Discovery HealthID: kiss your medical history's privacy goodbye

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
173
Reaction score
1
Location
Cresta, Johannesburg
HealthId.jpg


I would like to draw everyone's attention to the security flaws in the Discovery Health iPad app: there is no security at all. Furthermore, Discovery's servers will automatically trust any iPad that claims to provide "permission" from the client, and tell the iPad user anything they want to know about the user's medical history, claims, chonic conditions, and so on.

My blog article gives more details, but essentially the problem is this: Discovery Health will publish your medical history to anyone who requests it, and you can't prevent it from happening. You can authorise it in advance, but you can't stop it in advance.

If the doctor happens to lose his iPad on a plane, or have it stolen from his office, or even just accessed by someone in his office, there is nothing in place to prevent this from happening. And there are plenty of life insurance companies who would be most interested in knowing exactly what medication you claim for, how often you visit a psychologist or psychiatrist, and so on. Not to mention marketing companies.

Right now we are protected because the information is scattered in diverse paper files and offline accounting systems, but the HealthID app aims to centralise it all on Discovery's servers, where they can look at the data captured by your doctor, along with their own.
 
Are you sure there isn't a login required for each users information each time it is needed? Discovery is a smart company, I wouldn't expect them to put out an app with such a serious flaw.
 
And there are plenty of life insurance companies who would be most interested in knowing exactly what medication you claim for, how often you visit a psychologist or psychiatrist, and so on.
I cannot see that this will be a bad thing? Unless you are dishonest and claim fraudulently?

Are you sure there is no login procedure?
 
Centralising the data is never a bad thing, access control is though. I'd wait for the system to be up officially. Have you tried sending these security findings through to them?
 
In terms of the law and being a Financial Services Provider they will need to abide by the law and client information and the allowing of the information to get out will not be looked on lightly by the powers that be.
 
In terms of the law and being a Financial Services Provider they will need to abide by the law and client information and the allowing of the information to get out will not be looked on lightly by the powers that be.

Discovery Health is not a Financial Services Provider.
 
Yes, they are.

Last time I checked, Discovery Health didn't offer any Financial services - they are a medical aid scheme. The financial services are provided by Vitality/FNB.
 
Last time I checked, Discovery Health didn't offer any Financial services - they are a medical aid scheme. The financial services are provided by Vitality/FNB.

Medical Aid = short term insurance -> Financial service.

Check again.
 
Discovery credit card...

Re-branded FNB card

here you go:

In South Africa, we operate in the health insurance market through Discovery Health, the life assurance market through Discovery Life, the financial services market through Discovery Invest and DiscoveryCard and in the wellness arena through Discovery Vitality. All operating subsidiaries are 100% owned by Discovery.
 
Any and all insurance companies are financial service providers or resell insurance policies underwritten by financial service provider. It is a legal requirement to be licensed to underwrite insurance policies of any kind. The license is incredibly expensive.

Furthermore access to medical information is strictly protected. As a software developer for an ex-insurance company, I can tell you now that the medical information is incredible well guarded.

The lady who did lab tests worked in her own office (we had open plan, not even the CEO had his own office), reported directly to the CEO of the business unit, had phone with no recording equipment on it, etc.

We were explicitly told the company could be liable for millions, if say, your HIV status became known because of a security flaw in their system.

EDIT:
LOL can't believe you didn't see this:

http://www.discovery.co.za/portal/

Bottom of the page:
Discovery is an Authorised Financial Services Provider
 
you need to be registered with disovery as a provider for the app. you'll need a practice number and your hpcsa details. also LOL at the hysteria behind insurance companies stalking doctors to get hold of their ipads to access discovery's data. really.
 
Discovery Health, not Discovery, get your divisions right. You guys tend to forget the discovery group is a few companies (life, health, card, vitality)

Medical aid is a financial service.

This is what Gnome is trying to get you to understand.
 
Top
Sign up to the MyBroadband newsletter