back to article Top GP: Medical app Your.MD's data security wasn't my remit

The founders of medical symptom-checker app Your.MD knew that a number of key medical information databases were "open to anyone who knows the URL", emails seen by a London tribunal have revealed. What's the case about? Your.MD was taken to the Employment Tribunal by former vice-president Randeep Sidhu, who claims he was …

  1. Anonymous Coward
    Anonymous Coward

    "can be downloaded worldwide, and modified, without even a password"

    I wish that I could seem shocked by this, but I'm not. I've dealt with similar cases where things were sitting in some public Google docs thing which could be edited by anyone, without needing to authenticate at all (I know this, because I made such an edit: which edit was still there last time I looked).

    1. Anonymous Coward
      Anonymous Coward

      Re: "can be downloaded worldwide, and modified, without even a password"

      I spend a good chunk of my week explaining to doctors why we blocked all personal e-mail, why we block all cloud storage etc.

      Yes there are other sites we're probably missing but as ALL accesses are monitored they will be caught irrespective.. but it blocks a vast majority of daft use of the internet with personal information.

      I get stick about this every day because it causes them inconvenience, mainly as they need to e-mail something to a group rather than e-mail a link.. "But what if I update it? You mean I need to send SECOND email? That's unacceptable!"

      No, it's lazy. Now go back to watching your ******* youtube videos on nightshift and telling people how busy you are mate.

      1. Doctor Syntax Silver badge

        Re: "can be downloaded worldwide, and modified, without even a password"

        "I get stick about this every day because it causes them inconvenience, mainly as they need to e-mail something to a group rather than e-mail a link."

        Have you wondered if providing mutually acceptable users' problems might be part of you job?

        1. Doctor Syntax Silver badge

          Re: "can be downloaded worldwide, and modified, without even a password"

          Dammit - mutually acceptable solutions

    2. sad_loser

      Clinical Safety Officer

      This case is pretty embarrassing as Maureen Baker set up the programme for accrediting clinical safety officers who have to be clinically qualified.

      As a clinical safety officer I have to review IT in structured way and assess the risk of it causing harm to patients.

      As a clinical safety officer, there is no way I would sign off the 'Clinical Safety Case' if I did not have reasonable assurance that any software was compliant with the relevant legislation - in this case

      - ISO 27001 (data security)

      - ISO 13485 (medical devices)

      - OWASP top 10 ( www.owasp.org - web security)

      - MHRA - https://www.gov.uk/government/publications/medical-devices-software-applications-apps

      And from the description, it sounds as though their app did not tick many (?any) of those boxes.

      It sounds like she got away pretty lightly, as a barrister who knew their way around this particular minefield could have made things very uncomfortable.

  2. BebopWeBop Silver badge
    Joke

    Baker said in response that while any abuses like that would be "deplorable and highly unsatisfactory", systems involving medical records do require people to have access to it "in order to do their jobs: the same could be said of any receptionist or administrator in any healthcare system".

    So I must admit to being a little puzzled abut what Sidhu is in court for and the line of questioning. If she had been told and took no action then there is some culpability, if she but the questioning of someone who "is on its on the startup's clinical advisory board"seems innaproptiate (but then lawyers get paid by the hour).

    Maybe someone more enlightened can explain?

    SNAFU with their 'security' (ho ho - hence the icon) anyway.

    1. Vincent Ballard

      I think you've overlooked the sidebar which explains the context.

      1. Gordon 10 Silver badge

        I read the side bar and it doesn't.

        I for one remain as confused as the OP, and apparently the barrister and the doctor too. It's not clear how these vulnerabilities could be used or for how long they existed.

        Wierd incoherent story with weird partial quotes that shed no light.

        Did the YTS trainee write this one?

        1. Doctor Syntax Silver badge

          "Wierd incoherent story with weird partial quotes that shed no light."

          Don't forget this is a report of a cross-examination. A cross-examination isn't designed to shed light. It's designed to guide the witness into making admissions favourable to whatever side the cross-examiner's working for.

      2. diodesign (Written by Reg staff) Silver badge

        Indeed - anyone confused needs to understand that a) it's an ongoing hearing so all the pieces haven't been joined in the puzzle; and b) see the side-bar and linked-to article for why this is all happening.

        C.

