Discovery HealthID: kiss your medical history's privacy goodbye

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174


I would like to draw everyone's attention to the security flaws in the Discovery Health iPad app: there is no security at all. Furthermore, Discovery's servers will automatically trust any iPad that claims to provide "permission" from the client, and tell the iPad user anything they want to know about the user's medical history, claims, chronic conditions, and so on.

My blog article gives more details, but essentially the problem is this: Discovery Health will publish your medical history to anyone who requests it, and you can't prevent it from happening. You can authorise it in advance, but you can't stop it in advance.

If the doctor happens to lose his iPad on a plane, or have it stolen from his office, or even just accessed by someone in his office, there is nothing in place to prevent this from happening. And there are plenty of life insurance companies who would be most interested in knowing exactly what medication you claim for, how often you visit a psychologist or psychiatrist, and so on. Not to mention marketing companies.

Right now we are protected because the information is scattered in diverse paper files and offline accounting systems, but the HealthID app aims to centralise it all on Discovery's servers, where they can look at the data captured by your doctor, along with their own.
 

Guantanamo

Expert Member
Joined
Dec 8, 2009
Messages
1,855
Are you sure there isn't a login required for each user's information each time it is needed? Discovery is a smart company, I wouldn't expect them to put out an app with such a serious flaw.
 

MyWorld

Executive Member
Joined
Mar 24, 2004
Messages
5,001
And there are plenty of life insurance companies who would be most interested in knowing exactly what medication you claim for, how often you visit a psychologist or psychiatrist, and so on.
I cannot see that this will be a bad thing? Unless you are dishonest and claim fraudulently?

Are you sure there is no login procedure?
 

Fudzy

Guest
Centralising the data is never a bad thing, access control is though. I'd wait for the system to be up officially. Have you tried sending these security findings through to them?
 

daveza

Honorary Master
Joined
Apr 5, 2004
Messages
36,327
If this is true they should start scheduling court appearances.
 

Hemi300c

Honorary Master
Joined
Dec 15, 2009
Messages
20,212
In terms of the law and being a Financial Services Provider, they will need to abide by the law regarding client information, and allowing the information to get out will not be looked on lightly by the powers that be.
 

2012

Executive Member
Joined
Jan 22, 2012
Messages
8,526
In terms of the law and being a Financial Services Provider, they will need to abide by the law regarding client information, and allowing the information to get out will not be looked on lightly by the powers that be.
Discovery Health is not a Financial Services Provider.
 

2012

Executive Member
Joined
Jan 22, 2012
Messages
8,526
Yes, they are.
Last time I checked, Discovery Health didn't offer any financial services - they are a medical aid scheme. The financial services are provided by Vitality/FNB.
 

Griz

Expert Member
Joined
Sep 15, 2010
Messages
1,199
Last time I checked, Discovery Health didn't offer any Financial services - they are a medical aid scheme. The financial services are provided by Vitality/FNB.
Medical Aid = short term insurance -> Financial service.

Check again.
 

2012

Executive Member
Joined
Jan 22, 2012
Messages
8,526
Discovery credit card...
Re-branded FNB card

here you go:

In South Africa, we operate in the health insurance market through Discovery Health, the life assurance market through Discovery Life, the financial services market through Discovery Invest and DiscoveryCard and in the wellness arena through Discovery Vitality. All operating subsidiaries are 100% owned by Discovery.
 

Gnome

Executive Member
Joined
Sep 19, 2005
Messages
5,779
Any and all insurance companies are financial service providers or resell insurance policies underwritten by a financial service provider. It is a legal requirement to be licensed to underwrite insurance policies of any kind. The license is incredibly expensive.

Furthermore, access to medical information is strictly protected. As a software developer for an ex-insurance company, I can tell you now that the medical information is incredibly well guarded.

The lady who did lab tests worked in her own office (we had open plan, not even the CEO had his own office), reported directly to the CEO of the business unit, had a phone with no recording equipment on it, etc.

We were explicitly told the company could be liable for millions, if say, your HIV status became known because of a security flaw in their system.

EDIT:
LOL can't believe you didn't see this:

http://www.discovery.co.za/portal/

Bottom of the page:
Discovery is an Authorised Financial Services Provider
 

zeridine

Senior Member
Joined
Mar 11, 2007
Messages
946
You need to be registered with Discovery as a provider for the app. You'll need a practice number and your HPCSA details. Also, LOL at the hysteria behind insurance companies stalking doctors to get hold of their iPads to access Discovery's data. Really.
 

Lycanthrope

Honorary Master
Joined
Oct 26, 2006
Messages
13,279
Discovery Health, not Discovery, get your divisions right. You guys tend to forget the discovery group is a few companies (life, health, card, vitality)
Medical aid is a financial service.

This is what Gnome is trying to get you to understand.
 