Sermo Strikes Back: A Physicians’ Online Community Lashes Out Against Bloggers Who Publicize Security Gap

9/26/07

When I saw over the weekend that two different blogs had posted on the apparent ease of hacking into Sermo, the password-protected social network for physicians, my first thought was: “Those docs are going to be pissed.” Sermo, after all, promises physicians a secure, closed environment where they can consult with their peers, and if there’s one thing I know about doctors, it’s that they take the peer part—that whole MD thing—awfully seriously. So I was thinking that the Cambridge, MA-based startup and its founder and CEO, Daniel Palestrant, must be getting inundated with feedback from angry physicians taking them to task for evidently leaving a door open to the riff-raff.

As is my track record with Sermo, I got things partly right. According to Palestrant, “all hell broke loose” when word of the blog entries—one including step-by-step instructions for gaining access to Sermo without having an actual MD, and one claiming to have done so without spelling out exactly how—reached the Sermo community. And from comment threads on Sermo (no I didn’t hack in; Sermo provided screenshots), and on the blogs themselves, it seems that many Sermo users are indeed angry—but at the bloggers, not Sermo.

A comment on Sermo, directed toward the authors of the how-to post, is typical in its sentiment, if not in its relatively mild language: “Why would you publish the method for subverting SERMO to the public? This forum is something I value. How dare you compromise that! Shame on you.” Another asks: “Can’t we meet at least one place as peers, without malpractice lawyers, MD wannabes, and certified dogooders horning in to tell us how we should be doing things?” (Elsewhere, journalists are also singled out as persona non grata. Ouch.)

A few of the Sermo comments defend the bloggers, mainly on the grounds that they’re benefiting the community by exposing an important security loophole, but by and large the contempt for them is eye-popping. One user suggests waging an advertiser boycott against Medgadget, an MD-authored blog on emerging medical technologies, which published the how-to post. Others offer thinly veiled suggestions that the post’s authors be reported to their state medical board and the Drug Enforcement Agency for outlining how non-physicians can “impersonate” a physician on Sermo, in part by obtaining a real doctor’s DEA prescribing number. (Medgadget defends itself in an open letter to Palestrant posted this morning.)

Palestrant swears, by the way, that none of Sermo’s employees are anonymously weighing in to tip the discussion in the company’s favor, a la Whole Foods or Constant Contact. And of the 10 to 20 calls he and his team have fielded so far, he says, “we haven’t had one physician who isn’t supportive of Sermo.” To Palestrant, the fact that many Sermo users have circled the wagons to protect the site is an indicator of the year-old online community’s vitality. “As a scientist,” he says, “one of the signs of life is seeing an organism defending itself.” My sense is that Palestrant is a lemons-to-lemonade sort of guy to begin with, and that he’s really enjoying the fact that, rather than blaming him, Sermo users are helping him squeeze the fruit.

As of yesterday, Palestrant says, Sermo had installed a patch (already in the works before all the drama, evidently) that should render Medgadget’s instructions for gaming Sermo’s physician-authentication system useless. Where the previous system required registrants to provide several publicly available pieces of information to prove that they’re licensed physicians, the new system requires some data that should be available only to the individuals. (Previously registered users will have to be re-authenticated the next time they log in, Palestrant says.) Still, Palestrant says, “there’s no such thing as bulletproof security”—and putting up more roadblocks for poseurs inevitably raises the barrier to entry for legitimate users.

At the risk of drawing fire from the “Sermaphrodites” (their term, not mine), I think all the focus on exposing and patching the security gap misses a key point: there are plenty of people with MDs who are also lawyers, pharma reps, industry consultants, and (heaven forfend!) journalists. Which begs the question of just how closed a closed community needs to be in order to function and thrive. And with Sermo looking to use the information generated by its community in more and more ways—including as the basis of a Wikipedia-like medical reference source and in partnerships with the AMA and FDA—I think it will become increasingly important to understand the influence of those legitimate users whose first priority is not patient care.


  • Andrew

    Hi Alice,

    No problem, I’m happy to clarify my perspective and see if you agree with what I’m seeing.

    If we look at the pdf again:

    http://www.fda.gov/ohrms/dockets/dockets/07n0016/07n-0016-ts00028-frost.pdf

    I am specifically referring to the “Watched Physicians” section on page 10 (fairly centrally located on the page) and the “Most Active Authors Tagging with Byetta” on page 11 (the upper left most quadrant). The Watched Physicians section names three individuals – not by alias, but by actual name – you can see for yourself Drs. Adriano Floripa, Michael Rich, and Lydia Shrier. The Most Active Authors Tagging with Byetta shows several aliases – Atheroman, Sermodoc, DocMullen, Priollaud, and nreddy – with a link to “show all 24.”

