Thursday, August 16, 2012

Part 3: Discovery Health ducking and diving over HealthID

HealthID QR CodeIn spite of all the press releases and marketing sales pitch, it turns out that Discovery Health wasn't entirely truthful to me: On Tuesday the COO of Discovery Health promised in writing
"I confirm that we will block all and any access to all health records associated with your policy."
During the meeting I was assured that they already had the ability to do so, and I gave one of the executives my Discovery membership number. Today I checked whether my EHR (Electronic Health Record) was still available online, and it is. Bear in mind that I have never given permission for Discovery Health to publish this information, and they have never asked. So I wrote to the CEO:
Dear Jonathan
The meeting with Dr Noach and others on Tuesday has left me with more questions than answers, and I get the distinct impression that I am being stonewalled.
In the meeting I was assured that my Health Record would be removed from your web site. I provided my DH membership number to Ryan in a follow-up email. I attach the health record that I printed out this morning. It looks exactly the same as the one I complained about at the meeting. As you can see, it contains sensitive and embarrassing information that (a) I have never given
Discovery Health permission to publish; and (b) your COO assured me would be removed.
It would appear that "Jonny" is out of the office for a few days, so the reply came from Ryan, the COO:
Donn
Your email to jonny [sic] seems to give the impression that we have not been in constant and regular contact over the past few days. It is important to point out that as per the multiple and ongoing interactions, we remain open to your suggestions and transparent about our attempts to continually improve the security on both our web and HealthID platforms.
We are conforming with international best practice, seeking external audit verification thereof and on a continuous improvement pathway with a view to ongoing enhancements of the security platform, possibly including some of your suggestions.
Insofar as your health record is confirmed, we will honour our undertaking to remove this from the web. Please allow us the time to do so.
Sincerely
Ryan
My reply was:
Ryan
I was under the impression it would be done on Tuesday. You confirmed it would be done. How much time do you need? A week? A month? A year? Please clarify. I get the distinct impression, Dr Noach, that you are being evasive. Please be straight with me: do you currently have the facility to remove my data, or is someone going to have to develop it?
I did not give Discovery Health permission to publish my medical record. Please remember that. My patience is limited.
Donn
The reply:
The health record will be blocked by Monday
So apart from the nauseating corporate double-speak, they have said very little. They "remain open to my suggestions" even though Dr Noach personally dismissed or ignored most of them, and said they would take them "under advisement" since they were only "opinions" and "suggestions". He says they are already "conforming to international best practices" when this is demonstrably not the case: international best practice for password strength does not allow for loopholes like "passw0rd".
Was my meeting with them not an indication of their willingness to listen? Sure, if you discount the fact that I got nothing out of phoning their call centre. After being stonewalled there (I was told to email healthinfo@discovery.co.za; and that it was "impossible" to speak to anyone on the HealthID team) I eventually spoke to a manager who promised to send me answers to my questions; he certainly couldn't answer them.
That's when I contacted the Media Relations department and emailed them a link to the article "Discovery HeathID: kiss your confidentiality and privacy goodbye". They passed this link on to the CEO, Dr Jonathan Broomberg. He promised to call me. Yeah, right. He assured me

If you choose not to give the consent, your data remains entirely private. Does this address your concern?
It didn't. Several emails later, he wrote:
I am not sure that resolving this by email is that constructive. I can only assure you that our intentions in developing HealthID are only positive - we passionately believe that this will improve the quality of care provided by doctors to our members. We are cognisant of the security issues, and continually take advice and review security in order to minimise the risks that you outline in your emails. I would be happy to arrange for you to meet with our team working on this, if you believe that would be worthwhile. We are absolutely open to any feasible suggestions on how to improve the security of this information.
So far, so good. The meeting destroyed most of that. Some of them listened, and I have been assured by the CIO that
"... we are taking our systems security very seriously and we will certainly consider your points in our roadmap."
What does that mean, exactly? I have no idea.


I decided on another tack, and wrote to Ryan:

Can you give me the contact details of the people who did the security audit of the Discovery web site?
How's this for a weird reply?
The audit report is for internal consumption and is presented to the relevant board audit and other sub committees.
All I wanted to ask them was about the "passw0rd" loophole. Stonewalled. They need to get a clue.

