele are startups applying for payroll credits and research and development credits, but Ludlow says that MainStreet is working to expand beyond its tech roots to all small businesses, such as restaurants. The company also wants to expand the number of economic development programs that startups can apply for. Given the myriad governments and programs, there are hundreds if not thousands more programs to onboard onto the platform.

MainStreet’s team. Image Credits: MainStreet

While MainStreet is helping startups and small businesses, it also wants to help governments improve their operations around economic development. With MainStreet, “we can report back to cities and states showing exactly what their tax dollars or tax credits are being utilized for,” Ludlow said. “So the accountability is orders of magnitude greater than they had before. So already, there’s this better system for tracking the success of incentives.”

The big question for MainStreet this year is navigating the crisis around the COVID-19 pandemic. While more small businesses than ever need help navigating credits, state and local governments have suffered huge shortfalls in revenues as taxes have dried up and Washington continues to debate what aid, if any, to offer. There’s no money for economic development, yet economic development has never been more important than right now.

Ultimately, MainStreet is pushing the vanguard of economic development thinking forward away from massive checks designed to underwrite industrial factories to a more flexible and dynamic model of incentivizing knowledge workers to move to areas outside the major global cities. It’s an interesting bet, and one that, at the very least, will help many startups get the economic incentives they rightly have access to.

Outside of Gradient and Weekend Fund, Shrug Capital, SV Angel, Remote First Capital, Basement Fund, Basecamp Ventures, Backend Capital and a host of angels participated in the round.


It’s Time for a New Kind of Electronic Health Record


The Covid-19 pandemic presents the U.S. health care system with a mind-boggling array of challenges. One of the most urgent is coping with a simultaneous glut and dearth of information. Between tracking outbreaks, staying abreast of the latest information on effective treatments and vaccine development, keeping tabs on how each patient is doing, and recognizing and documenting a seemingly endless stream of weird new symptoms, the entire medical community is being chronically overwhelmed.

Sorting through large amounts of information and finding the nuggets that apply to a particular patient’s situation is something that computers ought to be good at. But we still have trouble knowing which data is important and what the right treatment and prevention plan is for each patient.

During the Obama administration, the federal government supplied billions of dollars — and providers kicked in billions more — to speed the adoption of electronic health records. But even though up to 96% of hospitals and 86% of physician offices have adopted them, we still don’t have EHRs that can rise to the information challenges that clinicians face every day, let alone those posed by Covid-19.

Providers still encounter continual frustration on many levels: user interfaces and usability issues, the quality of the data entered, and the limited ability of the data to support discovery and interoperability among systems, just to name a few. These limitations have compounded the difficulty clinicians face in delivering care during the Covid-19 crisis.

An overhaul of the electronic health record is overdue. It must go beyond fixing the user interface or improving interoperability. It must address the fundamental problems exposed by the pandemic. The overhaul must also support the ability of providers to adopt the new value-based-care business model of health care — one that rewards providers for outcomes rather than the volume of services and that shifts their focus from reactive sick care to the proactive management of health.

To address these needs, the electronic health record must transition from an emphasis on a person’s medical record to an emphasis on a person’s plan for health and from a focus on supporting clinical transactions to a focus on delivering information to the provider and the patient.

From the Record to the Plan

A redesign of the EHR is essential, but what should it look like? EHRs are reasonably good at the “record” part — keeping track of what happened to the patient — but they must evolve to address the “health” part by helping providers plan for what they want to happen. EHRs could become tools for making those plans and keeping them on track if we design them with that goal in mind.

Intermountain Healthcare, Virginia Mason, and Kaiser Permanente are pioneers in adopting the new health care business model. Their experiences point the way to the next generation of EHRs.

What would a “plan-centric” EHR system look like? It would include:

  • A library of care plans that covers a wide range of situations. Variations in patient circumstances and preferences would dictate variations in the plans. A patient with well-managed diabetes would have a different plan from one who is still struggling for control. A patient who lived alone would have a different plan from one who lived with a large, supportive family.
  • Algorithms to form a patient’s master plan. Patients hardly ever have just one clear, manageable issue. A master plan would combine appropriate algorithms for treating, say, a patient’s asthma, arthritis, depression, and weight reduction, automatically resolving conflicts and redundancies.
  • Care team support. Each team member — the patient’s primary care provider, specialists, nurse practitioners, pharmacists, case managers and the patient — would see both the master plan and their own to-do list. Team members could assign tasks to one another.
  • The ability to traverse care settings, geographies, and different EHRs. The plan would need to travel seamlessly with the patient. Providers would have interoperable systems that could integrate a patient’s plan regardless of its origin.
  • Decision support and workflow logic. The system must remind team members of upcoming and overdue activities, suggest changes in the plan when patient conditions and care needs change, and route messages to the appropriate team member regarding new test results or patient events.
  • Analytics for both individual patients and populations. The system must be able to assess how well the plan is achieving its goals, both for the individual patient and for the larger population that may be under the provider’s care. It should be able to apply lessons learned in treating one patient to other patients.

