Top GP: Medical app Your.MD's data security wasn't my remit The founders of medical symptom-checker app Your.MD knew that a number of key medical information databases were "open to anyone who knows the URL", emails seen by a London tribunal have revealed. What's the case about? Your.MD was taken to the Employment Tribunal by former vice-president Randeep Sidhu, who claims he was …
I wish that I could seem shocked by this, but I'm not. I've dealt with similar cases where things were sitting in some public Google docs thing which could be edited by anyone, without needing to authenticate at all (I know this, because I made such an edit: which edit was still there last time I looked).
I spend a good chunk of my week explaining to doctors why we blocked all personal e-mail, why we block all cloud storage etc.
Yes there are other sites we're probably missing but as ALL accesses are monitored they will be caught irrespective.. but it blocks a vast majority of daft use of the internet with personal information.
I get stick about this every day because it causes them inconvenience, mainly as they need to e-mail something to a group rather than e-mail a link.. "But what if I update it? You mean I need to send SECOND email? That's unacceptable!"
No, it's lazy. Now go back to watching your ******* youtube videos on nightshift and telling people how busy you are mate.
"I get stick about this every day because it causes them inconvenience, mainly as they need to e-mail something to a group rather than e-mail a link."
Have you wondered if providing mutually acceptable users' problems might be part of you job?
This case is pretty embarrassing as Maureen Baker set up the programme for accrediting clinical safety officers who have to be clinically qualified.
As a clinical safety officer I have to review IT in structured way and assess the risk of it causing harm to patients.
As a clinical safety officer, there is no way I would sign off the 'Clinical Safety Case' if I did not have reasonable assurance that any software was compliant with the relevant legislation - in this case
- ISO 27001 (data security)
- ISO 13485 (medical devices)
- OWASP top 10 ( www.owasp.org - web security)
- MHRA - https://www.gov.uk/government/publications/medical-devices-software-applications-apps
And from the description, it sounds as though their app did not tick many (?any) of those boxes.
It sounds like she got away pretty lightly, as a barrister who knew their way around this particular minefield could have made things very uncomfortable.
Baker said in response that while any abuses like that would be "deplorable and highly unsatisfactory", systems involving medical records do require people to have access to it "in order to do their jobs: the same could be said of any receptionist or administrator in any healthcare system".
So I must admit to being a little puzzled abut what Sidhu is in court for and the line of questioning. If she had been told and took no action then there is some culpability, if she but the questioning of someone who "is on its on the startup's clinical advisory board"seems innaproptiate (but then lawyers get paid by the hour).
Maybe someone more enlightened can explain?
SNAFU with their 'security' (ho ho - hence the icon) anyway.
I read the side bar and it doesn't.
I for one remain as confused as the OP, and apparently the barrister and the doctor too. It's not clear how these vulnerabilities could be used or for how long they existed.
Wierd incoherent story with weird partial quotes that shed no light.
Did the YTS trainee write this one?
"Wierd incoherent story with weird partial quotes that shed no light."
Don't forget this is a report of a cross-examination. A cross-examination isn't designed to shed light. It's designed to guide the witness into making admissions favourable to whatever side the cross-examiner's working for.
"So I must admit to being a little puzzled abut what Sidhu is in court for and the line of questioning."
You certainly are puzzled if you think Sidhu is in court for anything. As the article says, Randeep Sidhu is the former employee who is taking Your.MD to court for unfair dismissal. Professor Maureen Baker is the one being questioned. She is in court because it is suggested that as Chief Medical Officer of the company, it was at least partially her responsibility to ensure confidential medical information was, in fact, confidential and not open to be viewed and edited by literally anyone with an internet connection.
To be honest, I'm not sure why so many people seem to be having trouble understanding the article, it all seems to be very clear and well explained. The only part that is at all confusing is the fact that Professor Baker's replies appear to bear very little relation to the actual questions, but I suspect that's rather par for the course in a situation like this.
The system itself may not be responsible for diagnosing a patient, but if test results were altered it could surely result in a doctor making the incorrect diagnoses?
The patient him/herself may have a motive for altering their records. e.g. to get cheaper insurance or to avoid having their driving licence revoked.
Yes, but all very confusing. Two questions: The sidebar says, “which he alleges was so bad that anyone could have tampered with Your.MD's medical advice databases to change the diagnoses issued by the app,” but Baker explicitly stated the app does not make the diagnosis. Which statement is correct?
The second question is yours: was the medical history of the patient left vulnerable? That could most definitely lead to a misdiagnosis. The incorrect reporting or fabrication of test results, or altering whether someone had or had not a history of an illness would result in making a wrong diagnosis. Even common illnesses, like chicken pox or mumps, could be misdiagnosed based on history (did he or did he not contract those illness previously?). Moreover, the history of FAMILY illnesses could mislead a doctor’s diagnosis, since the predisposition for acquiring many conditions and illnesses is genetic.
Leaking or loss of patient data would constitute harm. And there is certainly a responsibility under medical ethics to prevent harm to patients. So a reasonable expectation that the person would have some knowledge and oversight of the security of patent data. How the dots are joined is a matter for the lawyers, and this is a court case, so... watch this space.
One the one hand she was chief medial officer, not the CEO, so maybe could leave that stuff to others.
OTOH she was a professor so has had admin responsibility in the past and is always tied to both medical and research ethical standards. So she should been a bloody sight more proactive. At least for ethical if not legal reasons.
A/
I have only contempt for the "senior" medical profession in the UK -- saw nothing but bullshit and VirtueDisplay posturing in the 20yrs I was there, from them. (My favourite was the decision to kill a lot of people nastily because to do otherwise would, and I quote, "send the wrong message".)
But this woman, despite having an equivalent title/status and although coming quite close to the usual redflag wording, is always a little bit off, and in significant ways. Positive, real-person ways.
I'm taking a "wait & see" approach on this. I suspect SHE is in the right, but that this is her first proper experience of serious organisational parasite-bullshit, that this is all a bit startling for her when she had only been told things were being done as agreed (vs done as who-gives-a-fuck). Or she could just be better at imitating a real person than most parasites are. I'll wait & see.
B/
In other, far more important news, has no one else picked up on the STRONG implication in her testimony that the app was essentially useless, did NOT do what it said it would do, could NOT provide diagnoses at all?
Such that any kerfuffle re data-inputs is all quite academic, since they were near meaningless in any IT sense (as most people here are going to assume) .
To be clear: the data was not actually being USED for diagnosis. Despite the money poured down the project drain to do so.
I would have thought that THIS would have been the big story.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
