Thread: Discovery HealthID: kiss your medical history's privacy goodbye

  1. #46
    DJ...

    Have you taken it up with Discovery yet?
    Internet the way it was meant to be. Launch details will become Crystal Clear very soon...

  2. #47


    Quote Originally Posted by DJ...
    I missed the part where he looks after 300000 medical records. Linkage?
    I don't work for the military. My customers are FishwisePro, HFPA, Drive Report, AmaYeza and Men's Clinic International. The latter have over 300,000 patient records, which are encrypted. I'm sure if you have ever visited them or phoned their call centre you'll be glad to know your contact details, including your name and telephone number, are stored in encrypted form in their databases, both Access and SQL.

    On the laptops that visit outlying clinics, the database is stored on a TrueCrypt volume. So far several laptops have been stolen, including 2 armed robberies, and the data has not leaked. There are additional security measures as well. It was part of my brief when I started on the project many years ago. Before then their Access97 databases were password protected. That's all. The passwords were easily cracked, so I don't rely on any of the built-in Access or SQL Server security.

    Considering that Men's Clinic is South Africa's largest seller of Viagra, Cialis and Levitra, not to mention injectable medication, you can understand why we go to great lengths to keep that information private, especially since MY name is in there too.

    FWIW, I'm meeting with Discovery on Tuesday 14th. I'll keep y'all posted.
    Last edited by donn_edwards; 08-08-2012 at 01:24 PM.
    Donn Edwards
    Security Now! listener
    So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.

  3. #48
    DJ...

    Donn, you're from the states, right?

  4. #49


    Quote Originally Posted by DJ...
    Donn, you're from the states, right?
    No. I was born in Joburg. I don't have a passport ;-)
    Donn Edwards

  5. #50


    Hi everyone
    Please read my blog post
    "Discovery Health's Electronic Health Record: not good"
    http://donnedwards.openaccess.co.za/...ic-health.html

    I spoke to the COO, CIO and various other executives today. The COO is a doctor with the bedside manner of earthmoving equipment. Either that or he was playing the "bad cop" role; I haven't decided. All I know for sure is that both the CEO and COO don't have a clue about internet security, and are convinced that their HealthID program is safe. It isn't.

    To give you an idea about safety, consider that there are some well-known passwords that you simply should NEVER use: "password" is one of them. In spite of this, the Discovery web site allowed me to change my login password to "passw0rd" (with a zero) without even a beep. And they proudly told me that their web site passed a KPMG security audit 3 months ago.

    And even though the HealthID program is being rolled out with much fanfare and is already being used by over 400 doctors, they are only going to have it audited next month. If there are any loopholes in the meantime, you can kiss your privacy goodbye.

    The "consent" you sign if you agree to allow your doctor to use the HealthID program, basically indemnifies Discovery Health for any "data leakage" that may occur through ignorance or stupidity on behalf of your doctor, or his receptionist. i.e. if they screw up or misuse the data, you can't sue Discovery.

    DO NOT sign a HealthID consent form. EVER. If you do, you are effectively allowing unspecified healthcare providers full access to the most private and gory details of your medical history.

    At the meeting they agreed to remove my medical history from their web site. Best of luck getting the call centre to do the same for anyone else.
    Donn Edwards
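    The posts above (and again in #54) hinge on a web site accepting "passw0rd" as a login password. As an added defender-side illustration, not code from the forum or from Discovery, here is a password check that normalizes common digit-for-letter substitutions before consulting a blocklist, so that "passw0rd" and "P@ssw0rd!2012" are rejected along with "password". The blocklist, minimum length and sample candidates are constructed for the example.

```python
import re

# Constructed sample blocklist. A real deployment would load a large list of
# breached/common passwords (hundreds of thousands of entries), not this handful.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "iloveyou", "discovery"}

# Common "leet" substitutions people use to sneak a banned word past a naive check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a candidate password to the dictionary word it is built from:
    lowercase, drop trailing digits/punctuation (the '2012' or '!' suffix),
    then undo digit-for-letter substitutions so 'Passw0rd!' -> 'password'."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET)


def weakness_reasons(password: str, min_len: int = 12) -> list:
    """Return the reasons a password should be rejected; an empty list means OK."""
    reasons = []
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if password.isdigit():
        reasons.append("digits only")
    base = normalize(password)
    # Substring match catches 'mypassword' as well as the bare word.
    if any(word in base for word in BLOCKLIST):
        reasons.append("built on a blocklisted word after normalization")
    return reasons


if __name__ == "__main__":
    for candidate in ["passw0rd", "P@ssw0rd!2012", "correct horse battery staple"]:
        print(repr(candidate), weakness_reasons(candidate) or "accepted")
```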

  6. #51
    ld13

    I don't know what to say. I am going to have to reserve my comments until I've had a go at the app and had a look-see at what functionality it can provide.

    But I would guess that the amount of red tape to get proper access will be quite extensive. Would first need to get our optometrist registered on Discovery using his ID number, practice number and HPCSA number. Hopefully Discovery will get back to us with a username and password before next week.

  7. #52
    Hemi300c

    Quote Originally Posted by donn_edwards
    Hi everyone
    Please read my blog post
    "Discovery Health's Electronic Health Record: not good"
    http://donnedwards.openaccess.co.za/...ic-health.html
    Might I suggest you take these matters up with their compliance officer and Key Individual, as he/she is accountable and needs to ensure that they are compliant. If they are trading and found not to be compliant, mention the FSB and as sure as hell they will ensure they are, asap.

  8. #53
    Fudzy

    What exactly are you worried about?

  9. #54


    Quote Originally Posted by Fudzy
    What exactly are you worried about?
    Both my wife and I suffer from potentially embarrassing medical conditions. Discovery wants to splab about these conditions to any healthcare provider who asks. I choose to be a little more discreet, and only tell those who actually need to know.

    Given the potential for serious data leakage on this system (as compared to paper files) I think this is not only prudent but essential.

    Quote Originally Posted by Hemi300c
    Might I suggest you take these matters up with their compliance officer and Key Individual as he/she is accountable and need to ensure that they are compliant. If trading and found not to be compliant mention the FSB and as sure as hell they sure will ensure they are asap.
    I took it up with the CEO, Dr Bloomberg, and had a meeting with the COO Dr Ryan Noach and the Chief Information Officer. Who else would you suggest?

    Quote Originally Posted by ld13
    I don't know what to say. I am going to have to reserve my comments until I've had a go at the app and had a look-see at what functionality it can provide.

    But I would guess that the amount of red tape to get proper access will be quite extensive. Would first need to get our optometrist registered on Discovery using his ID number, practice number and HPCSA number. Hopefully Discovery will get back to us with a username and password before next week.
    Before you do so, read the "Consent and Waiver" statement (on my blog article) and decide if you want to subject your patients or your family to such legal irresponsibility. I refuse.

    Why would your optometrist need to know what medication I'm on? I have no way of preventing him from finding out once HealthId is expanded to include optometrists and dentists.

    While you are looking at the functionality, consider the security from a patient point of view: any signature will do, and Discovery will hold you responsible if someone hacks/steals/misuses your iPad. And since the system will allow you to have a password as insecure as the word "passw0rd", good luck to you claiming from your malpractice insurance when you get hacked or your iPad is lost or stolen.

    Consider the case of technology journalist Mat Honan, whose MacBook and iPhone were wiped and who lost a year's worth of baby photos in the process: "Mat Honan's Very Bad Weekend" (transcript).
    Donn Edwards

  10. #55


    Quote Originally Posted by donn_edwards
    At the meeting they agreed to remove my medical history from their web site. Best of luck getting the call centre to do the same for anyone else.
    On Tuesday the Discovery Health COO confirmed that my health records would not be published:
    Sent: 14 August 2012 20:58

    Hi Donn

    [snip]

    I confirm that we will block all and any access to all health records associated with your policy.

    Regards

    Ryan

    Dr Ryan Noach
    COO
    Discovery Health

    Today I am told that they need more time.

    It seems they don't have the tools to do this, even though I was assured that it could be done. Why am I not surprised?

    Update: Dr Ryan Noach assures me my EMR will be removed by Monday.

    Best of luck to anyone else trying to get their EMR removed by phoning the call centre.
    Last edited by donn_edwards; 16-08-2012 at 10:27 PM. Reason: Update
    Donn Edwards

  11. #56


    My "Health Record" is no longer published on the Discovery web site. It remains to be seen whether any doctor can access it.

    The latest Noseweek (#155, Sept 2012) has a story about this: "Discovery's Apple a day won't keep the doctor away"
    Donn Edwards

  12. #57


    I got the hard-sell spam from Discovery today.

    I am uneasy about my dentist knowing about my haemorrhoids... (if I had either!)

    Is there any further evidence that Discovery have tightened security on this thing?

  13. #58


    Quote Originally Posted by scudsucker
    Is there any further evidence that Discovery have tightened security on this thing?
    None. They won't divulge the contact details of the audit team at KPMG. I called KPMG and asked them to call me back. That was two weeks ago.

    The doctor's logon timeout is set to 3 minutes (if memory serves me correctly). That means the doctor has to log in each time he sees a new patient. If he's doing it that often on an iPad, how simple do you suppose his password will be? How many times have we seen that convenience is the enemy of security?

    Don't allow your doctor to access your EMR until he can prove that there is two-factor authentication on the app. And since the app has not been updated since 12 June 2012, you can be sure it isn't there yet.
    Donn Edwards
