Wells Fargo Small Biz acct doesn’t allow password changes!

Okay, from a security perspective, this is insane.

Wells Fargo small business banking supports multiple logins for a single bank account. This is great. It’s role based, meaning you can grant each new login privileges that are either full (including withdrawals) or view-only. In turn, small biz owners can hand out view-only accounts to their accountant, tax preparer, office staff, etc. without worrying about embezzlement or fraud.

Now here is where it gets nutty. Wells Fargo will not allow the view-only login holder to change their password!!!

That’s right. The small biz administrator is the person who sets the original password, so two people know the password. Then, to change the password, the view-only login holder must contact the small biz administrator who again gets to see the password before he/she changes it.

Don’t believe me? Here’s what I received back from Wells Fargo customer support, at bottom.

There are seven (or more) reasons why this policy is incredibly dumb (sorry, there’s no other way to put it):

1) We in the security industry want to train individuals to be in the habit of regularly changing their password in case a password ever gets unknowingly compromised. Here we have a bank saying that practice isn’t necessary.

2) The small biz administrator is unlikely to select a strong password — and if the password is weak, the login-holder can’t fix it.

3) There is no audit trail for use of the login, because 2 individuals always know the password for every login.

4) Wells Fargo customer support probably gets “a bunch” of customer tickets from confused login-holders. CS has to read/respond quickly under small biz CS SLA, so the avg cost of a CS support ticket is probably higher than usual offshore support… I’m aware this is easily macro-able, but still…

5) Engineering has to support a bizarre requirement that some accounts are allowed to change password and other accounts aren’t. This leads to (minor) code complexity but more to the point, more complex testing for QA and automation. E.g. I’m sure the main administrator/owner accounts get tested up the wazoo, but the view-only accounts? Probably less love…

6) Increases cost on the small biz owner to support their staff. Makes it more likely the small biz owner will just say, oh, here’s my password, can you login and change it for yourself?

7) The administrator probably gave the view-only login holder the password in writing, and the view-only login holder will probably write the password down because they didn’t make it up themselves. So, the password is on a sticky note pasted to a monitor, or in hackable email…

Unbelievable. To put it differently, when Wells Fargo says “Wells Fargo is partnering with you to help prevent fraud,” I’m not sure I believe it.
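The design the post is arguing for, as an added example (not Wells Fargo code; the class, field and method names are assumptions): every login holds its own salted hash, an administrator-issued password can only be used to set a new one, and the audit trail is keyed to the individual login rather than to a secret two people share.

```python
"""Per-login credentials with forced rotation of an admin-issued password (added example)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-login salt; iteration count kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Login:
    username: str
    role: str             # "admin", "full" or "view-only"
    salt: bytes
    pw_hash: bytes
    must_change: bool     # True while the admin-issued temporary password is still live


@dataclass
class BusinessAccount:
    logins: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (actor, action, target)

    @classmethod
    def bootstrap(cls, admin: str, password: str) -> "BusinessAccount":
        acct = cls()
        salt = os.urandom(16)
        acct.logins[admin] = Login(admin, "admin", salt, _hash(password, salt), False)
        return acct

    def provision(self, admin: str, username: str, role: str) -> str:
        """Administrator adds a login; returns a one-time temporary password."""
        if self.logins[admin].role != "admin":
            raise PermissionError("only the administrator can add logins")
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.logins[username] = Login(username, role, salt, _hash(temp, salt), True)
        self.audit.append((admin, "provision", username))
        return temp   # the only moment a second person ever sees this login's password

    def authenticate(self, username: str, password: str) -> Optional[Login]:
        login = self.logins.get(username)
        if login is None or not hmac.compare_digest(login.pw_hash, _hash(password, login.salt)):
            self.audit.append((username, "login_failed", username))
            return None
        return login

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Self-service rotation: afterwards only the login holder knows the secret."""
        login = self.authenticate(username, old)
        if login is None or len(new) < 12:
            return False
        login.salt = os.urandom(16)
        login.pw_hash = _hash(new, login.salt)
        login.must_change = False
        self.audit.append((username, "password_changed", username))
        return True

    def view_balance(self, username: str, password: str) -> str:
        """Any real use is blocked until the temporary password has been rotated."""
        login = self.authenticate(username, password)
        if login is None:
            raise PermissionError("bad credentials")
        if login.must_change:
            raise PermissionError("temporary password must be changed before use")
        self.audit.append((username, "view_balance", "checking"))
        return "balance: <constructed demo value>"
```

Because the audit list records the individual username on every action, a later review can tell which login did what, which is exactly what a shared password makes impossible.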


Dear Christophe Baer:

Thank you for contacting Wells Fargo. My name is Mara, and it is my
pleasure to assist you today.

I understand that you would like to change your online password. Mr.
Baer, our records show that you are a Wells Fargo Business Online
Banking User, which means that an Administrator manages your online
account access and your User information.

To make changes or updates to your User information, including password,
email address, and username changes, please consult your Administrator.
Your Administrator is the person who originally added you as a User and
granted you online access to view accounts. I apologize for any
inconvenience this may cause you.

If you need further assistance, please call 1-800-956-4442. Business
bankers are available to assist you Monday through Friday from 5:00 a.m.
to 6:00 p.m. and Saturday and Sunday from 7:00 a.m. to 4:00 p.m.,
Pacific Time.

My goal today was to provide you a complete and helpful answer. Thank
you for banking with Wells Fargo.

Mara R
Wells Fargo Business Online Banking

Wells Fargo is dedicated to protecting your information. To learn about
our security measures and what we do to protect your accounts online, go

Wells Fargo is partnering with you to help prevent fraud. To learn more,
go to

If you have another question about this subject, please click the Reply
button at the bottom of the page. To ask a new question, click the
Contact Us link at the top of the page.


Spammy behavior by UBM Medica, LLC, a UBM company

Wow, UBM Medica, LLC, a UBM company. I had a brand new email address and wanted to read some articles on your website. You forced me to register to read the articles, which is fine.

Then, I started getting emails from SearchMedica (sent by UBM Medica) about Oncology news.

Why did you do that? Why! I am not an oncologist! And I never heard of SearchMedica! And it’s not even the same website as the one I registered for with your company! I didn’t give permission to you to do this, as far as I know.

Spammy badness. No points for you.

Update: Just got subscribed by UBM Medica to another thing called “Consultant Live” for PCPs. Again, I’m not a PCP. Why do you do this? Marked as spam.

Update 2: Okay, turns out it is a UBM company-wide problem — see here for an example of UBM’s Information Week doing something similar.

As a side note, after every email I receive from UBM, I am using the “unsubscribe from all newsletters” but they still keep coming. Sometimes there are delays, which is understandable. I believe the different properties of Consultant Live and SearchMedica have different email platforms though, so “unsubscribe all” from one is not sufficient to actually unsubscribe all — you have to do it 3 times for the 3 platforms that have emailed me from UBM.


Chromebook in a solo medical practice

Turns out that the Google Chromebook is fantastic for a small medical practice. Here’s why:

1) Chromebook hard drives are encrypted by default. This may limit your HIPAA liability in the event of a Chromebook with PHI on it being lost/stolen. (Here’s an explanation why.)

2) It’s really hard to do anything locally on the computer, since you can’t actually run any software locally. Therefore, you’re pretty unlikely to save an Excel file containing millions of rows of customer data on a Chromebook. Instead, everything is typically saved in the “Cloud”.

3) The “Cloud” can be HIPAA compliant! Specifically, Google Apps for Business is HIPAA compliant if you sign a BAA with them. Details are here. So, you can save your PHI in Google Drive — which is exactly how the Chromebook is intended to function (everything in the cloud).

4) Chromebooks protect against Malware and fraudulent operating system changes far better than either Windows or Mac OS. Not to trust Google blindly, but here is a description of what they do automatically.

5) You can buy a ton of them very cheaply to put them all over your outpatient clinic (in every patient room, for the receptionist, etc…). A Chromebook is around $200, as opposed to the ~$600-1000 you’d expect to pay for a thick laptop. Since they automatically update to the latest OS patch, you don’t need to worry about paying an IT person frequently to keep everything kosher.


1) Remember to turn on “Require password from sleep” for safety.

2) Only use trusted wifi networks with strong passwords, etc. Try to use a trusted VPN if possible. One hospital reported only allowing folks to use cellular 3G data in order to avoid needing to audit all the wireless (wifi) networks they had running…


Facebook comments spam

Is it just me, or does Facebook comments seem much spammier than native WordPress comments?

There is a report spam “X” button in grey on hover-over, but it is a little bit hard to find. There are three blue links always displayed, so one wouldn’t really expect there to be any special hover-over action.

facebook comments spam



What’s weird to me is that this comment spam has so many reasons to fail filtering — a website, keywords like “Work, hourly, income, computer”, it comes from Yahoo, etc. I’m going to assume the spam bot passed a CAPTCHA, but still, very poor.

The blog I’m reading is ridden with this stuff on every post, and there are essentially no legit comments. That fact alone is some useful information for a fraud system to see as well — if almost all of the comments on a website are not detected as spam but are from Yahoo, then… you need better spam filters. =D

User behavior should be pretty rich too. How frequently is the Yahoo user leaving posts, logging in, account lifespan, do all posts include URLs, how many people respond in threaded fashion to this post, does Facebook see this user browsing the web (using Beacon or whatever) without leaving comments on comment-enabled pages, etc…
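The filtering signals the two paragraphs above describe (a URL in the comment, the “work / hourly / income / computer” keywords, a Yahoo sender, account age, posting bursts, every post carrying a link), written out as a small scorer. This is an added example with constructed sample comments, not Facebook’s or WordPress’s code; the weights and threshold are assumptions.

```python
"""Heuristic comment-spam scoring over the signals named in the post (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

SPAM_WORDS = {"work", "hourly", "income", "computer"}   # keywords quoted in the post
URL_RE = re.compile(r"https?://\S+|\b\w+\.(?:com|net|info|biz)\b", re.I)


@dataclass
class Commenter:
    email: str
    account_age_days: int
    comments_last_hour: int
    comments_with_urls: int
    comments_total: int


@dataclass
class Comment:
    author: Commenter
    text: str


def content_signals(text: str) -> list[tuple[str, int]]:
    """Signals visible in the comment body itself."""
    hits = []
    if URL_RE.search(text):
        hits.append(("contains_url", 3))
    words = set(re.findall(r"[a-z]+", text.lower()))
    matched = words & SPAM_WORDS
    if len(matched) >= 2:
        hits.append(("keywords:" + ",".join(sorted(matched)), 2))
    return hits


def behaviour_signals(c: Commenter) -> list[tuple[str, int]]:
    """Signals from the account's history, as the post suggests a fraud system should use."""
    hits = []
    if c.email.lower().endswith("@yahoo.com"):   # provider alone is weak evidence, so low weight
        hits.append(("provider_yahoo", 1))
    if c.account_age_days < 7:
        hits.append(("new_account", 2))
    if c.comments_last_hour >= 5:
        hits.append(("burst_posting", 2))
    if c.comments_total >= 3 and c.comments_with_urls == c.comments_total:
        hits.append(("every_comment_has_url", 3))
    return hits


def score(comment: Comment) -> tuple[int, list[str]]:
    """Total weight plus the list of signal names, so a reviewer can see why it fired."""
    hits = content_signals(comment.text) + behaviour_signals(comment.author)
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_spam(comment: Comment, threshold: int = 6) -> bool:
    return score(comment)[0] >= threshold


# Constructed sample comments, not taken from the blog mentioned in the post.
SAMPLE = [
    Comment(Commenter("earn4now@yahoo.com", 1, 12, 12, 12),
            "Make hourly income from your computer, work from home! example-site.biz"),
    Comment(Commenter("reader@yahoo.com", 900, 1, 0, 40),
            "Thanks, this post matches what I saw at the clinic last week."),
]
```

Note that a genuine Yahoo user with an old account and no links scores only 1, so the provider signal by itself never tips a comment over the threshold.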

So bizarre. The reason I’m annoyed about this is less the spam itself, but rather that Facebook is intended to be one’s social identity — and here we have fake identities that in my opinion impugn the reputation of Facebook. This is in contrast to WordPress-based comments, which to me, when spammed, impugn the reputation of some random blog — not WordPress. I feel like the blog owner has more of a responsibility for a WordPress-based comments system than a Facebook-based comments system, since Facebook is supposed to be trustworthy and has all of my real-life friends using real names, etc.

Technology and California’s marketplace

Well, it’s not just which is struggling… turns out that in California, you are redirected from to “Covered California”. I just tried to use it, and got these errors.


1. Oracle access manager operation error

Screen Shot 2013-11-21 at 1.30.58 PM


2. Connection reset (while uploading proof of residency image).

Screen Shot 2013-11-21 at 1.53.11 PM

Building software is hard. Building software with government regulations is even harder. I would love to find out what the ratio of lawyers to engineers was on this project.



Cloud solutions that are HIPAA compliant for private practice

HIPAA compliance is a major headache for setting up the tech infrastructure for a new private medical practice. While the intent of the law is great (protect patients!), the regulations of HITECH and HIPAA are really confusing. Simply put, you need to be able to interpret issues at the intersection of medicine, law, and computer science.

Here are three tips to help make sure you’re HIPAA compliant.

1. Google Apps and Amazon AWS are now eligible to be HIPAA compliant as of September 2013!

This is a big deal. Gmail and Google Calendar are clearly the easiest way to set up a small private practice with top notch email/scheduling, and Amazon AWS is the tech infrastructure of choice for many companies. Previously, the two companies refused to sign a “Business Associates Agreement” (BAA) which outright excluded them from being HIPAA compliant. However, they now sign them. So, you can now use Google Calendar for scheduling, hooray! Make sure to get the form signed by Google.

Friendly reminder: I don’t think this means you should just go to and sign up for a new account. For the HIPAA compliant one, make sure to create a Google Apps account and then spend time locking down privileges and making the overall account compliant with the parts of HIPAA related to access control, etc.

2. Email should basically never have ePHI / customer information, but sometimes it can. (Confused yet?)

If you use Google Mail, that’s fine — you can send all the emails you want, as long as it doesn’t contain ePHI to start. The one interesting exception is that you can send appointment reminders as long as the patient has agreed to these emails beforehand. Here’s a post from EHR company practicefusion:

So, even though an emailed appointment reminder is, technically, PHI, it can be done routinely if there is consent by both parties to do so. A patient must be allowed the ability to opt-out of email reminders – application developers need to include this, and not build something that forces a blanket approach for everyone. In fact, setting “patient contact preferences” (email, phone, regular mail) is a Meaningful Use and Certification requirement, and addresses this issue. So long as there is mutual understanding and consent to use unencrypted email for certain “non-health data” communications, then such a feature is ok (despite “technically” being PHI).

The clearest governmental document about email is here:

Nuggets in that document:

a) It looks like a physician can email another physician with PHI as long as it is for the purpose of “treatment”.

Yes. The Privacy Rule allows covered health care providers to share PHI
electronically (or in any other form) for treatment purposes, as long as they apply
reasonable safeguards when doing so. Thus, for example, a physician may
consult with another physician by e-mail about a patient’s condition, or health
care providers may electronically exchange PHI to and through a health
information organization (HIO) for patient care.

One note about this: I don’t know if it means that you can email across domains — e.g. the email sender and recipient most likely need to have the same email address domain (like I think this is a grey area.

b) It seems pretty clear that email can never be used by a physician to initiate a discussion with a patient including ePHI.

It’s confusing because the FAQ says that yes, you can use email, but you still have to comply with the “security rule”. I read the security rule as saying that ePHI must always be encrypted, and email isn’t during transmission. So, what I think the FAQ is trying to say is that a physician can use email to send non-PHI info to patients like, “Call me ASAP”, or “You have an appointment coming up.” However, PHI still needs to be kept out of email body text. The one exception seems to be if the patient starts the discussion and includes PHI — then the patient is implicitly waiving their right to the security rule, and so an email discussion can include PHI both ways.

“Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?”

Yes. The Privacy Rule allows covered health care providers to communicate
electronically, such as through e-mail, with their patients, provided they apply
reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example,
certain precautions may need to be taken when using e-mail to avoid
unintentional disclosures, such as checking the e-mail address for accuracy
before sending, or sending an e-mail alert to the patient for address confirmation
prior to sending the message. Further, while the Privacy Rule does not prohibit
the use of unencrypted e-mail for treatment-related communications between
health care providers and patients, other safeguards should be applied to
reasonably protect privacy, such as limiting the amount or type of information
disclosed through the unencrypted e-mail. In addition, covered entities will want
to ensure that any transmission of electronic protected health information is in
compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164,
Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a
covered health care provider communicate with him or her by alternative means
or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For
example, a health care provider should accommodate an individual’s request to
receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a
reasonable, alternative means for that provider to communicate with the patient.
By the same token, however, if the use of unencrypted e-mail is unacceptable to
a patient who requests confidential communications, other means of
communicating with the patient, such as by more secure electronic methods, or
by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this
situation occurs, the health care provider can assume (unless the patient has
explicitly stated otherwise) that e-mail communications are acceptable to the
individual. If the provider feels the patient may not be aware of the possible risks
of using unencrypted e-mail, or has concerns about potential liability, the
provider can alert the patient of those risks, and let the patient decide whether to
continue e-mail communications.

3. Encrypt every computer you can.

Every computer in the office should have operating system-based encryption turned on. Both Mac OS X and Windows 7 & 8 support whole-drive encryption. If you turn this on, you are going to be in a much happier place if the computer ever disappears (stolen/lost). One similar note: Amazon has a new remote desktop application called Amazon Workspaces. This looks really cool and could help make sure that PHI stays secure. The best combination is probably having the thin local computers (your desktops & laptops) have drive encryption turned on, and then have those computers log on to Amazon Workspaces. All PHI is stored safely on Workspaces (you’ll have to encrypt it there too, etc.).

That’s all I have for now about HIPAA. What a mess.

Disclaimer: I am not a lawyer, so you use any information/opinions in this post at your own risk. I take no responsibility for anything. Heh.

Update 2/9/2014: There was a lot in the news about how Box (formerly was signing BAAs and therefore can be HIPAA compliant. Turns out that they will only sign a BAA for their top two levels of paid service, specifically “Enterprise” or “Elite”. Since I’m working on getting a solo private practice set up, their Enterprise plan doesn’t make any sense — we literally have 1 employee, so buying anything “Enterprise” level is simply out of the question. Then the “Elite” plan is so awesome it doesn’t even have a price on the website. Enterprise costs $35/month, or $420 basically to just sign this BAA document. My recommendation for solo practices is NOT to use Box, but rather to use Google Apps for Business. The cost is $5/month, and Google will sign a BAA at that level. You get not just Google Drive (which is near as makes no difference Box), but also email, calendar, etc. It’s a far better deal.

Business Technology

Technical competency for business teams

My Zite reader recommended an article from Shanley called “Building technical literacy in business teams” — and I have to say, this really hits home as a critical advantage for technology companies.

There’s a trend in the technology industry these days that “everyone should code”. It goes so far that at some startups, the business guys are given access to the codebase and told to check things in — if you care so much about a bug or feature, then go fix / build it yourself. One friend of a friend is a biz dev guy in an internet startup, but he’s learning Python desperately and actually helping engineer the web presence.

In my opinion, this is all wrong. That biz dev guy is going to be WAY slower at coding than a full-time engineer, and while he can certainly learn to code, he simply doesn’t have the experience under his belt. Why have him learn the hard way on the job, as opposed to putting him in front of clients and going after the biz dev job with 100% of his brain?

All of these skills, whether engineering or business, are learnable. Nothing should stop anyone who wants to do a task from doing it. However, I want the guy with the most passion and most experience to do a job. We don’t typically ask engineers to learn key business skills (e.g. forecasting, procurement negotiation, etc.) even though they certainly could — we want the experienced negotiator or the eagle eyed accountant to go for these tasks.

Yet specialization is only good if there is a common language between teams. And that’s where I 100% agree with Shanley’s assertion that you need to build technical literacy in business teams. It’s simply not smart to have engineering decisions get made by someone with no technical literacy; either the business person needs to learn to be technically literate, or else delegate the responsibility to someone who is.

There are 3 examples of where this can be applied:

1. A biz dev guy who is working to get partnerships that result in technical integrations needs to be aware of what/how a technical integration works — e.g. be able to address scope questions from actually knowing what needs to be built. I don’t think the biz dev guy needs to be able to actually do the work, but they should be able to competently answer simple questions (e.g. where is data going to be, what are the tradeoffs between different types of connectivity, etc.).

2. A business-background COO looking at optimizing the new product development lifecycle needs to understand at a granular level what it means to build software. In other words, it’s impossible to select agile versus waterfall unless you’ve actually seen how these processes work, or else trust someone else who has seen them both in action.

3. A business-background product manager cannot make good product requirements if they cannot envision how a system will work. Again, no need to be able to actually build the system, but awareness of certain engineering tradeoffs can have a massive impact on scope, quality, and features.

There are certainly many more stereotypical examples that everyone’s heard about (the PR person who doesn’t understand what they are pitching, the designer who creates uncodable mockups, the Marketing person who promises unbuildable features, etc.).

The technical literacy of a business person is really a way to help bridge the gap between two different disciplines. When there is a conversation between a business person and a technical person, and the goals of the two parties aren’t necessarily aligned, then the ability for each party to lean on the other through knowledge of either business or technical concepts can be the only successful (conflict-free) pathway to actually getting something done (and resolving that misalignment).

You can get around this problem with one of those few individuals who are really good at both disciplines (e.g. the application architect who has the MBA, or the VP Marketing who had spent a year fresh out of college building websites).

What’s interesting to me is why I haven’t heard a lot about this problem in other disciplines. I know that when I did a research internship at Gilead Sciences (a pharma company), the business leaders all had originally earned PhDs in science fields…

Closing thought: how can we ensure technical literacy amongst business folks? Well, I think rotating into a project team and shadowing folks for a couple days might help? Codecademy seems like the wrong direction (again, no need to actually code / waste time with the debugger — rather, learn less by doing and more by concept). Sitting in on a data design meeting, moving on to a QA test plan review, attending a PRD review — all of these things help show how the sausage gets made. The key is to make sure the business person is there to “learn” and not to “lead”.



Slightly offended

I’m not sure if I should be slightly offended or not when filling out this lead form for a potential vendor we might use. Why does title even matter all that much … especially to this degree! How do I stack up? Do they not respond to lower ranked employees? What?


E-Z Pass authentication nigh impossible

I just changed my address for E-Z Pass, the highway toll system in Massachusetts. I’m blown away by how hard it was to log in.

Not only is the login an arbitrary 7-digit account number, but the password has to honor these rules:

Passwords must contain at least eight (8) characters.

The password must contain at least one of each:

  • upper case letter (A-Z)
  • lower case letter (a-z)
  • number (0-9)
  • special character (~,!,#,%,^,&,*)

This is insane. There is no way that someone can easily remember an arbitrary login plus a password with 4 different types of data. It’s just impossible. What are they thinking??
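The four composition rules quoted above, implemented as a checker that reports which rules a candidate fails. This is an added example, not E-Z Pass code; the one detail worth noticing is that the quoted rule lists only seven special characters, so a password using a common one such as “$” or “@” is rejected even though it looks compliant.

```python
"""Checks a candidate password against the E-Z Pass rules quoted in the post (added example)."""
import string

SPECIALS = set("~!#%^&*")    # exactly the characters the quoted rule lists, nothing else


def failed_rules(password: str) -> list:
    """Return the names of the rules the password violates (empty list means accepted)."""
    failures = []
    if len(password) < 8:
        failures.append("min_length_8")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("upper_case")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("lower_case")
    if not any(c in string.digits for c in password):
        failures.append("digit")
    if not any(c in SPECIALS for c in password):
        failures.append("special_from_list")
    return failures


def is_accepted(password: str) -> bool:
    return not failed_rules(password)


# Constructed candidates showing the restricted special-character list in action.
CANDIDATES = {
    "Toll7pass!": is_accepted("Toll7pass!"),   # True
    "Toll7pass$": is_accepted("Toll7pass$"),   # False: "$" is not in the allowed list
    "short1!": is_accepted("short1!"),         # False: too short and no upper-case letter
}
```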


FlipKey Widgets Demo