Slashdot Mirror


Hacking the US Prescription System

An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth. From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. At the end of the signup process, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.
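The design flaw the advisory describes is that name plus date of birth is treated as proof of identity, even though both are public or easily guessed. The toy model below is an added illustration and is not code from PillPack, the advisory, or this thread: `weak_signup` keys the prescription lookup on those two values alone, while `HardenedSignup` withholds any history until the requester proves control of a contact already on file for that patient, responds identically whether or not a record exists, limits guesses, and writes an audit trail. The patient records, contact address, and callback are all constructed for the example.

```python
"""Added example (not the page's or PillPack's code): weak versus hardened
identity proofing for a prescription-transfer signup. All data constructed."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the interlinked pharmacy backend.
PRESCRIPTIONS = {
    ("jane doe", "1980-04-12"): ["drug-A 10mg", "drug-B 5mg"],
}
# Constructed contact the patient registered with an existing pharmacy.
ON_FILE_CONTACT = {("jane doe", "1980-04-12"): "jane@example.invalid"}


def normalize(name: str, dob: str) -> tuple:
    """Canonical lookup key: case- and whitespace-insensitive name, ISO date."""
    return (name.strip().lower(), dob.strip())


def weak_signup(name: str, dob: str) -> list:
    """The design the advisory describes: name + DOB is the only check,
    so anyone who knows those two public facts sees the history."""
    return PRESCRIPTIONS.get(normalize(name, dob), [])


@dataclass
class Verification:
    key: tuple
    code: str
    attempts: int = 0
    done: bool = False


class HardenedSignup:
    """History is released only after a one-time code sent to the on-file
    contact is returned; the start step never reveals whether a match exists."""

    MAX_ATTEMPTS = 5

    def __init__(self, send):
        self.send = send          # callback delivering (contact, code) out of band
        self.pending = {}         # token -> Verification
        self.audit = []           # (event, key) pairs for the security log

    def start(self, name: str, dob: str) -> str:
        key = normalize(name, dob)
        token = secrets.token_urlsafe(16)
        # A token is issued whether or not the patient exists, so this step
        # cannot be used to confirm that a name/DOB pair matches a record.
        if key in ON_FILE_CONTACT:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[token] = Verification(key, code)
            self.send(ON_FILE_CONTACT[key], code)
        self.audit.append(("start", key))
        return token

    def confirm(self, token: str, code: str):
        """Return the history on a correct, first-use code; None otherwise."""
        v = self.pending.get(token)
        if v is None or v.done:
            return None
        v.attempts += 1
        if v.attempts > self.MAX_ATTEMPTS:
            del self.pending[token]          # throttle online guessing
            self.audit.append(("lockout", v.key))
            return None
        if not hmac.compare_digest(v.code, code):   # constant-time compare
            return None
        v.done = True                        # code is single-use
        self.audit.append(("verified", v.key))
        return PRESCRIPTIONS.get(v.key, [])


if __name__ == "__main__":
    outbox = []
    portal = HardenedSignup(lambda contact, code: outbox.append((contact, code)))
    print("weak:", weak_signup("Jane Doe", "1980-04-12"))
    tok = portal.start("Jane Doe", "1980-04-12")
    print("hardened, no code:", portal.confirm(tok, "000000"))
    print("hardened, with code:", portal.confirm(tok, outbox[0][1]))
```

The point of the hardened flow is not the specific second factor but that the lookup result is gated on something an impostor does not have, and that the gate itself fails closed: an unknown patient, a wrong code, a reused code, and too many attempts all produce the same empty answer, while the audit list gives the covered entity the record it needs to spot enumeration.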

7 of 78 comments

  1. Assumptions by dcollins117 · Score: 4, Informative

    From TFA, regarding a person's prescription history, it says

    It is assumed that this information comes from the various backend systems that interlink the pharmacies as described above.

    I doubt it. I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies. Big data is big business these days. So long patient confidentiality.

    That being said, it is unconscionable how lax PillPack.com security procedures were.

    1. Re:Assumptions by raburton · Score: 4, Informative

      Very pleased we have a different system in the UK. Drug reps aren't even supposed to give us pens anymore. That said I've had plenty of free lunches from drug reps along with a presentation about their latest drug, but I'm not talking about fancy dinners just a light picnic type spread from the nearest supermarket. There isn't much point them doing it anyway, as a general rule we are only supposed to prescribe things that are approved by NICE (after proper cost/benefit analysis) and/or in our local formulary. If you are prescribing outside that they'll be coming to you for an explanation, not the drug companies. Drug companies are also not allowed to advertise prescription only drugs direct to the public, which I think is probably the most important difference.

    2. Re:Assumptions by Anonymous Coward · Score: 2, Informative

      They don't sell this information. Instead, the states have set up prescription monitoring programs (PMP) to prevent drug abuse through doctor shopping. Pharmacies are required to submit information about the filled prescription for Schedule II, III, or IV drugs. Some states also allow the pharmacist to consult the PMP for recent prescription history to prevent filling duplicate orders. Hospitals and doctors that directly administer these controlled drugs are normally exempt from reporting to the PMP. The data in PMP registries is used by licensing boards and law enforcement to detect suspicious activity.

    3. Re:Assumptions by Alan+Shutko · Score: 3, Informative

      The US has protection that prevents patients from being identified by the companies that make the drugs. There is no federal law preventing DOCTORS from being identified as prescribing a drug. Maine, New Hampshire, and Vermont have laws to further limit this practice.

  2. Re:Not exactly a hack by arth1 · Score: 5, Informative

    This is just plain irresponsible behaviour by PillPack, nothing to do with hacking.

    No, this is just plain irresponsible behavior by those who share information with PillPack and others.

    Recently, I noticed that when I picked up a prescription for a (for me new) medication that's mostly used for one purpose, I suddenly got dozens of spam e-mails wanting to "help" me with a particular diagnosis I don't have. And that's the few that went through the double layer spam filter. It was way too pervasive to be a coincidence.

    It's clear that the US prescription system leaks like a sieve, and that even spammers have access to people's prescription history.
    Can we go back to paper prescriptions that don't enter a database, please?

  3. HIPAA by Registered+Coward+v2 · Score: 5, Informative

    It would seem that this would be a violation of HIPAA security rules, assuming pharmacies are covered entities, which I think they are. Specifically, covered entities must maintain adequate:

    Administrative Safeguards

    Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

    Technical Safeguards

    Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

    It would seem simply allowing access via a name and birthdate is a violation of the above requirements.

    Source: http://www.hhs.gov/ocr/privacy...

    --
    I'm a consultant - I convert gibberish into cash-flow.

  4. Re:Not exactly a hack by Anonymous Coward · Score: 1, Informative

    Can we go back to paper prescriptions that don't enter a database, please?

    Convince your rep, senators, and Obama to get rid of the ACA (Obamacare) because the ACA mandates all electronic records.