Thursday, September 20, 2007

Medgadget's Guide to Hacking into Social Networks for Doctors

Filed under: Medgadget Exclusive , Net News

Just in time for the Health 2.0 Conference, here's our guide on how to penetrate ultra-exclusive physician networks. Infected with a case of facebookitis/myspacitis, internet entrepreneurs are setting up a growing list of networks for MDs and other clinical professionals. The best known one is Sermo.com, an enterprise endorsed by the AMA. Just like other MD networks, it does not rely on invites, but rather on public databases to verify one's identity as a doctor. So, whether you're a patient, journalist, or medical consultant, with the help of public databases you can check and see what's going on behind the closed doors of physicians' networks. (Disclaimer: the following is for "educational purposes only." We do not encourage anyone to break any laws, service agreements, or any other "rules.")

Sermo.com and others require four pieces of information for verification: physician's name, medical school attended, date of graduation, and the DEA number (yes, the Drug Enforcement Agency).

First, here's the easy stuff. Every US state has an online database of its physicians, found on each state's medical board website. They always list each physician's name, medical school attended and the date of graduation. They also display other related info, such as license number and history of legal problems. An example: head to New York State's Online Verification Site for Professions, choose "Medicine (physician, including MDs & DOs)" and enter a doctor's name. As an example, the search for "Johnson" returns a lengthy list of registered physicians with that last name. In each record, you will find the medical school attended and the date of graduation.


So, the only missing piece of the puzzle is the DEA number. There are two ways to obtain it: free and for a small fee (usually, $9). The DEA CSA database, while maintained by the DEA, has been outsourced to private companies for distribution. And so they tend to charge money for their services. They charge Sermo.com and others, including your local pharmacy and hospitals, and they want to charge you. Here's a link to a limited query search over at DEANumber.com. Pay up $9 and your favorite MD's DEA number is yours. Now you are all set to register at Sermo.com, or any other social network for physicians.

IF YOU DON'T WANT TO PAY, then head on to DEALookup.com, and try their Free Demo. (DEALookup.com requires you to register, but they don't send a verification email. So you can remain private, if you wish.) The drawback is that they let you search only for physicians with last names starting with the letter A. So, if you don't care what identity you assume, write down one of the DEA numbers there, last and first name, and then head on to the medical board site for that physician's state. Find his or her medical school and graduation date, and you are all set. That was easy. Welcome to Health 2.0!

Update: Reader Marcus H. notes that the easiest way to obtain a DEA number is to simply look at your doctor's prescription.

More: Confirmed: Sermo Is Not for Physicians Only; New Important Questions Raised ...; Open Letter to Dr. Daniel Palestrant, CEO of Sermo.com...; A Note and a Follow Up On Sermo ...; Sermo Improves Registration Security; Needs to Do More ....

replies: 20 comments
Open comments are not moderated, although abusive and vulgar remarks may be deleted. Opinions expressed do not necessarily reflect the views of Medgadget.com. Please consult our disclaimer.

So other than being professional A--holes, what's the point in publishing this?


Posted by: William Barrett MD
on September 20, 2007 06:56 PM GMT

If someone gains entry into a site such as Sermo using this technique, I look forward to investigating whether they can be prosecuted for identity theft.


Posted by: M. Saathoff, MD
on September 20, 2007 08:28 PM GMT

To demonstrate security issues; that 'restricted access' is easy to work around.


Posted by: pawel
on September 20, 2007 09:06 PM GMT

Sermo actually requires a physician's date of birth and not, as you incorrectly suggest, a year of graduation. It is much more secure than this article suggests.

grisdoc (sermo user)


Posted by:
on September 21, 2007 06:41 AM GMT

grisdoc :

Date of birth is not a security feature in Sermo. And they do check the graduation date.


Posted by: Dr.O
on September 21, 2007 07:33 AM GMT

Obviously the ethics held by doctors are not also held by medgadget. "Educational purposes only" does not justify this post.


Posted by: NoLongerAReader
on September 22, 2007 10:30 AM GMT

The authors of MedGadget have more exemplary ethics than NoLongerAReader; they're uncovering the very dangers of poor authentication of existing sites. I join them (and reminisce from my days as a MedGadget editor) and blogged about it at Doctor Geek, M.D.


Posted by: Enoch Choi
on September 23, 2007 04:59 PM GMT

As a physician, I have nothing but contempt for fellow physicians who place their own egos above the welfare of their physician colleagues. At least 2 of the 3 editors of medgadget are members of Sermo. Yet, their solution to perceived holes in Sermo security was not to contact Sermo or start a post to Sermo members, but instead to post instructions about how to break the law in order to gain access to Sermo. This illustrates to me that their primary purpose isn't Sermo, but the furtherment of their own blog. Now I am not so naive as to think that they revealed any great secrets, but I have no doubts that they would have if they could have.

I know that there are many physicians who read this blog. My question for you is whether you are willing to support a site (medgadget) which gives detailed instructions on how to access the DEA and license numbers of fellow physicians, when the only way that people can use this information is by breaking the law through identity theft? Personally, I am not willing to support any such endeavor, nor any company that advertises on their site.


