Pharmacare, Harvard Try To Shut Down Security Hole
cfusion writes "CVS's drug insurance wing Pharmacare and Harvard University have taken steps to shut down a security hole that would have allowed anyone on the Internet to view any Harvard affiliate's drug history, a possible violation of Federal laws concerning medical records (HIPAA). The Boston Globe has the story, which came after the vulnerabilities were discovered by two reporters for the school newspaper (that story has screenshots that show just how easy it was). Raises interesting questions about computer security and using ID numbers as passwords."
It was probably designed by females... ...as we all know there are biological differences in men's and women's abilities ;)
This is patently false. Though ID/PIN authentication has become more common throughout the university, as the story specifically mentions there are a number of important applications students and faculty access without a PIN, and just an ID or ID+last name.
For instance, head over to http://www.seo.harvard.edu/students/search.html and note that only ID+last name is required. Or https://www.fas.harvard.edu/computing/utilities/activate/.
From the Crimson article:
"But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.
For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual's ID and last name. This would permit someone to illegally share files traceable to another person's identity.
A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office's jobs database. Only an ID is required to access the Office of Career Services' MonsterTrak job listings database.
With a Harvard ID and birthday--obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com--a user can post or download resumés on someone else's eRecruiting account or access the online UHS health insurance waiver form. Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.
Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student's social security number--often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual's current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts."