This year’s FedHealthIT Magazine included the first part of this latest article by Mike. For those looking to continue the article, look for the *** to resume reading. In case you missed the first part, here is the complete article.

Social networks. Neural networks. Physical networks. Whatever their type, they all follow the same mathematical rules. In this article, Mike Farahbakhshian explores why “six degrees of separation” isn’t quite true, why it’s helpful for AI and Deep Learning, and why it’s a disaster for cyber security.

Bacon: The Number That Keeps On Giving

What’s your Bacon Number? Mine is four.

A Bacon Number derives from the game “Six Degrees of Kevin Bacon.” You may have heard of the “six degrees of separation” concept, which posits that any two people on Earth are six or fewer acquaintance links apart.

In my case, I co-wrote and had a bit part in a 48-Hour Film Festival short named Presence.

The feature starred Ricardo Frederick Evans and Rebecca Herron. Ricardo was also in The Father and the Bear with Star Trek: Voyager alumnus Robert Picardo …

… who has a Bacon Number of two, which gives Ricardo a Bacon Number of three and yours truly a Bacon Number of four.

Now, four isn’t a particularly impressive Bacon Number for those in the Hollywood world, but for someone who spends most of his time futzing around with hot takes on Health IT, and only dabbles in film, it’s a pretty low number to have. There are other numbers for other industries – for example, in mathematics, the equivalent of a Bacon number is the Erdös number, which links to academic collaboration with famed mathematician Paul Erdös. Since I’ve never been published in academia, I don’t have an Erdös number. (For those rare souls who are both actors and published mathematicians, there is the Erdös-Bacon number, which is a sum of your Bacon and Erdös numbers. Stephen Hawking and Carl Sagan both have Erdös-Bacon numbers of 6. Natalie Portman – yes, that Natalie Portman – has an Erdös-Bacon number of 7.)

In Health IT, I propose the equivalent be called the Grace Number, for degrees of connection with the one and only Joe Grace.

Don’t get out of Joe’s good Graces.

My Grace number is a lot lower than my Bacon number, as I am sure yours would be. This is because social networks tend to cluster: people have stronger connections to people who are physically closer to them, share an interest, or who work together in the same field. Physical networks tend to work in the same way – the majority of network traffic is between local resources and each other, or the closest router. Likewise, neural networks, used by AI and in brain research, tend to use this principle of closeness.

In the mathematical science of graph theory, which is populated by people with astoundingly low Erdös-Bacon numbers, this principle is called locality. Locality makes sense because in the real world, things – subatomic particles, atoms and molecules, organisms and societies – are impacted the most by their immediate surroundings. So it is with networks (and social connections, and brains, and artificial intelligence). This is all cut and dried, right? Networks are just daisy-chained clusters, doing a Hands Across America until you get from point A to point B, right? And Joe Grace aside, what does this have to do with Health IT?

Everything, it seems. You see, folks like Joe enable what is called a small-world network. The concept of a small-world network has incredible implications, both good and bad, for aspects of Health IT as diverse as artificial intelligence and security compliance.

Source: Griff’s Graphs

Before we discuss a small-world network, let’s talk about “six degrees of separation.” The concept of “six degrees of separation” derives from an experiment Stanley Milgram – yes, that Stanley Milgram, with the electric shocks experiment – performed by randomly sending chain letters to people. Milgram sent several packages to 160 random people living in Omaha, Nebraska, asking them to forward the package to a friend or acquaintance who they thought would bring the package closer to a set final individual, a stockbroker from Boston, Massachusetts. The average number of hops was around six, and repeated experiments tend to reinforce that number.

Here’s the thing: if the only people we spoke to were our close associates (or “cliques”), we’d be nowhere near six hops from most people. Hands Across America would take a long time. Something is allowing quantum leaps between cliques to shorten this chain.

You Are … The Weakest Link

Pictured, famous “hub” Chuck Finley

We all know that guy who knows a guy, right? The “fixer” who has a buddy here and a buddy there and a friend of a friend somewhere else? In graph theory, we call these folks “hubs.” In Federal contracting, we call them “business development.” Whether by design or by chance, these hubs go outside of their comfort zone. Maybe they have a penpal across the world. Maybe they travel a lot. Maybe they hang out with folks outside of their industry, bonding over a hobby or interest that isn’t very common. Whether because of wanderlust or novelty-seeking, these hubs create “weak links” across networks.

A “weak link” doesn’t sound very impressive until you realize that weak links make for shortcuts for your little Hands Across America network. Weak links drastically shorten the average number of hops on a network – in short, your Bacon (or Erdös, or Grace) number. Here’s an example. The average degrees of separation between any two people in the world is around six. This includes people who are much farther away than six hops, like isolated villagers in the Andaman Islands or an Afghan tribal warlord in a hidden mountain valley. The only reason we have any connection at all to these folks is due to “weak links” who have been connecting over long distance the old-fashioned way: through trade (legal or illegal), proselytization, crime, war, or humanitarian efforts. But this shortens our average hops from somewhere between twenty and thirty to the well-agreed upon “six.” Technology allows people to connect based on more than geographical proximity: the average degree of connection between any two Twitter users is 3.43 – because you can follow Twitter users based on shared interests, trending hashtags, or random whimsy. The ability for any one user to break out of their local “clique” and forge a connection abroad – even if it is a so-called “weak link” – makes the whole network that much easier to traverse. Each weak link makes the world just a little bit smaller and easier to explore. And that’s why it’s called Small-World Theory.

Small-World Networks (SWNs) are the norm: in our societies, in the way our brains are wired, and in computer networks. Understanding SWNs means optimizing community care efforts, mapping the human genome, understanding the human brain and how it routes around traumatic brain injuries and strokes, development of artificial intelligence, and optimizing telehealth bandwidth and throughput.

However, the nature of SWNs has its downside. Everyone who thinks that security rules don’t apply to them, that person who can make a firewall exception to their favorite website or bring one unpatched machine onto an IoT network that gets compromised – well, that’s a “weak link” to the bad guys. It doesn’t matter how great your perimeter security is if you have a direct connection to Malware Central on the inside.

I’ll cover a few examples below.


Safety Net: How Small-World Networks Help Continuity of Care

Source: Singh Balhara YP. Diabetes and psychiatric disorders. Indian Journal of Endocrinology and Metabolism. 2011:274-283. doi:10.4103/2230-8210.85579.

We in the Health IT community worry a lot about Care Coordination. Care Coordination means organizing all of the various, complex, interacting activities and workflows that are involved in patient care. I covered this in my January article “New Year’s FHIR-Works” in my discussion on FHIR’s CarePlan construct. For those with better sense than to read my column regularly, the Cliff’s Notes version is that patients very rarely have only one condition that is treated in a vacuum. Most people deal with multiple comorbidities, and the treatment for each of these may interfere with the other. In addition to a general practitioner and/or nurse, a patient with diabetes mellitus may need to see their endocrinologist, nephrologist, cardiologist, dietitian, podiatrist, or physical therapist for their condition. Diabetes is often comorbid with psychiatric symptoms and interacts with them in a number of ways[1] that would take too long to explain here, but suffice it to say you may need to include a mental health professional. On top of this, a care network includes caregivers such as family members or friends, occupational therapists, pharmacists and insurance.

The principles of small-world networking help simplify these complex care networks. When clinicians, clinical support staff, and friends and family members of a patient are connected through alternate ways than just through the patient, it helps smooth operations and prevents the patient and the patient’s needs from slipping between the cracks. Let’s take our hypothetical diabetes patient, who might be on a mood stabilizer that affects blood sugar. If the pharmacist, endocrinologist and mental health professional are all golf buddies with the patient’s spouse, it’s easier to keep track of how impaired glucose metabolism is affecting the efficacy of the psychiatric meds and vice versa. We all can’t be golf buddies, but there are ways to ensure that everyone in the care network is at least acquainted. Much like how LinkedIn enables “introductions” between contacts, a good health information network can enable this social connectivity. Last March, my “B-Side” article discussed the Trusted Exchange Framework and Common Agreement, also known as TEFCA. TEFCA enables Qualified Health Information Networks, a.k.a., QHINs, to exchange patient information between hospital networks, including a master patient index, record location, queries and response of authorized health information, and so forth. Most of the hype about TEFCA has been about providing patient information between providers and specialists, but there’s no reason why it cannot be used to exchange caregiver network information. This enables a “one-stop-shop” for everyone in our diabetic patient’s network to ensure continuous, coordinated care with minimal risk of adverse interactions. The principles of Small-World Networks help TEFCA’s sprawling, disjointed network become just a bit smaller and easier to navigate.

“Watson, Come Here, I Want to See You”: How Small-World Networks Help Access to Care

These words, spoken by Alexander Graham Bell, were the first intelligible sounds spoken over a telephone. It’s often misquoted as “Watson, come here, I need you,” but the notorious AGB recorded the words for posterity in his own journal:

The direct line between AGB and his assistant, Thomas A. Watson, was the original Small-World Network, because it was the only network in existence at the time. Since then, that network has spread to become a worldwide sprawl called the Internet, which lets us communicate with people around the world, stream media, find the spiciest memes, and – relevant to Health IT – provide and receive telemedicine. In the past, this networking has been done via a “hub-and-spoke” model: you’d access your Internet Service Provider, they’d access their carrier, and so on and so forth until you got where you needed to be. The model was lifted whole cloth from airline carriers and it’s a great model if you want to prioritize centralized control of traffic. For those of us who do business travel on a per diem, you know how well a model like that works: it’s slow, high effort, and no fun at all.

Telemedicine using this airline model is equally slow and arduous. Yet what if you could use the principles of small-world networking to change the model? Instead of prioritizing centralized control of traffic, let’s prioritize getting data – real time video, text, and metrics – where they need to be ASAP. We do this by making anyone who is willing and able to handle the load into a hub of their own.

“A hub, you say? I think I know a couple of those.”

Voila: you have (re-)invented peer-to-peer networking. Once the domain of pirating music and movies, this is now actively used in the computing industry to increase the speed of operating system, application, and gaming patches. This approach has already saved lives: after Hurricane Maria, a peer-to-peer telemedicine service was able to route around damage to ensure that patients in a Federal emergency center in Manatí could get the consultations they needed. These consultations included live video chats and virtual visits with specialists via a network called New York Presbyterian On Demand.

The implications of Small-World Networks go beyond helping patients in disaster zones. Surely you can imagine small-world peer-to-peer networks enabling telemedicine in rural areas or combat support hospitals, and you’d be right. Yet what about in an urban area with multiple hospitals, like New York City? Surely there’s no need for Small-World Networks there?

You’re wrong. Small-World Network theory helps there too, because – as I covered last March – the goal of medicine is about closing the gap between the patient and their care. Telemedicine is just one way to do that – but other ways to do that include using Small-World Networks to model and optimize vehicle traffic.[2] This helps ambulances (or Uber Health, or patients driving themselves) travel to and from the appropriate facility in the most efficient way. You may not care much if cutting across 28th to 6th Avenue saves you a minute or two in your commute, but those two minutes mean everything to a patient suffering from a heart attack. When the walls are closing in and it feels like there’s an elephant sitting on your chest, your world might seem smaller and smaller by the second. Yet in this case, a small-world model can help route and re-route you to make sure you get the medical attention you need.

Small-World, Big Data: Epidemiology, AI and Other Research

We move from Alexander Graham Bell’s Watson to another kind of Watson, namely Watson Health. (There is no relation between the two.) Watson, and neural-network based AI in general, use Small-World Network models to achieve the quick flashes of intuition and connection that the human brain can achieve. This is important because an individual patient generates ridiculous amounts of data. From IBM’s own estimate, a patient will generate 0.4 terabytes of clinical data over their lifetime, which doesn’t seem like much. However, they will generate 6 terabytes of genomic data over their lifetime, which accounts for almost a third of the determinants of your health. (I have firsthand experience with this after using my 23andMe data to help save a family member’s life.) What is truly terrifying are all the social, environmental and behavioral determinants of health – you know, the stuff that Accountable Care Organizations are trying to use in the switch to Value-Based Care. That’s over 1100 terabytes, per person, over a lifetime. Multiply that by 7.6 billion people and we’ve gone beyond terabytes, past petabytes and exabytes into sillier SI prefixes like zettabytes and yottabytes. That’s a lot for a bunch of nodes in the cloud to compute – but small-world networking helps shorten that compute time exponentially. In layman’s terms, the Grace number between your question and your answer shortens significantly when a Small-World Network can make quantum leaps through that morass of data.

Our Hub friend Chuck Finley was Patient Zero of the famous zombie epidemic, Restless Hands Syndrome.

Tracking data with Small-World Networks this way is useful for more than traffic optimization and AI. Small-World Network models are also used to build epidemiological models that trace a disease’s origin and expansion. In a world of increased global travel and worldwide supply chains, diseases spread faster than ever thanks to our friends the Hubs. This means that we need these small-world models to predict and shut down disease spread more than ever. The approach was used in the recent 2018 Ebola outbreak in the Democratic Republic of the Congo: small-world modeling informed the quarantine protocol, and the outbreak was successfully contained with only 53 cases and 29 deaths. Contrast this with the 2013 and 2016 outbreaks of Sierra Leone, Liberia, and Equatorial Guinea, which led to a combined 28,600 cases and 11,300 deaths.[3] Which leads us to the biggest downside of Small-World Networks:

Hubs are Trouble

Oh boy they are. Not only are Hubs transmission vectors for real-world diseases, skirting containment protocols through their jet setting and extraversion, but Hubs are chinks in the armor of cybersecurity. It matters not one whit how strong your perimeter security is – all it takes is one person to punch a hole in that paradigm. Sometimes it’s an executive who wants to flout some privilege to visit their favorite site. Sometimes it’s a custom or legacy application which needs to phone home. Bottom line, our friends the Hubs and their ability to make the world smaller bring bad actors – be they real viruses or computer viruses – that much closer.

Small-world networking is a double-edged sword: the same connections that make you only a few hops away from anyone else in the world will allow you easy access to information and resources, but it gives the bad guys easy access to you. In the case of containing epidemics, knowledge is power: since we know the small-world model is in effect, we can use it to predict spread of diseases. Since viruses and bacteria aren’t intelligent or malevolent, we can contain their spread with natural choke points. Remember the airline hub-and-spoke model that everyone hates? Remember how I said it was there to prioritize control of traffic? I bet you are glad that air traffic is regulated now, because it means flights with Ebola or Measles can be quarantined or diverted much more easily than if everyone had their own personal flying car. While diseases can (and do) spread on foot and by people driving automobiles, the design of roads also means certain choke points that can be blocked or monitored. Those worldly folks with wanderlust that we call Hubs? Their connections are called “weak links” for a reason – because they traverse across certain choke points, they can be monitored and slowed down.

On the cybersecurity front, however, things aren’t so easy. Bad guys are malicious and adapt to find ways to exploit those weak links. Witness the evolution of spam to phishing to spear phishing to IoT malware and ransomware. As people get wise, the bad guys match wits. In addition, the good guys are lazy and overconfident – it’s human nature to believe that your firewall or your intrusion detection system is protecting you, so why not punch a hole in the firewall? People don’t sit around geeking out over graph theory, so they don’t realize that each weak link shortens the degrees of connection between the bad guys and you.
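The graph-theory claim made here and in the earlier "weak link" section can be checked directly. The following is an added sketch, not part of the original article: it models a purely local network as a ring lattice, measures hop counts with breadth-first search, and shows how a single exception link collapses the distance between an untrusted host and a sensitive device. The 200-host ring, the node numbers and the two exception links are constructed for illustration.

```python
from collections import deque
import random

def ring_lattice(n, k):
    """Pure locality: every node links only to its k nearest neighbours per side."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k + 1):
            adj[i].add((i + d) % n)
            adj[(i + d) % n].add(i)
    return adj

def hops_from(adj, src):
    """Breadth-first search: hop count from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def average_hops(adj):
    """Mean shortest-path length over all ordered pairs of connected nodes."""
    total = pairs = 0
    for s in adj:
        d = hops_from(adj, s)
        total += sum(d.values())
        pairs += len(d) - 1
    return total / pairs

def set_link(adj, a, b, present):
    """Open (present=True) or close (present=False) an undirected link."""
    op = set.add if present else set.discard
    op(adj[a], b)
    op(adj[b], a)

def add_random_weak_links(adj, count, seed):
    """Add `count` links between randomly chosen nodes that are not yet neighbours."""
    rng = random.Random(seed)
    nodes = sorted(adj)
    added = 0
    while added < count:
        a, b = rng.sample(nodes, 2)
        if b not in adj[a]:
            set_link(adj, a, b, True)
            added += 1

def hops_if_closed(adj, exceptions, untrusted, asset):
    """For each exception link: untrusted-to-asset hops if only that link were closed."""
    result = {}
    for a, b in exceptions:
        set_link(adj, a, b, False)
        result[(a, b)] = hops_from(adj, untrusted).get(asset)
        set_link(adj, a, b, True)
    return result

# Constructed scenario: node 0 is an untrusted host, node 100 is an infusion pump.
UNTRUSTED, PUMP = 0, 100
EXCEPTIONS = [(3, 97), (150, 160)]  # two hypothetical firewall exceptions

def demo():
    net = ring_lattice(200, 2)
    before = hops_from(net, UNTRUSTED)[PUMP]
    for a, b in EXCEPTIONS:
        set_link(net, a, b, True)
    after = hops_from(net, UNTRUSTED)[PUMP]
    ranked = hops_if_closed(net, EXCEPTIONS, UNTRUSTED, PUMP)
    # Separate experiment: ten random weak links on a fresh lattice.
    world = ring_lattice(200, 2)
    avg_before = average_hops(world)
    add_random_weak_links(world, 10, seed=1)
    return {"pump_hops_before": before, "pump_hops_after": after,
            "if_closed": ranked, "avg_before": avg_before,
            "avg_after": average_hops(world)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Ranking exceptions by the hop count their closure would restore is one way to decide which "weak link" to review first: here closing (3, 97) puts the pump 46 hops away again, while closing (150, 160) leaves it at 5.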

Our small, dangerous world is bad enough when we talk about desktop or laptop computing, where a user may want special privileges for convenience. The small world is extremely problematic with IoT devices. This is because developers often want special privileges for user convenience, so many IoT devices have multiple forms of connectivity. Each form of connectivity is another weak link.

Witness a form of IoT most people don’t realize is IoT: your car’s infotainment system. In addition to the On-Board Diagnostics II (OBD-II) system every car has, most recent cars include:

  • Wireless connectivity between your wheels and the main computer for Anti-Lock Braking, Traction Control and Tire Pressure Monitoring
  • Wireless connectivity between sensors and your high and low Controller Area Network (CAN) bus – including things you might be terrified to know can be remotely hacked into, like braking and throttle control
  • Bluetooth for connectivity with your phone and other apps
  • A hotspot (for newer models) using Wi-Fi
  • A cellular modem that may be used for data and is used for any navigation system
  • A Global Positioning System (GPS) that ties into satellites for weather, traffic and SiriusXM data, as well as push alerts like Amber Alerts or Severe Weather warnings
  • Intelligent monitoring systems for auto-driving, lane-control, collision detection
  • On-call systems such as OnStar, Volvo Connect, etc.

This doesn’t take into account being connected to your phone for Android Auto or Apple CarPlay, given that most of these phones in turn have their own location services that constantly scan and ping Bluetooth and Wi-Fi to enhance their GPS triangulation. In 2014, journalist Michael Hastings’ car suspiciously lost control and crashed, killing Hastings. Hastings was working on a big story that he believed brought him under the scrutiny of the intelligence community. Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States from 1998 to 2003 and former Special Advisor to the President on Cybersecurity, is on record as saying:

“There is reason to believe that intelligence agencies for major powers — including the United States — know how to remotely seize control of a car. So if there were a cyber attack on [Hastings’] car — and I’m not saying there was, I think whoever did it would probably get away with it.”

Now I’m not here to reopen speculation on potential conspiracies, but when an expert on these matters says it is possible or probable, it gives me cause for concern. Think about all the IoT we have let into our lives over the past decade: besides cars, we have smartphones, Nests, Amazon Echos, smart TVs, and more.

Medical device IoT is even worse for three key reasons. First, they include devices embedded or attached to human bodies that affect patient safety, including smart pacemakers and infusion pumps. Second, they include devices that are hooked into hospital networks using a variety of wireless communication protocols, including imaging and scanning equipment. Third, many of these devices are difficult to “push” update in the same way that you can update a phone (or even a car infotainment system).

There are a few things that we can do to help increase the gap between the bad guys and your medical devices, with a corresponding tradeoff between security and usability. The most obvious thing to do is to use a medical device isolation network. DISA provides a Virtual Private Network called the Medical Community of Interest (Med-COI) which provides this service for Defense Health Agency and Veterans Affairs. (In full disclosure, my company, By Light, performs Last Half Mile connectivity and network administration of Med-COI). However, this does very little for commercial Healthcare networks who may value functionality over security.

Another tactic is to use a Continuous Monitoring approach to assess risk and trade off between usability and security. A problem here though is that continuous monitoring of an embedded medical device, such as a pacemaker or infusion pump, would require a network to spy on your device. Since people are on the move, that network would almost certainly have to function like a peer-to-peer or cellular network – i.e., a Small-World Network – and that’s one more connection to the bad guys.

Chuck Finley is Forever.

I think, however, the best approach is to let our Hubs do the work for us and leverage their wide-ranging social connections to promote security education. People now are waking up to the reality of ransomware, spyware, malware and state-sponsored cybersecurity attacks. By using folks like our friend Chuck Finley to show medical device developers, clinicians and patients that the easy way is the most dangerous way, we can use improved processes to regulate and protect patient safety and ensure better outcomes.

Grace Under Fire

So, there you have it. For the folks reading this, who likely have a Grace Number under four, you can see that the connectivity of our world has made it a place of wonder and terror alike. Small World Network models have given us incredible power to ensure continuity of care and access to care, whether in-person or virtual. We have the power to solve difficult research problems, including using AI to parse unimaginable amounts of data for value-based care. We have the power to track diseases and hopefully contain them before they become pandemics.

The punchline you were waiting for.

However, with great power comes great responsibility. We must realize that these Small-World Network models give our enemies – be they human or germ – the power to reach us. As the world becomes a smaller place, we have access to information and communication like never before in human history. A middle schooler in Italy can compare notes on Marco Polo’s journey in real time with friends in China and every stop along the way. I call upon my readers – and their connections, and everyone on that network to Kevin Bacon and beyond – to use this information responsibly. Let’s use our connections to spread the word and make sure we protect ourselves and ensure better outcomes.

[1] Way too much to address in the scope of this article, but I strongly recommend reading Singh Balhara YP. Diabetes and psychiatric disorders. Indian Journal of Endocrinology and Metabolism. 2011:274-283. doi:10.4103/2230-8210.85579.

[2] Again, way too much to put here, but Six Degrees: The Science of a Connected Age by Duncan Watts (co-creator of the Watts–Strogatz model) is a good place to start.

[3] Source: Boseley, Sarah, and Burke, Jason. “Ebola in the DRC: everything you need to know,” The Guardian, May 15, 2019.