    Now, let’s go back to Sermo’s Privacy Policy:

    Section 3
    “3. HOW INFORMATION MAY BE SHARED
    a. Sharing
    Sermo may share aggregated demographic information with Sermo’s partners. ***This is not linked to any personal information that can identify any individual person***….
    e. Forums Including Ticket Titles and Posts, Ticket Votes, Discussion Boards and Blog Comments
    When you participate in a http://www.sermo.com Forum including, but not limited to, Ticket Titles, Ticket Posts, Ticket Votes, Discussion Boards, and Blog Comments, Your name or alias and IP address may be recorded for purposes of maintaining Your own account within the Forums and preventing abuses of the forum (see forum or online community rules for more details). ***This information is not used to monitor Your activity within a forum, nor is it used to identify You outside http://www.sermo.com in any way.*** In order to diffuse the information in the Site’s Forums to a wider audience, Sermo may, from time to time, collect some of Your postings and group them together to use in a specific publication, print, electronic mailing or other public dissemination. ***At no point however will Your name, alias or IP address be revealed in any publication.***”

    Given that (all aforementioned security problems aside) the FDA and other Sermo partners and clients do not have access to http://www.sermo.com – they gain access from the sister site AlphaMD – names and aliases (like those used in the sample document) are clearly not supposed to appear in “any publication” outside Sermo’s forums, but they are in fact appearing on client dashboards.

    Also, Sermo tells the physician user that such information “is not used to monitor Your activity within a forum, nor is it used to identify You outside http://www.sermo.com in any way.” Again, the aliases and names of individual physicians are not only being shared outside Sermo (a clear violation, but perhaps physicians aren’t too upset that others may know they use Sermo), but activity of individual physicians is being *monitored* (though Sermo tells us it won’t be) and this activity is being reported to third parties *with individual identifiers* (and I’m sure that physicians who sign up for Sermo’s service would not be pleased if they were aware that their activity – their personal, not aggregate activity – is being tracked and reported to Sermo’s clients).

    And even the section you quote from, Section1, talks about two different types of data that are collected.
    “1. WHAT PERSONALLY IDENTIFIABLE INFORMATION OF YOURS IS COLLECTED
    a. Information collection and use
    Sermo is the sole owner of the information collected on this Site. ***We will not sell, share, transfer or rent any personal information to others in ways different from what is disclosed in this statement.*** Sermo collects information from You on the Profile and Registration pages (“Profile pages”) on our Site. ***Sermo reserves the right to collect, disseminate, sell or otherwise disclose non-personal information provided by You.***”

    Sermo is telling the user that they will sell non-personal information (in the industry, personally identifiable information or PII is defined as information that could perceivably be used to identify an individual – such as name, email address, address, social security number, etc., and in some cases user ids). Therefore, names are still sacrosanct.

    The specific lines you cite are related to the personal profile and come from this paragraph:
    “c. Personal Profile
    Once a registered participant, You may provide additional information in Your personal profile describing your credentials, professional experiences, academic background, biography and the like. Your personal profile shall be available for viewing by other registered participants of Sermo and will be considered non-confidential and non-proprietary. Providing additional information in Your personal profile beyond what is required at registration is entirely optional and can be altered or removed by You at any time.”

    Now, perhaps Sermo is pulling a quick one on us with the loophole that “Your personal profile shall be available for viewing by other registered participants of Sermo and will be considered non-confidential and non-proprietary” IF it would be commonly accepted that “other registered participants of Sermo” includes clients. However, if you look at Sermo’s Terms of Service, paragraph 4, we get a better understanding of what a registered participant is:

    “4. CONDITIONS OF USE AND TERMS
    To use any Materials on this Site, You must (a) be a currently licensed physician in the US, (b) be a registered participant of Sermo.com, and (c) be a resident in the 50 states of the United States of America, exclusive of its commonwealths, territories and possessions (“United States”).”

    In sum, the general understanding is that profile information is public to registered, physician users on Sermo – not the paying clients and affiliated accessing portals and dashboards via AlphaMD, a separate site that resides at http://www.alphamd.com/

    I apologize for the long post, but I really think this issue deserves attention, because as I think everyone here will agree – regardless of your position – credibility and honesty in disclosure is very important – not just for journalists, but for companies, too.

  • http://www.medgadget.com Bruder

    Michael,

    You do seem to believe in the concept that the more you write the same thing over and over, the more meaningful and important it’ll become. In reality that’s a sign of madness on your part.
    Personally, I’d like to hear your opinion on what Medgadget’s role should be with regard to credibility. Maybe you can touch upon your credibility, and how that relates to you being a troll.

