Monday, January 24, 2005

Harvard's Insecure Pharmacare Web Application



Click here for AmazonLast Friday, the Harvard Crimson did yeoman's work in its exposé of an insecure web application that would reveal the pharmaceutical purchases of anyone with prescription coverage under Harvard's plan. The insurer's web site required only a Harvard ID number and a birthday to list the person's drug history.

What makes this especially grievous is that any organization dealing with sensitive, medical information knows that it must work within the constraints of HIPAA. Even the most rudimentary vulnerability assessment (VA) would have noted the lack of adequate authentication on the part of the web app designer.

...A list of all three prescription drugs purchased by one student at University Health Services (UHS) Pharmacy was accessed by The Crimson by typing his ID number and birthday into another website, run by Harvard drug insurer PharmaCare. Birthdates of undergraduates are published to fellow students, and are in many cases more widely available on sites such as anybirthday.com...


One security person quoted in the article blamed the problems on the proliferation of university ID numbers.

After the iCommons Poll Tool was shut down last night, University Technology Security Officer Scott Bradner said that “there’s no condition under which [the ID number] should have been shared…It was not a design feature.”


But that, of course, misses the point. The ID number can certainly be used, but only as a single component of an authentication step used to provide access to this sort of application. It's not rocket science: a pre-established PIN, password or use of a pre-established email address (e.g., "@harvard.edu") to confirm identity -- or other means of reasonable authentication -- is required.

Of course, the primary motivation for businesses to clean up their information security act is simple: the bottom line.

...Jerome B. Tichner Jr., an attorney practicing healthcare law at Boston-based Brown and Rudnick, said... “If an entity [covered by HIPAA] does not have adequate security systems, and it’s very easy for any third party to walk in or log in and obtain pharmaceutical information or other…healthcare information, that may pose liability concerns,” he said...


Until information security is considered an integral part of the application development lifecycle, expect more public -- and costly -- gaffes along these lines.

Harvard Crimson: Drug Records, Confidential Data Vulnerable

No comments: