Monday, August 06, 2012

Part 1: Discovery HeathID: kiss your confidentiality and privacy goodbye

I no longer trust Discovery Heath with any of my medical information. As far as I'm concerned they are merely a financial institution, about as trustworthy as my bank manager. And I don't discuss my medical conditions with him either.
Discovery knows far too much about me already: where I live, how often I go to the gym, what foods I eat, which doctors I see, and what pills I'm taking. Now through their hair-brained scheme called "HealthId" they want to make this available to anyone in the health care industry who has an iPad and can forge my signature or convince Discovery that I gave my consent.
So my dentist can find out whether I've seen a marriage counsellor and whether I take Viagra or not. My heart doctor can find out how often I get my eyes tested. My GP can see how many times I've been tested for HIV. What's to stop my life insurance company from getting this information, either legally or illegally? Once it's available in a neatly collated form on an iPad, who says a snooper can't just "borrow" an iPad and look up all the details on file and sell it to any number of interested parties, like life insurance companies, say.
There is no facility on the Discovery web site that allows me to pre-emptively block access to this data. There should be. And I'm pretty sure that the iPad software can't be disabled if an iPad is lost or stolen. Discovery can't even tell me what information they are going to tell the doctors, or whether doctors, dentists, optometrists and so on get the same information or different information. I don't think they have given it any thought at all, quite frankly. Which is more alarming than the fact of them even thinking of making this information available.
Another point is what Discovery plans to do with the Doctor's notes and other information captured on the iPad software. Are they going to read the notes to try to second-guess a recommendation for Chronic medication benefits? Are they going to bump up my premiums based on what my GP has written in his files?
What's to stop a hacker reverse-engineering the iPad app and figuring out how to send the "consent" permission to the Discovery servers to get the records of hundreds, if not thousands, of patients? Since there is nothing on the Discovery servers to pre-emptively block them from doing so, Discovery is effectively trusting every iPad out there, without knowing who is using it or what their intentions are. Since iPads can't do biometric identification (thumb prints or retina scans), they have no way of knowing who is using it. Bad move.

Noseweek #153I was first alerted to this problem by an article in Noseweek (pdf) and today I read the July 2012 "Discovery" magazine article on page 38. They do a great job of trying to sell the concept, but they completely
ignore the privacy and security implications. Meanwhile, despite all the questions being asked, they have gone ahead and launched the scheme. So if the hackers find a way of subverting it before they put proper security in place, we're all screwed. And their record of keeping my contact details private is not exactly exemplary, and their dealings with doctors are not exactly ethical. The problem is that if they get sued for this then my premiums will go up. Not that they've ever gone down, but still ...

Part 1 | Part 2 | Part 3

Update: Tuesday 7th August: I managed to get Dr Jonathan Broomberg, CEO of Discovery Health, to read this post. This is what he wrote:
I will call. But it's important to know that your data is blocked by default. No doctor can access your data unless you personally and explicitly give permission. This permission can be given for named doctors or for all doctors you see. It can be withdrawn at any time. If you choose not to give the consent, your data remains entirely private. Does this address your concern?
This is very worrying. I have explained to him that not having a pre-emptive blocking option is different from what the system does now. Hopefully he will get it, because he doesn't seem to understand the difference yet.

Update: Wed 8th August: After some discussion on the MyBroadband forum, I propose a few obvious changes:
  • Every time I log in to I want an email notification of my login, exactly like FNB does.
  • I want to see a list of the date and time of the last 5 logins on the opening screen after login. Just like FNB does.
  • When I go to the HealthID Consent Manager on their web site, at present I can select "I agree to the terms and conditions". I want a further option that says "I do NOT agree to the terms and conditions, and wish to keep my electronic medical history private"
  • I want this option enabled by default.
  • In order for the doctor to obtain my consent, I type my Discovery user name and password to the iPad app. Then Discovery sends an SMS to my phone with an authorisation code. I then fill in the code into the app to allow that particular doctor access. FNB does something similar on their banking site with particular transactions.
  • On subsequent visits to the doctor, Discovery will SMS me an authorisation code that I then give to the doctor so he can view my profile for the rest of that day.
Like Dr Moodley at Stellenbosh University, I think the privacy issues and disclosure issues need to be addressed. But until the security concerns are addressed, there isn't much point.
I would also like
Discovery to warn users not to use the same password that they use on other sites. This is responsible security practice. Right now they don't even warn you if you have a weak password. They allowed me to choose "passw0rd" for their site. What were they thinking?