  • Michael

    Bruder –

    Perhaps studying and taking courses in journalism are good places to start if you do not know.

    Using Google as one starting point and going to Harvard’s Kennedy School:

    Kennedy School Conference: Blogging, Journalism and Credibility

    From the article:

    “For both journalists and bloggers, credibility is key,” said Alex Jones, Laurence M. Lombard lecturer in the press and public policy and director of the Joan Shorenstein Center on the Press, Politics and Public Policy

    http://www.ksg.harvard.edu/news/news/2005/blogging_012105.htm

  • Michael

    Quoting Andrew above:

    “credibility and honesty in disclosure is very important – not just for journalists, but for companies, too.”

    Absolutely!!!!!!!


  • Michael

    What Andrew is pointing out is legal jargon and needs good legal advice from lawyers experienced in this area as to just what that can mean, realizing that in the law there are often different interpretations of words and phrases.

    I am not a lawyer and not claiming to be even remotely qualified to understand legalese or express a legal opinion.

  • Matilda

    Pages you reference are mock ups.

  • http://www.medgadget.com Bruder

    Michael,

    Sounds like you’re not qualified in much of anything, and therefore do not contribute to this conversation. I’m not sure how you go about your life having to have everything translated to you by a lawyer, while the fact that your alarm clock is ringing needs verification from a professional journalist to get you out of bed.
    You obviously can’t trust your own eyes to see and your own head to understand.

  • http://www.medgadget.com Bruder

    Michael,

    I updated your comment on Medgadget to include my whole quote, not out of context like you decided to do. I hope that helps with the credibility and understanding. You can take a look here: http://www.medgadget.com/archives/2007/09/medgadget_guide_to_hacking_into_social_networks_for_doctors.html

  • Chris

    Michael says,
    “I am not a lawyer and not claiming to be even remotely qualified to understand legalese or express a legal opinion.” [or finish a sentence]

    Reading the above and applying your logic, since you aren’t a doctor, a journalist, or a private investigator either, that pretty much takes you out of every facet of this conversation so far. Maybe now sane discussion can continue.

  • Michael

    Bruder –

    Very interesting what you did. Rather than adding a comment below to clarify the situation or noting on my comment what exactly you added so others would know what I said, the public now does not.

    Rather than repeating it here, I will post my response on that page:

    For the record Bruder of medgadget added to what I said above without any editorial notation of doing that so the reader should realize that medgadget has edited my comments.

    Is there a place on this site where it is stated that medgadget can edit comments? Many of the newspapers do state that letters to the editor can be edited, so does that apply in these discussion groups? It does say above “Open comments are not moderated, although abusive and vulgar remarks may be deleted. Opinions expressed do not necessarily reflect the views of Medgadget.com. Please consult our disclaimer.” and I do not think I have been abusive or vulgar, but obviously there seems to be moderation.

  • Michael

    Chris – My comments and concerns have been about credibility issues in the media. If you are incapable of determining that, then how do you evaluate the myriad of conflicting news sources in the old media and the internet? There are certainly those, not accusing anyone but making a statement, who decide on whether what is written or said agrees or disagrees with their views.

    Go back and read what I have said about my concerns about Dr O’s credibility and his responses, and give me your opinion of his credibility.

  • http://www.medgadget.com Bruder

    Michael,

    I did not edit your comment. I included my own whole quote which you cut in half. It is my professional journalistic opinion that that was an abusive method on your part to misrepresent what I said.
    You can continue writing whatever opinions you have as before.
    Oh, and again, this discussion is not about Medgadget, but about Sermo. Check out the title of this article. Your comments about credibility interest no one beside yourself.

  • Michael

    Bruder – the way to do that is to let the reader know you have changed what they said; otherwise how can they know who really said what? It comes back to credibility again. You can simply add in CAPs what you have added and note that. The better solution is to add a rebuttal.

    Certainly taking a quote out of context is far less abusive than some of the charges made against me here.

    There are questions about what Sermo says on their web site and what they do. Please give me the medgadget web site where it says that medgadget can change what someone writes in without any notation of what exactly was changed, and the web site where it says you can edit what is said. It all comes back to credibility, of whether you can trust what is written.

  • http://www.medgadget.com Bruder

    Michael,

    The heat in Texas must be getting to you. Again, I did not change a word you wrote. You were the one that changed what I wrote. I thought I’d fix it back to how it was. Or am I missing something?
    You all of a sudden seem to understand the “legalese” found on Medgadget, but the words at Sermo are just too hard for you. You are a hypocrite, pretending to fight some cause only you care about.

