Pharmacare, Harvard Try To Shut Down Security Hole
cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."
The key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? Any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS. But in a world where dependable Unix solutions are replaced with Windows solutions that have to be rebooted every two weeks to avoid "data overload" (the reporter's term, not mine) and that crash if someone puts a zero in the wrong application entry field, putting 800 planes' worth of lives at risk and rendering a Navy vessel dead in the water respectively, while NOTHING IS DONE about it except making sure they "DON'T DO THAT, THEN", this article should come as a surprise to NO ONE.
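The submission and the comment above both turn on the same point: an identification number is an identifier, not a secret, and a lookup that accepts the ID as its only credential lets anyone who can count walk the whole member base. The following is an added illustration written for this page; it is not code from Pharmacare, Harvard, the Globe story or the commenter, and the record table, the 8-digit ID format, the member IDs and the class and function names are all constructed assumptions. It places the ID-only lookup next to a hardened version that requires a separately chosen password (verified against a salted PBKDF2 hash with a constant-time compare and a lockout) and authorizes each record request against the logged-in principal rather than the ID in the request.

```python
"""Added example: why an ID number cannot serve as a password.

Illustrative only. The data, ID format and names below are constructed;
this is not the Pharmacare/Harvard system.
"""
import hashlib
import hmac
import os
import secrets

# Constructed sample data: a tiny claims table keyed by an 8-digit member ID.
# IDs are printed on insurance cards and shared with pharmacies, so they are public.
RECORDS = {
    "10000042": ["amoxicillin 500mg"],
    "10000117": ["metformin 850mg", "lisinopril 10mg"],
    "10000311": ["sertraline 50mg"],
}


# --- Vulnerable design: the ID is the only "credential" -------------------
def vulnerable_lookup(member_id: str):
    """Return the prescription history for whatever ID the caller supplies.
    No authentication, no authorization: the ID is treated as a password."""
    return RECORDS.get(member_id)


def enumerate_all(lookup, start: int, stop: int):
    """Attacker model: sweep a contiguous block of the ID space and keep every hit.
    Sequential 8-digit IDs give at most 10**8 guesses, far below any password
    space, and every guess is an ordinary request the service cannot tell apart
    from a legitimate one."""
    found = {}
    for n in range(start, stop):
        member_id = f"{n:08d}"
        hit = lookup(member_id)
        if hit is not None:
            found[member_id] = hit
    return found


# --- Hardened design: a real secret plus server-side sessions -------------
PBKDF2_ROUNDS = 100_000  # assumption: tuned for this example, not a recommendation


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Accounts:
    """Hypothetical account store: member_id -> (salt, hash), token -> member_id."""

    MAX_FAILURES = 5

    def __init__(self):
        self._creds = {}     # member_id -> (salt, pbkdf2 hash)
        self._sessions = {}  # session token -> member_id
        self._failures = {}  # member_id -> consecutive failed logins

    def enroll(self, member_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[member_id] = (salt, _hash_password(password, salt))

    def login(self, member_id: str, password: str):
        """Return a random session token on success, None otherwise.
        Unknown IDs still pay the hash cost so they are not distinguishable
        by timing; MAX_FAILURES consecutive misses lock the account."""
        if self._failures.get(member_id, 0) >= self.MAX_FAILURES:
            return None
        rec = self._creds.get(member_id)
        if rec is None:
            _hash_password(password, b"\0" * 16)
            ok = False
        else:
            salt, expected = rec
            ok = hmac.compare_digest(_hash_password(password, salt), expected)
        if not ok:
            self._failures[member_id] = self._failures.get(member_id, 0) + 1
            return None
        self._failures[member_id] = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = member_id
        return token

    def hardened_lookup(self, token, member_id: str):
        """Authorize against the session's principal, never against the requested ID.
        A valid session for member A cannot read member B's history."""
        owner = self._sessions.get(token)
        if owner is None or owner != member_id:
            return None
        return RECORDS.get(member_id)


if __name__ == "__main__":
    print("swept:", enumerate_all(vulnerable_lookup, 10_000_000, 10_000_400))
    acct = Accounts()
    acct.enroll("10000117", "correct horse battery staple")
    tok = acct.login("10000117", "correct horse battery staple")
    print("own record:", acct.hardened_lookup(tok, "10000117"))
    print("someone else's:", acct.hardened_lookup(tok, "10000042"))
```

Against the vulnerable function, a sweep of four hundred sequential IDs recovers every record in the constructed table; against the hardened store the same sweep returns nothing, because a record is only released to a session that was opened with that member's own password. The lockout and the dummy hash for unknown IDs are there because once an ID is public the login endpoint becomes the next thing an attacker enumerates.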