Imagine a plan-centric EHR ready to deal with Covid-19, incorporating the latest evidence-based treatments into each patient’s care plan based on their current status and underlying health conditions, and then feeding back data on how each patient responded in order to improve the plan for the next patient. Such capabilities could transform outcomes and save many lives.

From Transaction-Oriented to Intelligence-Oriented

As befits systems with origins in billing, the design focus of EHRs has been transactional: documenting a visit, retrieving a lab result, sending a prescription to the pharmacy. This focus is not all bad: It has reduced some types of errors and made it easier to generate work lists and logic to help ensure that the clinical order is complete.

However, exquisite transaction support is not enough to address the challenges that afflict care delivery: failure to follow the evidence, brittle operational and clinical processes, and the near impossibility of keeping up with advances in medicine. EHRs can compound these limitations by being very difficult to update.

We must reimagine the EHR not as a document but as a system that supports the generation and tracking of multiple documents, events, and processes. It must surround each transaction and clinical process with intelligence to ensure clinical appropriateness and sound execution.

It should help ensure that care follows the evidence, identify treatment options that result from the dazzling pace of medical discovery, and alert providers when care processes have deviated from acceptable levels of performance. This intelligence must detect acts of commission (the choice of an outdated treatment approach) and omission (a patient has failed to keep an appointment to see a specialist).

The EHR must provide the ability for clinicians to easily analyze patient data to discover new treatments, uncover safety issues, and identify unusual clinical findings. Such capabilities would have enabled, for example, the much faster discovery of blood clotting in Covid-19 patients.

Intelligence can be leveraged to help address clinician concerns with EHR usability. Logic that presents the physician with data and potential actions tailored to reflect the patient’s conditions, the physician’s preferences, and the medical evidence can save the physician time and improve the quality of care.

Many of these intelligence and plan capabilities are present to some degree in today’s EHR. However, the old fee-for-service business model has not rewarded their refinement and extensive use.

Some providers — including Kaiser Permanente, Geisinger, Intermountain Healthcare, and UPMC — are using their EHRs in this way, but these organizations share a key characteristic: They insure a significant percentage of their patients as well as providing their care, and therefore their financial incentives are more like those of payers. They have already embraced the new value-based-care business model that the rest of the industry is moving toward.

Achieving the Intelligent, Plan-Centric IT Foundation

We will always need medical record documentation and transaction capabilities. An accurate, comprehensive health record is critical to the delivery of care and is also a required legal document.

How can we preserve these functions of the EHR while migrating it to the new intelligent, plan-centric design?

One major obstacle to fixing the EHR problem is that the health care industry is in the middle of a transition to the new business model. But the change is happening so gradually — in fits and starts, depending on the payer and the political environment — that it’s difficult for providers and EHR vendors alike to gauge the appropriate moment for a system redesign. Consequently, providers will have to juggle two opposing business models for an unknown period of time, and their information technology portfolio will have to support both.

Exasperated users might support the idea of tossing out what we have and starting over from scratch, but that’s not going to happen for a number of reasons: the stupefyingly large cost, the enormous development and implementation time, the disruption of operations, and the potential danger to patients during the transition.

Health care should take a lesson from banking. Instead of rewriting legacy systems, the banking community modified current systems, added complementary applications, and “wrapped” legacy systems with newer technologies and capabilities. To transform the EHR from a (quasi) document into the new design, we need a full array of complementary applications that “wrap around” appropriately modified EHRs and provide significant care-plan and intelligence support. Providers can make these investments as needed to match the pace and address the specific needs of their migration to value-based care and measure the return on investment as they go. These applications and capabilities might include the following:

  • Population health management. Providers will be accountable for the health and health care of populations of people with common health conditions such as diabetes and asthma. Population-health-management systems combine data from diverse sources (EHRs, claims, patient-monitoring devices, census, and other demographic databases that can track social determinants of health). The population-health-management systems “surround” the EHR so that the provider can view the plan from the record and the population health management system can send alerts and messages to the EHR inbox.
  • Health information exchanges. Connecting a wide variety of health care organizations in a region or state, the HIE enables them to exchange data about a patient. For example, when a patient presents at an emergency room, the care team can use the exchange to retrieve patient data from other care settings and get a complete clinical picture of the patient. Some HIEs have developed applications that measure regional care quality and costs, portals that enable patients to see their aggregated clinical data, and alert systems that tell a provider when one of its patients has been seen elsewhere.
  • Patient-health-management applications. These enable consumers to aggregate their health data, view their health status, track their appointments and prescription refills, converse with their care team, participate in care communities, view and alter their shared care plan, and research health issues.
  • Big data analytics systems. These aggregate very large amounts of health and health care data to compare the effectiveness of treatments, identify medication and device safety problems, facilitate medical discovery, and analyze shifting patterns of patient characteristics and diseases. Artificial intelligence can be used to support automatic correction of data inconsistencies and extraction of data from images, sound, and free text: for example, going through free text and pulling out quality measures or problems that were not previously in a patient’s problem list.

