Slashdot Mirror


Pharmacare, Harvard Try To Shut Down Security Hole

cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."

22 of 93 comments

  1. I'm impressed by Quattro+Vezina · · Score: 4, Insightful

    Wow...so Harvard actually did something about the hole instead of going after the people who discovered it? I'm floored.

    --
    I support the Center for Consumer Freedom
    1. Re:I'm impressed by odano · · Score: 4, Insightful

      If this type of reaction to a problem is used in the future, I think it will lead to more secure software.

      Think about it. A good guy finds a bug in the software, but in order to test it he ended up breaking into something. For fear of prosecution, he says nothing. Then a bad guy does the same thing, and takes down the system after stealing all the data. If the first guy knew he could contact the administrator without fear of prosecution (if he could prove he has positive intents), then the problem could be patched before the bad guy gets there.

    2. Re:I'm impressed by jrockway · · Score: 2, Interesting

      Yeah, eventually someone will realize that shooting the messenger won't fix the security problems. It's getting to that "eventually" that's hard.

      About a month ago, I found a major flaw in UI-Integrate, the system that does EVERYTHING for the University of Illinois (UIC, UIUC, and UIS). Anyway, I found this blatantly obvious (XSS) hole, and wrote up an advisory. Since it was potentially major, I didn't post it publicly. I made slight mention on my blog ("hey, I found a security hole, cool"). I showed up at work the next day (for the UIC computer center) and the shit hit the fan. Someone had cut-n-pasted my blog entry to the Mac mailing list (of all places), which consists of mostly simple mac users, not really in the position to understand computer security. Word got around to the higher-ups and eventually back to my supervisor. I got yelled at... blah blah this is unethical to talk about that, how can you live with yourself, etc, etc. I told them about my usual full-disclosure policy and how I hadn't disclosed any details yet. Eventually they forced me to write some retraction on my blog. They weren't happy with that, so the blog is gone now!!

      I was obviously upset at this time, so I e-mailed professor Bernstein (who was my professor last semester in a security holes class), hoping that he would be on my side. He was; he wrote an e-mail to my supervisor about how they should apologize to me, etc.

      Anyway, the rest of that week was bureaucratic meetings and ethics lectures. A whole meeting about how full disclosure is bad, how my duty as an employee is to lie to the users of the university computing system, how DJB is a moron* and how I shouldn't listen to him, etc. I thought the whole thing was quite ridiculous and I calmly told all these people that I believed in full disclosure and that I personally agree with DJB. They seemed upset with my "poor ethics", so I told them that if they had a problem with this I wouldn't work here anymore. (They really couldn't fire me because, 1) I would have taken legal action, and 2) I'm one of about three people that are actually worth the $7.30 an hour they pay us.)

      *Not the exact words, but the meeting was mostly about discrediting him. This page was referenced. (obviously if you don't like patents you're a loony, right?)

      Eventually the incident got escalated to a tech-type (the provost in charge of UofI technology) and he was very helpful. The hole was fixed within hours. I found a hole in their fix, and they fixed that. Over the course of another week they re-engineered the system, and the vendor pushed a patch to the other users.

      As soon as it was in the hands of the higher-ups, I was thanked instead of criticized and demeaned. I think I will finally be able to publish the full advisory next week (less than a month after the initial discovery). Overall, I was impressed that people actually cared about security. Both AITS and the vendor involved (Sungard) were very helpful and supportive. It was just the people that didn't understand security that were upset (and scared, it seemed).

      So here's my advice to a University student that discovers a hole in their university's computer system: publish immediately. If you publish immediately, the burden will no longer be on you. Everything will be out in the open, and the University will be responsible for their shoddy security, not you. It is your duty to inform the public that the systems they rely on are not secure. It is your right to publish this information. Never let anyone tell you differently. They are wrong. If it comes down to you being dismissed, you will win in court against the University. Keep that in mind. Always remember that you are doing the right thing.

      Don't do what I did and tie yourself up with red tape, it's not worth the emotional drain. I was totally stressed for a week after this. The only thing that sav

      --
      My other car is first.
  2. Yes! by drivinghighway61 · · Score: 4, Funny

    Yet another victory for the blogosphere!

    What's that? Oh, you say it was print journalists?

    Sorry, never mind everyone!

  3. Raises questions? by evilviper · · Score: 4, Insightful
    Raises interesting questions about computer security and using ID numbers as passwords.

    You mean, before this, you would have thought it would be okay to use non-private ID numbers as passwords?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:Raises questions? by BandwidthHog · · Score: 2, Funny

      use non-private ID numbers as passwords

      I'm told there's a large, affluent first world country where this is the norm. Every citizen is issued a nine digit identifier, which is then used for the rest of their life as both username and password for various reasons, both important and trivial.

      But that's probably just an urban legend.

      --

      Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
    2. Re:Raises questions? by legirons · · Score: 2, Interesting

      "You mean, before this, you would have thought it would be okay to use non-private ID numbers as passwords?"

      Please prove you are who you say you are, by revealing your date of birth and your mother's maiden name.

      (I'm not joking, that public-record information is used to access my bank account over the phone)

    3. Re:Raises questions? by evilviper · · Score: 2, Interesting
      (I'm not joking, that public-record information is used to access my bank account over the phone)

      I suggest you change banks, immediately. It would be a good idea to let them know why, but switching is the most important thing.

      People just accept these things, assuming they will never be the victim, until it happens.

      It can take an incredibly long time to recover your money after it is stolen, and if your bank is not FDIC insured, you run the risk of possibly never getting it back (or having to go through a very lengthy court case to get it back).

      Do yourself a favor, and switch banks right away.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    4. Re:Raises questions? by superpulpsicle · · Score: 2, Insightful

      I am not sure which is worse. A single social security number containing too much info about me. Or the need for a million different username and passwords for everything.

  4. No password by vladd_rom · · Score: 2, Insightful

    >> the difficulties posed to information privacy by the widespread use of ID numbers to verify identity

    So they actually used an "username" with the purpose of representing both an username and a password.

    That is a security issue by design. What were they thinking?

    1. Re:No password by dxxt · · Score: 2, Insightful

      You are right. It is always said that the weakest link in security is human beings, which include not only next door neighbors who provide free wireless access to me, but also designers who just want to provide functionality as soon as possible.

  5. Harvard? by RobertTaylor · · Score: 5, Funny

    It was probably designed by females... ...as we all know there are biological differences in men's and women's abilities ;)

  6. raises interesting questions? by ScentCone · · Score: 4, Insightful

    interesting questions about computer security and using ID numbers as passwords

    Since when has anybody thought that was an acceptable practice? Ever?

    It doesn't raise questions about the practice, it raises questions about the quality of the people dictating the practices. This is 30-years-ago stuff, isn't it? Really, now.

    I will resist any humor related to the gender-based aptitudes of any IT management personnel at Harvard, given their recent discomfort in that area. BTW, if you've ever dealt with HIPAA compliance, it's right up there with Sarbanes-Oxley in terms of IT shop burdens. Not that it's any excuse for using people's known ID numbers as passwords. Whew.

    --
    Don't disappoint your bird dog. Go to the range.
  7. "Possible?" by bryanp · · Score: 4, Informative

    a possible violation of Federal laws concerning medical records (HIPAA)

    Speaking as someone who admins boxes with data that falls under HIPAA (as well as IRS data, but those are different servers), there's no "possible" about it. You don't screw around with HIPAA violations. You will get nailed good and hard.

    --
    "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
    1. Re:"Possible?" by PornMaster · · Score: 2, Insightful

      I think this raises the kind of question like "should HIPAA systems be certified for use?"

      Since you deal with it, perhaps you could illuminate the types of auditing that go on, and whether there's the possibility of using a software vendor which will indemnify against security design flaws.

    2. Re:"Possible?" by peacefinder · · Score: 2, Interesting

      "should HIPAA systems be certified for use?"

      It is a common misunderstanding to think that software, hardware, or turnkey systems can be made inherently HIPAA compliant. They can't.

      HIPAA does not specify technologies, it specifies that a clinic (or whatever) that generates, uses, or stores protected health information have policies in place to protect that data (for several values of "protect") and that it adheres to its own policies.

      Like ISO 9000, HIPAA is just a standard framework for creating policies. ISO 9000 compliance, as Dilbert observed, is not affected by how stupid the policy actually is, but how consistently it is followed. In the case of HIPAA, of course, the standard is mandatory, legally binding, and places upper limits on the allowable stupidity of the policies.

      However, systems can be made HIPAA capable, meaning they are designed so that it is possible (or maybe even easy) to adapt the system to one's own HIPAA policies. But that's as far as it goes... there is not now and probably never will be such thing as software that is certified to be HIPAA Compliant, no matter what the vendor's marketing department may tell you.

      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  8. the key question by edward.virtually@pob · · Score: 4, Interesting

    the key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS. but in a world where dependable unix solutions are replaced with windows solutions that have to be rebooted every two weeks to avoid "data overload" (the reporter's term, not mine) and crash if someone puts a zero in the wrong application entry field, putting 800 planes worth of lives at risk and rendering a navy vessel dead in the water respectively, but NOTHING IS DONE about it except making sure they "DON'T DO THAT, THEN", this article should come as a surprise to NO ONE.

    1. Re:the key question by Cmdr-Absurd · · Score: 3, Informative

      Because this is higher ed we're talking about. All too often, security is not even an afterthought at higher ed institutions. Richard Clark made this point at a higher ed cybersecurity summit I attended a few months back (right after the $h!T hit the fan over his book.) Some universities are making progress, but many are totally clueless. Reasons for lax security range from historical perceived lack of need (the small group of people with access were trusted) to budgetary (part time hourly student employees in charge of managing systems full of sensitive data) to political (heavyweights at the university want things done fast, cheap and easy to use -- and we all know "fast, cheap, good: pick any two.")

  9. self incrimination by Doc+Ruby · · Score: 2, Interesting

    And what about the results of mandatory drug tests? Since they're not the property of a powerful insurance corporation, they won't get the same kind of expensive protection. So when you sacrifice your privacy to your employer by submitting to a drug test, you're risking telling the world some of your most private info, even if they fire you - because they very possibly will keep the data after they get rid of you.

    --
    make install -not war

  10. From a Harvard Student... by Anonymous Coward · · Score: 3, Informative

    Before everyone crucifies the University for "using ID numbers as both username and password", I will say that although this might have been Pharmacare's policy, it is not widespread policy throughout the university whatsoever.

    Attached to our ID numbers we have passwords, which the university has strict rules for when we select them (8 digits, at least 1 letter and 1 number, they're case sensitive, etc). There is no online resource here at Harvard that we can access with only our ID number -- we need the password as well.

    And then we also have independent usernames and passwords which we use to access email and log onto networked computers around campus. So the security here is pretty good: visible usernames + secret passwords for email, computer access, etc. coupled with "secret" ID numbers + secret passwords for college resources.

    Rob

  11. Only possible. Maybe not likely. by peacefinder · · Score: 4, Informative

    Actually, not knowing any facts of this case beyond TFA but having fair familiarity with HIPAA regulations, I'd say this is probably not a violation of the sections of HIPAA currently in force.

    The Privacy portion of HIPAA is what caused a big stir a couple years ago when it went into effect. (It's the only part of HIPAA really apparent to patients.) It deals with the sorts of intentional disclosures of Protected Health Information that a clinic can make. It does not (amazingly) deal much with unauthorized access to PHI.

    For instance, it is allowed under HIPAA Privacy to e-mail a patient's chart to someone over the public internet, as long as you are absolutely sure that the e-mail address you entered represents the correct intended recipient. HIPAA Privacy cares not who reads it in transit.

    The Security section of HIPAA will definitely cover this sort of thing. It applies to all electronic PHI in place or in transit. However, it doesn't take effect for a couple months yet. So if you're going to screw up PHI security this badly, you'd best do it quick!

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  12. Re:From a Harvard Student... -- patently false by Anonymous Coward · · Score: 5, Informative

    This is patently false. Though ID/PIN authentication has become more common throughout the university, as the story specifically mentions there are a number of important applications students and faculty access without a PIN, and just an ID or ID+last name.

    For instance, head over to http://www.seo.harvard.edu/students/search.html and note that only ID+last name is required. Or https://www.fas.harvard.edu/computing/utilities/activate/.

    From the Crimson article:

    "But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.

    For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual's ID and last name. This would permit someone to illegally share files traceable to another person's identity.

    A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office's jobs database. Only an ID is required to access the Office of Career Services' MonsterTrak job listings database.

    With a Harvard ID and birthday--obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com--a user can post or download resumés on someone else's eRecruiting account or access the online UHS health insurance waiver form. Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.

    Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student's social security number--often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual's current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts."
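
The design flaw argued in comment 4 ("an username ... representing both an username and a password") and catalogued in the Crimson excerpt above (ID only, or ID plus a directory attribute such as last name) is easy to see in code. The following is an added example, not code from the thread, from Harvard, or from Pharmacare: it puts the "ID number is the credential" lookup beside a lookup that treats the ID purely as an identifier and requires a user-chosen secret verified with a salted PBKDF2 hash. The records, the 8-digit sequential ID format, the names and the passwords are all constructed for illustration.

```python
"""
Added example: ID-number-as-credential versus ID plus a real secret.
Everything here (records, ID format, names, passwords) is constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption; tune to your hardware


def make_password_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the secret itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(stored: dict, candidate: str) -> bool:
    """Recompute and compare in constant time (no early-exit byte compare)."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), stored["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored["hash"])


# Constructed sample data. Sequential 8-digit IDs are an assumption.
PROFILES = {
    "10000042": {"last_name": "Doe", "rx_history": ["drug A"]},
    "10000043": {"last_name": "Roe", "rx_history": ["drug B"]},
}
CREDENTIALS = {
    "10000042": make_password_record("correct horse"),
    "10000043": make_password_record("battery staple"),
}
# Verified against when the ID is unknown, so an attacker cannot tell
# existing IDs from non-existing ones by response time.
_DUMMY_CREDENTIAL = make_password_record(os.urandom(16).hex())


def weak_lookup_by_id(id_number: str):
    """The flawed design: the non-secret ID number is the whole credential."""
    return PROFILES.get(id_number)


def weak_lookup_by_id_and_last_name(id_number: str, last_name: str):
    """Barely better: last names are directory data, not secrets."""
    rec = PROFILES.get(id_number)
    if rec is not None and rec["last_name"].casefold() == last_name.casefold():
        return rec
    return None


def enumerate_ids(start: int, stop: int):
    """Attacker's view of weak_lookup_by_id: walk the sequential ID space
    and keep every ID that hands back a record. Sequential IDs make the
    entire population enumerable with nothing but a loop."""
    found = []
    for n in range(start, stop):
        id_number = f"{n:08d}"
        if weak_lookup_by_id(id_number) is not None:
            found.append(id_number)
    return found


def secure_lookup(id_number: str, password: str):
    """ID is only an identifier; access requires the user-chosen secret.
    Work is the same whether or not the ID exists."""
    stored = CREDENTIALS.get(id_number, _DUMMY_CREDENTIAL)
    ok = verify_password(stored, password)
    if id_number not in CREDENTIALS or not ok:
        return None
    return PROFILES[id_number]


if __name__ == "__main__":
    print("enumerated via ID-only lookup:", enumerate_ids(10_000_000, 10_000_100))
    print("ID + last name:", weak_lookup_by_id_and_last_name("10000042", "doe"))
    print("ID + wrong password:", secure_lookup("10000042", "guess"))
    print("ID + right password:", secure_lookup("10000042", "correct horse"))
```

Two points the code makes that the comments only gesture at: with an ID-only (or ID plus last name) check, `enumerate_ids` recovers every account in the range without any guessing, because the "credential" is both public and sequential; and once a real secret is required, the server should do the same amount of hashing for unknown IDs as for known ones, otherwise response timing leaks which IDs exist and the enumeration problem is back.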