Student newspaper finds gaping security loopholes in a Harvard web site

Harvard’s student newspaper, The Crimson, found massive security problems in Harvard’s web site, including the ability to look up prescription records, medical records, and even find people protected by FERPA. The iCommons Poll Tool allowed users with nothing more than a Hotmail account to look up ID numbers that could be used to find all sorts of information that should be kept confidential according to federal law.

- Staff writers

News summary:

  • The confidential drug purchase histories of many Harvard students and employees have been available for months to any internet user, as have the e-mail addresses of high-profile undergraduates whose contact information the University legally must conceal, a Crimson investigation has found.
  • The now-disabled Harvard website, iCommons Poll Tool, required nothing more than a free, anonymous Hotmail account and five minutes to look up the eight-digit ID of any student, faculty or staff member.
  • A list of all three prescription drugs purchased by one student at University Health Services (UHS) Pharmacy was accessed by The Crimson by typing his ID number and birthday into another website, run by Harvard drug insurer PharmaCare.
  • UHS, after being alerted to the security issues on PharmaCare’s website by The Crimson yesterday, said it immediately called the insurer for an explanation.
  • She added she did not yet know whether PharmaCare’s website might violate HIPAA, a federal law prohibiting the unauthorized disclosure of individual medical records.
  • Moreover, from the now-disabled University website, it took under a minute to produce the ID number and e-mail address of a student who told The Crimson he had been granted security status at Harvard under the Family Educational Rights and Privacy Act (FERPA) because his family is prominent in international politics.
  • The glitch—and the vulnerabilities that remain—underscore the difficulties posed to information privacy by the widespread use of ID numbers to verify identity, even though those numbers are often not kept secret.
  • “The University has a custodial obligation to protect the personal information of its students, its faculty and its employees,” said Marc Rotenberg ’82, executive director of the Electronic Privacy Information Center, after learning of The Crimson’s findings.
  • Bradner said the healthcare industry is under unusually strict requirements to protect sensitive information, in part due to HIPAA.

How do we set the records straight?

In the United Kingdom there are plans to make elements of patients’ electronic health records available to any practitioner with “a legitimate care relationship” anywhere in the country. There is justifiable unease about confidentiality and consent in this new environment. Will patients understand what is happening to information about them, and will that information be secure?

Another cause for concern, which is perhaps even more fundamental, has to do with how a medical record’s context contributes to its meaning.

Half of general practices in the United Kingdom are now minimising their use of paper, with routine record keeping being done on computer rather than on the traditional record card. While appreciating the greater accessibility of information in a computerised record, many GPs still miss the feeling that, just by holding a records envelope in their hand, all sorts of knowledge will seep into their brains. Thickness, weight, state of repair, handwriting, and wee diagrams all contribute. Why can’t electronic records carry more of this context?

Some things have not, so far, been changed by computerised records. In most practices and computerised units in hospitals the record is held on site, and the computer server mimics a filing cabinet. A patient’s continuation notes have a limited readership, and those who do read the record are part of a team and know each other. When communication is with a different social group a specific message is created: a referral letter from primary to secondary care or a discharge summary or clinic letter in the other direction.

What is proposed in the NHS care records service is that items that are recorded as continuation notes will be extracted and made available across the NHS. Thus another aspect of context – the purpose of the record item – is lost. Berg and Goorman (International Journal of Medical Informatics 1999;56:51-60) described the difficulties of reconstructing the meaning of a message sent from a distance, unless all sorts of context came with it. For instance, a summary code of “depression” may be recorded for an episode of severe depression as defined by formal diagnostic criteria; alternatively the same code may be used for a consultation with someone who is not coping with stress and is showing some features of mild depression. This distinction is important: practitioners local to the author will be able to infer the difference; a remote practitioner, who only has access to the coded summary, will not.

I recently had a consultation with someone who had a problem with alcohol intake in the 1980s and early 1990s. He has had an application for permanent health insurance turned down (on the basis of what was in the computerised summary of his records) and was somewhat miffed. We talked about the relations between the computer record, the written record, and his current view of his previous condition.

This brings a dilemma. On one hand is the case for including as much context as possible in what goes into the care records service. This is in the hope that the meaning of record entries may survive the distance travelled. For meaning to be preserved in this way the record has to carry surrogates for the cues that we traditionally pick up by handling a handwritten record and from personal knowledge of the author. On the other hand, what GPs think of as useful context is probably just what the patient (or third parties) are likely to wish to be restricted in distribution. Given the opportunity of granting consent, this is what they may refuse.