Many health systems have begun to adopt the strategy of surrounding their EHRs with the next generation of intelligent, plan-centric capabilities. As the health care business model evolves, organizations such as Mass General Brigham (formerly Partners HealthCare), Memorial Hermann, Geisinger, CommonSpirit Health, and Cedars Sinai are vigorously implementing population health, big data analytics, and patient-health-management applications.

Embracing Transformation

Health care delivery is in the early stages of an extraordinary change. This change is being driven by the relentless movement to the value-based care model and the problems exposed by the Covid-19 crisis. This ongoing transformation is paving the way for a new EHR design: a platform that fuses the current EHR with complementary systems, capabilities, and technologies.

Achieving the intelligent, plan-centric health care platform will require a level of industry cooperation that is unlike, and in some ways antithetical to, the way we’ve always done things. The pandemic has shown us health care collaboration at its best. In that respect, the response to the pandemic mirrors the new business model that we are trying to build.


Microsoft employees call for company to cancel its contracts with law enforcement

In a new letter addressed to executive leadership, a group of Microsoft employees is demanding that the Seattle-area company end its existing law enforcement contracts.

As reported by OneZero, the letter, sent via email, emerged out of a Facebook group for young employees at the company. It addresses Microsoft CEO Satya Nadella and Executive Vice President Kurt DelBene directly and was copied to 250 supporters. In the past, Microsoft employees have organized other kinds of activism through the same Facebook group, which now has almost 10,000 members.

Among the demands, the email calls for the company to pull its contracts with law enforcement agencies, support the “defunding and demilitarization” of the Seattle Police Department and throw its support behind Black Lives Matter Seattle. The letter also requests that managers at the company relax productivity expectations and implement a four-day work week amid the dual crises of COVID-19 and ongoing civil unrest protesting the police killing of George Floyd, an unarmed Black man in Minneapolis.

The letter cites a number of local instances of police brutality and calls for “coworkers, managers, and leaders who live miles away outside of Seattle” to bridge the gap, connecting to the state-sanctioned violence unfolding in Seattle’s urban center, including “24/7 helicopter noise, teargassing, flashbanging, rubber bullets, gun shots, and vans/buses filled with armed law enforcement.”

“We need awareness and empathy across every level of management asap so that the burden of educating our coworkers doesn’t fall on those of us in the middle of a public safety and mental health crisis,” the authors urge.

Last week, Nadella outlined the company’s planned response to ongoing racial injustice in an email to employees, noting that the company would “look inside, examine our organization, and do better.” In the letter, Nadella committed to $1.5 million in additional donations to six racial justice and policing reform initiatives, including the Minnesota Freedom Fund, the Black Lives Matter Foundation and the Innocence Project.


Decrypted: DEA spying on protesters, DDoS attacks, Signal downloads spike

This week saw protests spread across the world sparked by the murder of George Floyd, an unarmed Black man, killed by a white police officer in Minneapolis last month.

The U.S. hasn’t seen protests like this in a generation, with millions taking to the streets each day to lend their voice and support. But they were met with heavily armored police, drones watching from above, and “covert” surveillance by the federal government.

That’s exactly why cybersecurity and privacy are more important than ever, not least to protect law-abiding protesters demonstrating against police brutality and institutionalized, systemic racism. It’s also prompted those working in cybersecurity — many of whom are former law enforcement themselves — to check their own privilege, confront the racism within their ranks and lend their knowledge to their fellow citizens.

THE BIG PICTURE

DEA allowed ‘covert surveillance’ of protesters

The Justice Department has granted the Drug Enforcement Administration, typically tasked with enforcing federal drug-related laws, the authority to conduct “covert surveillance” on protesters across the U.S., effectively turning the civilian law enforcement division into a domestic intelligence agency.

The DEA is one of the most tech-savvy government agencies in the federal government, with access to “stingray” cell site simulators to track and locate phones, a secret program that allows the agency access to billions of domestic phone records, and facial recognition technology.

Lawmakers decried the Justice Department’s move to allow the DEA to spy on protesters, calling on the government to “immediately rescind” the order and describing it as “antithetical” to Americans’ right to peaceful assembly.