Pharmacare, Harvard Try To Shut Down Security Hole

cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."

6 of 93 comments

  1. the key question by edward.virtually@pob · Score: 4, Interesting

    the key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS. but in a world where dependable unix solutions are replaced with windows solutions that have to be rebooted every two weeks to avoid "data overload" (the reporter's term, not mine) and crash if someone puts a zero in the wrong application entry field, putting 800 planes worth of lives at risk and rendering a navy vessel dead in the water respectively, but NOTHING IS DONE about it except making sure they "DON'T DO THAT, THEN", this article should come as a surprise to NO ONE.

  2. self incrimination by Doc+Ruby · Score: 2, Interesting

    And what about the results of mandatory drug tests? Since they're not the property of a powerful insurance corporation, they won't get the same kind of expensive protection. So when you sacrifice your privacy to your employer by submitting to a drug test, you're risking telling the world some of your most private info, even if they fire you - because they very possibly will keep the data after they get rid of you.

    --
    make install -not war

  3. Re:"Possible?" by peacefinder · Score: 2, Interesting

    "should HIPAA systems be certified for use?"

    It is a common misunderstanding to think that software, hardware, or turnkey systems can be made inherently HIPAA compliant. They can't.

    HIPAA does not specify technologies, it specifies that a clinic (or whatever) that generates, uses, or stores protected health information have policies in place to protect that data (for several values of "protect") and that it adheres to its own policies.

    Like ISO 9000, HIPAA is just a standard framework for creating policies. ISO 9000 compliance, as Dilbert observed, is not affected by how stupid the policy actually is, but how consistently it is followed. In the case of HIPAA, of course, the standard is mandatory, legally binding, and places upper limits on the allowable stupidity of the policies.

    However, systems can be made HIPAA capable, meaning they are designed so that it is possible (or maybe even easy) to adapt the system to one's own HIPAA policies. But that's as far as it goes... there is not now and probably never will be such thing as software that is certified to be HIPAA Compliant, no matter what the vendor's marketing department may tell you.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd

  4. Re:Raises questions? by legirons · Score: 2, Interesting

    "You mean, before this, you would have thought it would be okay to use non-private ID numbers as passwords?"

    Please prove you are who you say you are, by revealing your date of birth and your mother's maiden name.

    (I'm not joking, that public-record information is used to access my bank account over the phone)

  5. Re:Raises questions? by evilviper · Score: 2, Interesting

    "(I'm not joking, that public-record information is used to access my bank account over the phone)"

    I suggest you change banks, immediately. It would be a good idea to let them know why, but switching is the most important thing.

    People just accept these things, assuming they will never be the victim, until it happens.

    It can take an incredibly long time to recover your money after it is stolen, and if your bank is not FDIC insured, you run the risk of possibly never getting it back (or having to go through a very lengthy court case to get it back).

    Do yourself a favor, and switch banks right away.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant

  6. Re:I'm impressed by jrockway · Score: 2, Interesting

    Yeah, eventually someone will realize that shooting the messenger won't fix the security problems. It's getting to that "eventually" that's hard.

    About a month ago, I found a major flaw in UI-Integrate, the system that does EVERYTHING for the University of Illinois (UIC, UIUC, and UIS). Anyway, I found this blatantly obvious (XSS) hole, and wrote up an advisory. Since it was potentially major, I didn't post it publicly. I made slight mention on my blog ("hey, I found a security hole, cool"). I showed up at work the next day (for the UIC computer center) and the shit hit the fan. Someone had cut-n-pasted my blog entry to the Mac mailing list (of all places), which consists of mostly simple mac users, not really in the position to understand computer security. Word got around to the higher-ups and eventually back to my supervisor. I got yelled at... blah blah this is unethical to talk about that, how can you live with yourself, etc, etc. I told them about my usual full-disclosure policy and how I hadn't disclosed any details yet. Eventually they forced me to write some retraction on my blog. They weren't happy with that, so the blog is gone now!!

    I was obviously upset at this time, so I e-mailed professor Bernstein (who was my professor last semester in a security holes class), hoping that he would be on my side. He was; he wrote an e-mail to my supervisor about how they should apologize to me, etc.

    Anyway, the rest of that week was bureaucratic meetings and ethics lectures. A whole meeting about how full disclosure is bad, how my duty as an employee is to lie to the users of the university computing system, how DJB is a moron* and how I shouldn't listen to him, etc. I thought the whole thing was quite ridiculous and I calmly told all these people that I believed in full disclosure and that I personally agree with DJB. They seemed upset with my "poor ethics", so I told them that if they had a problem with this I wouldn't work here anymore. (They really couldn't fire me because, 1) I would have taken legal action, and 2) I'm one of about three people that are actually worth the $7.30 an hour they pay us.)

    *Not the exact words, but the meeting was mostly about discrediting him. This page was referenced. (obviously if you don't like patents you're a loony, right?)

    Eventually the incident got escalated to a tech-type (the provost in charge of UofI technology) and he was very helpful. The hole was fixed within hours. I found a hole in their fix, and they fixed that. Over the course of another week they re-engineered the system, and the vendor pushed a patch to the other users.

    As soon as it was in the hands of the higher-ups, I was thanked instead of criticized and demeaned. I think I will finally be able to publish the full advisory next week (less than a month after the initial discovery). Overall, I was impressed that people actually cared about security. Both AITS and the vendor involved (Sungard) were very helpful and supportive. It was just the people that didn't understand security that were upset (and scared, it seemed).

    So here's my advice to a University student that discovers a hole in their university's computer system: publish immediately. If you publish immediately, the burden will no longer be on you. Everything will be out in the open, and the University will be responsible for their shoddy security, not you. It is your duty to inform the public that the systems they rely on are not secure. It is your right to publish this information. Never let anyone tell you differently. They are wrong. If it comes down to you being dismissed, you will win in court against the University. Keep that in mind. Always remember that you are doing the right thing.

    Don't do what I did and tie yourself up with red tape, it's not worth the emotional drain. I was totally stressed for a week after this. The only thing that sav

    --
    My other car is first.