The call centre stonewalled me on another issue: what does the consent form say? I was told they "don't have a copy of the consent form, and it changes from doctor to doctor, and the doctor would explain it to me." That's odd: healthinfo@discovery.co.za were happy to send me the PDF, along with another file that "explains" more. An ironic part of this file reads:

When you sign this consent, you acknowledge that you understand that the Electronic Health Record contains details about any chronic condition(s) you may have, as well as pathology results, which includes blood tests.
Notice how they leave out the bit about your HIV status.
Your signature also confirms that you understand how we safeguard this confidential information and how we comply with laws about dealing with confidential information of this kind.
And how do they do this? They make you sign a waiver:
I agree that by making this information available, Discovery Health (Pty) Ltd and the Scheme are not responsible for any loss (whether direct or indirect) that may arise from the use of this information. I agree that I may not hold Discovery Health (Pty) Ltd or the Scheme responsible for any loss that may result from the incorrect use or disclosure of the information by my healthcare provider.
In "media relations" circles this is known as "spin". A more accurate english word is "lies".

Emergency HealthID
"Emergency personnel are able to scan a unique QR code on your car sticker and digitally access your membership and medical information when you’re not able to give it to them."What this actually means is that anyone can read this information from your car sticker in any parking lot. So is the QR code a reference number, or does it contain actual data? I asked:
In the case if the Emergency QR code, who can gain access by using the QR code? Any paramedic? Hospital doctor? Anaesthetist?
The reply was:
The use of QR codes will probably grow over time, but initially the emergency QR is intended for the paramedics to have access to vital (life saving) information, which is often critical during the “golden hour” that has a major influence on the final outcome.
HUH? So I asked:
WHO gets access to the QR Code? Is the QR code some kind of reference number, or does it contain the “Golden Hour” information itself, like a MedicAlert bracelet?
Hopefully the former, and not the latter. Watch this space.


I posed another question:

Doctor A has his own practice for 3 years and signs up 200 patients on HealthID.
Then he gets together with Doctors B and C to form a new practice ABC.
a) Does he have to get consent from those 200 patients again?
b) Are the consenting patients notified that this PR number has changed?
Do Doctors B and C automatically have access to the files of those 200 patients?
If Doctor C leaves the practice does he still have access to any of his patients, or do they all need to consent again?
The reply:
You have outlined a number of scenarios. I think that the following points will address them:
  1. Every individual doctor has to request member consent to gain access to each of our member’s/their patient’s records.
  2. The consent is “doctor-specific”, not “practice-generic”. No doctor gets automatic consent because of his/her practice affiliation.
  3. Doctors have access to the member records until the member revokes the consent, or the doctor no longer uses the HealthID service.
  4. If the member revokes the consent and then visits the doctor again, the doctor will have to ask the member for his consent again.
Please let me know if I missed anything.
So if doctor C leaves the practice, he takes all his HealthID patients with him, whether doctors A and B like it or not. They are powerless to stop him, since although his Practice (PR) number may change, his medical registration (MP) number remains the same, and that is tied to the doctor's
Discovery login.
What happens if the MP number is changed? How do you know if an MP number is still valid?
The reply:
As you will appreciate doctors details are very important to us and we continuously verify the information.
I'm sure they do. After all, not all doctors are ethical.



Update: On a separate note, DiscoveryCard finally apologised for leaking my private contact details for marketing purposes to AutoPage. Nearly six years late ;-)

Update: Discovery has lied to the public and bullied the industry, according to this GP.

Tuesday, August 14, 2012

Part 2: Discovery Health's Electronic Health Record: not good

Today I had a meeting with both the COO and CIO of Discovery Health. Heady stuff, except that the COO, Dr Ryan Noach, has the "bedside manner" of earthmoving equipment. It's not often that I get lectured to for interrupting. He clearly hasn't lost the "God Complex" that afflicts many doctors.
When I pointed out that as far as I was concerned, Discovery Health was a financial services provider, whose job it was to process my medical aid claims, he denied this. Discovery Health, it seems, has delusions of grandeur: they are now a company that provides an online Electronic Health Record (EHR) to unspecified healthcare providers.
And its amazing how evasive he got when I asked for more specific details: My GP can access the scheme, but not my Dentist. What about my Cardiologist? They changed the subject.

