Slashdot Mirror


Pharmacare, Harvard Try To Shut Down Security Hole

cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."

4 of 93 comments

  1. I'm impressed by Quattro+Vezina · Score: 4, Insightful

    Wow...so Harvard actually did something about the hole instead of going after the people who discovered it? I'm floored.

    --
    I support the Center for Consumer Freedom

    1. Re:I'm impressed by odano · Score: 4, Insightful

      If this type of reaction to a problem is used in the future, I think it will lead to more secure software.

      Think about it. A good guy finds a bug in the software, but in order to test it he ended up breaking into something. For fear of prosecution, he says nothing. Then a bad guy does the same thing, and takes down the system after stealing all the data. If the first guy knew he could contact the administrator without fear of prosecution (if he could prove he has positive intents), then the problem could be patched before the bad guy gets there.

  2. Raises questions? by evilviper · Score: 4, Insightful

    Raises interesting questions about computer security and using ID numbers as passwords.

    You mean, before this, you would have thought it would be okay to use non-private ID numbers as passwords?

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant

  3. raises interesting questions? by ScentCone · Score: 4, Insightful

    interesting questions about computer security and using ID numbers as passwords

    Since when has anybody thought that was an acceptable practice? Ever?

    It doesn't raise questions about the practice, it raises questions about the quality of the people dictating the practices. This is 30-years-ago stuff, isn't it? Really, now.

    I will resist any humor related to the gender-based aptitudes of any IT management personnel at Harvard, given their recent discomfort in that area. BTW, if you've ever dealt with HIPAA compliance, it's right up there with Sarbanes-Oxley in terms of IT shop burdens. Not that it's any excuse for using people's known ID numbers as passwords. Whew.

    --
    Don't disappoint your bird dog. Go to the range.