As a jobbing practitioner I am not sure how to handle this. It takes shared decision making to new heights if the decision is about what is included in the record. Is it sensible to expect clinical systems to make explicit to the parties in the consultation just what is going to remain local and what is going to the records service? What is the legal status of information that we choose to keep local? Can we manage consultations in the future without this distinction being explicit?

The government is in the process of spending billions of pounds on the national programme for IT in the NHS. It was explicit in the Department of Health’s 1998 Information for Health that one purpose of electronic health records was to provide service managers with accurate data about activity in the health service. At this late stage we still do not know how much of the local medical record is going to be exported to the records service. We do not know what control patients will have over what information about them is held there. We do not know if the amount of context required for a remote record to be meaningful exceeds or is less than patients will consent to. We do not know how the passage of time will affect patients’ and doctors’ interpretations of events. In short, it is not clear how a centralised record system will sit with the dispersed relationships that constitute primary care or whether the government will get any useful return on its investment.

Paul Robinson, general practitioner

Snainton, North Yorkshire Paul01@btconnect.com

Clash over public access rights and patient confidentiality sparks trial

A world expert and two of his university colleagues have been charged with court obstruction by the Swedish parliamentary ombudsman and now face a public criminal trial as a result of a clash over rights to access public data and the need to maintain patient confidentiality.

Christopher Gillberg, professor of child and adolescent psychiatry at the University of Gothenburg, Sweden, and St George’s Hospital, London; Gunnar Svedberg, vice chancellor of the University of Gothenburg; and Arne Wittlöv, chairman of the university’s board of directors, could face fines if found guilty. The trial is scheduled for late spring.

The move follows attempts by community paediatrician Dr Leif Elinder of Uppsala and Eva Karfve, associate professor of sociology at the University of Lund to acquire the legal right to gain access to years of confidential data about patients with the disorder. Professor Karfve claimed that the data gathered in Professor Gillberg’s research had various numerical “inconsistencies.”

A court order granted Professor Karfve access to the data last year. Three of Professor Gillberg’s university colleagues destroyed the data in May, however, to protect patient confidentiality (BMJ 2004;329:72).

Dr Elinder first approached the parliamentary ombudsman in August 2003, prompting an investigation by the deputy state prosecutor, which began in January 2004, he said.

Dr Elinder said that he had wanted the Swedish Research Council to look at Professor Gillberg’s data; “But the council can’t force the university to [comply] if they refuse.” He said that was why he had taken the matter to the ombudsman.

In an email to the BMJ, Professor Svedberg confirmed that the charge had been brought. The relationship between the principle of public access to official records and the law governing patient confidentiality needed to be clarified, he wrote.

Asked by the BMJ if he had any comments to make on the charge, Professor Gillberg replied, “I have done nothing wrong. I have upheld the ethics that apply to all medical professionals all over the world. For this I [and the two others] have been prosecuted.”

A colleague, Professor Elias Eriksson, of the department of pharmacology, told the BMJ that Professor Gillberg had had “massive support” from clinicians and researchers in Sweden for his stance. “Regardless of the outcome of the forthcoming trial, Gillberg and his coworkers have acted just as they should,” he said.

In a separate legal case, the university has also been forced to bring charges against the perpetrators of the data destruction, in accordance with Swedish law, which forbids destruction of archived material collected with public money.

Online banking victim files suit; $90,000 lifted from account traced to Latvia

A Miami businessman is suing Bank of America over $90,000 he says was stolen from his online banking account in a case that highlights the thorny question of who is responsible when a customer’s computer is hacked into.

Joe Lopez, 42, said in a complaint filed Thursday in Circuit Court in Miami that Bank of America was negligent and failed to protect him from online banking risks it knew about.

Lopez is asking to recover the money lost, plus interest and attorney fees. “For Bank of America, $90,000 is peanuts,” Lopez said. “For me, it’s my world. The bank has turned its back on me.”

The complaint is believed to be the first legal action by a customer against a U.S. bank to recover money apparently stolen by cybercriminals.

Avivah Litan, an expert on online fraud for Gartner Inc., a Stamford, Conn.-based research firm, called it “a landmark case.”