The "consent" agreement is clearly a CYA document:
Discovery takes all reasonable steps to protect personal information and maintain confidentiality. By signing below, I give Discovery Health (Pty) Ltd and my medical scheme, being a medical scheme administered by Discovery Health (Pty) Ltd (“Scheme”), permission to release my Electronic Health Record (EHR) to my healthcare provider. This includes details about chronic condition(s), benefit plan details, certain biographical data and pathology and radiology results. This may include information related to HIV/Aids.
I understand that once Discovery Health (Pty) Ltd and the Scheme have handed my records to the healthcare provider, they have no further control over this information and that they will not be accountable for the safeguarding of this information. I do understand that the healthcare provider has confirmed to Discovery Health (Pty) Ltd that he/she will treat my health records as confidential and in line with the relevant legislation.
I agree that by making this information available, Discovery Health (Pty) Ltd and the Scheme are not responsible for any loss (whether direct or indirect) that may arise from the use of this information.
I agree that I may not hold Discovery Health (Pty) Ltd or the Scheme responsible for any loss that may result from the incorrect use or disclosure of the information by my healthcare provider.
So in spite of assurances from the very top that the HealthId iPad app is "secure", the first thing you have to sign is a waiver that says that Discovery is irresponsible not responsible. Most lawyers call this a "Consent and Waiver" agreement. Discovery's BS marketing department leaves out the "waiver" part. We don't want to startle the animals.
Dr Ryan NoachDr Noach asserted that Discovery was "willing to listen" to my concerns, but "would take [my] suggestions under advisement". After all, they are only my opinion, and other people have other opinions. (Did someone say "God Complex"? Maybe he was just playing the "bad cop" role. Who knows, but it certainly didn't come across as sympathetic, just arrogant.) I pointed out that the Discovery web site allows me to choose "passw0rd" as a password without even the slightest hint that it is completely insecure. I mentioned the web site "how secure is my password" for some code on how to warn users of insecure passwords. In the past the Discovery web site only displayed claim details, without stating the medication being claimed for. Now it contains a full Electronic Health Record and Medical History. I hope they will take this suggestion seriously, and also warn users not to use the same password that they use anywhere else.
When I said that I wanted two-factor authentication, they came up with a whole bunch of excuses about why this was "impractical". "We deal with very old and very sick patients who don't have cell phones". This is the reason why they can't send an authentication code as part of the "consent and waiver" process. But in the same breath, I'm assured that this process is secure because the moment I sign the "consent" form, I'll receive both an SMS telling me the dirty deed is done, as well as an email with a copy of the "signature" provided. (I'm not sure how the elderly and very sick check their emails). But now that the horse has already bolted, I can always phone their call centre or log on to the web site to cancel the "consent". I pointed out that this wasn't always practical: the call centre isn't always open, for starters. "If I'm in Antarctica should I worry about this as well" was Dr Noach's sarcastic response. So much for "listening". WTF?
Despite that, they are working on some unspecified cell phone authentication process. In a month's time the iPad app will get an independent security audit from KPMG. These are the same people who verified that the Discovery web site as being "secure" 3 months ago. They got very defensive when I said that I didn't think they were taking security seriously: I pointed out that they have rolled out the HealthID program to over 400 doctors and just sent out an email to all their members extolling its virtues, in spite of my security concerns and the Noseweek article. Dr Noach doesn't think much of my blog or Noseweek. He's happy to listen to KPMG's experts instead. These are the same experts who didn't check for "passw0rd". I have subsequently received details from Vladi Belev (Enterprise Architect at Discovery Health) of the multiple security measures in place on their systems. It is reassuring to know that at least their IT division takes enterprise security seriously.
On a more bizarre note, we had a brief discussion of how there is basically no privacy left in the medical industry. In other parts of the world, doctors regard EHR as a right, not a privilege. Patients basically are expected to sign away their privacy to anyone godlike enough to call himself a doctor. Discovery Health has clearly embraced this model. When I asked them "When did I give you permission to make this information available online?" The reply was: when you sign the "consent". That's another way of saying "No, you haven't given us permission yet, but you will." So when their catchy PR email says: "HealthID: The technology that puts your health records in your doctor's hands" they don't mean that he can hold the iPad in his hands. They mean that they will happily make the doctor responsible for the security of the private, sensitive data they have collected, whether he has the expertise to do so or not.
One important concession I obtained: they agreed to remove my medical history from their web site. This isn't available for everyone (yet), only if you kick up enough fuss. Phone their call centre and ask for it to be done. If they refuse, or duck and dive, then ask to be put through to the COO. And be sure to ask for the name of the luckless call centre agent who refuses, and note the time of your call.

