[conspire] Who authenticates to whom?

Leo P yaconsult at gmail.com
Mon Oct 2 18:54:27 PDT 2017


When I get these survey notices from PAMF, they always contain a unique URL
that takes me to a form where I click buttons and fill in the blanks to
answer questions about my satisfaction in various areas for a recent visit
to a specific doctor.  They never require me to enter any personal
information as they know who is filling out the form due to the unique
URL.  I am much more likely to complete these electronic surveys than I am
the printed forms that they used to send out for me to snail mail back.

Leo

On Mon, Oct 2, 2017 at 5:32 PM, Rick Moen <rick at linuxmafia.com> wrote:

> So, you know how phishing attacks work, right?  You get e-mail that
> claims to be from a person or firm you work with, wanting you to visit
> a URL and do stuff.  This mail below (text portion; there was also an
> HTML portion) isn't quite that, but....
>
> ----- Forwarded message from kaiser.feedback at ipsos-research.com -----
>
> Date: 25 Jul 2017 19:02:04 -0400
> From: kaiser.feedback at ipsos-research.com
> To: rick at linuxmafia.com
> Subject: Feedback for Kaiser Permanente
>
> Kaiser Logo
>
> Dear Kaiser Permanente Member:
>
> A week ago you should have received an e-mail invitation to complete our
> Kaiser Permanente patient satisfaction survey. If you have already completed
> your survey, thank you and please excuse this reminder.
>
> If you have not yet had a chance to respond, please take a few minutes now
> to complete our patient satisfaction survey by clicking here.
>
> Or, copy and paste this link into your browser:
> https://vckaiser.ipsos.com/KaiserNCAL13/?id=[redacted]&password=[redacted]
>
> At Kaiser Permanente we want all of our patients to have an excellent care
> experience. Your survey ratings tell us where we need to focus our
> attention, as well as where our efforts are successful. Ipsos, a national
> marketing research company, is our partner in conducting surveys of our
> members.
>
> If you have trouble activating this survey, please call 1-800-966-1609 or
> e-mail our helpdesk at kaiser.feedback at ipsos-research.com and list the
> subject in the e-mail as Paperless Feedback.
>
> Thank you very much for your participation!
> -------------------------------------------------------------------------------
>
> This e-mail is being sent to you by Ipsos on behalf of Kaiser Permanente.
> Ipsos and Kaiser Permanente attempt to comply with all U.S. Federal and
> state laws for commercial e-mail.
>
> To remove your e-mail address from this survey list and avoid further
> e-mail communications from us, please click here
> -------------------------------------------------------------------------------
>
> For information about Ipsos, you can visit http://www.ipsos.com
> Sender:
> Ipsos
> 222 S. Riverside Plaza
> Chicago, IL 60606
>
> ----- End forwarded message -----
>
> It's commendably forthright in that it says it's _not_ Kaiser
> Permanente, my HMO, but a company asserting it's acting on Kaiser's
> behalf and relaying Kaiser's wish that I visit an outsourced customer
> satisfaction survey -- despite the use of the Kaiser logo and the word
> "we" used as if they were Kaiser.
>
> When you are a Kaiser Permanente HMO member, and deal with that
> organisation online, all of your substantive communication and
> information is via its Web site after authentication, viewed over https.
> You have more than adequate reason to believe you are not communicating
> with imposters or leaking sensitive health information.  The only time
> you get e-mail, it's to tell you to login to that Web site to use the
> secure messaging system -- because they are carefully mindful of HIPAA
> requirements about security.
>
> But this is, of course, routed with zero authentication across the open
> Internet.  If you visit the URL (whose unique hash values I've redacted)
> you are first asked to prove you're the patient, by providing personally
> identifying information.  At this point, I balk, say 'Hell no', and
> close the browser tab.
>
> Every time I've gotten one of these survey invitation mails over the
> years, I've had the same reaction, which was to write to someone at
> Kaiser about why this is a terrible idea and why I cannot in good
> conscience participate.
>
> This time, I carefully researched the right department:
>
>
>   Kaiser Permanente Digital Experience Center
>   4460 Hacienda Drive, Building A, Third Floor
>   Pleasanton, CA 94588
>
>   Re: [personal stuff redacted] and Ipsos Research’s survey
>
>   Dear Sirs:
>
>   I have a security & privacy concern about the outsourced patient-survey
>   work handled by Ipsos Research, apparently under contract to Kaiser
>   Permanente.
>
>   In the computer security business that is part of my profession, we go
>   to great lengths to coax users towards never giving out sensitive data
>   to outsiders without extremely good justification.  In this case,
>   following a visit to my personal care physician, [name], I once again
>   received e-mail from Ipsos Research with a Kaiser logo on top and using
>   the word "we" as if they were Kaiser Permanente, asking me to visit a
>   vckaiser.ipsos.com URL and fill out a patient satisfaction survey.
>
>   Yes, surely it was a reasonable guess that Ipsos Research’s survey was
>   authorized by Kaiser management, but nothing whatsoever in that e-mail