“This exposes all the holes in the system,” Litan said. “Banks technically aren’t responsible for what happens on your PC. But banks can’t reasonably expect consumers to protect themselves from cybercriminals.” Litan expects that future cases like Lopez’s will eventually pressure banks into adopting stricter security measures for online banking.

What Lopez calls his nightmare began April 6, when he logged on to check on a wire transfer he was expecting. As head of Ahlo Inc., a five-person company in the Doral area of Miami-Dade that buys and sells printer ink and toner, Lopez often wires money to and receives transfers from U.S. and Latin American companies.

When he checked his account, Lopez found that $90,348.65 had been wired to Parex Bank in Riga, Latvia — without his approval. “I thought I was going to throw up,” he said.

According to the complaint filed on Thursday, about $20,000 of the money was withdrawn by the fraudulent recipient in Latvia. The rest, roughly $70,000, was frozen by Parex, where it remains.

The U.S. Secret Service, which investigates computer-based attacks on banks, sent Lopez a letter in November saying its “initial examination” had determined that a variant of a virus called coreflood had existed on his computer systems.

The letter noted that coreflood is malicious software code that can give an attacker remote access to the infected system, but it did not explicitly say coreflood was the cause of the loss. Representatives of the Secret Service Miami office were unavailable for comment Friday, and have previously declined to talk about the investigation.

The allegations in Lopez’s complaint against the bank include breach of contract, negligence, breach of fiduciary duty, fraud and deceit, and intentional misrepresentation.

“Bank of America knew of the coreflood virus,” Patino said. “Why not tell their customers?”

Patino cites a letter from Bank of America to customers in July recommending they strengthen their security measures as proof that the bank knew online banking was risky. He and Lopez say a large wire transfer to Latvia, which is known in financial circles for its problems with cybercriminals, should have raised a red flag.

Bank of America spokeswoman Eloise Hale said Friday she was not aware of the complaint. But Hale reiterated comments she made for an article in the South Florida Sun-Sentinel in November that the bank’s “internal review of the transaction and documentation confirm all appropriate steps took place.”

Hale said then that Bank of America has in place “stringent” electronic security measures and continually monitors online banking for irregular activity, but she would not say what kind of activity would raise a red flag.

In an e-mail to the Sun-Sentinel in November, Parex compliance official Igor Petrov said Parex was working on the case with “respective authorities and institutions” but couldn’t comment further because of Latvia’s client privacy laws. Internet security experts have estimated that one-third to half of all cybercrimes originate in Russia, Eastern Europe and the Baltic nations, where organized crime is believed to be orchestrating many of the attacks.

In a letter obtained by the Sun-Sentinel, Richard Heilbron Jr., Bank of America’s assistant general counsel, wrote to Lopez’s attorney on April 21 that the bank was not responsible for the loss because no one hacked into its system to initiate the wire transfer.

In a letter exactly one month later, Heilbron wrote that Parex had told Bank of America that any action to recover the funds would require a request to Latvia’s Office of the Prosecutor for a criminal investigation.

“Since we are not responsible for the fraud and have not ourselves sustained a loss, we are not in a position to make such a request,” Heilbron wrote. In yet another letter in July, Heilbron wrote that Bank of America had no legal recourse against Parex because it was not the victim of the fraud. “We too would like Ahlo Inc. to recover its funds,” he wrote.

Since then, to keep his company running, Lopez has taken out a home equity loan of $30,000 and put $20,000 of his savings into the company.

And he no longer does wire transfers online. “Online banking is here to stay,” he said. “But the banks have to step up to the plate.”

Lopez’s lawyer, Ralph Patino of Coral Gables, believes the complaint could become a class-action suit to include others who have had smaller amounts of money vanish from their online banking accounts and may have little recourse.

“If you lost $5,000, you are going to walk away from that $5,000 because there isn’t an attorney in town who will take the case,” Patino said.

Ian Katz can be reached at ikatz@sun-sentinel.com or 954-356-4664.

Texas doctors support Bush’s call for electronic medical records

The Texas Medical Association supports President Bush’s push toward electronic medical records — a topic in Wednesday night’s state of the union speech.

“The President and his team have been saying that significant investment in new information technology is imperative,” TMA President Dr. Bohn Allen says. “Electronic medical records improve the quality of care, enhance patient safety, streamline physician office operations and reduce redundant services.”

He adds, however, that these systems are costly, and that doctors shouldn’t have to bear the cost alone.

“We have good reason to share those costs across the entire system because everyone benefits and shares in the savings,” Allen says.

