Wednesday, September 26, 2007

Open Letter to Dr. Daniel Palestrant, CEO of Sermo.com

Filed under: Medgadget Exclusive

Dr. Palestrant,

Ever since we published our original post on how to penetrate physicians-only networks, our decision to publish and Sermo's vulnerability have been the subject of a hot debate inside Sermo.com, in which you participated. Since we were involved in so many of those discussions, we are addressing you personally. This letter might as well have been addressed to every other physicians-only network that relies on public databases for membership verification.

We are a group of MDs, some in practice and others in training, running this medtech news website. We are not security experts. When we discovered how easy it is to collect the data needed to circumvent the registration process, and PsychCentral independently confirmed it, we thought we were doing the doctor community a favor. If your site is to become an institution where physicians can exchange frank information about drugs, devices, therapies, and patient care, it is in the interest of both patients and physicians that the forum be secure. No one wants to realize months or years from now that competing companies, via their trolls and impostors, have been presenting fake clinical vignettes to your swollen ranks, hyping their wares or denouncing other firms' products. Once again, when we posted what we posted, we were not thinking about Sermo.com per se, but about the whole security model built on public databases. That is why we published it on our site rather than sending it privately to you and to the dozen other networks doing the very same thing.

Since you have participated in some of the discussions, here is our advice to you. To do damage control, the first step is to acknowledge the problem, which you have not done so far, and to address all of your members: they need to know about it. Then, without hinting at some super-secret verification protocol your company is implementing, overhaul the entire registration procedure. You do not have data about US doctors that others lack. Whether it is a UPIN, a DEA number, or board data, your verification protocol still relies on public databases, and they are called "public" for a reason: anyone who can look up a physician's record can present it as their own.

Here is what we know. When our site deals with the registration of our domain name, we work with a company called Domains By Proxy. They are in the business of protecting registrant identities, and they still ask us to fax them our papers. We believe this is the only way for you to go: ask each member to fax a copy of a license (driving, medical, etc.) or some other reliable document. A faxed copy can be forged too, but it at least requires the applicant to produce a document rather than merely look up a record that anyone can find.

And, finally, a word about the ad hominem attacks. Never in our lives could we have imagined that our exposé on how to use public information would provoke so many doctors to attack us so viciously. The vitriol is there: we were called "SOBs," "traitors," "a merry band of thieves," and much more. You at one point suggested that we exposed your site's vulnerability because we were envious of your success ("... when you become the largest physician community, ever, people start to set their sites [sic] on you..."). You also referred to the presence of "waste" that might need flushing. Perhaps it would be wiser to spend your time addressing the serious issue that exists with your site, instead of insulting the concerned doctors who brought it to your attention.

Thank you,

Editors @ Medgadget.com

More: Medgadget's Guide to Hacking into Social Networks for Doctors ...; Confirmed: Sermo Is Not for Physicians Only; New Important Questions Raised ...; Sermo's $9M Weak Security Model ...; A Note and a Follow Up On Sermo ...; Sermo Improves Registration Security; Needs to Do More ....


Update: Mexican Medical Student has an excellent overview of the security issues involved in private social networks here.

replies: 7 comments

As someone who has an interest in healthcare technology and IT security, I've been paying attention to this. If Sermo's "social engineering exploit" were, say, a vulnerability within a Microsoft product, you'd give the vendor a few days to a week plus to respond. If they respond politely and are interested in helping out, then they get disclosed after there's a patch to fix the vulnerability. However, if you as the discoverer of the exploit go unnoticed, then in the interest of security, publicly disclose the vulnerability.

Social networking for physicians sounds like a great idea. It really is. It's a way to keep out neurotic patients like myself and other third parties that would throw such a system into disarray. A lot of good could come from this. However, when you rely on easily accessible information that's in the public domain, it's open for abuse. Yes, it's identity fraud and illegal - I'm not disagreeing with that part and I would fully support the prosecution of someone who claimed to be someone else and besmirched that physician's name and reputation. One could imagine the havoc that masquerading as a high-profile physician and doing stupid things could cause. However, when the authentication mechanism is based on public information, that is a sign that you need to revamp the trust mechanism. That was lost in all of the mud flinging that's been going on between Medgadget, Sermo and the whole blog community.


Posted by: Nick
on September 26, 2007 12:33 AM GMT

This issue has ramifications across several areas. For example, I know of hedge fund managers who actually sign up for confidential clinical trials and participate in the trial in order to glean information about the particular drug that is not available to the public. If the trial is going well, then buy the shares; if not, sell short.

This is just one example of what could happen in Sermo.

Security is critical and Medgadget did everyone a service by exposing Sermo's flaws.


Posted by: michael
on September 26, 2007 07:12 AM GMT

Nick, I believe that there is a big difference between a vulnerability within a Microsoft product, which is usually a minor issue that Microsoft itself is not aware of, and a major design flaw that it would be a stretch to assume Microsoft didn't know about. Now imagine that Microsoft is well aware of the major problem and still mis-advertises the product to consumers. I think that the proper analogy would be the cigarette makers being well aware that cigarette smoking causes increased chances of lung cancer while hiding that very same fact from the consumers. People who exposed the issue were hailed as good guys and the cigarette makers were sued for not informing the public of the dangers that one faced.


Posted by: marina
on September 26, 2007 09:32 AM GMT

Thanks for helping all narc seekers out there figure out DEA # and other info for calling in their prescriptions, jerks!


Posted by: joe
on September 26, 2007 05:15 PM GMT

Keep up the good fight. I am a computer security professional (I know better than to call myself an "expert" with all the talent out there I used to work with) who is now a medical student. One of the most common mistakes to warn against is "security through obscurity." Transparency in the process (such as with open-source software) always provides the greatest degree of assurance, period. I have so much more to say and actually have recommendations, but I'll write those through the proper channels. Publicly, I just wanted to voice my support and say you are doing the 100% right thing.


Posted by: enrico
on September 27, 2007 07:42 AM GMT

The name-calling you experienced tends to occur when there is no accountability because of anonymous posting being permitted and when there is no moderation.

More concerning is the possibility that Dr. Palestrant is perpetrating fraud and deception via his corporation:

http://HeartMDPhD.com/SermoExposed


Posted by: HeartMDPhD
on December 5, 2007 12:49 PM GMT

I'm in the process of creating a website for physicians different from Sermo's model. Does anyone have any recommendations on how to verify physician status online?


Posted by:
on January 9, 2008 05:18 PM GMT