>   or elsewhere validates it, and essentially it says ‘Go to a third-party
>   Web site run by people you’ve never heard of and enter personal
>   information related to medical matters.’  I cannot determine what Ipsos
>   would do with my answers.  All I know is it’s from someone who knows my
>   name and knows or guesses that I’m a Kaiser member, which is no secret.
>   Every day, I get phishing mails that guess where I bank, for example.
>
>   Upon visiting that URL, it asks me to confirm I’m [my full formal name],
>   which is fine, because Ipsos Research already knows it, and it’s public
>   information.  Confirming that, I am next asked to provide either my
>   birth date or my Kaiser Medical Record Number to “verify” my identity –
>   and my reaction is, sorry, neither of these is public data, you are not
>   Kaiser Permanente, and I’ve been given no meaningful assurance that
>   Ipsos has any legitimate purpose for asking.  Accordingly, I did not
>   proceed.
>
>   Now, before you say ‘Don’t worry, the survey is legitimate and you
>   should fill it out’, please be aware that’s the lesser problem.  The
>   larger one is that (assuming the survey is legit, as seems extremely
>   likely) you and Ipsos are accustomizing Kaiser patients to give out
>   personal medical-relevant data (birth date or Kaiser number, at minimum)
>   to unknown-to-them Internet concerns they have really no reason to trust
>   at all – and certainly not with a degree of confidentiality typical of
>   medical matters (and in fact, no confidentiality at all).
>
>   I have written to Kaiser before, some years ago, calling attention to
>   this ongoing failure to follow best practices for electronic privacy,
>   and made no impression.  It bothers me that I’m (in effect) unable to
>   praise [doctor's name] and the [office location] staff’s excellent care
>   while still acting prudently in matters of online information security.
>   [Doctor's name] and staff deserve better, and so do Kaiser’s patients.
>
>   A sufficient fix, in my estimation, would be for the survey request with
>   vckaiser.ipsos.com URL to be sent from within KP HealthConnect’s Message
>   Center subsystem, rather than just arriving at the patient’s Internet
>   e-mail mailbox from some unknown Internet site.  Or, alternatively,  KP
>   HealthConnect’s Message Center could send the patient a notice saying
>   “You’ll be receiving soon a survey request from Ipsos Research citing
>   ticket #nnnnnn.  Please fill it out, to give us feedback about customer
>   satisfaction.”  Either would fix the problem.
>
>   As things stand, I can neither participate in your patient satisfaction
>   surveys nor recommend other Kaiser members do so.  It’s bad security and
>   sets a bad, and in fact dangerous, precedent for communication with
>   patients.
>
> Long after sending this overlong letter, I realised the right way to
> articulate the central point:  They needed to authenticate themselves to
> _me_, and not expect me to authenticate myself to _them_.
>
> An apt analogy would be incoming cold telephone calls from people who
> start out by asking you, the person called, questions.  These days, I
> ignore those questions completely and say
>
> o  Who are you?
> o  For whom are you calling?
> o  Please state your business.
>
> Random callers don't get to ask questions.
>
>
> I most certainly didn't expect Kaiser's massive bureaucracy to respond
> to a letter from little ol' me by altering an outsourcing contract
> long-ago decided with upper management buy-in.  Instead, someone would
> obviously be tasked with justifying the iceberg's motion as right and
> proper.  I was not disappointed.  I expected a form letter, but this
> was actually substantive and carefully written, if somewhat evasive.
>
> I won't type in the letter, but can summarise it:
>
>
> 1.  It's from the Director of Patient Satisfaction at Kaiser HQ,
> who is obviously extremely intelligent and fully understands the
> issue I raise.  (And was entirely cordial.)
>
> 2.  The Director blandly ignores and talks around my point about
> accustomizing Kaiser patients to give out personal medical-relevant data
> to unknown-to-them Internet concerns they have really no reason to trust
> at all.  Instead, she stresses that Kaiser and Ipsos Research are scrupulous
> about ensuring HIPAA compliance, and dismisses giving out one's birth
> date or last four digits of one's Kaiser medical record number as
> 'useless to anyone else as a form of identifying you, since only the
> complete medical record number is meaningful'.
>
> The Director's implicit point is that, when all is said and done, Kaiser
> isn't required to heed a patient's notions of best practices and good
> security.  Their lawyers and other advisors tell them they're covered,
> and the Director is politely telling me so.  Fair enough.
>
> 3.  She rather cheekily closes by thanking me for taking the time to
> complete the surveys -- knowing that I will not under current
> conditions.
>
> 4.  As to my suggestion about how the Ipsos questionnaire could be
> authenticated to the user with only one or another of some small
> improvements, she thanked me for the suggestion and says they will
> consider it for the next survey revision cycle.
>
>
> Better than a kick in the pants, I guess.  Actually, fairly impressive.
>
>