Pharmacare, Harvard Try To Shut Down Security Hole
cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."
a possible violation of Federal laws concerning medical records (HIPAA)
Speaking as someone who admins boxes with data that falls under HIPAA (as well as IRS data, but those are different servers), there's no "possible" about it. You don't screw around with HIPAA violations. You will get nailed good and hard.
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
Before everyone crucifies the University for "using ID numbers as both username and password", I will say that although this might have been Pharmacare's policy, it is not widespread policy throughout the university whatsoever.
Attached to our ID numbers we have passwords, which the university has strict rules about when we select them (8 digits, at least 1 letter and 1 number, they're case sensitive, etc). There is no online resource here at Harvard that we can access with only our ID number-- we need the password as well.
And then we also have independent usernames and passwords which we use to access email and log onto networked computers around campus. So the security here is pretty good: visible usernames + secret passwords for email, computer access, etc. coupled with "secret" ID numbers + secret passwords for college resources.
Rob
Actually, not knowing any facts of this case beyond TFA but having fair familiarity with HIPAA regulations, I'd say this is probably not a violation of the sections of HIPAA currently in force.
The Privacy portion of HIPAA is what caused a big stir a couple years ago when it went into effect. (It's the only part of HIPAA really apparent to patients.) It deals with the sorts of intentional disclosures of Protected Health Information that a clinic can make. It does not (amazingly) deal much with unauthorized access to PHI.
For instance, it is allowed under HIPAA Privacy to e-mail a patient's chart to someone over the public internet, as long as you are absolutely sure that the e-mail address you entered represents the correct intended recipient. HIPAA Privacy cares not who reads it in transit.
The Security section of HIPAA will definitely cover this sort of thing. It applies to all electronic PHI in place or in transit. However, it doesn't take effect for a couple months yet. So if you're going to screw up PHI security this badly, you'd best do it quick!
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
Because this is higher ed we're talking about. All too often, security is not even an afterthought at higher ed institutions. Richard Clark made this point at a higher ed cybersecurity summit I attended a few months back (right after the $h!T hit the fan over his book.) Some universities are making progress, but many are totally clueless. Reasons for lax security range from historical perceived lack of need (the small group of people with access were trusted) to budgetary (part time hourly student employees in charge of managing systems full of sensitive data) to political (heavyweights at the university want things done fast, cheap and easy to use -- and we all know "fast, cheap, good: pick any two.")
This is patently false. Though ID/PIN authentication has become more common throughout the university, as the story specifically mentions there are a number of important applications students and faculty access without a PIN, and just an ID or ID+last name.
For instance, head over to http://www.seo.harvard.edu/students/search.html and note that only ID+last name is required. Or https://www.fas.harvard.edu/computing/utilities/activate/.
From the Crimson article:
"But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.
For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual's ID and last name. This would permit someone to illegally share files traceable to another person's identity.
A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office's jobs database. Only an ID is required to access the Office of Career Services' MonsterTrak job listings database.
With a Harvard ID and birthday--obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com--a user can post or download resumés on someone else's eRecruiting account or access the online UHS health insurance waiver form. Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.
Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student's social security number--often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual's current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts."
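The pattern the thread and the Crimson quote describe (an ID plus a last name or birthday, every one of which sits in a public directory or facebook, standing in for a credential) can be shown concretely. The following is an added example, not code from the thread, the Crimson, or any Harvard or Pharmacare system. The directory, the confidential records and the passwords are constructed sample data; PBKDF2-SHA256 and the iteration count are this example's choice, not anything the page specifies. It shows the weak check beside a hardened one and runs the same "directory-only" attacker against both.

```python
"""ID + last name (or birthday) is identification, not authentication.

Added example for the Slashdot thread above; not from the page or any
Harvard system. All data below is constructed.
"""
import hashlib
import hmac
import os

# Constructed: what a campus lookup page, online facebook or a site like
# anybirthday.com exposes to anyone. Nothing here is secret.
PUBLIC_DIRECTORY = [
    {"id": "20311845", "last": "Smith", "dob": "1984-03-09"},
    {"id": "20311846", "last": "Jones", "dob": "1983-11-21"},
    {"id": "20311847", "last": "Lee",   "dob": "1985-06-30"},
]

# Constructed: the backend the web tool fronts. "rx" stands in for the
# drug history, insurance waiver, mail-forwarding address, etc.
CONFIDENTIAL_RECORDS = {
    "20311845": {"last": "Smith", "dob": "1984-03-09", "rx": ["drug-1"]},
    "20311846": {"last": "Jones", "dob": "1983-11-21", "rx": ["drug-2", "drug-3"]},
    "20311847": {"last": "Lee",   "dob": "1985-06-30", "rx": []},
}


def weak_lookup(harvard_id, last_name=None, dob=None):
    """The pattern from the thread: the ID selects the record and a second
    directory field (last name or birthday) is the entire "check"."""
    rec = CONFIDENTIAL_RECORDS.get(harvard_id)
    if rec is None:
        return None
    if last_name is not None and rec["last"].lower() == last_name.lower():
        return rec["rx"]
    if dob is not None and rec["dob"] == dob:
        return rec["rx"]
    return None


def dump_everything(directory):
    """An attacker holding only the public directory gets every record."""
    return {e["id"]: weak_lookup(e["id"], last_name=e["last"]) for e in directory}


# ---- hardened form: the ID names the account, a secret proves the holder ----

PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune for real hardware


def make_password_record(password):
    """Salted PBKDF2-SHA256 so a leaked table does not yield passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                                 PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


# Constructed: secrets chosen by the account holders, present in no directory.
PASSWORD_DB = {
    "20311845": make_password_record("correct horse battery staple"),
    "20311846": make_password_record("Tr0ub4dor&3"),
    "20311847": make_password_record("plover-xyzzy-2005"),
}


def strong_lookup(harvard_id, password):
    """Same lookup, but the directory field is replaced by a real secret."""
    pw = PASSWORD_DB.get(harvard_id)
    if pw is None or not verify_password(pw, password):
        return None  # unknown ID and wrong password look the same to the caller
    return CONFIDENTIAL_RECORDS[harvard_id]["rx"]


def dump_with_directory_hardened(directory):
    """Same attacker, same directory, against the hardened check: every
    directory-derived value (last name, birthday, the ID itself) fails."""
    hits = {}
    for e in directory:
        for guess in (e["last"], e["dob"], e["id"]):
            if strong_lookup(e["id"], guess) is not None:
                hits[e["id"]] = guess
    return hits


if __name__ == "__main__":
    print("weak check, directory only:", dump_everything(PUBLIC_DIRECTORY))
    print("hardened check, directory only:", dump_with_directory_hardened(PUBLIC_DIRECTORY))
```

The point is not the hash: it is that the weak function never asks for anything the attacker cannot already read. Adding a birthday or the last four digits of an SSN, as the Crimson quote describes, only swaps one directory field for another that is slightly harder to find.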