Part 2: Discovery Health's Electronic Health Record: not good

Today I had a meeting with both the COO and CIO of Discovery Health. Heady stuff, except that the COO, Dr Ryan Noach, has the "bedside manner" of earthmoving equipment. It's not often that I get lectured to for interrupting. He clearly hasn't lost the "God Complex" that afflicts many doctors.
When I pointed out that as far as I was concerned, Discovery Health was a financial services provider, whose job it was to process my medical aid claims, he denied this. Discovery Health, it seems, has delusions of grandeur: they are now a company that provides an online Electronic Health Record (EHR) to unspecified healthcare providers.
And its amazing how evasive he got when I asked for more specific details: My GP can access the scheme, but not my Dentist. What about my Cardiologist? They changed the subject.
The "consent" agreement is clearly a CYA document:

Discovery takes all reasonable steps to protect personal information and maintain confidentiality. By signing below, I give Discovery Health (Pty) Ltd and my medical scheme, being a medical scheme administered by Discovery Health (Pty) Ltd (“Scheme”), permission to release my Electronic Health Record (EHR) to my healthcare provider. This includes details about chronic condition(s), benefit plan details, certain biographical data and pathology and radiology results. This may include information related to HIV/Aids.
I understand that once Discovery Health (Pty) Ltd and the Scheme have handed my records to the healthcare provider, they have no further control over this information and that they will not be accountable for the safeguarding of this information. I do understand that the healthcare provider has confirmed to Discovery Health (Pty) Ltd that he/she will treat my health records as confidential and in line with the relevant legislation.
I agree that by making this information available, Discovery Health (Pty) Ltd and the Scheme are not responsible for any loss (whether direct or indirect) that may arise from the use of this information.
I agree that I may not hold Discovery Health (Pty) Ltd or the Scheme responsible for any loss that may result from the incorrect use or disclosure of the information by my healthcare provider.

So in spite of assurances from the very top that the HealthId iPad app is "secure", the first thing you have to sign is a waiver that says that Discovery is irresponsible not responsible. Most lawyers call this a "Consent and Waiver" agreement. Discovery's BS marketing department leaves out the "waiver" part. We don't want to startle the animals.
Dr Noach asserted that Discovery was "willing to listen" to my concerns, but "would take [my] suggestions under advisement". After all, they are only my opinion, and other people have other opinions. (Did someone say "God Complex"? Maybe he was just playing the "bad cop" role. Who knows, but it certainly didn't come across as sympathetic, just arrogant.) I pointed out that the Discovery web site allows me to choose "passw0rd" as a password without even the slightest hint that it is completely insecure. I mentioned the web site "how secure is my password" for some code on how to warn users of insecure passwords. In the past the Discovery web site only displayed claim details, without stating the medication being claimed for. Now it contains a full Electronic Health Record and Medical History. I hope they will take this suggestion seriously, and also warn users not to use the same password that they use anywhere else.
When I said that I wanted two-factor authentication, they came up with a whole bunch of excuses about why this was "impractical". "We deal with very old and very sick patients who don't have cell phones". This is the reason why they can't send an authentication code as part of the "consent and waiver" process. But in the same breath, I'm assured that this process is secure because the moment I sign the "consent" form, I'll receive both an SMS telling me the dirty deed is done, as well as an email with a copy of the "signature" provided. (I'm not sure how the elderly and very sick check their emails). But now that the horse has already bolted, I can always phone their call centre or log on to the web site to cancel the "consent". I pointed out that this wasn't always practical: the call centre isn't always open, for starters. "If I'm in Antarctica should I worry about this as well" was Dr Noach's sarcastic response. So much for "listening". WTF?
Despite that, they are working on some unspecified cell phone authentication process. In a month's time the iPad app will get an independent security audit from KPMG. These are the same people who verified that the Discovery web site as being "secure" 3 months ago. They got very defensive when I said that I didn't think they were taking security seriously: I pointed out that they have rolled out the HealthID program to over 400 doctors and just sent out an email to all their members extolling its virtues, in spite of my security concerns and the Noseweek article. Dr Noach doesn't think much of my blog or Noseweek. He's happy to listen to KPMG's experts instead. These are the same experts who didn't check for "passw0rd". I have subsequently received details from Vladi Belev (Enterprise Architect at Discovery Health) of the multiple security measures in place on their systems. It is reassuring to know that at least their IT division takes enterprise security seriously.
On a more bizarre note, we had a brief discussion of how there is basically no privacy left in the medical industry. In other parts of the world, doctors regard EHR as a right, not a privilege. Patients basically are expected to sign away their privacy to anyone godlike enough to call himself a doctor. Discovery Health has clearly embraced this model. When I asked them "When did I give you permission to make this information available online?" The reply was: when you sign the "consent". That's another way of saying "No, you haven't given us permission yet, but you will." So when their catchy PR email says: "HealthID: The technology that puts your health records in your doctor's hands" they don't mean that he can hold the iPad in his hands. They mean that they will happily make the doctor responsible for the security of the private, sensitive data they have collected, whether he has the expertise to do so or not.
One important concession I obtained: they agreed to remove my medical history from their web site. This isn't available for everyone (yet), only if you kick up enough fuss. Phone their call centre and ask for it to be done. If they refuse, or duck and dive, then ask to be put through to the COO. And be sure to ask for the name of the luckless call centre agent who refuses, and note the time of your call.

Part 1 | Part 2 | Part 3

Update: ITWeb has an article that explains how your Vitality info, pathology results and other info will be made available to doctors, hospitals and emergency personnel.

Broomberg says Discovery was concerned with the growing problems of fragmentation between all the role players within the health system.
“Doctors, hospitals, pathology and radiology are all separate practices, and this results in lack of co-ordination, and limited or no sharing of critical health information that would enable doctors to make more informed decisions or reduce inefficiency in the system,” he explains.

Emergency personnel will scan a QR Code on a car sticker Or other location to access your data. How secure is that going to be? The mind boggles.

According to IOL, they will pay doctors to use the app.

Once the patient reads the consent waiver and agrees to allow the doctor access to their medical records, they can no longer withhold that information from the doctor. It is an all or nothing deal, though Discovery Health may be developing limiting tools in the future.
Doctors use the app at no extra cost to them or their patients. In fact, doctors can earn an additional R15 per consult if they use the app for 50 percent of their Discovery Health consultations daily.

Update: Wednesday 15 Aug: Dr Noach refuses to provide me with the contact details of the KPMG people who did the web site security audit. All I wanted to ask them was why they didn't check for insecure passwords, like "passw0rd".
Discovery has clarified that the "consent" is doctor-specific, not practice specific. That means if a doctor leaves a practice he can take all "his" patients' electronic records with him. I wonder what the other doctors will think of that? Will they know? If the doctor now gets a job at Discovery Life, will they use the information to adjust the policies of those patients?


Some relevant Security Maxims: So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.
Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
Huh Maxim: When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate, and/or naïve.

Update: Discovery has lied to the public and bullied the industry, according to this GP.