  • Michael

    Bruder -

    Hmmm …. changing what someone writes in a web page where comments are welcomed, and not letting other readers know what has been changed and why, raises the question of how anyone knows that what is said in the other comments is what was said by the responder and not by people at medgadget to make medgadget look better – isn’t that an issue of credibility?

    If stories on your web pages are changed, is there a notation or an addendum like would be done in the print media, or does the late reader not know it has been changed?

  • http://www.medgadget.com Bruder

    Michael,

    You must have skipped that section where I said I did not edit a single word of yours. You were the one that edited me, and frankly, I think that only speaks to your methods and your moral code.
    Anything else to discuss Michael? Shall we do another 100 comments?

  • Michael

    Bruder you said above: “I did not edit your comment. I included my own whole quote which you cut in half. It is my professional journalistic opinion that that was an abusive method on your part to misrepresent what I said.”

    The way that should be done is to add an editorial note to my comment, and perhaps add in CAPs what you added or to cite the whole quote or to make a comment below in rebuttal.

    I do not know if Rebecca will get this far in reading this thread, but I would like to know just what xconomy’s policy is regarding what is said in these readers’ comments and how xconomy and sites respond to misquotes or quotes taken out of context that they feel wrongly misrepresent them?

    Also, if there is a correction to a story on a web page, how is that handled?

  • Michael

    Bruder –

    Editing seems to me to be changing what is said rather than simply taking something out of context.

    All the same, even in an obvious straight forward story, credibility is still the backbone of journalism so credibility does matter.

    Still, without my comments on your website, how is the new reader to know that my comments, misquote and all, were changed by medgadget? Should not the reader know that?

  • http://www.medgadget.com Bruder

    Michael,

    You say that “The way that should be done is…” Exactly what are your qualifications to be telling a professional journalist how to edit his publication? What are your qualifications to read and understand our Terms of Use statement? I thought you were after credibility, disclosure, professionalism, and all that? Or do those things again not apply to you?

  • Michael

    Bruder

    Please give me the web site in which your “Terms of Use statement” is and where it says that you can change, with no notification, what a reader writes in the comments section.

    So everyone in the public who is not a “professional journalist” is not qualified to make an opinion about the credibility of a journalist, newspaper, radio/tv station or internet media site?

    Being sarcastic again, “Hi, I am a professional journalist and you can trust me about my credibility” is what is taught to professional journalists.

  • Michael

    This whole issue of credibility could have been avoided if, when the first questions about the meaning of being boarded and the official name of Dr. O’s second board came up, Dr. O had immediately looked into it at that time, rather than now, much later, saying he was not aware of the difference and the name of his second board.

    If Dr O had quickly realized what doctors meant about being boarded and the name of his second board, he could have quickly posted on Sermo, that he misspoke about that, then the discussion might have been more on the message rather than the messenger. He is being portrayed as the victim, but that is of his own doing.

    I am not a political scientist or a professional politician, but it seems in politics politicians get into far more trouble by trying to cover up or dispute things rather than just admitting the error and letting the furor die down and moving on.

    Far be it from me to recommend what Dr O should do, but if he now realizes he was mistaken about the issue of boards and sees how what he said could be misinterpreted, and posted his correction on his web site (not hidden away on a “back page”) and made a correction on Sermo, that would be a good start – of course, as it will be pointed out, I have no qualifications for my opinion.

  • http://www.medgadget.com Bruder

    Michael, the unverified, anonymous troll without any credibility or qualification for anything: since you haven’t proven yourself to be even human, why should anyone have to answer your question?

  • Michael

    Hmmmm ….. Only qualified journalists should even try to express an opinion about journalism and, to carry it further, unless qualified about anything, one should not express an opinion. I am not talking about rocket science, but about fields such as the media, politics, etc.

    I keep expressing my view and get insulted back and respond and I am the one accused of being a troll.

    Bruder let me save you time responding and perhaps ending this:

    Michael:

    You evidently do not have qualifications about anything, and I am not even sure if you know your gluteus maximus from your olecranon, so just who are you to even be on the same web site with us professionals, no less for us professionals to take the time to respond to your unqualified comments. Become a professional and then make comments.

  • http://www.medgadget.com Bruder

    Funny how you switch sides when the spotlight is on you. You, old chap, were the one demanding credentials from us for reporting a story that doesn’t need those credentials to be true. As you said it, it’s not rocket science.

    Michael, really, do you any longer know what you want, what issue you’re trying to raise?

