Discovery HealthID: kiss your medical history's privacy goodbye


Fudzy

Guest
You need to be registered with Discovery as a provider for the app. You'll need a practice number and your HPCSA details. Also LOL at the hysteria behind insurance companies stalking doctors to get hold of their iPads to access Discovery's data. Really.

What I don't get is how fraudulent people are trying to be. If you have existing medical condition and lie about it to get better/cheaper insurance you deserve whatever comes at you if they find out you lied in a legally binding contract.
 

zeridine

Senior Member
Joined
Mar 11, 2007
Messages
966
I have a feeling the whole health ID is a cover for discovery to move into the practice billing space, to bypass 3rd parties like mediswitch and QEDI etc. ...i might be wrong though.
 

2021

Executive Member
Joined
Jan 22, 2012
Messages
9,511
Medical aid is a financial service.

This is what Gnome is trying to get you to understand.

And what I'm trying to get you all to understand is that Discovery Health isn't, the parent company (Discovery Group) is. It's a nice mess Discovery somehow managed to pull off so that it can "steal" money off of the schemes without causing a stir by selling services to itself...

Actually, never mind, it's beyond you all.

/care
 

Kosmik

Honorary Master
Joined
Sep 21, 2007
Messages
21,266
And what I'm trying to get you all to understand is that Discovery Health isn't, the parent company (Discovery Group) is. It's a nice mess Discovery somehow managed to pull off so that it can "steal" money off of the schemes without causing a stir by selling services to itself...

Actually, never mind, it's beyond you all.

/care

Fail troll is well.....fail.
 

eltherza

Expert Member
Joined
Apr 19, 2007
Messages
3,332
I would like to draw everyone's attention to the security flaws in the Discovery Health iPad app: there is no security at all.

Has anyone let Discovery know? As big as discovery is, perhaps it just slipped them by?
 

Kosmik

Honorary Master
Joined
Sep 21, 2007
Messages
21,266
Don't understand how discovery works... call troll.

Fail post is fail.

No, resorting to insulting members is trolling, not the discussion regarding your semantics over a member of the group versus the group.

/added to ignore due to lack of interest.
 

Lycanthrope

Honorary Master
Joined
Oct 26, 2006
Messages
13,279
And what I'm trying to get you all to understand is that Discovery Health isn't, the parent company (Discovery Group) is. It's a nice mess Discovery somehow managed to pull off so that it can "steal" money off of the schemes without causing a stir by selling services to itself...

Actually, never mind, it's beyond you all.

/care

Let's try repeating this, shall we? Medical aid is a financial service. To legally provide medical aid (read: financial insurance) in South Africa, you need to be a registered financial services provider.

It's not "us" who this is clearly beyond.
 

eltherza

Expert Member
Joined
Apr 19, 2007
Messages
3,332
Let's try repeating this, shall we? Medical aid is a financial service. To legally provide medical aid (read: financial insurance) in South Africa, you need to be a registered financial services provider.

It's not "us" who this is clearly beyond.

Easy way to settle this:

Financial Advisory and Intermediary Services Act defines

----------------------------------------------------
"financial product" means, subject to subsection (2)

a health service benefit provided by a medical scheme as defined in
section 1 (1) of the Medical Schemes Act, 1998 (Act No. 131 of
----------------------------------------------------

Medical schemes are subject to needing to be part of Authorised Financial Services Providers.
 

Hemi300c

Honorary Master
Joined
Dec 15, 2009
Messages
23,118
Authorised Financial Service Provider

FSP No 18564
FSP Name DISCOVERY HEALTH (PTY) LIMITED
FSP Type Company - Private
Registration Number 1997/013480/07
Date Authorised 17/08/2005

If you have any enquiries please contact the FSB call centre - 0800 110 443
 

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
Are you sure there is no login procedure?

Only the "doctor" has to log in. You give your "consent" by "signing" the iPad with your finger. You only do this once, and the doctor has up-to-date information on you unless you revoke permission at some point in the future. At no point does the patient have to log in. :wtf:

Centralising the data is never a bad thing, access control is though. I'd wait for the system to be up officially. Have you tried sending these security findings through to them?

The system is already up and running. I tried their call centre on Monday and got the usual runaround for about an hour. :sick: I have managed to email their CEO, who was initially quite smug and condescending, but is now trying to pass me off to their HealthID team. Hopefully something will come of this.

By chance, did Black and White Inc lose the contract to develop this app?
Good question! No, I don't develop anything for the iOS platform, or any other mobile device. I develop database software. I'm not a security consultant, but I am responsible for keeping the information of around 300,000 medical patients from being stolen or disclosed. So I have given this topic a lot of thought over the last 8 years or so.

I have a feeling the whole health ID is a cover for discovery to move into the practice billing space, to bypass 3rd parties like mediswitch and QEDI etc. ...i might be wrong though.

That would make more sense than the PR BS they are using to sell the idea to the public. I don't know whether doctors would want to personally do all the billing, so there is something else going on. I wonder whether they are trying to get the doctor's patient notes stored on the system. They haven't denied this.

Has anyone let Discovery know? As big as discovery is, perhaps it just slipped them by?
That is a terrifying thought. However, Noseweek did an article about it in July, so they know.

"Professor Keymanthri Moodley, head of the Centre for Medical Ethics and Law at Stellenbosch University, believes the electronic consent form fails to meet National Health Act requirements for consent when it comes to full disclosure to patients of the risks, benefits, alternatives and costs." The full text of the article is here

As I pointed out in my blog article, Discovery is a financial service that I trust as far as I trust my bank manager. They have disclosed my personal information in the past.