"P.S. Discovery HealthID was awarded best iOS app for enterprise at MTN’s first ever app of the year awards." They obviously didn't do a security audit of the app. Neither has
Discovery Health.

Update: Discovery has lied to the public and bullied the industry, according to this GP.


James Stapley said...

Donn - great series of posts on this issue.

I encountered the idea of HealthID the other day and wrote a very brief tweet about this - which resulted in Discovery actually phoning me (one of the perils of real names attached to online accounts, I guess). Amazingly, they did this from a real world number and not a private number (which, due to information leakage is generally a sure-fire indicator of someone trying to sell me something I don't want).

The thing which most greatly concerns me is the potential for either 1) profiling actual or potential customers of health insurance schemes 2) resale or other distribution of such information to whomever Discovery elects to sell/share this information with.

Whilst I expect there are probably laws against certain forms of discrimination in the health insurance industry based on certain conditions, I imagine this is not a blanket ban on all forms of discrimination, and of course, legislation is fluid.

Inevitably, such databases will get to be multi-generational and allow companies to build up (undoubtedly not in my interest) "risk models" of how my health is likely to cost them money, based on that of my ancestors and other relatives, and presumably, go on to affect any progeny that might arise and become insured themselves. (That will get a lot worse when whole genome sequencing, or larger scale genetic screening becomes extremely inexpensive). Releasing such information to e.g. life insurance companies, or using it to base their charges or restricting benefits to me are all potential implications.

Whilst Discovery may be able to claim that their current business practices and/or legislation forces them to pursue behaviour X, this is not set in stone and can change. Even an undertaking not to pursue certain behaviours can change (look at how often big Internet companies change their privacy policies, usually eroding such things), and so cannot be realistically expected to safeguard my - or any other person's - most intimate personal details.

It's all too easy to hand over information - it's very hard to get it back. Your analysis of their disclaimers/agreements doesn't inspire a lot of confidence in this regard.

Certainly, I fully understand the benefits of electronic health records, but in a society where healthcare is generally a (presumably profitable) corporate enterprise, and where past experiences suggest that most corporates skate a very thin edge between "ethics" and "profit" (where p>>>e in most cases), such entities being in charge of this is possibly a bad idea. (Indeed, not maximising profit could be considered un-ethical if your purpose is to generate profit for shareholders - which in a capitalist system is the entire point of corporate enterprise). I'm certainly not saying Discovery is or intends to be unethical with my healthcare data - my concern is that such behaviour may change, or insufficient safeguards may be taken with such data. That every single South African corporate seems to think it's OK to use my contact details for direct marketing, or worse, sell them to others for this purpose, doesn't inspire great confidence that medical details would be treated differently.

Unfortunately, looking at the fiasco around things as comparatively simple as national "do not call" registers, I don't think a state organ would be any less of a liability.

I'm surprised the media hasn't made more of a fuss of this issue; it's certainly a public interest story. Presumably they like Discovery's advertising and wouldn't like a phone call from their PR people threatening to withdraw ads! Or perhaps "hmm, this bad thing might happen" isn't solid enough to base a story on.

Forget "Do Not Call", we need a much broader "Do Not Want" button!

Donn Edwards said...

Thanks for some great insights.

I think the problem with mainstream media is that the story is too complicated. They want something much simpler, that can be reduced to a tweet-sized headline.

James Stapley said...

Incidentally, in law, Chapter 12, Section 57, 4 of the Medical Schemes Act (1998) (i) states that the Trustees of the Medical Aid Scheme must:
(i) take all reasonable steps to protect the confidentiality of medical records concerning any member´s state of health.

Of course "reasonable" is a very debatable word, and what different people consider reasonable (tinfoil hat vs. concerned user vs. person who recycles one login for everything) tends to differ somewhat.

I'm not sure exactly what the relationship between Discovery and it's trustees/Medical Scheme(s) is, but my quick scan through that Act suggests they can pretty much tell Discovery where to stick their iPads, if they decide this is not in the interest of their members... That said, I have absolutely no legal training whatsoever!