    2. Cuddles Silver badge

      "So I must admit to being a little puzzled abut what Sidhu is in court for and the line of questioning."

      You certainly are puzzled if you think Sidhu is in court for anything. As the article says, Randeep Sidhu is the former employee who is taking Your.MD to court for unfair dismissal. Professor Maureen Baker is the one being questioned. She is in court because it is suggested that as Chief Medical Officer of the company, it was at least partially her responsibility to ensure confidential medical information was, in fact, confidential and not open to be viewed and edited by literally anyone with an internet connection.

      To be honest, I'm not sure why so many people seem to be having trouble understanding the article, it all seems to be very clear and well explained. The only part that is at all confusing is the fact that Professor Baker's replies appear to bear very little relation to the actual questions, but I suspect that's rather par for the course in a situation like this.

  3. Cynic_999 Silver badge

    Misdiagnose?

    The system itself may not be responsible for diagnosing a patient, but if test results were altered it could surely result in a doctor making the incorrect diagnoses?

    The patient him/herself may have a motive for altering their records. e.g. to get cheaper insurance or to avoid having their driving licence revoked.

    1. Jtom Bronze badge

      Re: Misdiagnose?

      Yes, but all very confusing. Two questions: The sidebar says, “which he alleges was so bad that anyone could have tampered with Your.MD's medical advice databases to change the diagnoses issued by the app,” but Baker explicitly stated the app does not make the diagnosis. Which statement is correct?

      The second question is yours: was the medical history of the patient left vulnerable? That could most definitely lead to a misdiagnosis. The incorrect reporting or fabrication of test results, or altering whether someone had or had not a history of an illness would result in making a wrong diagnosis. Even common illnesses, like chicken pox or mumps, could be misdiagnosed based on history (did he or did he not contract those illness previously?). Moreover, the history of FAMILY illnesses could mislead a doctor’s diagnosis, since the predisposition for acquiring many conditions and illnesses is genetic.

      1. Terry 6 Silver badge

        Re: Misdiagnose?

        Leaking or loss of patient data would constitute harm. And there is certainly a responsibility under medical ethics to prevent harm to patients. So a reasonable expectation that the person would have some knowledge and oversight of the security of patent data. How the dots are joined is a matter for the lawyers, and this is a court case, so... watch this space.

  4. Terry 6 Silver badge
    FAIL

    Hmmm

    One the one hand she was chief medial officer, not the CEO, so maybe could leave that stuff to others.

    OTOH she was a professor so has had admin responsibility in the past and is always tied to both medical and research ethical standards. So she should been a bloody sight more proactive. At least for ethical if not legal reasons.

    1. Gordon 10 Silver badge

      Re: Hmmm

      Why? There is no way to tell from those quotes whether she believed the situation was under control or not.

  5. Simon B-52

    Disgraceful

    Disgraceful, but absolutely no surprise whatsoever.

    Of course the NHS has made its/our records available to a crowd of ne'er do wells, so it's just another increment of shitola

  6. W.S.Gosset Bronze badge

    A/ Puzzling . B/ Missing the BIG point?

    A/

    I have only contempt for the "senior" medical profession in the UK -- saw nothing but bullshit and VirtueDisplay posturing in the 20yrs I was there, from them. (My favourite was the decision to kill a lot of people nastily because to do otherwise would, and I quote, "send the wrong message".)

    But this woman, despite having an equivalent title/status and although coming quite close to the usual redflag wording, is always a little bit off, and in significant ways. Positive, real-person ways.

    I'm taking a "wait & see" approach on this. I suspect SHE is in the right, but that this is her first proper experience of serious organisational parasite-bullshit, that this is all a bit startling for her when she had only been told things were being done as agreed (vs done as who-gives-a-fuck). Or she could just be better at imitating a real person than most parasites are. I'll wait & see.

    B/

    In other, far more important news, has no one else picked up on the STRONG implication in her testimony that the app was essentially useless, did NOT do what it said it would do, could NOT provide diagnoses at all?

    Such that any kerfuffle re data-inputs is all quite academic, since they were near meaningless in any IT sense (as most people here are going to assume) .

    To be clear: the data was not actually being USED for diagnosis. Despite the money poured down the project drain to do so.

    I would have thought that THIS would have been the big story.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019