My discussions with their CEO have been "interesting" to say the least. I really think the CEO has no idea how insecure their system is, even after I have spelled it out in detail to him. The security on their web site is decidedly shoddy, and certainly not up to the standard of the FNB banking web site. Yet the information is just as sensitive, if not more so. They have 6-character passwords, and no notification to the client (even via email) of when anyone logs in.
 

ToxicBunny

Oi! Leave me out of this...
Joined
Apr 8, 2006
Messages
95,513
Only the "doctor" has to log in. You give your "consent" by "signing" the iPad with your finger. You only do this once, and the doctor has up-to-date information on you unless you revoke permission at some point in the future. At no point does the patient have to log in. :wtf:

Ummm, that's what your fingerprint is, your "login".

The system is already up and running. I tried their call centre on Monday and got the usual runaround for about an hour. :sick: I have managed to email their CEO, who was initially quite smug and condescending, but is now trying to pass me off to their HealthID team. Hopefully something will come of this.

Well, surely it's something their HealthID team will have to deal with (if your allegations are true); it's not like the CEO can fix the problems himself.


Good question! No, I don't develop anything for the iOS platform, or any other mobile device. I develop database software. I'm not a security consultant, but I am responsible for keeping the information of around 300,000 medical patients from being stolen or disclosed. So I have given this topic a lot of thought over the last 8 years or so.

Sounds suspiciously like a jealous competitor who either didn't think of doing what Discovery are doing, or hasn't been able to get their product to market yet.

That is a terrifying thought. However, Noseweek did an article about it in July, so they know.

"Professor Keymanthri Moodley, head of the Centre for Medical Ethics and Law at Stellenbosch University, believes the electronic consent form fails to meet National Health Act requirements for consent when it comes to full disclosure to patients of the risks, benefits, alternatives and costs." The full text of the article is here

As I pointed out in my blog article, Discovery is a financial service that I trust as far as I trust my bank manager. They have disclosed my personal information in the past.

Ummm, every company discloses your personal information often....
 

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
Ummm, that's what your fingerprint is, your "login".
It's not your fingerprint. iPads can't do fingerprints. Watch the video at http://www.discovery.co.za/healthid
They clearly show someone using their fingertip to "write" their signature on the screen.

AFAIK, Discovery doesn't have my signature on file, unless they have scanned my application from 1998. They certainly haven't asked if my signature has changed since then. So I must assume that the "signature" recorded by the iPad is not verified against anything else. It's just a Cover Your Arse move on their part, not a security check.

Well, surely it's something their HealthID team will have to deal with (if your allegations are true); it's not like the CEO can fix the problems himself.
If the CEO keeps denying there is a problem, who is going to fix it? Everyone I have spoken to at Discovery is blissfully confident that their system is "perfectly safe". This will probably change once they get hacked, but by then it's too late.

Sounds suspiciously like a jealous competitor who either didn't think of doing what Discovery are doing, or hasn't been able to get their product to market yet.
Please understand: I do database programming work using Microsoft Access and Microsoft SQL Server. I have more than enough work on my plate. I really don't need any more.

My motivation for raising these concerns is that it is obvious to me how easy it is for the HealthID system to be subverted, and I'm not prepared to allow Discovery to blab all over the internet about my health issues. They are embarrassing, dammit.

What's more, as a financial services provider they are required by law to keep my data confidential. They have violated that law in the past, and seem hell-bent on violating it on an even grander scale now.

Ummm, every company discloses your personal information often....
Precisely. But few companies have the kind of information that can cause public embarrassment or financial loss. My bank is quite keen to ensure my funds aren't stolen. They are required to keep my financial dealings confidential, yet they are quite happy to report my failings to the credit agencies.

Now it seems that my medical aid wants to share all my human weaknesses and problems with the entire medical community, and anyone else clever enough to hack their system. Do you really think I want everyone to know about my health issues?

Privacy has long been a concern of mine. My blog has 69 posts labelled Privacy since 2006.

Until now, the only way someone on the internet could access my health information was to guess my user name and password on their web site. I use a unique password for this site, so even if they tried all the leaked information from LinkedIn or Last.fm, it wouldn't help. Even so, assuming a hacker gained access to my profile on www.discovery.co.za, the web interface is not particularly helpful, except that it lists all my Chronic and day-to-day medication, fortunately without the ICD-10 codes. For some reason it doesn't list my wife's medication, but I'm sure they'll fix that pretty soon.

The web interface is clunky and not particularly fast. But the iPad app, by necessity, needs an API of some sort to access the data. This is far more efficient for data extraction, and since the security model is so weak, the iPad app can be reverse-engineered to access the data far more efficiently. Given Discovery's "denial mode" at present, do you really think they would shut off access to their servers in the event of a weekend hacking exercise? I doubt it. Their call centre closes at midday on Saturday and opens at 8am on Monday. How many records could you retrieve during that 40-hour window?
 

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,287
I'm not seeing the problem here. You authorise access to your doctor. They login to a system to view these details. This login is secure. If the iPad is stolen, the new "owner" will still require the login details to view your details.

What is the big deal here?
 

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,287
Discovery Health is not a Financial Services Provider.

Discovery Health is most certainly an authorised financial services provider. Absolutely every single business unit of theirs requires that they are. What exactly are you arguing here?
 

ToxicBunny

Oi! Leave me out of this...
Joined
Apr 8, 2006
Messages
95,513
I'm not seeing the problem here. You authorise access to your doctor. They login to a system to view these details. This login is secure. If the iPad is stolen, the new "owner" will still require the login details to view your details.

What is the big deal here?

The big deal is this oke is bitter that Discovery beat him to market on an idea I reckon...
 

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,287
The big deal is this oke is bitter that Discovery beat him to market on an idea I reckon...

Donn's in the military IT space if memory serves correctly. He has, in the past, had valid bitches and moans. Not too sure about this one though...
 