Slashdot Mirror


Pharmacare, Harvard Try To Shut Down Security Hole

cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."

10 of 93 comments

  1. I'm impressed by Quattro+Vezina · · Score: 4, Insightful

    Wow...so Harvard actually did something about the hole instead of going after the people who discovered it? I'm floored.

    --
    I support the Center for Consumer Freedom
    1. Re:I'm impressed by odano · · Score: 4, Insightful

      If this type of reaction to a problem is used in the future, I think it will lead to more secure software.

      Think about it. A good guy finds a bug in the software, but in order to test it he ended up breaking into something. For fear of prosecution, he says nothing. Then a bad guy does the same thing, and takes down the system after stealing all the data. If the first guy knew he could contact the administrator without fear of prosecution (if he could prove he has positive intents), then the problem could be patched before the bad guy gets there.

  2. Raises questions? by evilviper · · Score: 4, Insightful
    Raises interesting questions about computer security and using ID numbers as passwords.

    You mean, before this, you would have thought it would be okay to use non-private ID numbers as passwords?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:Raises questions? by superpulpsicle · · Score: 2, Insightful

      I am not sure which is worse. A single social security number containing too much info about me. Or the need for a million different usernames and passwords for everything.

  3. No password by vladd_rom · · Score: 2, Insightful

    >> the difficulties posed to information privacy by the widespread use of ID numbers to verify identity

    So they actually used a "username" with the purpose of representing both a username and a password.

    That is a security issue by design. What were they thinking?

    1. Re:No password by dxxt · · Score: 2, Insightful

      You are right. It is always said that the weakest link in security is human beings, which include not only next door neighbors who provide free wireless access to me, but also designers who just want to provide functionalities as soon as possible.

  4. Somebody is going to pay. BIG by Anonymous Coward · · Score: 1, Insightful

    I smell lawsuits already!

  5. raises interesting questions? by ScentCone · · Score: 4, Insightful

    interesting questions about computer security and using ID numbers as passwords

    Since when has anybody thought that was an acceptable practice? Ever?

    It doesn't raise questions about the practice, it raises questions about the quality of the people dictating the practices. This is 30-years-ago stuff, isn't it? Really, now.

    I will resist any humor related to the gender-based aptitudes of any IT management personnel at Harvard, given their recent discomfort in that area. BTW, if you've ever dealt with HIPAA compliance, it's right up there with Sarbanes-Oxley in terms of IT shop burdens. Not that it's any excuse for using people's known ID numbers as passwords. Whew.

    --
    Don't disappoint your bird dog. Go to the range.
  6. Re:"Possible?" by PornMaster · · Score: 2, Insightful

    I think this raises the kind of question like "should HIPAA systems be certified for use?"

    Since you deal with it, perhaps you could illuminate the types of auditing that go on, and whether there's the possibility of using a software vendor which will indemnify against security design flaws.

  7. Re:From a Harvard Student... -- patently false by cowsandmilk · · Score: 1, Insightful

    Choosing your classes isn't a critical system????

    Or even just seeing what classes someone is taking and where??????

    Imagine this was NYU and it was people hacking in to see what classes Mary Kate & Ashley are taking so they can stalk them. Or worse, these people under FERPA being kidnapped for money. That's why they keep their info private, having that stuff out there is a major security risk for a lot of people.

    --
    http://sladm.org Saint Louis Area Dance Marathon The Best One Night Stand of Your Life