  • Michael

    Bruder –

    Dr O was the one who, by mentioning his credentials as a doctor, not his qualifications as a journalist or his technical/internet/security qualifications, brought up the issue, and now those pointing it out are the enemy.

    Bruder -

    General question: can the average, non-professional journalist, citizen have a legitimate opinion about credibility in the media?

  • Michael

    Bruder –

    Saw on your web site you added in brackets the following editorial comment:

    “[nothing was added to Michael's writing. The quote he attributed to Bruder was inserted how it appeared originally. This was an action to prevent Michael from censoring Bruder]”

    I am not a journalist and am trying to learn, so hopefully you can tell me, but just how can a person in the public comments section possibly censor someone from the web site? I do not have any control over what is NOT posted on the web site or comments sections.

  • http://www.xconomy.com/author/rzacks/ Rebecca Zacks

    You’ve both raised several thought-provoking issues, and I’m thrilled that you’ve both taken so much of your time to participate in this discussion. Right now, I’m afraid the discussion is no longer moving forward, and I think that the voices of other participants might be drowned out. Any chance you guys could agree to disagree at this point?

  • http://www.medgadget.com Bruder

    Thank you Rebecca,

    I’m done.

    Cheers.

  • Michael

    Good point Rebecca and sorry for my part in drowning others out. I am guilty as these do tend to get going and feed off each other almost by reflex, so I agree to disagree.

  • http://www.medgadgt.com Bruder

    I just wanted to thank whoever is Edward, Andrew, and Judy for your commentary. We coagulated and presented a lot of your findings here:
    http://www.medgadget.com/archives/2007/10/sermo_confidential.html

    If you’d like to be less anonymous, we’ll give full credit for the work.

  • Michael

    Bruder – I guess you were not really done.

    I would have thought as a journalist, you would have wanted to present a “fair and balanced” report on your web site and present some of the postings of those who disagreed with you. I guess your site (which you view as part of the media) is one of advocacy rather than reporting. That is fine, just as long as the readers know that.

    I do not know if you need it, but you have permission to quote me providing you do not edit what I say as you did on your web site. You can add rebuttals, but do not change my words.

  • Jason

    I am a physician and a member of Sermo and have been following this discussion on Sermo and medgadget.com and through a link on Sermo, this site.

    There seems to be a consensus on Sermo that Sermo is like a doctor’s lounge where doctors meet and talk about cases in their field, listen and ask questions and learn about other fields, discuss common non-medical practice-related topics and family and personal things. Doctors were aware of who might be listening in. Doctors know who is who and can evaluate what other doctors say about medicine, their CV and medically related things. This is probably the same as any group of similar professionals, such as journalists, would do. I do not know if, as Dr O said, his press pass and listing on Google puts him in the same class of journalism as the NY Times, Wall Street Journal, Washington Post or CNET.com, HuffingtonPost.com etc or not, but doctors can evaluate other doctors as I am sure journalists can evaluate his journalism.

    Dr O has a problem with Dr. P and Sermo (Dr P is like the doctor-administrator of Sermo) and when Dr O did not get satisfaction, he went public rather than going to the other doctors in the lounge first to tell them of the problem. Add to this that he used his own web site (just as Sermo is a web site), which he wants to grow for his financial gain and which raises questions, coupled with his medical (not journalism or Internet security) CV which the average doctor saw right through, and so it should not be a surprise that he was not welcomed as the savior but with some skepticism.

    So just who should a doctor on Sermo believe, Dr P or Dr O? Taking into consideration the above, maybe Dr P has no pluses, but Dr O had negatives, so it seems Dr P is ahead in credibility at this time.

    It seems to me that Dr O and medgadget.com have become part of the story and therefore may not be the best source for the rest of the story. Certainly worth reading what is said on medgadget.com , but I believe there is enough to raise questions of impartiality to justify looking to other sources for the continuing story.

  • http://www.xconomy.com/author/rzacks/ Rebecca Zacks

    Hi all,

    Just wanted to let you know that Sermo CEO Daniel Palestrant has answered many of the questions you folks raised about Sermo’s privacy policies here:

    http://www.xconomy.com/2007/10/02/sermo-ceo-offers-answers-to-xconomy-readers-questions-about-privacy/

  • http://DrJohnWrable.WritersWebPages.com John Wrable, M.D.

    Please e-mail Sermo’s address so I can send them some articles I have written.
    Office address:
    20 Hospital Dr. Suite #10
    Toms River, NJ 08755

  • B

    Sermo is a biased community!! You get kicked out for expressing your opinion!! I hope they rot in hell!!!