Have you taken it up with Discovery yet?
FishwisePro, HFPA, Drive Report, AmaYeza and Men's Clinic International. The latter have over 300,000 patient records, which are encrypted. I'm sure if you have ever visited them or phoned their call centre you'll be glad to know your contact details, including your name and telephone number, are stored in encrypted form in their databases, both Access and SQL.
On the laptops that visit outlying clinics, the database is stored on a TrueCrypt volume. So far several laptops have been stolen, including 2 armed robberies, and the data has not leaked. There are additional security measures as well. It was part of my brief when I started on the project many years ago. Before then their Access97 databases were password protected. That's all. The passwords were easily cracked, so I don't rely on any of the built-in Access or SQL Server security.
Considering that Men's Clinic is South Africa's largest seller of Viagra, Cialis and Levitra, not to mention injectable medication, you can understand why we go to great lengths to keep that information private, especially since MY name is in there too.
FWIW, I'm meeting with Discovery on Tuesday 14th. I'll keep y'all posted.
Donn, you're from the states, right?
Please read my blog post
"Discovery Health's Electronic Health Record: not good"
I spoke to the COO, CIO and various other executives today. The COO is a doctor with the bedside manner of earthmoving equipment. Either that or he was playing the "bad cop" role; I haven't decided. All I know for sure is that both the CEO and COO don't have a clue about internet security, and are convinced that their HealthID program is safe. It isn't.
To give you an idea about safety, consider that there are some well-known passwords that you simply should NEVER use: "password" is one of them. In spite of this, the Discovery web site allowed me to change my login password to "passw0rd" (with a zero) without even a beep. And they proudly told me that their web site passed a KPMG security audit 3 months ago.
And even though the HealthID program is being rolled out with much fanfare and is already being used by over 400 doctors, they are only going to have it audited next month. If there are any loopholes in the meantime, you can kiss your privacy goodbye.
The "consent" you sign if you agree to allow your doctor to use the HealthID program basically indemnifies Discovery Health for any "data leakage" that may occur through ignorance or stupidity on behalf of your doctor, or his receptionist, i.e. if they screw up or misuse the data, you can't sue Discovery.
DO NOT sign a HealthID consent form. EVER. If you do, you are effectively allowing unspecified healthcare providers full access to the most private and gory details of your medical history.
At the meeting they agreed to remove my medical history from their web site. Best of luck getting the call centre to do the same for anyone else.
I don't know what to say. I am going to have to reserve my comments until I've had a go at the app and had a look-see at what functionality it can provide.
But I would guess that the amount of red tape to get proper access will be quite extensive. Would first need to get our optometrist registered on Discovery using his ID number, practice number and HPCSA number. Hopefully Discovery will get back to us with a username and password before next week.
What exactly are you worried about?
Given the potential for serious data leakage on this system (as compared to paper files) I think this is not only prudent but essential.
Consent and Waiver" statement (on my blog article) and decide if you want to subject your patients or your family to such legal irresponsibility. I refuse.
Why would your optometrist need to know what medication I'm on? I have no way of preventing him from finding out once HealthID is expanded to include optometrists and dentists.
While you are looking at the functionality, consider the security from a patient point of view: any signature will do, and Discovery will hold you responsible if someone hacks/steals/misuses your iPad. And since the system will allow you to have a password as insecure as the word "passw0rd", good luck to you claiming from your malpractice insurance when you get hacked or your iPad is lost or stolen.
Consider the case of technology journalist Mat Honan, whose MacBook and iPhone were wiped and who lost a year's worth of baby photos in the process: "Mat Honan's Very Bad Weekend" (transcript).
Today I am told that they need more time.
It seems they don't have the tools to do this, even though I was assured that it could be done. Why am I not surprised?
Update: Dr Ryan Noach assures me my EMR will be removed by Monday.
Best of luck to anyone else trying to get their EMR removed by phoning the call centre.
My "Health Record" is no longer published on the Discovery web site. It remains to be seen whether any doctor can access it.
The latest Noseweek (#155, Sept 2012) has a story about this: "Discovery's Apple a day won't keep the doctor away"
I got the hard-sell spam from Discovery today.
I am uneasy about my dentist knowing about my haemorrhoids... (if I had either!)
Is there any further evidence that Discovery have tightened security on this thing?
The doctor's logon timeout is set to 3 minutes (if memory serves me correctly). That means the doctor has to log in each time he sees a new patient. If he's doing it that often on an iPad, how simple do you suppose his password will be? How many times have we seen that convenience is the enemy of security?
Don't allow your doctor to access your EMR until he can prove that there is two-factor authentication on the app. And since the app has not been updated since 12 June 2012, you can be sure it isn't there yet.