Dr. Palestrant,
Ever since we published our original post on how to penetrate physicians-only networks, the discussions about our decision and Sermo’s vulnerability became the subject of a hot debate inside Sermo.com, which you participated in. Since we were involved in so many discussions there, we are addressing you personally. This letter might as well have been addressed to other physicians-only networks that rely on public databases for membership verification.
We are a group of MDs, some in practice and others in training, running this medtech news website. We are not security experts. When we discovered how easy it is to collect the data to circumvent the registration process, and PsychCentral independently confirmed it, we thought that we were doing a favor to the doctor community. If your site is to become an institution where physicians can exchange frank information about drugs, devices, therapies, and patient care, it is in the interest of both patients and physicians to have such a secure forum. No one wants to realize many months or years from now that competing companies via their trolls and imposters are presenting fake clinical vignettes to your swollen ranks, hyping their wares or denouncing other firms’ products. Once again, when we posted what we posted, we were not even thinking about Sermo.com per se, but rather the whole security model based on public databases. That’s why it was written on our site, and not sent to you, and a dozen other networks doing the very same.
Since you have participated in some of the discussions, here’s our advice to you. To do damage control, first step that you need to take is to acknowledge the problem, as you have not done so far, and address all of your members. They need to know about it. And then, without hinting about some super secret verification protocols that your company is implementing, overhaul the entire registration procedure. You don’t have some data about US doctors that others don’t have. Whether it is a UPIN number, DEA, or board data, your verification protocol still relies on public databases. And they are called “public” for a reason.
Here’s what we know. When our site deals with the secure registration of our domain name, we work with a company called Domains By Proxy. They are network security experts, and they still ask us to fax them our papers. We believe that this is the only way for you to go: ask each one of the members to fax their license (driving, medical, etc.), or some other reliable paper.
And, finally, a word about the ad hominem attacks. Never in our life we could have imagined that our exposé on how to use public information would provoke so many doctors to attack us so viciously. The vitriol is there: we were called “SOBs,” “traitors,” “a merry band of thieves,” and many more. You at one point suggested that we exposed your site’s vulnerability because we were envious of your success (“… when you become the largest physician community, ever, people start to set their sites [sic] on you…”). You implied the presence of someone as “waste” that might need flushing. Perhaps it would be wise to spend your time addressing the serious issue that exists with your site, instead of insulting concerned doctors that brought your attention to this matter.
Thank you,
Editors @ Medgadget.com
More: Medgadget’s Guide to Hacking into Social Networks for Doctors …; Confirmed: Sermo Is Not for Physicians Only; New Important Questions Raised …; Sermo’s $9M Weak Security Model …; A Note and a Follow Up On Sermo …; Sermo Improves Registration Security; Needs to Do More ….
Update: Mexican Medical Student has an excellent overview of the security issues involved in private social networks here.