So we were right: physicians-only networks are very easy to penetrate. John M. Grohol from PsychCentral reports that a professional security consultant was able to register an account at Sermo.com rather easily: it took him only five minutes. If you have seen our account (Medgadget’s Guide to Hacking into Social Networks for Doctors), then you know that one does not need to be a security consultant to figure out how to use public databases to register with Sermo and others. PsychCentral does not want to reveal its hacking methodology, but we think it was probably based on standard state medical board info, plus the DEA number formula. (FYI, DEA numbers are not random, but rather based on the Luhn algorithm.)
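The post calls the DEA check digit a Luhn-style rule; the published DEA rule is a weighted digit sum, implemented below as an added example (not code from the post or from Sermo). The point for a network operator is that this is purely a format check: any well-formed string passes, so it gives no assurance that the number belongs to the person registering. The sample numbers are constructed, not real registrations.

```python
import re

# Added example: syntactic check of a DEA registration number.
# Shape: two uppercase letters followed by seven digits, the last digit
# being a check digit computed from the first six.
DEA_RE = re.compile(r"^[A-Z]{2}\d{7}$")


def dea_expected_check_digit(first_six: str) -> int:
    """Public DEA rule: last digit of (d1+d3+d5) + 2*(d2+d4+d6)."""
    odd = int(first_six[0]) + int(first_six[2]) + int(first_six[4])
    even = int(first_six[1]) + int(first_six[3]) + int(first_six[5])
    return (odd + 2 * even) % 10


def dea_format_valid(number: str) -> bool:
    """True only if the string has the DEA shape and a consistent check digit.

    This detects typos, nothing more: it cannot tell a real registrant's
    number from one that merely satisfies the formula, which is why a
    registration gate built on it needs an independent identity check.
    """
    number = number.strip().upper()
    if not DEA_RE.match(number):
        return False
    digits = number[2:]
    return dea_expected_check_digit(digits[:6]) == int(digits[6])


if __name__ == "__main__":
    # Constructed sample values: first passes, second has a bad check
    # digit, third has the wrong shape.
    for sample in ("AB1234563", "AB1234560", "A1234567"):
        print(sample, dea_format_valid(sample))
```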
This is an important story, and we believe it needs to be addressed by Sermo.com and by other physician networks. Until the following questions are answered, we think the credibility of these networks remains under one big question mark.
1. Will Sermo.com and others come out and address these security issues with their users?
2. Do Sermo.com and others really have a business model that can create a secure network for physicians as long as that model is based on publicly accessible databases?
3. Will member physicians be content with the possibility that some clinical vignettes may be hoaxes?
4. What about the possibility that drug companies and medical device manufacturers are actually creating some of the vignettes to hype up their wares?
5. How extensive is the problem? How many physicians’ identities have been stolen? Are there physicians out there who cannot register because their identities have already been taken?
Finally, if you are a physician and your identity has been stolen, we want to know. Please email us at medgadget–at–medgadget–dot–com.
Update: More thoughts from Enoch Choi…
More: Medgadget’s Guide to Hacking into Social Networks for Doctors …; Open Letter to Dr. Daniel Palestrant, CEO of Sermo.com…; A Note and a Follow Up On Sermo…; Sermo Improves Registration Security; Needs to Do More ….
Update: Mexican Medical Student has an excellent overview of the security issues involved in private social networks here.