Sermo Strikes Back: A Physicians’ Online Community Lashes Out Against Bloggers Who Publicize Security Gap
When I saw over the weekend that two different blogs had posted on the apparent ease of hacking into Sermo, the password-protected social network for physicians, my first thought was: “Those docs are going to be pissed.” Sermo, after all, promises physicians a secure, closed environment where they can consult with their peers, and if there’s one thing I know about doctors, it’s that they take the peer part—that whole MD thing—awfully seriously. So I was thinking that the Cambridge, MA-based startup and its founder and CEO, Daniel Palestrant, must be getting inundated with feedback from angry physicians taking them to task for evidently leaving a door open to the riff-raff.
As is my track record with Sermo, I got things partly right. According to Palestrant, “all hell broke loose” when word of the blog entries—one including step-by-step instructions for gaining access to Sermo without having an actual MD, and one claiming to have done so without spelling out exactly how—reached the Sermo community. And from comment threads on Sermo (no I didn’t hack in; Sermo provided screenshots), and on the blogs themselves, it seems that many Sermo users are indeed angry—but at the bloggers, not Sermo.
A comment on Sermo, directed toward the authors of the how-to post, is typical in its sentiment, if not in its relatively mild language: “Why would you publish the method for subverting SERMO to the public? This forum is something I value. How dare you compromise that! Shame on you.” Another asks: “Can’t we meet at least one place as peers, without malpractice lawyers, MD wannabes, and certified dogooders horning in to tell us how we should be doing things?” (Elsewhere, journalists are also singled out as persona non grata. Ouch.)
A few of the Sermo comments defend the bloggers, mainly on the grounds that they’re benefiting the community by exposing an important security loophole, but by and large the contempt for them is eye-popping. One user suggests waging an advertiser boycott against Medgadget, an MD-authored blog on emerging medical technologies, which published the how-to post. Others offer thinly veiled suggestions that the post’s authors be reported to their state medical board and the Drug Enforcement Agency for outlining how non-physicians can “impersonate” a physician on Sermo, in part by obtaining a real doctor’s DEA prescribing number. (Medgadget defends itself in an open letter to Palestrant posted this morning.)
Palestrant swears, by the way, that none of Sermo’s employees are anonymously weighing in to tip the discussion in the company’s favor, a la Whole Foods or Constant Contact. And of the 10 to 20 calls he and his team have fielded so far, he says, “we haven’t had one physician who isn’t supportive of Sermo.” To Palestrant, the fact that many Sermo users have circled the wagons to protect the site is an indicator of the year-old online community’s vitality. “As a scientist,” he says, “one of the signs of life is seeing an organism defending itself.” My sense is that Palestrant is a lemons-to-lemonade sort of guy to begin with, and that he’s really enjoying the fact that, rather than blaming him, Sermo users are helping him squeeze the fruit.
As of yesterday, Palestrant says, Sermo had installed a patch (already in the works before all the drama, evidently) that should render Medgadget’s instructions for gaming Sermo’s physician-authentication system useless. Where the previous system required registrants to provide several publicly available pieces of information to prove that they’re licensed physicians, the new system requires some data that should be available only to the individuals. (Previously registered users will have to be re-authenticated the next time the log in, Palestrant says.) Still, Palestrant says, “there’s no such thing as bulletproof security”—and putting up more roadblocks for poseurs inevitably raises the barrier to entry for legitimate users.
At the risk of drawing fire from the “Sermaphrodites” (their term, not mine), I think all the focus on exposing and patching the security gap misses a key point: there are plenty of people with MDs who are also lawyers, pharma reps, industry consultants, and (heaven forfend!) journalists. Which begs the question of just how closed a closed community needs to be in order to function and thrive. And with Sermo looking to use the information generated by its community in more and more ways—including as the basis of a Wikipedia-like medical reference source and in partnerships with the AMA and FDA—I think it will become increasingly important to understand the influence of those legitimate users whose first priority is not patient care.