<div dir="ltr"><div>When I get these survey notices from PAMF, they always contain a unique URL that takes me to a form where I click buttons and fill in the blanks to answer questions about my satisfaction in various areas for a recent visit to a specific doctor. They never require me to enter any personal information as they know who is filling out the form due to the unique URL. I am much more likely to complete these electronic surveys than I am the printed forms that they used to send out for me to snail mail back.<br><br></div>Leo<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 2, 2017 at 5:32 PM, Rick Moen <span dir="ltr"><<a href="mailto:rick@linuxmafia.com" target="_blank">rick@linuxmafia.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So, you know how phishing attacks work, right? You get e-mail that<br>
claims to be from a person or firm you work with, wanting you to visit<br>
a URL and do stuff. This mail below (text portion; there was also an<br>
HTML portion) isn't quite that, but....<br>
<br>
----- Forwarded message from <a href="mailto:kaiser.feedback@ipsos-research.com">kaiser.feedback@ipsos-<wbr>research.com</a> -----<br>
<br>
Date: 25 Jul 2017 19:02:04 -0400<br>
From: <a href="mailto:kaiser.feedback@ipsos-research.com">kaiser.feedback@ipsos-<wbr>research.com</a><br>
To: <a href="mailto:rick@linuxmafia.com">rick@linuxmafia.com</a><br>
Subject: Feedback for Kaiser Permanente<br>
<br>
Kaiser Logo<br>
<br>
Dear Kaiser Permanente Member:<br>
<br>
A week ago you should have received an e-mail invitation to complete our Kaiser<br>
Permanente patient satisfaction survey. If you have already completed your<br>
survey, thank you and please excuse this reminder.<br>
<br>
If you have not yet had a chance to respond, please take a few minutes now to<br>
complete our patient satisfaction survey by clicking here.<br>
<br>
Or, copy and paste this link into your browser:<br>
<a href="https://vckaiser.ipsos.com/KaiserNCAL13/?id=[redacted]&password=[redacted]" rel="noreferrer" target="_blank">https://vckaiser.ipsos.com/<wbr>KaiserNCAL13/?id=[redacted]&<wbr>password=[redacted]</a><br>
<br>
At Kaiser Permanente we want all of our patients to have an excellent care<br>
experience. Your survey ratings tell us where we need to focus our attention,<br>
as well as where our efforts are successful. Ipsos, a national marketing<br>
research company, is our partner in conducting surveys of our members.<br>
<br>
If you have trouble activating this survey, please call <a href="tel:1-800-966-1609" value="+18009661609">1-800-966-1609</a> or<br>
e-mail our helpdesk at <a href="mailto:kaiser.feedback@ipsos-research.com">kaiser.feedback@ipsos-<wbr>research.com</a> and list the subject<br>
in the e-mail as Paperless Feedback.<br>
<br>
Thank you very much for your participation!<br>
------------------------------<wbr>------------------------------<wbr>-------------------<br>
<br>
This e-mail is being sent to you by Ipsos on behalf of Kaiser Permanente. Ipsos<br>
and Kaiser Permanente attempt to comply with all U.S. Federal and state laws<br>
for commercial e-mail.<br>
<br>
To remove your e-mail address from this survey list and avoid further e-mail<br>
communications from us, please click here<br>
------------------------------<wbr>------------------------------<wbr>-------------------<br>
<br>
For information about Ipsos, you can visit <a href="http://www.ipsos.com" rel="noreferrer" target="_blank">http://www.ipsos.com</a><br>
Sender:<br>
Ipsos<br>
222 S. Riverside Plaza<br>
Chicago, IL 60606<br>
<br>
----- End forwarded message -----<br>
<br>
It's commendably forthright in that is says it's _not_ Kaiser<br>
Permanente, my HMO, but a company asserting it's acting on Kaiser's<br>
behalf and relaying Kaiser's wish that I visit an outsourced customer<br>
satisfaction survey -- despite the use of the Kaiser logo and the word<br>
"we" used as if they were Kaiser.<br>
<br>
When you are a Kaiser Permanente HMO member, and deal with that<br>
organisation online, all of your substantive communication and<br>