Posted by: UnbrknCh8n
on September 24, 2007 10:53 PM GMT

UnbrknCh8n:

As a physician, I have nothing but contempt for fellow physicians who believe that... public does not have the right to know how to use public databases...

As a physician, I have nothing but contempt for fellow physicians who believe that... fellow physicians cannot do investigative reporting...

As a physician, I have nothing but contempt for fellow physicians who believe that... Sermo.com did nothing wrong, while Sermo perfectly knew about the gaping hole in their security...

As I've told you in Sermo, please direct your anger elsewhere.


Posted by: DrO
on September 25, 2007 08:19 AM GMT

DrO:

You state "As I've told you in Sermo, please direct your anger elsewhere."

The way I see the situation is that you write and post an article titled, "Medgadget's Guide to Hacking into Social Networks for Doctors."

In this article, you state:
"So, if you don't care what identity you assume, write down one of the DEA numbers there, last and first name, and then head on to the medical board site for that physician's state. Find his/hers medical school and graduation date, and you are all set. That was easy."

It is obvious that instead of trying to bring attention to security issues in Sermo, you are instead encouraging people to assume the identity of physicians.

This does make me angry. And it is with you that I am angry. So what better place is there to bring this discussion than to the comments section of this article?


Posted by:
on September 25, 2007 12:47 PM GMT

It always amazes me when people go around with a haughty, superior and 'holier than thou' attitude while doing unethical, immoral and illegal things. Congratulations writers of medgadget, you really take the cake in the area of hypocritical behavior. No matter how you state your disclaimer "Here's how to do something illegal, now please don't actually do it," you are really just helping people gain private information about others. Why not call the blog what it really is? AmateurHackersWithoutEthics has a nice ring to it. The reason the internet needs better security measures is because of people exactly like you.


Posted by: dcted
on September 26, 2007 06:49 AM GMT

dcted:

Before accusing anyone of unethical, immoral things, ask yourself about Sermo. Who developed a flawed system, advertised it as super secure, and fooled thousands of physicians?

In terms of us, the public has the right to know how to use public databases.


Posted by: DrO
on September 27, 2007 10:01 AM GMT

This entire discussion is really quite old: apparently people have been fighting over this topic since the 19th century. The question of full disclosure is very controversial. More on the topic can be found here: http://en.wikipedia.org/wiki/Full_disclosure

However in my opinion, publishing this literally step by step guide to exploit the system wasn't a very smart thing to do.


Posted by: seb
on September 27, 2007 03:07 PM GMT


When can we start acting like professionals again?

yours hopefully

gd


Posted by: grisdoc
on September 29, 2007 05:45 PM GMT

Quoting from the xconomy site what Bruder, whose name links to this site:

Bruder -

I cannot think of a better statement about the journalism of medgadget.com than to quote your very words, as you have said it best:

"As for you claiming that this has something to do with credibility of Medgadget reporting on this, then you're just being silly because in the long run, there is no need for credibility here. The issue is very clear that Sermo is compromised. As I said before, you don't need an expert to see that the door is open. If a ten year old would have noticed this, it would have been just as true."

Being sarcastic, "there is no need for credibility here" might just make a good masthead saying for medgadget.com.

Journalism is all about credibility.


Posted by: Michael
on September 30, 2007 12:54 PM GMT

For the record Bruder of medgadget added to what I said above without any editorial notation [nothing was added to Michael's writing. The quote he attributed to Bruder was inserted how it appeared originally. This was an action to prevent Michael from censoring Bruder] of doing that so the reader should realize that medgadget has edited my comments.

Is there a place on this site where it is stated that medgadget can edit comments? Many of the newspapers do state that letters to the editor can be edited, so does that apply in these discussion groups? It does say above "Open comments are not moderated, although abusive and vulgar remarks may be deleted. Opinions expressed do not necessarily reflect the views of Medgadget.com. Please consult our disclaimer." and I do not think I have been abusive or vulgar, but obviously there seems to be moderation.


Posted by: Michael
on September 30, 2007 01:22 PM GMT

On xconomy.com this is what Bruder posted in regards to my above comment. Should have posted it with the above:

Michael,

I updated your comment on Medgadget to include my whole quote, not out of context like you decided to do. I hope that helps with the credibility and understanding. You can take a look here: http://www.medgadget.com/archives/2007/09/medgadget_guide_to_hacking_into_social_networks_for_doctors.html


Posted by: Michael
on September 30, 2007 01:34 PM GMT

Hmmm .... changing what someone writes in a web page where comments are welcomed, and not letting other readers know what has been changed and why, raises the question of how anyone knows that what is said in the other comments is what was said by the responder and not by people at medgadget to make medgadget look better. Isn't that an issue of credibility? If stories on web pages are changed, is there a notation or an addendum like would be done in the print media, or does the late reader not know it has been changed?


Posted by: Michael
on September 30, 2007 02:15 PM GMT

One last quick question Bruder and then I think it is time to quit this.

Did you mean to say misrepresent what you said, rather than censor what you said? Because I, unlike you, cannot moderate, edit or delete what others say, and cannot even do that to my own posts after they are sent in.


Posted by: Michael
on September 30, 2007 04:10 PM GMT
