Comment On Hungry, Hungry HIPAA

I get pretty excited whenever a new regulatory framework like HIPAA or SOX is enacted. Not only does it bring the potential to sit on a committee responsible for deciding the procedure needed to formulate a project request to initiate the creation of group responsible for determining the key players on a compliance assessment team, but it brings some pretty interesting stories of non-compliance like this anonymously submitted one ...
« Prev | Page 1 | Page 2 | Page 3 | Next »

Re: Hungry, Hungry HIPPA

2006-05-04 14:43 • by Noname
1st

Re: Hungry, Hungry HIPPA

2006-05-04 14:45 • by GoatCheez
Alex Papadimoulis:

I get pretty excited whenever a new regulatory framework like HIPPA or SOX is enacted. Not only does it bring the potential to sit on a committee responsible for deciding the procedure needed to formulate a project request to initiate the creation of group responsible for determining the key players on a compliance assessment team, but it brings some pretty interesting stories of non-compliance like this anonymously submitted one ...



I worked on a web project for my company that tracks diagnosis and treatment information for drug addicts. Because this is medical information, it is subject to the many privacy regulations set out in the HIPAA legislation. This law mandates, among many other things, that you stand behind the line at the pharmacy (lest you get a glimpse of the computer screen with the prescription information on it.) And ours is medical information about people who are seeking treatment for drug addiction - double private!


My company maintains the web application and the servers it runs on, but the client kept requesting install files, documentation, and finally source code, ostensibly for "disaster recovery." We figured they were up to something, but we didn't know what.


So a coworker of mine gets an automated email from the site informing him of an error, which is a feature of course, and immediately begins to investigate. He quickly discovers that the email did not originate with any server we maintain. Where is this server? He opens Google and does a quick search. Bingo, our client has set up a training server on the sly.


On the public internet.


And the person responsible pre-filled the login and password fields, to make it easier to log into the site.


With the admin account information.


And used his own, real, address and university student email when configuring the account. My coworker recognized the address - he used to live in the same apartment complex.


Now for the good part. This training server needed a database, of course. Our client backed up the production database, and sent it to their el-cheepo student programmer to set up their new training server, presumably at a lower hourly rate.


My coworkers were amazed - a few clicks from Google, no typing, no guessing a password, they're looking at what is surely the grossest violation of the HIPAA regulations *ever*. Names, social security numbers, diagnosis and treatment information for drug addicts across the state.


You get what you pay for.



OMG OMG OMG OMG!!!! I would be calling layers at that point! OMG!
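The story quoted above turns on one step: a production database was copied, unchanged, onto a training server. The script below is an added example (not code from the original post, the submitter's company, or the client) of the de-identification pass a defender would insist on before any production export reaches a training or development environment. The CSV export, its column names, and the HMAC key are all constructed assumptions; every value is fictional.

```python
"""De-identify a patient-record export before it leaves production.

Added example, not code from the post or the company it describes.
Direct identifiers are dropped, the record id is replaced by a keyed hash
(so rows stay linkable inside the training set but not back to production),
dates of birth are generalised to a year, and a release gate refuses any
export that still looks identifiable. Column names are assumptions.
"""
import csv
import hashlib
import hmac
import io
import re

# Constructed sample export: every person, number and address is fictional.
SAMPLE_EXPORT = """\
patient_id,name,ssn,dob,email,county,diagnosis,treatment
1001,Jane Doe,123-45-6789,1979-03-14,jane.doe@example.edu,Cook,opioid use disorder,buprenorphine
1002,John Roe,987-65-4321,1964-11-02,jroe@example.com,Lake,alcohol use disorder,naltrexone
"""

# Columns that directly identify a person are removed outright.
DROP_COLUMNS = {"name", "ssn", "email"}
# Pattern used both to scrub free text and as the final release check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonymize_id(patient_id: str, key: bytes) -> str:
    """Keyed hash of the production id; the key stays in production only."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob: str) -> str:
    """Keep only the birth year (assumed sufficient for a training data set)."""
    return dob[:4]


def scrub_free_text(text: str) -> str:
    """Mask anything shaped like an SSN that leaked into a free-text field."""
    return SSN_RE.sub("[SSN REDACTED]", text)


def deidentify(csv_text: str, key: bytes) -> str:
    """Return a new CSV with identifiers dropped, masked or generalised."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out_fields = [f for f in reader.fieldnames if f not in DROP_COLUMNS]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=out_fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        clean = {}
        for field in out_fields:
            value = row[field]
            if field == "patient_id":
                value = pseudonymize_id(value, key)
            elif field == "dob":
                value = generalize_dob(value)
            else:
                value = scrub_free_text(value)
            clean[field] = value
        writer.writerow(clean)
    return buf.getvalue()


def contains_identifiers(csv_text: str) -> bool:
    """Release gate: True if a dropped column header or an SSN pattern remains."""
    header = csv_text.splitlines()[0].split(",")
    if DROP_COLUMNS & set(header):
        return True
    return SSN_RE.search(csv_text) is not None


if __name__ == "__main__":
    key = b"production-only-placeholder-key"  # placeholder; real key lives in prod secret store
    cleaned = deidentify(SAMPLE_EXPORT, key)
    assert not contains_identifiers(cleaned)
    print(cleaned)
```

The gate is deliberately separate from the transform: the export job should fail closed if anything identifiable survives, rather than trusting that the column list was complete. Which fields count as identifiers is a policy decision for the privacy officer; the column sets here are only illustrative.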

Re: Hungry, Hungry HIPPA

2006-05-04 14:46 • by Patrik
71202 in reply to 71201
GoatCheez:

OMG OMG OMG OMG!!!! I would be calling layers at that point! OMG!


new XMLHTTPRequest(window.layers); ?

Re: Hungry, Hungry HIPPA

2006-05-04 14:48 • by Maxim
Okay... where are my steel boots? Need to kick some a**

This is a really good WTF.....

Would like to know if someone got sued

Re: Hungry, Hungry HIPPA

2006-05-04 14:48 • by Diamonds
Seriously they should be reported. Not only for trying to pull a fast one on the software company but for such a gross violation. Not only is medical information on there, but Social Security Numbers!

Re: Hungry, Hungry HIPPA

2006-05-04 14:49 • by R. Tyler Ballance
Sounds like it's time to sue them for their gross negligence.



all around big WTF

Re: Hungry, Hungry HIPPA

2006-05-04 14:50 • by Krenn
Wow.  I sincerely hope this one goes up to the Feds and the client gets nailed to the wall on this.

Re: Hungry, Hungry HIPPA

2006-05-04 14:55 • by John Bigboote
71208 in reply to 71206
Is there a way to log in to the application and actually GET drugs?



And if so, can I have the URL?

Re: Hungry, Hungry HIPPA

2006-05-04 14:55 • by John YaYa
71209 in reply to 71201
Fecking forum software.

Anyway, layers or lawyers, I do hope someone reports them; not just for being sneaky about trying to steal the software, but for the privacy violations.  Seriously.  Civil penalties, criminal charges and penalties, loss of accreditation.  This is a cluster fuck on so many different levels, it borders on not funny.  Plus, the double-whammy of it being CD treatment.

Wow.  just, wow.


Re: Hungry, Hungry HIPPA

2006-05-04 14:59 • by Bus Raker
Alex Papadimoulis:

I get pretty excited whenever a new regulatory framework like HIPPA or SOX is enacted.


Hmmm .... I fail to see anything that HIPPA (or HIPAA) has to do with SOX.


HIPAA is a health information privacy act, SOX (Schema for Object-Oriented XML I assume) is computer related.


http://www.acronymfinder.com/af-query.asp?Acronym=HIPPA&Find=find&string=exact


WTF?

Re: Hungry, Hungry HIPPA

2006-05-04 15:00 • by wzph
71211 in reply to 71208
No, you can only POST them.

Re: Hungry, Hungry HIPPA

2006-05-04 15:00 • by TheBDF
Names, social security numbers, diagnosis and treatment information for drug addicts across the state.

Q:  And which state are we talking about?

A:  A major one.

Re: Hungry, Hungry HIPPA

2006-05-04 15:02 • by stannius
71213 in reply to 71210

Bus Raker:
Hmmm .... i fail to see anything that HIPPA (or HIPAA) has to do with SOX.


HIPAA is a health information privacy act, SOX (Schema for Object-Oriented XML I assume) is computer related.


Summary of Sarbanes-Oxley Act of 2002 anyone?

Re: Hungry, Hungry HIPPA

2006-05-04 15:05 • by Josh
71215 in reply to 71210
SOX in this case is the Sarbanes-Oxley Act. It was passed in 2002, partly in response to the Enron scandal and similar corporate malfeasance.

Among other things, it mandates how companies record and store financial information, so that said information might be easily audited and/or subpoenaed in case said company is doing anything dodgy. It spawned a cottage industry of IT experts and consultants who would make sure your data storage facilities were SOX compliant.

jf

Re: Hungry, Hungry HIPPA

2006-05-04 15:05 • by Kai MacTane
71216 in reply to 71208
Is there a way to log in to the application and actually GET drugs?


No, because the application was coded by someone who wants to avoid the Spider of Doom problem. Instead, you have to log in and POST drugs.

Re: Hungry, Hungry HIPPA

2006-05-04 15:05 • by RyanD
This goes to show that no matter how secure your technology may be, it can be completely circumvented by the simplest (and dumbest) of human actions.

If you are writing an application and your client asks for the source, that is a sign they are going to do something with it. Sell, modify or get someone else to work on it. Never release your source code unless you agreed upon it before working on a project.

And why did they give their customer access to backup the production database? Wouldn't that have been a breach of privacy regulations?

Re: Hungry, Hungry HIPPA

2006-05-04 15:07 • by treefrog
It's hard to say who the WTF was...the person who sent the source code, etc or the people who took it on the sly.  Everyone would get busted for this...badly.

Re: Hungry, Hungry HIPPA

2006-05-04 15:08 • by onovotny
71219 in reply to 71210

SOX in this case is the Sarbanes-Oxley (http://en.wikipedia.org/wiki/Sarbanes-oxley ) Act that deals with public companies' accounting, auditing, privacy and corporate responsibility.


It imposes a lot of compliance checks that need to be enforced by IT systems.

Re: Hungry, Hungry HIPPA

2006-05-04 15:08 • by codeman
71221 in reply to 71213

Screwing up code that only makes the application $*#& up internally is one thing, but intentionally posting medical records and worse, SS numbers, should be a federal crime (assuming it isn't - dunno).


Can we create a new category of WTF - perhaps: Supreme-WTF for stuff like this?

Re: Hungry, Hungry HIPPA

2006-05-04 15:09 • by Xargon
71222 in reply to 71217
So, the moral of the story is that you should just not bother seeking treatment for drug addiction, right?

(Don't do drugs kids because you could end up in jail, and drugs are much more expensive in jail.)

Re: Hungry, Hungry HIPPA

2006-05-04 15:10 • by Anonymous
71223 in reply to 71217
Brillant!

captcha: enterprise

Re: Hungry, Hungry HIPPA

2006-05-04 15:13 • by Manni
71225 in reply to 71209
John YaYa:
Fecking forum software.

Anyway, layers or lawyers ...


Are you saying the forum software ate your w's? I'm skeptical.


TheBDF:

Q:  And which state are we talking about?

A:  A major one.



I think we have the same briefcase.

Re: Hungry, Hungry HIPPA

2006-05-04 15:16 • by Someone
71226 in reply to 71218



It's hard to say who the WTF was...the person who sent the source code, etc or the people who took it on the sly.  Everyone would get busted for this...badly.
That's like saying that the people who wrote PostgreSQL or MySQL would get busted for some bozo publicly posting a backup of a patient-identifiable-information database on the web.  The software vendor didn't do anything to force the client to publish a free-for-all system.  The client did that all on their own.

Re: Hungry, Hungry HIPPA

2006-05-04 15:17 • by GoatCheez
71227 in reply to 71201

OMG OMG OMG OMG!!!! I would be calling layers at that point! OMG!


I'm such a non-spell-checking f00l! I meant lawyers ;-)

Re: Hungry, Hungry HIPPA

2006-05-04 15:17 • by JBL
71228 in reply to 71217
RyanD:
This goes to show that no matter how secure your technology may be, it can be completely circumvented by the simplest (and dumbest) of human actions.

If you are writing an application and your client asks for the source, that is a sign they are going to do something with it. Sell, modify or get someone else to work on it. Never release your source code unless you agreed upon it before working on a project.

And why did they give their customer access to backup the production database? Wouldn't that have been a breach of privacy regulations?


Government clients often have full rights to everything, per contract. Not much you can do about it. Trying to tell them what to do with it would likely fall on either the wrong ears or deaf ears.

But yes, they should know better.

Re: Hungry, Hungry HIPPA

2006-05-04 15:22 • by voyager
When I see things like this I get a real urge to contact the responsible authority and get those idiots removed from the IT genepool. This is actually as scary as it is funny. There could be muppets like this working at your bank!

Re: Hungry, Hungry HIPPA

2006-05-04 15:22 • by Privacy Disclosure
71230 in reply to 71225
Manni:
John YaYa:
Fecking forum software.

Anyway, layers or lawyers ...


Are you saying the forum software ate your w's? I'm skeptical.

Pretty sure he's just angry that he can't edit his post.

Also, this is ridiculous.  I really hope heads rolled after this.

Re: Hungry, Hungry HIPPA

2006-05-04 15:27 • by Sean
71231 in reply to 71230
Any computer-literate drug dealer in that state could have had himself a huge new client list.  I've seen some pretty gross malfeasances in information security before, but this has to be the worst.

Re: Hungry, Hungry HIPPA

2006-05-04 15:29 • by ParkinT
Alex Papadimoulis:

 Not only does it bring the potential to sit on a committee responsible for deciding the procedure needed to formulate a project request to initiate the creation of group responsible for determining the key players on a compliance assessment team, ...



Committee - A group of people who, individually, can do nothing and collectively agree that nothing can be done.

Re: Hungry, Hungry HIPPA

2006-05-04 15:30 • by marvin_rabbit
The real WTF here is that it didn't include Drivers License numbers or total family income amounts.

Re: Hungry, Hungry HIPPA

2006-05-04 15:30 • by codeman
71236 in reply to 71230

Anonymous:
Manni:
John YaYa:
Fecking forum software.

Anyway, layers or lawyers ...


Are you saying the forum software ate your w's? I'm skeptical.

Pretty sure he's just angry that he can't edit his post.

Also, this is ridiculous.  I really hope heads rolled after this.


 


If whomever submitted this WTF reports it to the appropriate state medical board, heads WILL roll - they take stuff like this seriously!

Re: Hungry, Hungry HIPPA

2006-05-04 15:32 • by rbriem
71237 in reply to 71210
Bus Raker:
Alex Papadimoulis:

I get pretty excited whenever a new regulatory framework like HIPPA or SOX is enacted.


Hmmm .... i fail to see anything that HIPPA (or HIPAA) has to do with SOX.


HIPAA is a health information privacy act, SOX (Schema for Object-Oriented XML I assume) is computer related.


http://www.acronymfinder.com/af-query.asp?Acronym=HIPPA&Find=find&string=exact


WTF?



Waitaminnit.


You (apparently) used acronymfinder.com for HIP[PA]A, but didn't think to use it for SOX before posting?


Yeeks.

Re: Hungry, Hungry HIPPA

2006-05-04 15:38 • by Cooper
71238 in reply to 71227
GoatCheez:

OMG OMG OMG OMG!!!! I would be calling layers at that point! OMG!


I'm such a non-spell-checking f00l! I meant lawyers ;-)


Being in the natural farming business, I can tell you that none of my layers would be the slightest bit interested in anything involving drugs.

Re: Hungry, Hungry HIPPA

2006-05-04 15:41 • by Cooper
Um - I hope it is whistle-blowing time...

This company really needs a lesson in not doing this kind of stupid illegality.

Re: Hungry, Hungry HIPPA

2006-05-04 15:41 • by Rich
It's HIPAA, no HIPPA about it.

Re: Hungry, Hungry HIPPA

2006-05-04 15:41 • by Kippesoep
Hungry HIPPA? Why did I have to read this after reading this?

Re: Hungry, Hungry HIPPA

2006-05-04 15:55 • by Anita Tinkle
71244 in reply to 71201
I am a HIPAA consultant and a programmer.

There is a reason why HIPAA consults make so much money, they are basically cheaper than lawyers (those are much more expensive).

Anyone familiar with the Tier I--Privacy and Tier-II Administrative Simplification (probably the most complex part) can attest to.  I am an expert in tier II, which is basically the groundwork for the EDI process for medical billing and enrollment.  It's not a picnic.

You got a hundred thousand different healthcare providers and over a thousand payors.  That's a SH** load of business partners and is much more complex than Wal-Mart EDI with invoices/POs and electronic bill of lading.

HIPAA projects should never be touched by junior people in your administration.  The company that allowed this to happen should be reported.  Anyone can file a HIPAA complaint about any medical company at this website:

http://www.hhs.gov/ocr/privacyhowtofile.htm  <-- this is for filing complaints about a violation just like the one that occurred here (you can file anonymously to protect yourself from being fired by your employer.  Your employer CANNOT take retribution on you for filing such complaints)

https://htct.hhs.gov/aset/   <--- this is for filing a complaint about Tier II violations (in regards to EDI business transactions between medical partners)

Re: Hungry, Hungry HIPPA

2006-05-04 15:59 • by Ann Coulter
71248 in reply to 71225
Manni:
John YaYa:
Fecking forum software.

Anyway, layers or lawyers ...


Are you saying the forum software ate your w's? I'm skeptical.



Maybe he's using a computer at the White House.

http://www.boston.com/news/daily/23/letter_w.htm

Re: Hungry, Hungry HIPPA

2006-05-04 16:07 • by Volmarias
71251 in reply to 71248
Oh boy! Gross privacy violations and blatant theft!

At least this programmer('s company) is going to come out on top; NOT telling the government that they just boldly violated HIPPA has got to be worth $$$

Re: Hungry, Hungry HIPPA

2006-05-04 16:08 • by John YaYa
71252 in reply to 71225
Manni:
John YaYa:
Fecking forum software.

Anyway, layers or lawyers ...

Are you saying the forum software ate your w's? I'm skeptical.

Actually, it was a pre-emptive strike, induced by my general dislike for Community Server, a failed attempt to insert an emoticon to help express my complete disgust (as one who has worked not only in healthcare but specifically CD/Substance Abuse) at the layers of WTF-ery here, and a gentle poke at how this had affected GoatCheez so badly that he swallowed a 'w.'  Plus, there was a pathological fear that something would get eaten if I didn't have the correct fingers and toes crossed while hitting the 'Post' button.

It's never easy to convey emotions and humor in a forum.  Community Server seems to take 'difficult' and mung it to 'effing impossible.'

Fingers Crossed ...

Re: Hungry, Hungry HIPAA

2006-05-04 16:11 • by ParkinT
HIPAA, HIPAA, HOORAY

Re: Hungry, Hungry HIPPA

2006-05-04 16:11 • by Yippeee Yahoo
71254 in reply to 71248
Please tell me this is ending in criminal prosecution.

Re: Hungry, Hungry HIPPA

2006-05-04 16:24 • by TomCo
71257 in reply to 71200

Anonymous:
1st


[8-)]

  1st reply to "1st".

Re: Hungry, Hungry HIPPA

2006-05-04 16:26 • by tmountjr
71258 in reply to 71254
Well, if it was just anonymized and not actually anonymous, then theoretically anyone who was included in this list could sue for mad cash...and could probably name this site as complicit in not reporting the incident. That's gotta be worth a few thousand, right?

Mmm...filing suit against everyone who had any contact with this WTF...mmm...

Re: Hungry, Hungry HIPPA

2006-05-04 16:28 • by Satanicpuppy
71260 in reply to 71201
Crap happens all the time, unfortunately. I was working for a state social services organization once, and the stuff I used to see there would turn your hair gray.

They routinely threw away hardcopy social security numbers, their "databases" (not my responsibility thankfully) were a complete disaster, and poorly secured at best. They'd download stuff from the state's secured databases, import it into their own, internet available, insecure databases, fiddle with the data, then UPLOAD IT BACK INTO THE SECURED DATABASE. Want to do welfare fraud? Want to "pay" your child support? Want to track down your estranged spouse and kill 'em?

I even reported some of the stuff to the state, but nothing came of it. People just don't understand security. The stuff that gets released into the open boggles the mind.

Re: Hungry, Hungry HIPPA

2006-05-04 16:31 • by dcardani
71261 in reply to 71234
ParkinT:

Committee - A group of people who, individually, can do nothing and collectively agree that nothing can be done.



That reminds me of this despair poster:

Meetings - None of us is as dumb as all of us.

Re: Hungry, Hungry HIPPA

2006-05-04 16:31 • by TomCo
71262 in reply to 71216
Anonymous:

Is there a way to log in to the application and actually GET drugs?

No, because the application was coded by someone who wants to avoid the Spider of Doom problem. Instead, you have to log in and POST drugs.


 




TELNET medi-corp.com 80
GET /cgi-bin/need_fix.cgi?customerId=169&drugId=71216
HTTP/1.1 200 OK
Content-type: text/html



Response: File Not Found.




Re: Hungry, Hungry HIPAA

2006-05-04 16:31 • by BGzilla
Not surprising.  At my previous employer we were brought in to support a website for a popular herpes medication.  It had a form where people could enter their name/phone/address to request more information on the product.  Turns out the form handler was just appending the data to an unprotected text file in the website's root.  It was literally as bad as: http://www.herpes????.com/formdata.txt and you could see several hundred people's name/phone/address + personal questions about the product as it related to their condition.

The best part was that the maker of the drug whose initials are S, G and K in some other order, had no idea that this potential customer data was being collected.  Despite the client and the account team not understanding the magnitude of the problem and not budgeting any fixes, I went in and did some moving of files and slight recoding to try and get some security.  Still... horrifying.

BG
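The handler BGzilla describes appended every submission to a text file under the web root, which made the file a public URL. Below is an added example (not the site's code, not BGzilla's, and not from the original post) of that pattern beside a hardened replacement: submissions go to a directory outside the served tree, the file is created owner-only, each record is one JSON object (so a submitted value cannot inject a fake record via the delimiter), and the handler refuses to run if the data directory has been misconfigured to sit under the document root. All paths and the sample submission are constructed assumptions; file permissions assume a POSIX host.

```python
"""Vulnerable vs. hardened storage of web-form submissions.

Added example, not code from the post or the site it describes.
Paths, the sample submission and directory layout are assumptions.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample submission; nothing here is real.
SAMPLE_SUBMISSION = {"name": "A. Person", "phone": "555-0100",
                     "question": "constructed sample | not a delimiter"}


def vulnerable_save(docroot: Path, submission: dict) -> Path:
    """The pattern from the comment: append to formdata.txt inside the web
    root. Everything under docroot is served, so the file is a public URL,
    and a '|' in a value corrupts the record format."""
    target = docroot / "formdata.txt"
    with open(target, "a", encoding="utf-8") as f:
        f.write("|".join(f"{k}={v}" for k, v in submission.items()) + "\n")
    return target


def is_web_accessible(path: Path, docroot: Path) -> bool:
    """True if the resolved path lies inside the served document tree."""
    try:
        path.resolve().relative_to(docroot.resolve())
        return True
    except ValueError:
        return False


def hardened_save(datadir: Path, docroot: Path, submission: dict) -> Path:
    """Store outside the web root with owner-only permissions, one JSON
    object per line; fail closed if datadir is (mis)configured under docroot."""
    if is_web_accessible(datadir, docroot):
        raise RuntimeError("form data directory must not be under the web root")
    datadir.mkdir(mode=0o700, parents=True, exist_ok=True)
    target = datadir / "formdata.jsonl"
    # O_CREAT with mode 0o600 so the file is never world-readable, even briefly.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        f.write(json.dumps(submission, ensure_ascii=True) + "\n")
    os.chmod(target, 0o600)  # tighten a pre-existing file that had looser mode
    return target


def file_mode(path: Path) -> int:
    """Permission bits only (e.g. 0o600), for the audit check."""
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Run both handlers in a temp tree and report what an auditor would check."""
    root = Path(tempfile.mkdtemp())
    docroot = root / "htdocs"
    docroot.mkdir()
    datadir = root / "private" / "forms"
    bad = vulnerable_save(docroot, SAMPLE_SUBMISSION)
    good = hardened_save(datadir, docroot, SAMPLE_SUBMISSION)
    record = json.loads(good.read_text(encoding="utf-8").splitlines()[0])
    return {
        "vulnerable_exposed": is_web_accessible(bad, docroot),
        "hardened_exposed": is_web_accessible(good, docroot),
        "hardened_mode": file_mode(good),
        "record_round_trips": record == SAMPLE_SUBMISSION,
    }


def rejects_misconfigured_datadir() -> bool:
    """True if hardened_save refuses a data directory placed under docroot."""
    root = Path(tempfile.mkdtemp())
    docroot = root / "htdocs"
    try:
        hardened_save(docroot / "data", docroot, SAMPLE_SUBMISSION)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("misconfiguration rejected:", rejects_misconfigured_datadir())
```

The `is_web_accessible` check is the part worth copying into a deployment test: run it against every path the application writes to, with the real document root, and fail the deploy if any of them resolves inside the served tree.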

Re: Hungry, Hungry HIPPA

2006-05-04 16:39 • by The Anonymous Coward
71265 in reply to 71221
codeman:

Screwing up code that only makes the application $*#& up internally is one thing, but intentionally posting medical records and worse, SS numbers, should be a federal crime (assuming it isn't - dunno).



It is a federal crime.  Now, what law was that under....?  Oh, right.  HIPAA.

Re: Hungry, Hungry HIPAA

2006-05-04 16:40 • by codeman
71266 in reply to 71263
I propose that the IT folks who know what they are doing, when spotting a major WTF in someones' code, be required to insert the following as a warning to others:
// Quality Control Code Review - Comment Section

// ---------------------------------------------
// .............................................................................................................
// .............................................................................................................
// ......\\\\\.................../////....===========================....[[[==============........???...........
// .......\\\\\................./////.....===========================....|||==============......???.???.........
// ........\\\\\.............../////......[[..........|||..........]]....|||............]]....???.....???.......
// .........\\\\\............./////...................|||................|||..................??.......???......
// ..........\\\\\.....^...../////....................|||................|||...................?.......???......
// ...........\\\\\.../^\.../////.....................|||................|||======.....................???......
// ............\\\\\.//^\\./////......................|||................|||======....................???.......
// .............\\\\V//^\\V////.......................|||................|||........................???.........
// ..............\\\V//^\\V///........................|||................|||.......................???..........
// ...............\\V//.\\V//.........................|||................|||.......................???..........
// ................\V/...\V/..........................|||................|||....................................
// .................V.....V...........................|||................|||........................%...........
// .............................................................................................................
// .............................................................................................................
// The aforementioned logo (TM) is brought to you by the genius that coded this module :(