information is via its Web site after authentication, viewed over https.<br>
You have more than adequate reason to believe you are not communicating<br>
with imposters or leaking sensitive health information. The only time<br>
you get e-mail, it's to tell you to login to that Web site to use the secure<br>
messaging system -- because they are carefully mindful of HIPPA<br>
requirements about security.<br>
<br>
But this is, of course, routed with zero authentication across the open<br>
Internet. If you visit the URL (whose unique hash values I've redacted)<br>
you are first asked to prove you're the patient, by providing personally<br>
identifying information. At this point, I balk, say 'Hell no', and<br>
close the browser tab.<br>
<br>
Every time I've gotten one of these survey invitation mails over the<br>
years, I've had the same reaction, which was to write to someone at<br>
Kaiser about why this is a terrible idea and why I cannot in good<br>
conscience participate.<br>
<br>
This time, I carefully researched the right department:<br>
<br>
<br>
Kaiser Permanente Digital Experience Center<br>
4460 Hacienda Drive, Building A, Third Floor<br>
Pleasanton, CA 94588<br>
<br>
Re: [personal stuff redacted] and Ipsos Research’s survey<br>
<br>
Dear Sirs:<br>
<br>
I have a security & privacy concern about the outsourced patient-survey<br>
work handed by Ipsos Research, apparently under contract to Kaiser<br>
Permanente.<br>
<br>
In the computer security business that is part of my profession, we go<br>
to great lengths to coax users towards never giving out sensitive data<br>
to outsiders without extremely good justification. In this case,<br>
following a visit to my personal care physician, [name], I once again<br>
received e-mail from Ipsos Research with a Kaiser logo on top and using<br>
the word "we" as if they were Kaiser Permanente, asking me to visit a<br>
<a href="http://vckaiser.ipsos.com" rel="noreferrer" target="_blank">vckaiser.ipsos.com</a> URL and fill out a patient satisfaction survey.<br>
<br>
Yes, surely it was a reasonable guess that Ipsos Research’s survey was<br>
authorized by Kaiser management, but nothing whatsoever in that e-mail<br>
or elsewhere validates it, and essentially it says ‘Go to a third-party<br>
Web site run by people you’ve never heard of and enter personal<br>
information related to medical matters.’ I cannot determine what Ipsos<br>
would do with my answers. All I know is it’s from someone who knows my<br>
name and knows or guesses that I’m a Kaiser member, which is no secret.<br>
Every day, I get phishing mails that guess where I bank, for example.<br>
<br>
Upon visiting that URL, it asks me to confirm I’m [my full formal name],<br>
which is fine, because Ipso Research already knows it, and it’s public<br>
information. Confirming that, I am next asked to provide either my<br>
birth date or my Kaiser Medical Record Number to “verify” my identity –<br>
and my reaction is, sorry, neither of these is public data, you are not<br>
Kaiser Permanente, and I’ve been given no meaningful assurance that<br>
Ipsos has any legitimate purpose for asking. Accordingly, I did not<br>
proceed.<br>
<br>
Now, before you say ‘Don’t worry, the survey is legitimate and you<br>
should fill it out’, please be aware that’s the lesser problem. The<br>
larger one is that (assuming the survey is legit, as seems extremely<br>
likely) you and Ipsos are accustomizing Kaiser patients to give out<br>
personal medical-relevant data (birth date or Kaiser number, at miminum)<br>
to unknown-to-them Internet concerns they have really no reason to trust<br>
at all – and certainly not with a degree of confidentiality typical of<br>
medical matters (and in fact, no confidentiality at all).<br>
<br>
I have written to Kaiser before, some years ago, calling attention to<br>
this ongoing failure to follow best practices for electronic privacy,<br>
and made no impression. It bothers me that I’m (in effect) unable to<br>
praise [doctor's name] and the [office location] staff’s excellent care<br>