Part 1 | Part 2 | Part 3


Update: ITWeb has an article that explains how your Vitality info, pathology results and other info will be made available to doctors, hospitals and emergency personnel.
Broomberg says Discovery was concerned with the growing problems of fragmentation between all the role players within the health system.
“Doctors, hospitals, pathology and radiology are all separate practices, and this results in lack of co-ordination, and limited or no sharing of critical health information that would enable doctors to make more informed decisions or reduce inefficiency in the system,” he explains.
Emergency personnel will scan a QR Code on a car sticker Or other location to access your data. How secure is that going to be? The mind boggles.
According to IOL, they will pay doctors to use the app.
Once the patient reads the consent waiver and agrees to allow the doctor access to their medical records, they can no longer withhold that information from the doctor. It is an all or nothing deal, though Discovery Health may be developing limiting tools in the future.
Doctors use the app at no extra cost to them or their patients. In fact, doctors can earn an additional R15 per consult if they use the app for 50 percent of their Discovery Health consultations daily.

Update: Wednesday 15 Aug: Dr Noach refuses to provide me with the contact details of the KPMG people who did the web site security audit. All I wanted to ask them was why they didn't check for insecure passwords, like "passw0rd".
Discovery has clarified that the "consent" is doctor-specific, not practice specific. That means if a doctor leaves a practice he can take all "his" patients' electronic records with him. I wonder what the other doctors will think of that? Will they know? If the doctor now gets a job at Discovery Life, will they use the information to adjust the policies of those patients?


Some relevant Security Maxims: So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.
Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
Huh Maxim: When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate, and/or naïve.

Update: Discovery has lied to the public and bullied the industry, according to this GP.

Thursday, August 09, 2012

DirectAxis ignores customer privacy laws to send spam

DirectAxis
DirectAxis is a division of business partner with Sanlam*. I am a Sanlam customer. DirectAxis sent me a marketing SMS (i.e. spam) on Wednesday at 9.15am. It read:
As a homeowner 1HOME by DirectAxis offers you SA's premium personal loan of up to R100,000 for any household or personal costs. Reply YES. Stop to opt out
Naturally, I was annoyed because they "know" I'm a homeowner, which is none of their business, and they found out my cell phone number by some devious, unethical or illegal means. So I replied "YES" to get them to call me and explain where they got my details from.
The lady from the call centre called me and asked for my wife. I asked what it was in connection with, and she referred to the SMS. I told her it was my phone she had called, and she said they knew my number because I own property. I asked if they were members of the Direct Marketing Association. She said no; she either lied or didn't know. Direct Axis Sa (Pty) Ltd is a member of the DMA. So told her to put my number on their Do Not Contact database, and told her I don't trust and won't do business with companies who go scurrying around trying to find my details without my permission.
Later, I Googled their name and found their web site www.directaxis.co.za, which states: "Direct Axis (SA) (Pty) Ltd is an authorised Financial Services Provider"*. It says nothing about their connection with
Sanlam, or that they are part-owned by FirstRand. However, when I looked for a photo of the MD of DirectAxis, I found it on the Sanlam web site, in the "Directors" section:
Mark Finlayson
So I wrote the following to Mark Finlayson, the MD:
Dear Mark
I received an unsolicited SMS message from your company today, touting your 1HOME product, whatever that is. Are you not aware that my name and number is on the DMA’s Do Not Contact list?
Please explain
Donn Edwards
His reply was not unexpected:
Hi Donn
I will check on why you received the promotion and revert[sic]** to you.
Regards
Mark Finlayson
DirectAxis
Tel: +27 21 764 3058 | Cell: +27 82 460 1657 | Switchboard: +27 21 764 3000 | Email: mark.finlayson@directaxis.co.za
Today I got an email from another member of the company, in reply to my question about where they got my number. He wrote:
Hi Donn,
I can confirm that we are in fact a member of the DMA and that we definitely would not have got your details from your blog. The guy looking after the 1Home marketing is currently looking into the detail of exactly where your details where obtained and why you received a promotion. I will have this feedback for you by the close of business tomorrow as today is a public holiday.
Regards,
Robert Gwerengwe
DirectAxis
So now we have a registered Financial Services Provider ignoring the Do Not Contact list of the DMA to send me spam. That's already a violation of the ECT Act, and probably the Consumer Protection Act as well.
How trustworthy are these people? To find out, I consulted the
HelloPeter web site, and found the following graph:
DirectAxis SPAM
Note how the industry average for spam complaints is around 2%, yet
DirectAxis is 16% (8 times greater). A browse through their list of complaints found several recent spam complaints among dozens of complaints about bad Billing/Accounts. Just as I suspected: not particularly trustworthy, especially with my data.


