• (cs) in reply to codeman
    codeman:

    ... intentionally posting medical records and worse, SS numbers, should be a federal crime (assuming it isn't - dunno).

    Oh, it is...  It is.

  • (cs) in reply to Someone
    Anonymous:

    treefrog:
    It's hard to say who the WTF was...the person who sent the source code, etc or the people who took it on the sly.  Everyone would get busted for this...badly.
    That's like saying that the people who wrote PostgreSQL or MySQL would get busted for some bozo publicly posting a backup of a patient-identifiable-information database on the web.  The software vendor didn't do anything to force the client to publish a free-for-all system.  The client did that all on their own.

    Umm....what?

    Your argument is basically like saying "You can't sue Smith&Wesson for making the gun used to kill a person."  But I think your analogy is skewed.  What if I (client) asked my doctor (the vendor) for the recipe for heroin (for research purposes), then asked for the ingredients, then asked for a syringe; and in each case my doctor just gave me what I needed with only a 'sneaking suspicion' that I was up to something.  Should the doctor be held responsible - at least partially - for enabling me to inject myself with heroin?  Or would it be completely my fault for doing it 'without the doctor knowing it'?  Surely someone who has control of highly sensitive information would hesitate to give it away?

    Even if you're a vendor, which I have experience as, you can't just accept a client's requests without fair warning about the implications.  According to the WTF, they said they were 'suspicious' of the client asking for all those things, but gave it to them anyway.  To me, that's a big WTF considering the implications of violating HIPAA, etc.  Giving that data to their client without actually trying to figure out why was just dumb if you ask me.

    I think this is a WTF for both parties involved.
  • hack-o-matic (unregistered)

        Anyone know a good resource (book/website) where I can get info on the nuts and bolts of HIPAA from a technical standpoint? I am currently involved with a web-based project that is subject to HIPAA and want to make sure I cover my butt. Thanks in advance

    -Hack-o-matic

  • 1st2nd3rd (unregistered) in reply to TomCo
    TomCo:

    Anonymous:
    1st


      1st reply to "1st".


    1st reply to "1st reply to "1st"."

    And

    2nd reply to "1st".
  • (cs)
    Alex Papadimoulis:

    I get pretty excited whenever a new regulatory framework like HIPAA or SOX is enacted. Not only does it bring the potential to sit on a committee responsible for deciding the procedure needed to formulate a project request to initiate the creation of group responsible for determining the key players on a compliance assessment team, but it brings some pretty interesting stories of non-compliance like this anonymously submitted one ...

    I worked on a web project for my company that tracks diagnosis and treatment information for drug addicts. Because this is medical information, it is subject to the many privacy regulations set out in the HIPAA legislation. This law mandates, among many other things, that you stand behind the line at the pharmacy (lest you get a glimpse of the computer screen with the prescription information on it.) And ours is medical information about people who are seeking treatment for drug addiction - double private!

    My company maintains the web application and the servers it runs on, but the client kept requesting install files, documentation, and finally source code, ostensibly for "disaster recovery." We figured they were up to something, but we didn't know what.

    So a coworker of mine gets an automated email from the site informing him of an error, which is a feature of course, and immediately begins to investigate. He quickly discovers that the email did not originate with any server we maintain. Where is this server? He opens Google and does a quick search. Bingo, our client has set up a training server on the sly.

    On the public internet.

    And the person responsible pre-filled the login and password fields, to make it easier to log into the site.

    With the admin account information.

    And used his own, real, address and university student email when configuring the account. My coworker recognized the address - he used to live in the same apartment complex.

    Now for the good part. This training server needed a database, of course. Our client backed up the production database, and sent it to their el-cheapo student programmer to set up their new training server, presumably at a lower hourly rate.

    My coworkers were amazed - a few clicks from Google, no typing, no guessing a password, they're looking at what is surely the grossest violation of the HIPAA regulations *ever*. Names, social security numbers, diagnosis and treatment information for drug addicts across the state.

    You get what you pay for.

    Update: Fixed typo in title (HIPPA --> HIPAA)

    Let me be the first to call "NO WTF!"

    Wait, uh, I mean, WHO SAID THAT!  Hey, gimme my phone back!  *shnarl* *bam* *click*.

    Take that BatMan!

    (not...best...day...today. had...to...vent. had...to...utter...incomplete...nonsense.)
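    The submitter's coworker found the rogue copy because an error-report mail arrived from a host the vendor did not operate, and then found the admin credentials sitting in the login form. Below is an added example (not code from the original post or from the vendor) that automates exactly that triage: it pulls every host an error mail claims to come from (each Received hop and the application's self-reported site URL), compares them against an inventory of maintained servers, and scans a login page for pre-filled credential fields. The inventory host names, the mail format including the "Site URL:" body line, and the login page are all constructed for the example; a real deployment would substitute its own inventory and whatever fields its error mailer actually emits.

```python
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the vendor actually operates. Constructed for this example; the names are
# assumptions, not hosts from the original story.
MAINTAINED_HOSTS = {"app.vendor.example", "app-dr.vendor.example"}

# Constructed error-notification mail standing in for the automated message the
# story describes. Header values and the "Site URL:" body line are invented.
SAMPLE_ERROR_MAIL = """\
Received: from train.student.example.edu (train.student.example.edu [203.0.113.7])
    by mail.vendor.example with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000
From: webapp@train.student.example.edu
To: ops@vendor.example
Subject: [TreatmentTracker] Unhandled exception

Unhandled exception in /admin/clients.aspx: Object reference not set
Site URL: http://train.student.example.edu/treatment/login.aspx
"""

# Constructed login page with the admin credentials baked into the form.
SAMPLE_LOGIN_PAGE = """\
<html><body><form method="post" action="login.aspx">
<input type="text" name="username" value="admin">
<input type="password" name="password" value="Tr4ining!">
<input type="submit" value="Log in">
</form></body></html>
"""

RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
SITE_URL = re.compile(r"^Site URL:\s*(\S+)", re.MULTILINE)


def reported_hosts(raw_mail):
    """Every host the mail claims to originate from: the 'from' host of each
    Received hop plus the hostname in the application's self-reported URL.
    Hostnames are lower-cased; the caller decides which ones are legitimate."""
    msg = email.message_from_string(raw_mail)
    hosts = set()
    for hop in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(hop)
        if m:
            hosts.add(m.group(1).lower())
    body = msg.get_payload() if not msg.is_multipart() else ""
    m = SITE_URL.search(body)
    if m and urlparse(m.group(1)).hostname:
        hosts.add(urlparse(m.group(1)).hostname)
    return hosts


def unknown_origins(raw_mail, inventory=MAINTAINED_HOSTS):
    """Reported hosts that are not in the inventory of maintained servers."""
    return {h for h in reported_hosts(raw_mail) if h not in inventory}


class PrefilledCredentialScanner(HTMLParser):
    """Collects <input> elements whose value is already filled in and which
    are either password fields or are named like a username field."""

    CREDENTIAL_NAMES = ("user", "login", "pass", "pwd")

    def __init__(self):
        super().__init__()
        self.findings = []  # (name, type, value) triples

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        kind, name, value = a.get("type", "text").lower(), a.get("name", ""), a.get("value", "")
        if not value:
            return
        if kind == "password":
            self.findings.append((name, kind, value))
        elif kind not in ("submit", "button", "reset", "image") and any(
            s in name.lower() for s in self.CREDENTIAL_NAMES
        ):
            self.findings.append((name, kind, value))


def prefilled_credentials(html):
    scanner = PrefilledCredentialScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def triage(raw_mail, login_html, inventory=MAINTAINED_HOSTS):
    """Human-readable findings. Field values are deliberately not echoed so the
    report itself does not leak the credentials it discovered."""
    findings = [f"error report from unmanaged host {h}" for h in sorted(unknown_origins(raw_mail, inventory))]
    findings += [f"login page pre-fills {kind} field '{name}'" for name, kind, _ in prefilled_credentials(login_html)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ERROR_MAIL, SAMPLE_LOGIN_PAGE):
        print(finding)
```

    Run against the constructed samples this reports one unmanaged host and two pre-filled fields. Only the "from" side of each Received hop is used, since the "by" side is the receiving relay; and the check is an allowlist against inventory rather than a blocklist, so a copy of the application spun up anywhere the vendor does not know about is flagged by default.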

     

  • (cs) in reply to TomCo
    TomCo:
    (not...best...day...today. had...to...vent. had...to...utter...incomplete...nonsense.)

    Is "incomplete nonsense" like being "partially pregnant?"

    And, for that matter, if "incomplete" means "not done," and "insane" means "not sane," why-TF doesn't "inflammable" mean "not flammable?"

    Maybe it's time to go home ...
  • (cs) in reply to John YaYa

    John YaYa:
    TomCo:
    (not...best...day...today. had...to...vent. had...to...utter...incomplete...nonsense.)

    Is "incomplete nonsense" like being "partially pregnant?"

    And, for that matter, if "incomplete" means "not done," and "insane" means "not sane," why-TF doesn't "inflammable" mean "not flammable?"

    Maybe it's time to go home ...

    Here's the other part, making the "nonsense" complete.

     

        perl -e '
          # encoder (not used by the print below): string -> space-separated binary
          sub dec2bin { my $str = unpack(q(B32), pack(q(N), shift)); $str =~ s/^0+(?=\d)//; return $str; }
          sub str2bin { my @arr = split(//, shift); $_ = dec2bin(ord($_)) for @arr; return join(q( ), @arr); }
          # decoder: space-separated binary -> string
          sub bin2dec { return unpack(q(N), pack(q(B32), substr(q(0) x 32 . shift, -32))); }
          sub bin2str { my @arr = split(/ /, shift); $_ = chr(bin2dec($_)) for @arr; return join(q(), @arr); }
          print bin2str(q(1010 1010 111100 1110010 1100001 1101110 1110100 111110 1010 100000 100000 1010011 1100001 1110010 1100010 1100001 1101110 1100101 1110011 100000 1001111 1111000 1101100 1100101 1111001 100000 1110010 1100101 1101101 1101001 1101110 1100100 1110011 100000 1101101 1100101 100000 1101111 1100110 100000 1010011 1110100 1100101 1100111 1100001 1101100 1101100 100000 1000111 1101100 1100001 1110011 1110011 100000 1110111 1101000 1101001 1100011 1101000 100000 1110010 1100101 1101101 1101001 1101110 1100100 1110011 100000 1101101 1100101 100000 1101111 1100110 100000 1001010 1010000 100000 1001101 1101111 1110010 1100111 1100001 1101110 101110 1010 100000 100000 1001111 1101111 1101111 1101111 1101000 101100 100000 1100111 1101111 1110100 1110100 1100001 100000 1101000 1100001 1110100 1100101 100000 1110100 1101000 1101111 1110011 1100101 100000 1100010 1100001 1101110 1101011 1100101 1110010 1110011 100001 1010 111100 101111 1110010 1100001 1101110 1110100 111110 1010 1010));
        '

  • _ (unregistered)

    Wow... I hope the company turned over this client to the proper authorities.

  • (cs) in reply to hack-o-matic

    Anonymous:
    Anyone know a good resource (book/website) where I can get info on the nuts and bolts of HIPAA from a technical standpoint? I am currently involved with a web-based project that is subject to HIPAA and want to make sure I cover my butt. Thanks in advance

    -Hack-o-matic

    Wikipedia "HIPAA", start there then check the external links at the bottom ...

  • (cs) in reply to treefrog
    treefrog:
    Your argument is basically like saying "You can't sue Smith&Wesson for making the gun used to kill a person."

    Or saying you can't sue McDonalds for being grossly overweight!  Or suing Bic because someone went nuts and stabbed their co-worker in the eye with a ball point pen that clearly should have had a warning that said, "Not intended for use as a weapon."

    treefrog:
    Even if you're a vendor, which I have experience as, you can't just accept a client's requests without fair warning about the implications.  According to the WTF, they said they were 'suspicious' of the client asking for all those things, but gave it to them anyway.

    It is the client's responsibility to protect the data, not the vendor.  The client can, and should, require their vendors to adhere to the HIPAA regulations that they themselves are bound by, but it's not the other way around.

    Also, you won't get very far as a vendor on work for hire projects where you grill each client when they request their source.

  • (cs) in reply to rbriem
    rbriem:
    Bus Raker:
    Alex Papadimoulis:

    I get pretty excited whenever a new regulatory framework like HIPPA or SOX is enacted.

    Hmmm .... I fail to see anything that HIPPA (or HIPAA) has to do with SOX.

    HIPAA is a health information privacy act, SOX (Schema for Object-Oriented XML I assume) is computer related.

    http://www.acronymfinder.com/af-query.asp?Acronym=HIPPA&Find=find&string=exact

    WTF?

    Waitaminnit.

    You (apparently) used acronymfinder.com for HIP[PA]A, but didn't think to use it for SOX before posting?

    Yeeks.

    Check it out .. it comes in 8th!  Of course I looked.  If anyone here knew anything about XML... WTF?

    http://www.acronymfinder.com/af-query.asp?Acronym=SOX&string=exact

  • Carl (unregistered) in reply to codeman

    Codeman,

    Doing that would be totally sluggish...
    Where I work, when we come across wtfs, we are REQUIRED to tell the person who just did it to take a look at it and why we think it's a wtf.
    Or, fix it.
    If it's too big of a wtf to be fixed right away, I have to report it and we actually LOG IT, so that as soon as we have the time to fix it, we do.
    If it is REALLY major, we include it in the application version plan. So, of course, it won't get done in the next shipped version, but it'll get done on the next one after that, which is still quickly enough for us.

    Because you see... quality is king.
    Code that is easy to maintain costs less, in the long run.
    This helps raise the value of the code you're doing, in the eyes of the person who finances it.

    By just putting a note that this part is a serious wtf, you are just adding to it.
    I hope we'll never work in the same team. +o(

  • Kiss me, I'm Polish (unregistered) in reply to treefrog
    treefrog:
    Anonymous:

    treefrog:
    It's hard to say who the WTF was...the person who sent the source code, etc or the people who took it on the sly.  Everyone would get busted for this...badly.
    That's like saying that the people who wrote PostgreSQL or MySQL would get busted for some bozo publicly posting a backup of a patient-identifiable-information database on the web.  The software vendor didn't do anything to force the client to publish a free-for-all system.  The client did that all on their own.

    Umm....what?

    Your argument is basically like saying "You can't sue Smith&Wesson for making the gun used to kill a person."  But I think your analogy is skewed.  What if I (client) asked my doctor (the vendor) for the recipe for heroin (for research purposes), then asked for the ingredients, then asked for a syringe; and in each case my doctor just gave me what I needed with only a 'sneaking suspicion' that I was up to something.  Should the doctor be held responsible - at least partially - for enabling me to inject myself with heroin?  Or would it be completely my fault for doing it 'without the doctor knowing it'?  Surely someone who has control of highly sensitive information would hesitate to give it away?

    Even if you're a vendor, which I have experience as, you can't just accept a client's requests without fair warning about the implications.  According to the WTF, they said they were 'suspicious' of the client asking for all those things, but gave it to them anyway.  To me, that's a big WTF considering the implications of violating HIPAA, etc.  Giving that data to their client without actually trying to figure out why was just dumb if you ask me.

    I think this is a WTF for both parties involved.

    There's always one crucial ingredient to make heroin true. It's forbidden to own it, it's forbidden to buy it. Your doctor can tell you what it looks like, even how to make it - but I guess it's not worth it to try to manufacture it at home. You can only learn it to hunt down your children, when they enter the age of assholism. And believe me, they will. Yet - the doctor shouldn't be held responsible for someone being an asshole. No offence meant, I'm just talking about how easy it is to pass the guilt from the irresponsible idiots to the wise who actually see what's lethal.
  • (cs)

    Terrible, terrible stuff. Shocking.

     


  • (cs)

    I once almost worked on a similar project.  This was pre-HIPAA days.  It was a contact management system for state prosecutors.  You know, people like informants, undercover cops, DEA agents, all with their home addresses.  The system was already nearly complete when my company was tapped to help with the final push.  When we were deciding whether to take the job or not, I got a copy of the software.  The installation instructions had these steps (among others):

    Install MS SQL Server.
    Set security to mixed mode.
    "sa" password MUST be left blank.
    SQL Server MUST be accessible over the Internet (for data replication purposes).

    I brought up the potential security ramifications to our sales rep.  She didn't want to offend her contact so she wouldn't pass them on.  I eventually refused to touch the project.  Someone in another office eventually did the project, someone who is far more politically sensitive than I am.  Did I mention that this company went out of business..... twice?  Not directly due to this incident, but due to 500 boneheaded decisions similar to the above.  Funny thing is that our President was responsible for losing $10M a year on $72M in revenue in the IT industry in the mid-to-late 1990's (we never made a profit once during the entire Internet bubble).  This person was awarded repeated raises and bonuses, and eventually went on to a better job using the experience of running us into the ground on her resume.

  • (cs) in reply to bullseye
    bullseye:
    treefrog:
    Your argument is basically like saying "You can't sue Smith&Wesson for making the gun used to kill a person."

    Or saying you can't sue McDonalds for being grossly overweight!  Or suing Bic because someone went nuts and stabbed their co-worker in the eye with a ball point pen that clearly should have had a warning that said, "Not intended for use as a weapon."

    "The warning was too small.  When I held it closer so that I could read it, someone jostled me and I poked myself in the eye.  I am suing the both of you.  And your little dogs, too!"

    Also, you won't get very far as a vendor on work for hire projects where you grill each client when they request their source.

    True, though we do not know whether this case was work for hire.

    Sincerely,

    Gene Wirchenko


  • fuzzy lollipop (unregistered) in reply to Bus Raker

    wrong

    Sarbanes-Oxley - enacted after the Enron debacle

  • (cs) in reply to jsmith
    jsmith:

    Funny thing is that our President was responsible for losing $10M a year on $72M in revenue in the IT industry in the mid-to-late 1990's (we never made a profit once during the entire Internet bubble).  This person was awarded repeated raises and bonuses, and eventually went on to a better job using the experience of running us into the ground on her resume.

    Familiar, it sounds.  Carly Fiorina, your President, was it?

  • Not Gene Wirchenko (unregistered) in reply to codeman

    How did the client get the web server software and a copy of the database?  Did the vendor give it to them?  Isn't that really the first part of the WTF?

  • (cs) in reply to BGzilla
    Anonymous:
    I went in and did some moving of files and slight recoding to try and get some security.


    Surely a simple

                $ chmod 662 formdata.txt

    was all that you needed to do.
  • David Fetter (unregistered)

    HIPAA carries prison terms for violation.  You need to retain an attorney and quickly.

  • (cs) in reply to David Fetter

    This sounds like what happened to me a couple of years ago in college.  A professor needed to know who needed to reschedule their final exams, so he had students send him an email with their name and Student ID number.  He then posted them, with their Student ID numbers, on the class website so that "students could be sure that he got the request".

    What makes this worse is that the student ID numbers at the time were our SSN, because our university was too stupid to think that it would be an issue putting our student ID numbers on final exam papers (which was required).

    Anyway, I emailed the professor and he said that he didn't see what the big issue was, but would take the numbers down if it would make me feel better.  I am sooooo glad he is not a Computer Science professor.

  • (cs) in reply to bullseye
    bullseye:

    It is the client's responsibility to protect the data, not the vendor.  The client can, and should, require their vendors to adhere to the HIPAA regulations that they themselves are bound by, but it's not the other way around.

    Also, you won't get very far as a vendor on work for hire projects where you grill each client when they request their source.



    You're absolutely right...but when I read the WTF, the vendor basically said the client was asking for stuff, with lame excuses, and they were only suspicious.  I have never grilled my clients for asking about stuff.  When they buy my services/software, I clearly state where there is sensitivity and how to be careful with the information.  Here's a good example: 

    I have a client who asked me to write a payment module for OSCommerce.  I wrote the module from scratch because his chosen payment gateway doesn't fit well with the other existing gateways (like Authorizenet, paypal, etc).  He later asked me for the shopping cart source code once everything was finished and working.  I sent him the source with a note mentioning that since he paid for the development of the module, it was his and to be careful who he gave it to.  Turns out that the payment gateway company wanted the code so they could post it on their website as a downloadable module.  He was glad that I gave him the warning because he would have ended up paying for something that everyone else would have gotten for free.  He shouldn't have to spend his hard-earned money for someone else to take advantage of it, should he?

    The WTF that I see is how the vendor, well aware of the security and privacy issues of HIPAA, failed to give fair warning regarding the sensitivity of the information that was being handed over.  If the WTF didn't have this statement:

    My company maintains the web application and the servers it runs on, but the client kept requesting install files, documentation, and finally source code, ostensibly for "disaster recovery." We figured they were up to something, but we didn't know what.

    If it weren't for that part of it, I would agree that the vendor wasn't responsible, but in this case, there was no concern until it was too late.  Even if there's only partial responsibility, the vendor could have at *least* mentioned something about the data or at least shared some level of concern over what the client was doing?

  • (cs) in reply to Kiss me, I'm Polish
    Anonymous:
    treefrog:
    What if I (client) asked my doctor (the vendor) for the recipe for heroin (for research purposes), then asked for the ingredients, then asked for a syringe; and in each case my doctor just gave me what I needed with only a 'sneaking suspicion' that I was up to something.  Should the doctor be held responsible - at least partially - for enabling me to inject myself with heroin?  Or would it be completely my fault for doing it 'without the doctor knowing it'?  Surely someone who has control of highly sensitive information would hesitate to give it away?


    There's always one crucial ingredient to make heroin true. It's forbidden to own it, it's forbidden to buy it. Your doctor can tell you what it looks like, even how to make it - but I guess it's not worth it to try to manufacture it at home. You can only learn it to hunt down your children, when they enter the age of assholism. And believe me, they will. Yet - the doctor shouldn't be held responsible for someone being an asshole. No offence meant, I'm just talking about how easy it is to pass the guilt from the irresponsible idiots to the wise who actually see what's lethal.


    You mean...I'm an asshole? ;)

    Seriously, my example is a bit flawed that the obvious person at fault is the one who wants to do the heroin and then actually does it.  However, the ones who know better and are in a position to influence another's decision are always held at least partially accountable for things like this.  The CEO is always held responsible for stock prices.  The army general is always held responsible when troops die.  The floor supervisor is held responsible when there's a safety violation.  Even the manager of a McDonald's is held responsible if an employee pisses off a customer - even if the supervisor had no direct involvement.

    I'm just saying that if the vendor had given fair warning, it wouldn't have been a WTF on their part as well....I think we all agree that the client was a dumbass for the blatant HIPAA violation.
  • Anonymaly (unregistered) in reply to GoatCheez

    GoatCheez:

    OMG OMG OMG OMG!!!! I would be calling lawyers at that point! OMG!

    You know, this is one prime example of why they need to require "software engineers" to be 'certified' and have a "Professional Engineer" designation like they do for other engineering disciplines.  When a person's work starts to affect other lives (or others' money) there should be a required level of competency.

    I used to work for a company that processed credit card transactions and had seen some very obscene cases of error.  It's depressing, but helpful to think that some people have actually lost their lives after having only a few dollars stolen from their wallets.

  • chani (unregistered) in reply to Carl

    Anonymous:
    Codeman,

    Doing that would be totally sluggish...
    Where I work, when we come across wtfs, we are REQUIRED to tell the person who just did it to take a look at it and why we think it's a wtf.
    Or, fix it.
    If it's too big of a wtf to be fixed right away, I have to report it and we actually LOG IT, so that as soon as we have the time to fix it, we do.
    If it is REALLY major, we include it in the application version plan. So, of course, it won't get done in the next shipped version, but it'll get done on the next one after that, which is still quickly enough for us.

    Because you see... quality is king.
    Code that is easy to maintain costs less, in the long run.
    This helps raise the value of the code you're doing, in the eyes of the person who finances it.

    By just putting a note that this part is a serious wtf, you are just adding to it.
    I hope we'll never work in the same team. +o(

    Do you quit any job where you are not allowed to do the above?  I've never heard of such a thing!! To be able to report WTFs on a daily basis??!!  A dream job!!  The only time I was able to do that was at one great client, but WTFs were rarely found.  It would be lovely to point out the incompetence of others in an acceptable manner at work.  Are you saying that you can do this at every job you've worked at?

    I currently work with a software architect that generally requires me to THINK wtf each day about 20 times in response to his ideas which generally violate everything I understand about writing object-oriented, reusable, and consistent code.  (I've written an application based on reflection, but using reflection to dispatch events is no good substitute for using interfaces, inheritance, and all those old-fashioned ideas in normal event-driven GUI design.)  There is no safety violation of any sort or I would quit on the spot.  I submit bug reports almost daily.  However, if I were to make note of every time I found bad quality code or became aware of bad design, I would do nothing but complain and submit reports and shortly my contract would mysteriously expire.  I'm about ready to quit, but I have been that way at about every job I've had except one exceptional medical device company, which laid me off during their only layoff.

    So, where do you work??!!  I want to work there.  Are they hiring?  A dream come true!

  • Anonymaly (unregistered) in reply to chani
    Anonymous:

    So, where do you work??!!  I want to work there.  Are they hiring?  A dream come true!

    It's called being a consultant.  Grab a dictionary of acronyms, learn the latest buzzwords they have printed on BS bingo, learn how to create your own unique "twenty word or less" definition of those 'buzzwords' and sell your services (supreme, regular or unleaded) even better than their own in-house team of salespeople sell their own product.  Only then, young Jedi, will you know the 'force'.

  • Carl (unregistered) in reply to chani
    Anonymous:

    Do you quit any job where you are not allowed to do the above?  I've never heard of such a thing!! To be able to report WTFs on a daily basis??!!  A dream job!!  The only time I was able to do that was at one great client, but WTFs were rarely found.  It would be lovely to point out the incompetence of others in an acceptable manner at work.  Are you saying that you can do this at every job you've worked at?

    I currently work with a software architect that generally requires me to THINK wtf each day about 20 times in response to his ideas which generally violate everything I understand about writing object-oriented, reusable, and consistent code.  (I've written an application based on reflection, but using reflection to dispatch events is no good substitute for using interfaces, inheritance, and all those old-fashioned ideas in normal event-driven GUI design.)  There is no safety violation of any sort or I would quit on the spot.  I submit bug reports almost daily.  However, if I were to make note of every time I found bad quality code or became aware of bad design, I would do nothing but complain and submit reports and shortly my contract would mysteriously expire.  I'm about ready to quit, but I have been that way at about every job I've had except one exceptional medical device company, which laid me off during their only layoff.

    So, where do you work??!!  I want to work there.  Are they hiring?  A dream come true!



    Well, some parts of the application are getting really old and have been ugly for a while, but they are logged as "to redo".
    But you see, last week, I've been asked to do stuff that would take 1-2 days, but when I notified my superior about how bad the code was and that to do it correctly, it would take me 5 days... they gave me the 5 days requested...

    Of course, nothing is always perfect, and I do hear wtf while walking down the hallway, but my opinion does matter, so it's possible to actually have a discussion and tell why I think it doesn't make any sense.
    The fact that we are a rather small company (about 40 employees) and we are making our own products (and not consultingwares) helps a lot in this area.


  • Anonymaly (unregistered) in reply to Carl

    Anonymous:

    Well, some parts of the application are getting really old and have been ugly for a while, but they are logged as "to redo".
    But you see, last week, I've been asked to do stuff that would take 1-2 days, but when I notified my superior about how bad the code was and that to do it correctly, it would take me 5 days... they gave me the 5 days requested...

    Of course, nothing is always perfect, and I do hear wtf while walking down the hallway, but my opinion does matter, so it's possible to actually have a discussion and tell why I think it doesn't make any sense.
    The fact that we are a rather small company (about 40 employees) and we are making our own products (and not consultingwares) helps a lot in this area.

    Some companies (mostly smaller) are slow to evolve --even when they get a hold of new technologies, they use old bad habits in new frontiers without bothering to learn the "lay of the land".

    There are some small companies too that believe in "if it ain't broke, don't fix it, but just pile on more crap until it breaks."  Imagine having worked with a recent technology where it takes you about two hours to implement a concept, using the distilled wisdom of your forefathers, then asked to implement this "whiz bang" technology into an old "pre-cursor" technology where everything your forefathers did needs to be "re-invented" in an environment using older technology and tools just to keep up, because they won't keep up with the latest.

    What's painful are these new startups using the latest development tools to create some impressive "eye candy", requiring those poor developers working for firms that won't upgrade their technology (and understandably so) but still require their team to do all of the same development the latest tools implement just to make sure they "keep up with the Jones'".  Then they complain when it takes about ten days to do what they 'saw' another person do in ten minutes.  Perception is what seems to be the key.

  • ld50 (unregistered) in reply to Carl

    The medical software industry is growing rapidly, and as such, there are a lot of startups trying to get in on it. The result? HIPAA violations all over. I've worked at a few of these companies, and the people making the decisions are often ignorant of even the basics of HIPAA or willfully ignore it. Complying with regulations such as HIPAA is very expensive in terms of time, and doing so may jeopardize our every-20-minute release process.

    Something like this happening does not surprise me at all.

  • chani (unregistered) in reply to Anonymaly
    Anonymous:
    Anonymous:

    So, where do you work??!!  I want to work there.  Are they hiring?  A dream come true!

    It's called being a consultant.  Grab a dictionary of acronyms, learn the latest buzzwords they have printed on BS bingo, learn how to create your own unique "twenty word or less" definition of those 'buzzwords' and sell your services (supreme, regular or unleaded) even better than their own in-house team of salespeople sell their own product.  Only then, young Jedi, will you know the 'force'.

    Unfortunately, I'm a contractor.  Instead of picking up a dictionary and learning a bunch of buzzwords, I picked up a bunch of books and learned the concepts, learned from my elders, learned from my juniors, learned through experience, learned through trial and error, learned through meditation (i.e. thinking), am still learning, and am constantly looking at code I wrote 6 weeks ago and wondering WTF was I thinking?!   (Don't we all?)

    I'll never be a Luke.  I'll always be a Leia.  I'll always be dealing with those incompetent peasants (who occasionally turn out to be quite smart) and trying to help them out (even when they require me to use reflection to dispatch events).  Doesn't mean I'll be happy about it.  Leia was always kind of pi**y.

    So, I live in the real world.  You can't always say WTF every time you think it at work, though it would be nice, and I'd learn more if others would say that to me.

    However, this WTF in question is the worst I've seen, and the minute someone at the vendor company became aware of it, they should have determined which authority to call and called them ASAP.


  • (cs) in reply to 1st2nd3rd
    Anonymous:
    TomCo:

    Anonymous:
    1st

    [8-)]

      1st reply to "1st".


    1st reply to "1st reply to "1st"."

    And

    2nd reply to "1st".

    3rd reply to...

    uhh, nevermind... [:D]

    Anonymous:
    Please tell me this is ending in criminal prosecution.


    I really hope so...

  • (cs) in reply to TomCo
    TomCo:

    ...
    Take that BatMan!
    ...


    Heh, misread that as 'ButtHead', which sort of fit in there pretty well too :)
  • jo3mam (unregistered) in reply to codeman

    Internet easter egg hunt!

  • Zaph0d (unregistered)

    That's why I think every B.Sc in computer science / Eng. in software eng. degree should include a mandatory course on information security. You know what's sad? My university doesn't even offer a course like that. So far, the best "school" for me is the dailywtf, as I learn what not to do.

    Also, it's very easy to get a full listing of citizens and their ID number (at least here - Israel). You have to pry a little, but I've had the full list handed over to me _several times_ in order to build a detail verifier module (which of course meant I was expected to incorporate it into my module). I fuzzily remember some flash about ordering a pizza where the phone clerk knew everything about you (I think it opposed some law about unifying datastores). Well, the day is not far now, and for some, maybe it's already gone past. Only this time, it's not the government's fault - it's the stupid programmer's fault.

    ------

    When in trouble, when in doubt, run in circles, scream and shout.

  • Ged (unregistered) in reply to bullseye
    bullseye:
    treefrog:
    Your argument is basically like saying "You can't sue Smith&Wesson for making the gun used to kill a person."

    Or saying you can't sue McDonalds for being grossly overweight!  Or suing Bic because someone went nuts and stabbed their co-worker in the eye with a ball point pen that clearly should have had a warning that said, "Not intended for use as a weapon."

    treefrog:
    Even if you're a vendor, which I have experience as, you can't just accept a client's requests without fair warning about the implications.  According to the WTF, they said they were 'suspicious' of the client asking for all those things, but gave it to them anyway.

    It is the client's responsibility to protect the data, not the vendor.  The client can, and should, require their vendors to adhere to the HIPAA regulations that they themselves are bound by, but it's not the other way around.

    Also, you won't get very far as a vendor on work for hire projects where you grill each client when they request their source.



    It's not about the source; the source code isn't the violation. The problem is the confidential data that was given to the client to play with. They should've generated some sort of mock data with invented clients and SS numbers instead of the real deal. That is the WTF part here.
  • RichNFamous (unregistered)

    The moral of this tale: NEVER release your source code without a whopping great disclaimer.

    What an idiot that guy was/is...

  • jeremyp (unregistered) in reply to Ged
    Anonymous:
    It's not about the source; the source code isn't the violation. The problem is the confidential data that was given to the client to play with. They should've generated some sort of mock data with invented clients and SS numbers instead of the real deal. That is the WTF part here.
    If you read the original story properly, you'll see the client wasn't given the data. The client backed up its own production database and gave it to their programmer.

    The vendor has done absolutely nothing wrong except maybe in trusting the client not to violate copyright on the source code and possibly in not reporting the client if they didn't.

  • xiit (unregistered) in reply to Kai MacTane
    Anonymous:
    Is there a way to log in to the application and actually GET drugs?

    No, because the application was coded by someone who wants to avoid the Spider of Doom problem. Instead, you have to log in and POST drugs.



    The app might be RESTful, then you could PUT and DELETE drugs, too!

  • (cs) in reply to Carl

    Anonymous:
    Codeman,

    Doing that would be totally sluggish...
    Where I work, when we come across WTFs, we are REQUIRED to tell the person who just did it to take a look at it and why we think it's a WTF.
    Or, fix it.
    If it's too big of a WTF to be fixed right away, I have to report it and we actually LOG IT, so that as soon as we have the time to fix it, we do.
    If it is REALLY major, we include it in the application version plan. So, of course, it won't get done in the next shipped version, but it'll get done on the next one after that, which is still quickly enough for us.

    Because you see... quality is king.
    Code that is easy to maintain costs less, in the long run.
    This helps raise the value of the code you're doing, in the eye of the person who finances it.

    By just putting a note that this part is a serious wtf, you are just adding to it.
    I hope we'll never work in the same team. +o(

    Perhaps my sarcasm was not obvious enough?

  • (cs) in reply to rbriem
    rbriem:

    Anonymous:
    Anyone know a good resource (book/website) where I can get info on the nuts and bolts of HIPAA from a technical standpoint? I am currently involved with a web-based project that is subject to HIPAA and want to make sure I cover my butt. Thanks in advance

    -Hack-o-matic

    Wikipedia "HIPAA", start there then check the external links at the bottom ...



    Or you could try http://www.hipaa.org instead.
  • lepermime (unregistered)

    Sadly, this isn't too uncommon.  You can also thank the current administration for making penalties of this kind of violation a line item expense for companies.  It used to be 25000 per instance per type of violation with a cap of 250,000 a year; now it's a one time whammy of 25000 per type of violation capped at 25000 per year.  So it's now a line item expense.  Companies have no interest in trying to actually meet the requirements set forth in HIPAA when federal penalties are so lax.

  • Dave (unregistered) in reply to Bus Raker

    SOX = Sarbanes-Oxley Act

  • hipaa- eai (unregistered) in reply to Anita Tinkle

    You said it right!! The use of the word "simplification" in the same sentence as HIPAA should be banned

  • (cs) in reply to treefrog
    treefrog:

    Your argument is basically like saying "You can't sue Smith&Wesson for making the gun used to kill a person."


    That's one of the "great" things about the United States...you can sue anyone for anything!  Whether the judge will throw out the case is another matter, but at least you get a chance!

    Incidentally, I've never understood suing gun manufacturers for crimes.  Imagine suing a pillow maker if someone is murdered by being smothered!  ("But the pillow should have been designed so it's more oxygen-permeable.")   If someone chooses to use an item with legal uses illegally, that's on the criminal, not the tool-maker.


  • (cs) in reply to codeman
    codeman:

    Anonymous:
    Codeman,

    Doing that would be totally sluggish...
    Where I work, when we come across WTFs, we are REQUIRED to tell the person who just did it to take a look at it and why we think it's a WTF.
    Or, fix it.
    If it's too big of a WTF to be fixed right away, I have to report it and we actually LOG IT, so that as soon as we have the time to fix it, we do.
    If it is REALLY major, we include it in the application version plan. So, of course, it won't get done in the next shipped version, but it'll get done on the next one after that, which is still quickly enough for us.

    Because you see... quality is king.
    Code that is easy to maintain costs less, in the long run.
    This helps raise the value of the code you're doing, in the eye of the person who finances it.

    By just putting a note that this part is a serious wtf, you are just adding to it.
    I hope we'll never work in the same team. +o(

    Perhaps my sarcasm was not obvious enough?


    Irony and sarcasm seldom are :)

    About your idea, even though ironically meant, it's a neat idea methinks... Or something like adding a @WTF tag with a reference to this site... I can imagine the WTF coder scratching her head when seeing it :)
  • (cs) in reply to treefrog

    treefrog:
    Turns out that the payment gateway company wanted the code so they could post it on their website as a downloadable module.

    I'd love to know which company this was.  I deal with quite a few different payment gateways in my work, and I'd probably boycott any of them that I thought would pull these kinds of shenanigans.

  • (cs)
    Alex Papadimoulis:

    And the person responsible pre-filled the login and password fields, to make it easier to log into the site. With the admin account information....

    So I can create records too for anyone I want (and later publicize them). So in addition to lucrative fraud and blackmail opportunities from reading the data, I can write data to extract revenge and retribution. I'd start with the client's management.

    --Rank

    Yeah, send layers of lawyers.

  • (cs) in reply to Rank Amateur
    Rank Amateur:
    Alex Papadimoulis:

    And the person responsible pre-filled the login and password fields, to make it easier to log into the site. With the admin account information....

    So I can create records too for anyone I want (and later publicize them). So in addition to lucrative fraud and blackmail opportunities from reading the data, I can write data to extract revenge and retribution. I'd start with the client's management.

    --Rank

    Yeah, send layers of lawyers.


    Then we need layers of lawyer slayers...
  • APAQ11 (unregistered) in reply to wzph

    Wow, I'm really glad to see there are safeguards in place so stuff like this doesn't happen.

    ::shiver::