while still acting prudently in matters of online information security.<br>
[Doctor's name] and staff deserves better, and so do Kaiser’s patients.<br>
<br>
A sufficient fix, in my estimation, would be for the survey request with<br>
<a href="http://vckaiser.ipsos.com" rel="noreferrer" target="_blank">vckaiser.ipsos.com</a> URL to be sent from within KP HealthConnect’s Message<br>
Center subsystem, rather than just arriving at the patient’s Internet<br>
e-mail mailbox from some unknown Internet site. Or, alternatively, KP<br>
HealthConnect’s Message Center could send the patient a notice saying<br>
“You’ll be receiving soon a survey request from Ipsos Research citing<br>
ticket #nnnnnn. Please fill it out, to give us feedback about customer<br>
satisfaction.” Either would fix the problem.<br>
<br>
As things stand, I can neither participate in your patient satisfaction<br>
surveys nor recommend other Kaiser members do so. It’s bad security and<br>
sets a bad, and in fact dangerous, precedent for communication with<br>
patients.<br>
<br>
Long after sending this overlong letter, I realised the right way to<br>
articulate the central point: They needed to authenticate themselves to<br>
_me_, and not expect me to authenticate myself to _them_.<br>
<br>
An apt analogy would be incoming cold telephone calls from people who<br>
start out by asking you, the person called, questions. These days, I<br>
ignore those questions completely and say<br>
<br>
o Who are you?<br>
o For whom are you calling?<br>
o Please state your business.<br>
<br>
Random callers don't get to ask questions.<br>
<br>
<br>
I most certainly didn't expect Kaiser's massive bureaucracy to respond<br>
to a letter from little ol' me by altering an outsourcing contract<br>
long-ago decided with upper management buy-in. Instead, someone would<br>
obviously be tasked with justifying the iceberg's motion as right and<br>
proper. I was not disappointed. I expected a form letter, but this<br>
was actually substantive and carefully written, if somewhat evasive.<br>
<br>
I won't type in the letter, but can summarise it:<br>
<br>
<br>
1. It's from the Director of Patient Satisfaction at Kaiser HQ,<br>
who is obviously extremely intelligent and fully understands the<br>
issue I raise. (And was entirely cordial.)<br>
<br>
2. The Director blandly ignores and talks around my point about<br>
accustomizing Kaiser patients to give out personal medical-relevant data<br>
to unknown-to-them Internet concerns they have really no reason to trust<br>
at all. Instead, she stresses that Kaiser and Ipsos Reserch are scrupulous<br>
about ensuring HIPPA compliance, and dismisses giving out one's birth<br>
date or last for digits of one's Kaiser medical record number as<br>
'useless to anyone else as a form of identifying you, since only the<br>
complete medical record number is meaningful.<br>
<br>
The Director's implicit point is that, when all is said and done, Kaiser<br>
isn't required to heed a patient's notions of best practices and good<br>
security. Their lawyers and other advisors tell them they're covered,<br>
and the Director is politely telling me so. Fair enough.<br>
<br>
3. She rather cheekily closes by thanking me for taking the time to<br>
complete the surveys -- knowing that I will not under current<br>
conditiosn.<br>
<br>
4. As to my suggestion about how the Ipsos questionaire could be<br>
authenticated to the user with only one or another of some small<br>
improvements, she thanked me for the suggestion and says they will<br>
consider it for the next survey revision cycle.<br>
<br>
<br>
Better than a kick in the pants, I guess. Actually, fairly impressive.<br>
<br>
<br>
______________________________<wbr>_________________<br>
conspire mailing list<br>
<a href="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a><br>
<a href="http://linuxmafia.com/mailman/listinfo/conspire" rel="noreferrer" target="_blank">http://linuxmafia.com/mailman/<wbr>listinfo/conspire</a><br>
</blockquote></div><br></div>