Update: *Loans from Sanlam Personal Loans are administered and managed by
DirectAxis, an authorised Financial Services Provider. Sanlam Personal Loans (Pty) Ltd Reg. No. 2001/016316/07, Registered Credit Provider (NCRCP272), is a joint venture between Sanlam Life Insurance Ltd and Direct Axis (SA) (Pty) Ltd. Reg. No. 1995/06077/07.

**On the subject of the usage of the word "revert": look it up, and you will find it means "to come or go back (as to a former condition, period, or subject)". So to say you will "revert to me" means that you will go back (regress?) to being me, which is insulting. It's almost as meaningless as "get back to me" when what you mean to say is "reply" or "respond" or "answer".

Update: Saturday 11th August: I finally received a reply from DirectAxis:
Dear Mr Edwards
Our 1Home offering is focussed on providing home owners with value by offering personal loans for home improvements.
Your details were included on the database of a company called Journey (they have associations with companies which have assisted people obtain home loans or enquire about home loan finance), who provide us with services for our 1Home offering.
As a result of a technical issue our routine daily check against the DMA opt-out records did not run on Wednesday. This is the reason that you were contacted despite being on the DMA's list. This technical issue has been resolved and you will no longer receive messages from us. Your records have been removed from the Journey database.
We have identified the call center agent who incorrectly informed you that we are not members of the DMA and we have ensured that this will not occur again in the future.
I trust the above gives you the clarity you require and apologise sincerely for any inconvenience. I would be very happy to discuss this matter further with you should you require further information.
Regards
Mark
How convenient to be able to blame it on a technical issue. I believe that as much as I believe the sincerity of the apology, given their track record on HelloPeter. It would appear that the "Journey" company mentioned in the reply is also a member of the DMA: Journey Customer Innovation Pty Ltd. So now we have two companies, both members of the DMA, ignoring the Do Not Contact database and spamming potential customers. How dumb is that?Also, none of this claptrap about "associations with companies which have assisted people obtain home loans or enquire about home loan finance" explains how they as a Financial Services Provider could abuse this information in such a way. It just doesn't sound ethical to me. But then I've yet to meet an ethical spammer.

