Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pharmacare, Harvard Try To Shut Down Security Hole

Posted by timothy on from the how-many-schools-use-ss-as-student-id dept.

cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."

10 of 93 comments (clear)

  1. I'm impressed by Quattro+Vezina · · Score: 4, Insightful

    Wow...so Harvard actually did something about the hole instead of going after the people who discovered it? I'm floored.

    --
    I support the Center for Consumer Freedom
    1. Re:I'm impressed by odano · · Score: 4, Insightful

      If this type of reaction to a problem is used in the future, I think it will lead to more secure software.

      Think about it. A good guy finds a bug in the software, but in order to test it he ended up breaking into something. For fear of prosecution, he says nothing. Then a bad guy does the same thing, and takes down the system after stealing all the data. If the first guy knew he could contact the administrator without fear of prosecution (if he could prove he has positive intents), then the problem could be patched before the bad guy gets there.

  2. Yes! by drivinghighway61 · · Score: 4, Funny

    Yet another victory for the blogosphere!

    What's that? Oh, you say it was print journalists?

    Sorry, never mind everyone!

  3. Raises questions? by evilviper · · Score: 4, Insightful
    Raises interesting questions about computer security and using ID numbers as passwords.

    You me, before this, you would have thought it would be okay to use non-private ID numbers as passwords?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  4. Harvard? by RobertTaylor · · Score: 5, Funny

    It was probably designed by females... ...as we all know there are biological differences in men's and women's abilities ;)

  5. raises interesting questions? by ScentCone · · Score: 4, Insightful

    interesting questions about computer security and using ID numbers as passwords

    Since when has anybody thought that was an acceptable practice? Ever?

    It doesn't raise questions about the practice, it raises questions about the quality of the people dictating the practices. This is 30-years-ago stuff, isn't it? Really, now.

    I will resist any humor related to the gender-based aptitudes of any IT mangement personnel at Harvard, given their recent discomfort in that area. BTW, if you've ever dealt with HIPAA compliance, it's right up there with Sarbanes-Oxley in terms of IT shop burdens. Not that it's any excuse for using people's known ID numbers as passwords. Whew.

    --
    Don't disappoint your bird dog. Go to the range.
  6. "Possible?" by bryanp · · Score: 4, Informative

    a possible violation of Federal laws concerning medical records (HIPAA)

    Speaking as someone who admins boxes with data that falls under HIPAA (as well as IRS data, but those are different servers), there's no "possible" about it. You don't screw around with HIPAA violations. You will get nailed good and hard.

    --
    "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
  7. the key question by edward.virtually@pob · · Score: 4, Interesting

    the key question is, why was someone with obviously no grasp of proper application security design allowed to use identification numbers as passwords? any competent person in the field will tell you that they ARE NOT PASSWORDS and SHOULD NEVER BE USED AS PASSWORDS. but in a world where dependable unix solutions are replaced with windows solutions that have to be rebooted every two weeks to avoid "data overload" (the reporter's term, not mine) and crash if someone puts a zero in the wrong application entry field, putting 800 planes worth of lives at risk and rendering a navy vessel dead in the water respectively, but NOTHING IS DONE about it except making sure they "DON'T DO THAT, THEN", this article should come as a surprise to NO ONE.

  8. Only possible. Maybe not likely. by peacefinder · · Score: 4, Informative

    Actually, not knowing any facts of this case beyond TFA but having fair familiarity with HIPAA regulations, I'd say this is probably not a violation of the sections of HIPAA currently in force.

    The Privacy portion of HIPAA is what caused a big stir a couple years ago when it went into effect. (It's the only part of HIPAA really apparent to patients.) It deals with the sorts of intentional disclosures of Protected Health Information that a clinic can make. It does not (amazingly) deal much with unauthorized access to PHI.

    For instance, it is allowed under HIPAA Privacy to e-mail a patient's chart to someone over the public internet, as long as you are absolutely sure that the e-mail address you entered represents the correct intended recipient. HIPAA Privacy cares not who reads it in transit.

    The Security section of HIPAA will definitely cover this sort of thing. It applies to all electronic PHI in place or in transit. However, it doesn't take effect for a couple months yet. So if you're going to screw up PHI security this badly, you'd best do it quick!

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  9. Re:From a Harvard Student... -- patently false by Anonymous Coward · · Score: 5, Informative

    This is patently false. Though ID/PIN authentication has become more common throughout the university, as the story specifically mentions there are a number of important applications students and faculty access without a PIN, and just an ID or ID+last name.

    For instance, head over to http://www.seo.harvard.edu/students/search.html and note that only ID+last name is required. Or https://www.fas.harvard.edu/computing/utilities/ac tivate/.

    From the Crimson article:

    "But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.

    For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual's ID and last name. This would permit someone to illegally share files traceable to another person's identity.

    A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office's jobs database. Only an ID is required to access the Office of Career Services' MonsterTrak job listings database.

    With a Harvard ID and birthday--obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com--a user can post or download resumés on someone else's eRecruiting account or access the online UHS health insurance waiver form. Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.

    Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student's social security number--often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual's current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts."