Top GP: Medical app Your.MD's data security wasn't my remit

Prof Maureen Baker told tribunal info security and clinical safety are two separate things

The founders of medical symptom-checker app Your.MD knew that a number of key medical information databases were "open to anyone who knows the URL", emails seen by a London tribunal have revealed.

Emails read out to the Central London Employment Tribunal in Holborn this morning by former vice-president Randeep Sidhu's barrister, Andrew Hochhauser QC, revealed:

  • Your.MD execs were aware that five key databases were "publicly available to the internet" in June 2017;
  • the firm had no way of validating, at the time, that business-critical microservices "still work[ed] to specification" following changes; and
  • data from Your.MD's medical knowledge database, Alexandria, "can be downloaded worldwide, and modified, without even a password".

In addition, a Facebook chatbot devised by Your.MD allegedly allowed its Facebook page admins direct access to customers' health data.

The vulnerabilities, allegations about which were made in two emails sent by Your.MD Ltd chief product officer Sam Lowe on 12 June 2017, were "first priorities" to be fixed. Lowe also proposed organising an "independent 3rd party penetration test" to check for other vulnerabilities. Your.MD chief operating officer Alessandro Traverso replied in an immediate followup email that he agreed the situation was serious.

Top doc asked about data security

Lowe's emails were read out during cross-examination of Professor Maureen Baker, a former chairwoman of the Royal College of GPs who is Your.MD's chief medical officer (CMO) and also sits on the startup's clinical advisory board. In addition to these posts, she is a visiting professor of general practice at the University of Sheffield.

Professor Baker responded to Hochhauser's early line of questioning about data security by saying: "If I can expand. I'm really focused on the medical and professional aspects. I'm not – I didn't have any discussions about the tech or the presentations and this hasn't come up in the discussions I've had with the medical teams."

Her Scottish lilt remaining level and clear in the well-heated hearing room, she added: "I'm talking here specifically about clinical safety. Clinical safety and data security are not the same thing… that's not my remit."

Sidhu, the claimant, had previously argued during his own cross-examination that the two were very closely connected.

Surely, asked Hochhauser, the Alexandria medical knowledge database being unsecured meant that "a malicious person could make the service misdiagnose dangerous conditions?"

"No," replied Baker, "that's incorrect on two levels."

"So firstly the app does not make a diagnosis. So it cannot misdiagnose. Secondly, the data referred to, steps, etc, none of that would affect the outcome of a consultation on Your.MD," she added.

"What is being suggested," intoned Hochhauser in a deep voice, "and it was looked at in Mr Lowe's email, is that Alexandria could have incorrect information inserted into it because of the lack of security and that posed a problem… I realise you want to assist the company, but would you agree that is an unsatisfactory state of affairs?"

Stung, Baker responded: "Firstly, I have sworn an oath to tell the truth and I am answering your questions; it's not about assisting the company. Secondly, I think you're conflating things."

She continued, pausing occasionally to gather her words. "So there's one issue, which is alteration of the medical knowledge database. That's an issue. If that happened that would be – there are possibilities for things to go wrong. I accept that. However, what I don't accept is the health metrics bit leading to a problem for a user. In terms of a condition outcome."

Facebook, chatbots and people's medical histories

Back in 2017, Your.MD released a Facebook Chat-based bot where users could interact with it and ask it for advice on medical symptoms. Sidhu claimed that Your.MD implemented few privacy controls on who within the company could access customers’ information via Facebook.

In his witness statement, Sidhu asserted that "personally identifiable information was linked to highly sensitive personal information that could compromise the individual, such as abortions, sexual health and/or a pre-existing medical condition". He claimed that "any admin" of Your.MD's Facebook account "could use their personal Facebook profile to find their employer/boyfriend/parents/friends" and use the sensitive medical information "to threaten or blackmail the user".

"Given your background, Professor Baker," asked Hochhauser, "wouldn't you agree that that is a highly unsatisfactory state of affairs?"

Baker said in response that while any abuses like that would be "deplorable and highly unsatisfactory", systems involving medical records do require people to have access to it "in order to do their jobs: the same could be said of any receptionist or administrator in any healthcare system".

The tribunal is due to conclude today. Judgment is expected to be handed down in a few weeks' time. ®

Broader topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022