Monday, August 06, 2012

Part 1: Discovery HeathID: kiss your confidentiality and privacy goodbye

I no longer trust Discovery Heath with any of my medical information. As far as I'm concerned they are merely a financial institution, about as trustworthy as my bank manager. And I don't discuss my medical conditions with him either.
Discovery knows far too much about me already: where I live, how often I go to the gym, what foods I eat, which doctors I see, and what pills I'm taking. Now through their hair-brained scheme called "HealthId" they want to make this available to anyone in the health care industry who has an iPad and can forge my signature or convince Discovery that I gave my consent.
So my dentist can find out whether I've seen a marriage counsellor and whether I take Viagra or not. My heart doctor can find out how often I get my eyes tested. My GP can see how many times I've been tested for HIV. What's to stop my life insurance company from getting this information, either legally or illegally? Once it's available in a neatly collated form on an iPad, who says a snooper can't just "borrow" an iPad and look up all the details on file and sell it to any number of interested parties, like life insurance companies, say.
There is no facility on the Discovery web site that allows me to pre-emptively block access to this data. There should be. And I'm pretty sure that the iPad software can't be disabled if an iPad is lost or stolen. Discovery can't even tell me what information they are going to tell the doctors, or whether doctors, dentists, optometrists and so on get the same information or different information. I don't think they have given it any thought at all, quite frankly. Which is more alarming than the fact of them even thinking of making this information available.
Another point is what Discovery plans to do with the Doctor's notes and other information captured on the iPad software. Are they going to read the notes to try to second-guess a recommendation for Chronic medication benefits? Are they going to bump up my premiums based on what my GP has written in his files?
What's to stop a hacker reverse-engineering the iPad app and figuring out how to send the "consent" permission to the Discovery servers to get the records of hundreds, if not thousands, of patients? Since there is nothing on the Discovery servers to pre-emptively block them from doing so, Discovery is effectively trusting every iPad out there, without knowing who is using it or what their intentions are. Since iPads can't do biometric identification (thumb prints or retina scans), they have no way of knowing who is using it. Bad move.

Noseweek #153I was first alerted to this problem by an article in Noseweek (pdf) and today I read the July 2012 "Discovery" magazine article on page 38. They do a great job of trying to sell the concept, but they completely
ignore the privacy and security implications. Meanwhile, despite all the questions being asked, they have gone ahead and launched the scheme. So if the hackers find a way of subverting it before they put proper security in place, we're all screwed. And their record of keeping my contact details private is not exactly exemplary, and their dealings with doctors are not exactly ethical. The problem is that if they get sued for this then my premiums will go up. Not that they've ever gone down, but still ...

Part 1 | Part 2 | Part 3


Update: Tuesday 7th August: I managed to get Dr Jonathan Broomberg, CEO of Discovery Health, to read this post. This is what he wrote:
I will call. But it's important to know that your data is blocked by default. No doctor can access your data unless you personally and explicitly give permission. This permission can be given for named doctors or for all doctors you see. It can be withdrawn at any time. If you choose not to give the consent, your data remains entirely private. Does this address your concern?
This is very worrying. I have explained to him that not having a pre-emptive blocking option is different from what the system does now. Hopefully he will get it, because he doesn't seem to understand the difference yet.

Update: Wed 8th August: After some discussion on the MyBroadband forum, I propose a few obvious changes:
  • Every time I log in to Discovery.co.za I want an email notification of my login, exactly like FNB does.
  • I want to see a list of the date and time of the last 5 logins on the opening screen after login. Just like FNB does.
  • When I go to the HealthID Consent Manager on their web site, at present I can select "I agree to the terms and conditions". I want a further option that says "I do NOT agree to the terms and conditions, and wish to keep my electronic medical history private"
  • I want this option enabled by default.
  • In order for the doctor to obtain my consent, I type my Discovery user name and password to the iPad app. Then Discovery sends an SMS to my phone with an authorisation code. I then fill in the code into the app to allow that particular doctor access. FNB does something similar on their banking site with particular transactions.
  • On subsequent visits to the doctor, Discovery will SMS me an authorisation code that I then give to the doctor so he can view my profile for the rest of that day.
Like Dr Moodley at Stellenbosh University, I think the privacy issues and disclosure issues need to be addressed. But until the security concerns are addressed, there isn't much point.
I would also like
Discovery to warn users not to use the same password that they use on other sites. This is responsible security practice. Right now they don't even warn you if you have a weak password. They allowed me to choose "passw0rd" for their site. What were they thinking?


"P.S. Discovery HealthID was awarded best iOS app for enterprise at MTN’s first ever app of the year awards." They obviously didn't do a security audit of the app. Neither has
Discovery Health.

Update: Discovery has lied to the public and bullied the industry, according to this GP.