Slashdot Mirror


Contractor Folds After Causing Breaches

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."

10 of 274 comments

  1. And that's the problem with corporations by Overzeetop · Score: 5, Interesting

    Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable.

    (I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:And that's the problem with corporations by Applekid · Score: 4, Interesting

      I think you missed the point. If Engineers are legally liable for their work that can put people at risk, perhaps Programmers should be legally liable for their work that can put people at risk. Maybe instead of figuring out how to line their pockets with money with their "certifications," Novell, Microsoft, Cisco, et al. could pool resources and lobby for a legally-weighty certification for Software Engineers, much like conventional Engineers already have. Perhaps an Engineer could enlighten me on the history of how those things evolved for them.

      You could have a Class-C license to code and that would mean you know how to develop without buffer-overrun vulnerabilities, SQL-injection vulnerabilities, things like that. A top Class-A license to architect secure designs and robust inter-system communications.

      CEOs and board members only know how to run a company: you know, management, budgets, allocations, etc. I'd be very surprised if Widgets, Inc. CEOs know the exact procedure and design decisions that lead to Widget Model 3928 being the way it is.

      Of course, the court system will help determine whether it was a renegade programmer or whether board-imposed policies and procedures led to the hiring of an unlicensed one.

      --
      More Twoson than Cupertino
  2. Start looking at MedSeek by faloi · Score: 3, Interesting

    I would think that if Verus is referring people to an alternate service, there would be some sort of contractual agreement between the two. The investors might have to assume some liability for preventing legal redress of problems.

    For that matter, I would think the federal government would be all over it for violation of HIPAA regulations.

    --
    "It is a miracle that curiosity survives formal education." -Albert Einstein
  3. External security auditors were needed by Dekortage · Score: 5, Interesting

    Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.

    What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).

    --
    $nice = $webHosting + $domainNames + $sslCerts
  4. See how far you'll get litigiously when... by ahuimanu · Score: 3, Interesting

    The company is in India, or China, or Indonesia or.... you get the point.

    Hold your information close to your chest - there's a reason you used to pay a guy, an in-house guy mind you, the BIG BUCK$ to keep your information straight.

    But noooooo...

    We gotta OUTSOURCE because it looks good on a quarterly statement.

    Stew in it boyos, STEW IN IT!

    --
    shock the monkey
  5. All right IT monkeys.. by __aagbwg300 · Score: 3, Interesting

    From the FA:

    While reports of the breaches have been issued in dribs and drabs, all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another, according to David Levin, vice president of marketing at MedSeek.

    Can someone explain to me why you would need to open EVERY PORT on a computer to transfer data across two machines? Is there any possible reason why this would be considered? Seriously?
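The mistake described in the article excerpt above and in Dekortage's comment (a firewall left down after a server-to-server transfer) is a configuration-drift problem, and the defender's answer is a check that runs after the maintenance window and confirms the rules were restored. The following is an added example, not code from this thread or from Verus or MedSeek: it parses `iptables -S` style output, compares the current rule set against the baseline that should be in place, and flags a permissive default policy, missing baseline rules, and leftover blanket ACCEPT rules. The baseline, the two drifted snapshots and the 203.0.113.7 peer address are constructed sample data.

```python
"""Detect a host firewall left in a permissive state after maintenance.

Added example (not from the Slashdot thread or from Verus/MedSeek).
It reads the `iptables -S` listing format (policy lines `-P CHAIN TARGET`,
rule lines `-A CHAIN ...`) and compares a current snapshot against the
baseline that should have been restored after the data transfer.
All snapshots below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed baseline: default-deny inbound, a few explicit allows.
BASELINE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
"""

# Constructed snapshot of a host whose rules were flushed for a transfer
# and never restored: default policy ACCEPT, no rules at all.
FLUSHED = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed snapshot where the policy is right but a temporary
# "allow everything from the peer server" rule was left behind.
LEFTOVER = BASELINE + "-A INPUT -s 203.0.113.7 -j ACCEPT\n"


@dataclass
class RuleSet:
    policies: dict = field(default_factory=dict)  # chain -> default target
    rules: set = field(default_factory=set)       # canonical rule lines


def parse_iptables_s(text):
    """Parse `iptables -S` output into default policies and a rule set."""
    rs = RuleSet()
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "-P" and len(parts) == 3:
            rs.policies[parts[1]] = parts[2]
        elif parts[0] in ("-A", "-I"):
            # Treat -I (insert) like -A so ordering does not hide a rule.
            rs.rules.add(" ".join(["-A"] + parts[1:]))
    return rs


def is_blanket_accept(rule):
    """True for an ACCEPT rule with no protocol, port or match restriction,
    e.g. '-A INPUT -s 203.0.113.7 -j ACCEPT' or '-A INPUT -j ACCEPT'."""
    parts = rule.split()
    if "-j" not in parts or parts[parts.index("-j") + 1] != "ACCEPT":
        return False
    restrictive = {"-p", "--dport", "--sport", "-m"}
    return not (restrictive & set(parts))


def audit(current_text, baseline_text=BASELINE):
    """Return a list of findings; an empty list means the firewall matches
    the baseline and nothing permissive was left behind."""
    cur = parse_iptables_s(current_text)
    base = parse_iptables_s(baseline_text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        want = base.policies.get(chain, "DROP")
        got = cur.policies.get(chain)
        if got != want:
            findings.append(f"policy {chain} is {got}, expected {want}")
    for rule in sorted(base.rules - cur.rules):
        findings.append(f"missing baseline rule: {rule}")
    for rule in sorted(cur.rules - base.rules):
        tag = "blanket ACCEPT" if is_blanket_accept(rule) else "unexpected rule"
        findings.append(f"{tag}: {rule}")
    return findings


if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE), ("flushed", FLUSHED),
                       ("leftover", LEFTOVER)):
        print(name, audit(snap) or ["OK"])
```

On a real host the snapshot would come from `iptables -S` (or an equivalent export) run by the change-closure step of the maintenance procedure; a non-empty result should block sign-off on the change rather than merely log it.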
  6. Re:Capitalism Rules! by Draknor · Score: 4, Interesting

    Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

    1. Assuming the new company needs capital investment, they have to convince someone to invest. If investors don't do their homework, then they have only themselves to blame if the investment goes south (as presumably this one did).

    2. If you contract with that new company without doing a little bit of background research, and your data gets exposed next time -- well, I guess that means selecting a vendor wasn't important enough to take the time to do it right, correct?

    3. The IT mistake was not intentional / malicious, it was a mistake. While that should be a black mark on the reputation of former employees / owners, it shouldn't prevent them from ever working again; they just have to convince investors / clients that they have learned from that mistake and have policies / procedures in place to prevent it from happening again (assuming said investors / clients actually do their homework & check the vendor's reputation).

    I guess that means your corporate reputation goes out the window, for not doing sufficient research on vendors for critical services.

  7. Re:Your reasoning is flawed by jc42 · Score: 4, Interesting

    Actually, engineers routinely do get out of responsibility for disasters. Part of the reason is that they let their bosses and the prosecutors know about the "paper trail" that they have kept. They threaten to show in court that they knew about the problems, warned their superiors about the problems, and were ordered to ignore the problems. The prosecutors then carefully forget about them.

    The poster child for this, of course, is NASA's history after the Challenger disaster. The immediate desire was to blame the engineers. But the engineers were happy to cooperate with the investigations, because they had copious records showing that they knew about the potential problems, tried to delay the launch, and were overridden by management. Subsequent analyses (by engineers ;-) showed that what went wrong was a known possibility during cold-weather launches, and that a lot of the engineers had indeed tried to delay the launch.

    The real disappointment in this and similar disasters is that the managers who override (or ignore) the engineers are almost never held responsible. NASA did do a bit of management shuffling, true, but nobody takes this seriously. With most corporate disasters, even when the CEO or other officer "resigns", he typically walks off with huge amounts of money and no punishment at all. The exceptions are so rare (think Ken Lay) that corporate managers really don't consider it a serious possibility.

    In the case of software, it's routine for management to order the use of packages that the engineers know to be insecure and/or unsecurable. I've seen it over and over. The developers know that they just have to live with this, and make the best of a bad management decision. The only way to change this is to make the actual decision makers responsible for the consequences. Does anyone seriously think this is likely to ever happen?

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  8. Re:Capitalism Rules! by RexRhino · Score: 3, Interesting

    Bullcrap. In a nutshell, corporations are above the law. However, the alternative to corporations: Government controlled monopolies, are also above the law (try suing the Social Security administration or IRS for compromising your data!!). And the police and justice system that is supposed to "regulate" the corporations are above the law (or do you expect the FBI to be abolished and the President to go to prison for those illegal wiretaps they were doing?!).

    All large social entities: governments, corporations, religions, are above the law, because the concepts of law and justice apply to individuals, not masses of people.
  9. Re:Capitalism Rules! by thomas.galvin · Score: 3, Interesting

    Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!


    Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?


    The problem with that is that a corporation is kind of an ethereal entity to begin with: it never really existed, except as an abstract concept, so "punishing" it is kind of meaningless.

    Here's an analogy. Steve is a plumber. You hire Steve to replace the pipes in your house. Instead, he screws up so badly that you can no longer live in your house. You go to sue him, but he says "sorry, I'm not Steve any more. You can call me Frank, and you can't sue me, 'cause I'm not Steve."

    That's basically what's happening here. The people responsible for this cannot be held accountable, because they no longer call themselves Careless, Inc.

    IANAL, YMMV, HAND, etc, ad infinitum.