Security firm finds flaws in CELPHIE website
Drew: Information taken down while concerns are addressed
May 17, 2017
By Michael Miller
Flaws in a testing website at the heart of a $1 million state appropriation to administer mental-health screenings in Nassau County schools left the site open to a number of exploits, including the ability to access students’ test results and other personally identifiable information, according to a report by a technology company working in cooperation with the News-Leader.
Florida Psychological Associates, owned by Dr. Catherine Drew, the wife of Nassau County Tax Collector John Drew, received about $600,000 of that state appropriation since August to implement the screenings locally using CELPHIE, an online tool developed by Drew and Dr. Laura Hume, another FPA employee.
Following a recent review of the site, Florida-based UDT produced the report, which details more than a dozen security gaps, most of which it labeled “high” and “critical” in severity.
“Although no exploitation of the vulnerabilities was performed (by UDT), an experienced attacker would be able to find enough clues within the application’s code to easily reach databases containing sensitive information. In short, the likelihood the website can be breached and the negative impact caused by intangible and tangible costs is potentially high,” Mike Sanchez, the chief information security officer for UDT, stated when he delivered the company’s report to the News-Leader.
The company did not use any specialized software to identify the security issues.
Shortly after the News-Leader provided the report to Catherine Drew and Hume on Monday morning, the website – hosted on a subdomain of celphie.org – went offline and continued to be inaccessible as of Tuesday afternoon. The main celphie.org web- site, which presents marketing materials about the mental-health screening tool, remains online. According to American Registry for Internet Numbers records, the two websites are hosted on separate IP addresses belonging to different hosting companies.
Responding to News-Leader requests for comment, Drew wrote Tuesday morning in an email, “Patient safety and privacy are crucial issues for Florida Psychological Associates. FPA senior staff members have reviewed the UDT report provided by the News-Leader, and we share some of the concerns raised about the system’s vulnerability to malicious users and the possibility that hackers could access server side architecture and/or database information through brute force attacks.”
“We have taken the system and its information offline while we work with the owners of the system, American Screener Corporation, to address these concerns to our satisfaction,” she also stated.
According to emails between Drew and officials at Florida State University’s College of Medicine, which received the state appropriation and funneled it to FPA as payment for a study of the CELPHIE screener, Drew and Hume jointly own 20 percent of American Screener. In earlier emails to FSU, Drew stated that she and Hume were the owners of American Screener, which was organized in Nevada, but did not name any others. Nevada allows the names of the owners of companies to remain confidential in most cases.
Drew also stated in her email to the News-Leader, “It is important to know that, to our knowledge, none of the information on the site has been compromised. Also, before any more screenings are conducted, FPA will contract with an independent, third-party internet security firm to review whatever changes are made to address the security concerns raised by UDT and the News- Leader.”
The News-Leader also pro- vided a copy of the report to Nassau County School District officials.
Superintendent Dr. Kathy Burns wrote in an email to the News-Leader, “We have reviewed the report from UDT and believe the findings identify legitimate concerns. We will discontinue access to the Celphie project until all identified vulnerabilities have been mitigated.”
Burns also noted, “The safety and security of students at all levels is a top priority for the Nassau County School District. The District has recently implemented procedures for Vendor Risk Assessment to ensure that software applications meet the highest level of security … We continue to work every day for the success of students and the improvement of our schools.”
Mark Durham, the school district’s executive director of curriculum, instruction and school improvement, said last month that district officials had not reviewed the content of the CELPHIE screener or how it was implemented before granting FPA permission to use it in Nassau County schools.
In addition, School Board member Dr. Kimberly Fahlgren expressed concern at a board meeting in February that the request to screen students district-wide had not come before the board.
According to an interview with Drew earlier this year, retired superintendent Dr. John Ruis asked her to provide a letter explaining the mental-health screening program and then approved the use of the screener in Nassau schools.
The News-Leader sought information from FSU officials about any security reviews the school might have made of the CELPHIE screening tool before approving its use by FPA, but Browning Brooks, the assistant vice president for university communications, issued the following statement instead:
“Florida State University has rigorous policies on the security of research data. We cannot validate the findings of the technology firm hired by the newspaper but will certainly look into the matter immediately. It is important to note that FSU is in the process of ending our contract with FPA as directed by the Florida Legislature.”
According to reports to FSU, FPA staff administered the CELPHIE mental-health screening to up to 400 students ranging in age from 8 to 18 whose parents had signed a permission form handed out in classrooms.
ensued, according to the NCSO report.
“The suspect (Dimaio) then physically engaged (the male victim) in the living room and stabbed him three times to include the neck, left shoulder and left upper back,” the report states. “During the attack and while armed with the knife, the suspect also threatened to kill his estranged wife (victim 2), placing her in fear for her life.”
During the altercation, Dimaio’s estranged wife and two other witnesses came into the living room. Both victims were able to gain control of the knife to disarm Dimaio and then forced him to leave the residence, according to the report.
Dimiao is being held in the Nassau County Jail on a bond of $177,508, according to the NCSO inmate database.