by pfletcherhill 3601 days ago
We make it really easy to request medical records, but we also verify requesters' identity before allowing them to view medical records we collect. We actually use an awesome YC company called BlockScore to handle a lot of that (https://blockscore.com/)!
4 comments

"BlockScore complies with the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland"

This Safe Harbor Framework?: https://techcrunch.com/2015/10/06/europes-top-court-strikes-...

I wasn't really able to get the details on that page, but it seems like they do verification by checking personal information like name, birthday and address against a database and ask a few multiple-choice questions related to them. How is that not easy to circumvent if the attacker has that set of information? (can probably be obtained by a social attack on the victim's bank)

I'm assuming there's something I missed there.

I don't think there is. Knowledge-based authentication is extremely vulnerable to identity theft.

In addition to identity verification, there are two more things we do to protect the privacy of our patients!

1) If the electronic signature on a given request doesn't match the name of the patient, we make sure that the patients are who they say they are before moving on with gathering the medical records.

2) If one tries to sign up on behalf of another patient, we require a Power of Attorney (POA) document!

Hope this answers your question!

1) What are you using to create the signature? How can you guarantee that the attacker can't create the matching signature?

2) How do you know they're trying to do that if they don't tell you? Your scenario looks like a regular situation, not an attack.

I love how y'all seem to be using lots of other YC companies to get the job done. Seems like a great service you provide!

Absolutely! YC has been a huge help. Thanks for the feedback!