A January 2005 study found that a well-designed system linking patient records among physicians, hospitals, health plans and others could yield $77.8 billion annually, or approximately 5 percent of the projected $1.661 trillion spent on U.S. health care in 2003, Allen says.

TMA, which is based in Austin, is the largest state medical society in the nation. It represents more than 39,500 physicians and medical students.

Although many health care experts agree that electronic medical records are the way of the future, many concede that it won’t be easy to get there.

Even a company that specializes in health care information technology says it’s a difficult task to convert hospitals and doctors to electronic medical records.

“We agree with the president that the health care industry needs to use electronic, not paper, medical records. However, physicians have historically resisted the change,” says Richard Kneipper, chief administrative officer of PHNS Inc., a Dallas-based company that provides IT, medical record and electronic medical record services to hospitals.

Kneipper cautioned that the industry still does not have a “silver bullet” to automatically modernize health care systems. Hospitals across the country are spending tens of millions of dollars on new software and new applications without allocating the time and resources to first analyze and redesign their current business processes.

“Ultimately, the answer to the president’s call is not just a new software or hardware quick fix,” Kneipper says. “Unfortunately, the health care industry has a lot to learn and a long way to go to achieve this lofty goal.”

Health IT: Fears and Opportunities

Response to health IT czar David Brailer’s request for feedback on his national health information network has been enthusiastic. The Office of the National Coordinator for Health Information Technology has received hundreds of responses. In addition, eight large technology companies have pledged support for nonproprietary standards that can serve as a common language. IBM, Intel, Microsoft, Oracle, Accenture, Cisco, Hewlett-Packard and Computer Sciences all decided that cooperation is a better bet than competition. They even recommended setting up a non-profit group, with board members appointed by HHS (Health and Human Services), to mediate any disputes.

Also last month, a report was published in Health Affairs estimating that a fully interoperable system of electronic medical records could generate $78 billion of health care savings annually by increasing efficiency and curbing duplicate procedures. The numbers do assume that the systems will be a breeze to interface and free of bugs. Still, the rosy scenario does not include savings from improved health care and fewer medical errors.

Even President Bush came back with renewed zeal, pledging to find $50 million in health IT funding for 2005 to replace a request that didn’t make it into the final budget passed last year, and to more than double the funding in 2006.

Brailer’s new boss, HHS Secretary Michael Levitt, spent part of his first day in office by his side, announcing upcoming electronic prescribing standards for Medicare. Fully implemented, electronic prescribing could cut errors caused by bad handwriting and make sure that a given prescription was in line with safety recommendations for a particular patient. It could alert doctors that a new drug could be dangerous if taken alongside other prescriptions or could remind a doctor to recommend a flu shot or other preventive care.

All this accessible information has a few people worried. In a joke circulating around the Internet, a middle-aged man calls to order an all-meat pizza, but is told that his cholesterol level is too high, so he will be sent a broccoli soy-cheese version instead. When he tries to use a coupon for free soda, he is informed that the offer only applies to households in which no one has diabetes.

Deborah Peel, chairman of the Appeal for Patient Privacy Foundation, thinks a national health information network could very well marginalize patients who fear that their personal information could be shared without their consent or that their consent could be coerced. In an e-mail to eWEEK.com, she said that as a psychiatrist she had seen banks and employers use patients’ medical records to make lending and hiring decisions. Insurance companies have used them to deny benefits and coverage.

In a statement sent to Brailer’s office, her organization stated, “Patients will avoid treatment, lie, omit information, use aliases, and seek totally private black-market health care” to avoid disclosure of sensitive conditions. The organization goes on to recommend against blanket consents for future content of medical records, and that even possession of a medical record without consent should be considered a crime.

Peel also said that HIPAA (Health Insurance Portability and Accountability Act) provided little protection: “The Bush administration flipped the HIPAA privacy rule into a disclosure rule, where patients cannot control any ‘routine’ uses of their medical records.”

Both Brailer and health information technology organizations maintain that patients should be able to view their medical records and have control over the information they contain. But the choice between having an inaccurate medical record and one that leaves a patient susceptible to discrimination is not one that a free and healthy society should force its citizens to make.

Instituting safeguards in how medical data is used is essential but insufficient. Patients must also believe that these safeguards are working and that they are safer with an electronic medical record than without one.

I welcome your thoughts on how to make sure that happens. Please e-mail me at baker@ziffdavis.com.