In the physician community, there’s been a fair amount of buzz about a physician’s-only community (or “social network,” if you prefer) called Sermo. I was curious as to how strong their registration system was to prevent non-physicians from subscribing to the service, which is free and open to all physicians that have either an M.D. or a D.O. (and a DEA prescribing number). So I asked a technology and security consultant friend of mine to check it out.
His findings didn’t surprise me. It took him five minutes and only two tries to register a valid physician account at Sermo, even though he isn’t a physician. He used information freely available on the Internet to register as someone who was a legitimate physician. He took a few screenshots to show me his success:
The problem appears to be a traditional issue between trading off “ease of use” with “tight security.” The best and tightest security would be to manually verify each and every registration with a human phone call. But, of course, this would require money and manpower, something many startups don’t have.
But Sermo can’t use that excuse, since it just closed on yet another round of VC funding in the $26.7 million range (on top of the $9 million they had already raised). So the strongest security possible to protect the integrity of their physician members would be to verify each member manually, yet they aren’t. When it comes to the security of their closed community, Sermo’s FAQ only says:
How do I know that Sermo members are really MDs?
Joining Sermo isn’t easy. In fact, Sermo technology is the first of its kind to authenticate and credential physicians in real-time. Our state-of-the-art technology is working behind the scenes, re-validating physicians every time they sign in, ensuring that only physicians can become members.
Well, in fact, it was incredibly easy. So easy that within 5 minutes, someone who wasn’t a physician did it. And if by chance they close the account my friend created, he can create a new physician account in another 5 minutes. Because Sermo’s authentication process is fundamentally flawed (we won’t tell you how he did it, so don’t ask), the only long-term fix for this problem is asking registrants for even more personally identifiable information (stuff many people won’t like to give up, like their social security number), or calling each person who registers to verify they are who they say they are.
We’re all for closed physician communities — we think they have enormous potential. But we hope that such communities really put their members’ privacy and security interests above “ease of use” and quick registrations. We also hope that VCs really do a little more hard due diligence before plopping their money into whatever the latest/greatest “social network” is, because it is exactly those companies that cut corners on security that can ruin it for future startups in similar spaces.
We contacted Sermo regarding this issue and discovered that a day before we began investigating this security hole (Friday), MedGadget had already discovered and published their take on it. Their method was slightly different from our consultant’s, who simply guessed at the correct DEA number (because you get 3 tries out of 6 possible numbers). Of course, MedGadget’s post makes it even easier.
A spokesperson for Sermo replied to our inquiries with,
Sermo actually rotates the authentication questions and DEA is not the only item we use. Nevertheless, we will be taking additional steps to address this. Alas, when you become the largest online physician community, ever, people start to set their sights on you.
True, true. But if you want to gain a professional’s trust by emphasizing how “secure” your community is, you should be prepared to stand by your current registration practices. The fact that their registration is so easy to game at present means their community is less-than-secure.
Sermo also reminded us that impersonating a physician is a federal offense. We’d love to see what amount of federal resources would be expended to go after Sermo violators, however. Sermo can only rely on Sermo to uphold Sermo’s security model.
Sermo claims it has 30,000 physician members today. We wonder, how many of them are really physicians?
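The arithmetic the post relies on (three tries against six candidate numbers, and a fresh registration after each account closure) is easy to make concrete. The following is an added example, not Sermo’s code and not the consultant’s method; the identity `dr-example-1`, the `TOKEN-n` credentials and the `CredentialVerifier` class are all constructed for illustration. It shows why a retry budget that lives in the registration session gives an impostor roughly a one-in-two chance per attempt, and what changes when the failure count is tied to the claimed identity instead.

```python
"""Added example (not Sermo's code): a toy knowledge-based registration
check, showing how the retry budget interacts with a small candidate space."""
import random

# Constructed records: claimed identity -> credential on file. The token
# stands in for whatever number a real service would ask the registrant for.
RECORDS = {"dr-example-1": "TOKEN-4"}

# Constructed candidate space: the impostor has narrowed the credential down
# to six possibilities from public information, as the post describes.
CANDIDATES = [f"TOKEN-{i}" for i in range(6)]


class CredentialVerifier:
    """Accepts a registration when the supplied credential matches the record.

    With per_identity=False the failure counter lives in the session, so
    abandoning the session (or registering again) resets it. With
    per_identity=True the counter is keyed by the claimed identity and
    survives across sessions.
    """

    def __init__(self, records, max_attempts=3, per_identity=False):
        self.records = records
        self.max_attempts = max_attempts
        self.per_identity = per_identity
        self.identity_failures = {}

    def new_session(self):
        return {"failures": 0}

    def _failures(self, session, identity):
        if self.per_identity:
            return self.identity_failures.get(identity, 0)
        return session["failures"]

    def _record_failure(self, session, identity):
        if self.per_identity:
            self.identity_failures[identity] = self._failures(session, identity) + 1
        else:
            session["failures"] += 1

    def verify(self, session, identity, credential):
        """Return 'accepted', 'rejected' or 'locked'."""
        if self._failures(session, identity) >= self.max_attempts:
            return "locked"
        if self.records.get(identity) == credential:
            return "accepted"
        self._record_failure(session, identity)
        return "rejected"


def success_probability(attempts, candidates):
    """Chance that guessing without repeats hits the right value within
    `attempts` tries when exactly one of `candidates` values is correct."""
    return min(attempts, candidates) / candidates


def simulate_impostor(verifier, identity, candidates, sessions, seed=1):
    """Fraction of registration sessions in which an impostor who tries the
    candidates in random order (no repeats within a session) gets accepted.
    Each session is a fresh registration, as after an account closure."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(sessions):
        session = verifier.new_session()
        for guess in rng.sample(candidates, len(candidates)):
            outcome = verifier.verify(session, identity, guess)
            if outcome == "accepted":
                accepted += 1
                break
            if outcome == "locked":
                break
    return accepted / sessions


if __name__ == "__main__":
    print("analytic, 3 tries of 6:", success_probability(3, 6))
    weak = CredentialVerifier(RECORDS, max_attempts=3, per_identity=False)
    print("per-session budget:", simulate_impostor(weak, "dr-example-1", CANDIDATES, 2000))
    strict = CredentialVerifier(RECORDS, max_attempts=3, per_identity=True)
    print("per-identity budget:", simulate_impostor(strict, "dr-example-1", CANDIDATES, 2000))
```

The per-identity counter only buys time, and it has a cost of its own: three wrong guesses against a real physician’s name lock that physician out of registering, so it needs an out-of-band recovery path. It also does nothing when the credential itself is public knowledge, which is why the post lands on manual, out-of-band verification as the durable fix.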
11 comments
What nefarious purposes would someone have for falsely signing on at Sermo? I know nothing about it, just assuming there’s medical info that some members of the public might be interested in reading.
Well, a closed community is only as good as its gatekeeper. I suspect its members would be saying a lot less than what they are if they knew anyone could read their opinions (instead of just fellow doctors). It’s just the nature of such a community (regardless of the profession).
My point is simple — there’s no reason Sermo needed to go with this weak authentication model for its registration, other than to increase its membership numbers as quickly as possible. I believe Sermo did so at the sacrifice of security, and now has a community where I believe it can legitimately make no guarantees that all of its members are indeed doctors (as they claim).
It’s unfortunate that websites like SERMO have to waste money on things like “internet security”, just like so many of us doctors have to waste time and money on wasteful things like defending and protecting ourselves from parasitic lawyer sodomites. We could be doing more important things, like trying to save lives. But instead we spend our days trying to cover our asses (and creating internet security with government money that was supposed to go towards Sermo’s mission: advancing patient care).
Ron,
Sermo has nothing to do with government money, as it is a private company, so I am afraid that you are mistaken.
I think Sermo’s mission is a good one that I believe in. Physicians want a safe place they can go and talk about cases and get free second opinions. I just think they cut some corners in order to increase their registrations, that’s all.
But I believe they are stonewalling and being disingenuous suggesting it’s not really a problem (especially their suggestion that the federal gov’t would go after anyone impersonating a physician on their service, which is just laughable).
That’s not the kind of attitude we’d expect from a company trying to gain physicians’ trust.
I’m frankly rather appalled that (once again) Doc John is so quick to criticise security measures that are taken by other sites.
How easy would it be for a poster who is blocked at psychcentral to re-register and post under a new username completely undetected by the moderators here?
I’d provide the step by step process for doing that, but I personally believe that providing a step by step process to enable people to get around security measures is bordering on the unprofessional.
I wouldn’t expect someone of professional standing to advise others how to hack into a bank or any other system for that matter. I’d also expect the general attitude to online hackers to be one of sympathy for those whose security measures are breached rather than glee (and outright endorsement) of hacking activities.
> if you want to gain a professional’s trust by emphasizing how “secure” your community is, you should be prepared to stand by your current registration practices. The fact that their registration is so easy to game at present means their community is less-than-secure.
And the fact that it is indeed possible for a blocked poster at your site to reregister under a new posting name without being detected by moderators means that your site is similarly less-than-secure.
My understanding is that doctors like to chat to doctors because they get sick to death of non-doctors asking them for professional advice and then threatening to sue. So long as it cuts down on people asking for advice and / or people threatening to sue for advice received (as it will if people have to at least pretend to be professionals) then I’m happy for them.
I’m not sure if you’re just being argumentative in not seeing the differences between an open, welcome-to-all community like Psych Central and a closed one like Sermo.
I did *not* “advise others” on how one actually goes around their registration process. I pointed out the troubles with using public-knowledge authentication tokens, contacted Sermo about the issue, and received a polite brush off.
Again, as I said in the post (which was apparently read sparingly for content) I like the idea of Sermo. My post isn’t about not liking Sermo or being a fan of their model. My post was about asking how could one have so many resources and not do a security audit to check for this.
> It took him five minutes and only two tries to register a valid physician account at Sermo, even though he isn’t a physician. He used information freely available on the Internet to register as someone who was a legitimate physician.
Inadvertent or otherwise this looks like providing information as to how to get around the security, to me.
It might be the case that it doesn’t take a mastermind to figure it out but then it similarly doesn’t take a mastermind to figure out how to get around being locked out of any other kind of community either.
My point was: How much does it matter to them that only doctors post there? Maybe… It is more of a cursory gesture so that doctors feel freer to say what they think without people insisting on misconstruing it as ‘endorsement’ or ‘advice’. If someone were to attempt to sue then perhaps the defence could be ‘I thought s/he was a doctor hence would not be silly enough to actually try that’. Once it became apparent that the person was, in fact, passing themselves off as a doctor and had actually ‘borrowed’ someone else’s identity to do so I’m fairly sure a litigation would not be successful. Maybe… It is good enough for their purposes…
Their entire business model is based upon maintaining the security of their closed community. So yes, I think it matters greatly to them to keep it closed. Otherwise they would realize zero revenues, and would be out of business tomorrow.
So yeah, it kinda matters to them.
I thought their ‘terms of service’ looked more like they were setting up the legal turf (prepared to sue individuals who breach security at the level of the courts rather than trying to stay ahead of the technology game by preventing people who are determined to gain entry).
I suppose those most likely to attempt to hack into the site would be people who have a financial investment in a certain medication. I would expect that nothing but glowing reports from a particular person for a certain drug would arouse suspicion, however, at which point their status could be looked into.
I guess I’m just not seeing how internet security is something that they are heavily invested in. Sure they have a paragraph talking about security – but I think you would be hard pressed to find a message board site with some professional input that doesn’t mention security.
As a doctor… What does it matter to you if you are thinking you are talking to doctors and it turns out that you aren’t?
– They might misconstrue some thoughts as medical advice, act on it, experience a negative reaction, then sue you. Given the guidelines of the site lawsuits against you on these grounds are unlikely to be successful.
– They might start asking you for professional opinions. Given the guidelines of the site such a person would be blocked fairly swiftly.
– They might insist on sharing their ‘folk theories’ which go against scientific research. Given the guidelines of the site such a person would be investigated and blocked fairly swiftly.
What more could you want from a site where you want to ask some serious questions about medicine and receive some serious answers from people who know what they are talking about?
I don’t really see how investigating every member manually would provide much more benefit. Unless… People are set to send in a constant stream of identity-stealers, of course.
Perhaps the fact that they didn’t seem concerned that it was possible to breach the site this way… Shows you that… They are not concerned.
Alexandra, they are making their money by charging corporate clients — including fund managers, pharmaceutical companies, etc. — to gain access to these conversations. If the corporate clients and others can fairly readily gain access to this same information without paying hundreds of thousands of dollars, that definitely has implications for their business.
What if someone gained access and started posting some of the comments their doctors were making in private in a more public venue (like a blog)? What if that posting has enough information to identify someone, even though the doc thinks it doesn’t?
If Sermo had wanted to have an open community with a loose registration process, they would’ve simply asked you to agree to a statement that says, “I verify that I’m a licensed physician.” Since they didn’t do that, that would imply they understand the importance of securing their borders. They certainly wouldn’t add yet another authentication token to their registration process (as they did after this problem was published).
Oh, and yes, Sermo and its investors are concerned. Just because they don’t post a press release doesn’t mean they haven’t been reacting to this issue. In fact, I’ve been contacted privately by someone associated with one of their investors to talk further.