Contractor Folds After Causing Breaches
talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."
Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable.
(I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)
Is it just my observation, or are there way too many stupid people in the world?
The hospitals, which initially reported their breaches separately, were left with no one to sue."
I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.
This is another of the many advantages of outsourcing...
It's never too late to stop doing something wrong, or to start doing something right.
You can outsource work but you can't outsource responsibility.
And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Lots of people on slashdot extol the virtues of un-fettered capitalism. "No need for government regulation, sue those who breach their contract!". Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!
Blar.
HIPAA laws are no joke. There are serious fines and even criminal penalties for letting confidential patient records out. It's so serious that companies working with health care data often have special training programs for their employees that handle any sort of hospital data -- even for IT workers.
Verus probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA.
My blog
"The hospitals, which initially reported their breaches separately, were left with no one to sue."
In this day and age, all I can say is BOO HOO.
I hate printers.
I would think that if Verus is referring people to an alternate service, there would be some sort of contractual agreement between the two. The investors might have to assume some liability for preventing legal redress of problems.
For that matter, I would think the federal government would be all over it for violation of HIPAA regulations.
"It is a miracle that curiosity survives formal education." -Albert Einstein
Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.
What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).
$nice = $webHosting + $domainNames + $sslCerts
The company is in India, or China, or Indonesia or.... you get the point.
Hold your information close to your chest - there's a reason you used to pay a guy, an in-house guy mind you, the BIG BUCK$ to keep your information straight.
But noooooo...
We gotta OUTSOURCE because it looks good on a quarterly statement.
Stew in it boyos, STEW IN IT!
shock the monkey
B) PEBKAC (didn't know how to do the above, or at least do it properly)
C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
D) Some combination of A, B and C
"Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
I think corporate death like this is a good thing if it results in the rest of the industry internalizing the consequences of poor practices. But if the problems remain, then the mere dissolution of the corporation is not sufficient.
When information is power, privacy is freedom.
Enron folded after some financial misdeeds. The investors still had someone to sue. There is always someone to sue.
The game.
The same standard IS applied. When an engineer is sued it is because his design was faulty, not because the building contractor used shitty concrete. If said contractor used shitty concrete, HE will be sued into oblivion.
Likewise, if the policies enacted by a company direct actions that defraud the public out of millions of dollars, they will be held accountable (see: Enron). If Joe Sixpack in accounting traffics data all on his own, why should the CEO be held accountable?
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
The hospitals, which initially reported their breaches separately, were left with no one to sue
Next time, they'll buy IBM, I guess.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
Of course the knee jerk reaction is to make corporations more accountable, raise the risks for the owners, etc. As others have pointed out, no one would want to run a corporation where they are liable not just for doing their job, but being sure that no mistakes were made by anyone else (like the IT worker turning off a firewall, or the janitor that doesn't put down a wet floor sign). Take the current executive pay and bump it up by a factor of 10. Honestly, all the barriers, rules, legal risk, etc are part of the reason big companies have gotten so big.
Also, let's not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principal, too. As did the shareholders (stock=0), employees (now unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.
If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".
The hospitals, which initially reported their breaches separately, were left with no one to sue.
A US-ian's worst nightmare, no one to sue. Do you really exist if you've no one to sue?
Tom Lawry, the CEO of Verus, is someone I've known for over ten years. He used to work for our healthcare organization and was one of the first people to "get it" over the Internet. He pushed for the formation of our web services team and sold the organization on making an Intranet when the whole thing was seen as a big fad.
Afterwards he went on to form his own company, but still hung around as a consultant. He wasn't particularly technical, but was very good at navigating through the political issues that often come up with organizational change. For example, switching from paper to online job applications was fairly exciting, if only in getting our various regions to agree on a single form.
In later years, we had our disagreements with Tom. I wasn't too happy on how he assisted with our Internet site (his organization was starting to get into the web design business). As a person, he was always kind and thoughtful, despite his various business endeavors. He'd talk about his kid, how expensive going out to a movie in Seattle was getting, or tell stories about the Sisters from his time working at our organization (we're a Catholic healthcare organization).
We were actually just starting to sign up to use his latest product (a clinic billing system). He was partnering with our medical record system vendor and it seemed reasonably good. Fortunately we didn't have any security breaches related to this incident, but it seems to have been blind luck to some degree.
I think it's impossible for any CEO, even if they have a technical background, to be aware of every technical issue within their organization. In any complex endeavor, there's just too much going on. At this point, it seems like Tom has suffered quite a bit already. He's lost the business he's spent a decade growing. Prosecutors are looking into criminal charges. I don't know how he'll recover professionally. I'm sure he'll spend the rest of his life second-guessing what he should have done better. Hired different people? Brought in an outside auditor?
For me, it was a reminder that everything can just disappear in a flash. Cherish what you've got.
I hate to admit it, but a few years ago I did an update on a Fedora box which renamed protocol 50 from ipv6-crypt to esp or something of the sort. Due to this, the firewall rules failed to load at startup which left the outside portion of the network completely unfirewalled instead of nearly completely firewalled.
Now ordinarily this wouldn't be a huge problem as one should reasonably hope that even an unfirewalled system is secure. And indeed, the Windows 2000 webserver we had was reasonably secure. It was up to date with all the patches and running great. The ultimate attack vector had nothing to do with lack of patches but rather an ultra-weak password. You see, someone else had an account in the administrators group with a password of 121212. With the firewall being down this account could be used to log in to the SMB shares and thus execute anything with that account's privileges.
Fortunately, the webserver had absolutely nothing to do with the rest of the network which was behind a second firewall with a totally different authentication/directory system and a different set of usernames and passwords. So the attacker was able to get access to a webserver with nothing of any interest on it. It is at that point when I began to research how the hell he got in and realized that the firewall was not firewalling anything. Later on, we decided the 121212 password on an Administrators group account was the ultimate culprit.
This just goes to show you that a break-in can happen to anybody. Granted, in this story's case, taking down a firewall on purpose to transfer some data was probably not a good idea and could/should have been avoided. But that's a mistake, not an invitation to burn the perpetrator at the stake.
Ultimately, a security failure should result in a procedural change. In our case, checking that the firewall rules installed correctly at boot became part of the checklist of things to do when upgrading that server. We also changed the passwords on the webserver and implemented several new policies. Prior to the attack, the webserver passwords were a combination of knowable information like birthdate, hire date, and part of SSN. Their purpose was to secure read-only access to a site with company policy information so it wasn't thought they needed to be highly secure. Unfortunately, all of the users were full Windows users so for all we know it might not have been the weak password on the admin account but instead a disgruntled (ex-)employee coupled with a possible privilege elevation bug. Due to this, we changed all of the users' passwords to be random and moved all of the users out of the Users group and into a group that only allowed logins to the website and not on the console.
All that for a measly webserver with some simple read-only access to data that doesn't have to be all that secure. Now consider having a web application with critical data like patient records and several thousand users all from different hospitals. That's basically an accident waiting to happen. If I were a company doing that, I'd be sure to have a huge insurance policy to cover the liabilities and/or make damn sure the contracts with customers indemnified the company against lawsuits for accidental breaches.
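The failure mode in the comment above (a package update renames protocol 50 in /etc/protocols, `-p ipv6-crypt` no longer parses, and the whole ruleset is silently refused at boot) is easy to catch before it bites. The script below is an added example, not code from the thread's author: it pre-checks an iptables-restore file against the protocol names the host actually knows, and it checks a post-boot `iptables-save` dump for the two symptoms of a refused ruleset (INPUT policy still ACCEPT, no rules at all). The /etc/protocols entries, the rules file and the dump are constructed samples written to a temp directory; on a real host you would point the functions at /etc/protocols, your saved rules file and the output of `iptables-save`.

```shell
#!/bin/sh
# Added example (not from the thread). Two pre-flight checks modelled on
# the Fedora failure described above. File paths are arguments so the
# checks run against the constructed samples below as well as real files.

# check_rule_protocols RULES_FILE PROTOCOLS_FILE
# Every "-p NAME" / "--protocol NAME" in RULES_FILE must resolve to a
# name or alias in PROTOCOLS_FILE (same format as /etc/protocols).
# Prints each unresolvable name to stderr; returns 1 if any were found.
check_rule_protocols() {
    rules="$1"; protos="$2"; bad=0
    # symbolic names only; numeric "-p 50" needs no lookup
    names=$(grep -oE -- '(-p|--protocol)[[:space:]]+[A-Za-z][A-Za-z0-9-]*' "$rules" \
            | awk '{print $2}' | sort -u)
    for n in $names; do
        # /etc/protocols line: NAME NUMBER [ALIASES...] # comment
        # strip the comment, then accept a match in any column but the number
        if ! awk -v n="$n" '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) if (i != 2 && $i == n) found = 1 } END { exit !found }' "$protos"; then
            echo "unknown protocol in rules: $n" >&2
            bad=1
        fi
    done
    return $bad
}

# check_ruleset_loaded DUMP_FILE
# DUMP_FILE is iptables-save output. Returns 1 if INPUT's policy is not
# DROP or if the filter table carries no rules, i.e. the restore failed.
check_ruleset_loaded() {
    dump="$1"
    if ! grep -q '^:INPUT DROP' "$dump"; then
        echo "INPUT policy is not DROP" >&2; return 1
    fi
    count=$(grep -c '^-A ' "$dump" || true)
    if [ "$count" -eq 0 ]; then
        echo "no rules loaded" >&2; return 1
    fi
    return 0
}

# ---- constructed samples (assumed data, not captured from any host) ----
tmp=$(mktemp -d)
cat > "$tmp/protocols.old" <<'EOF'
# constructed /etc/protocols excerpt, pre-update naming
ip 0 IP # internet protocol, pseudo protocol number
tcp 6 TCP # transmission control protocol
udp 17 UDP # user datagram protocol
ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6
ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6
EOF
cat > "$tmp/protocols.new" <<'EOF'
# constructed /etc/protocols excerpt, post-update naming: 50 is now "esp"
ip 0 IP
tcp 6 TCP
udp 17 UDP
esp 50 ESP # Encap Security Payload
ah 51 AH # Authentication Header
EOF
cat > "$tmp/rules.v4" <<'EOF'
# constructed iptables-restore input written against the old names
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p ipv6-crypt -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
COMMIT
EOF
cat > "$tmp/loaded.empty" <<'EOF'
# constructed iptables-save output after the restore was refused at boot
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

# Stand-alone run: the same ruleset parses against the old names but not
# the new ones, and the post-boot dump shows the host running wide open.
check_rule_protocols "$tmp/rules.v4" "$tmp/protocols.old" && echo "old protocols: ok"
check_rule_protocols "$tmp/rules.v4" "$tmp/protocols.new" || echo "new protocols: ruleset would be refused"
check_ruleset_loaded "$tmp/loaded.empty" || echo "post-boot dump: host is unfirewalled"
```

Run the first check from the package-upgrade checklist (before rebooting) and the second from a boot-time job that alerts if it fails; a box whose ruleset was refused looks exactly like one that never had a firewall, so the only way to notice is to ask after every boot.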
While HIPAA and all the other regs apply to the US, the medical industry and insurance companies outsource tons of data services to cheap off-shore companies that don't adhere to the regs.
With a couple of dollars and a few phone calls you can get mountains of patient data from overseas.
Hope is the currency of fools
This hospital had 30,000 patients' data exposed. There is no mention of it in an easy, quick to find location on their website. This is 30,000 patients exposed in a town of about 40,000 people... Our local newspaper had a very, very small article on it that looked like it was written by the hospital PR person.. Good god I hate small towns..
What are we going to do tonight Brain?
Limited liability is a double edged sword to be sure, but IMHO society is better off with the concept than without it. Consider bankruptcy for example, that is a form of "limited liability" as it applies to the individual. It ensures that your creditors cannot pursue you until your dying day for your last penny due to circumstances beyond your control. There are abuses sometimes yes, and do not think that this investor is home free, if a lawyer can prove negligence in the breaches AND that the investor knew about the problems and did nothing then the investor can be held accountable for negligence, limited liability or not. The concept of limited liability exists to protect people from personal ruin from forces beyond their control, but it is not carte blanche to commit fraud, breach contract, or engage in negligent behavior.
A government regulator at a former job once told me that "You can outsource the work, but not the responsibility". Those are wise words that the managers of that hospital should heed.
Companies seem to think that if they hire someone else to do the work, they are not responsible for the quality of that work.
Take Mattel - they have Chinese companies building their products, but not inspecting their work. Thanks to their lack of vendor controls, kids are choking on parts, and getting lead poisoning.
Companies need to realize that in-house IT is the only way to ensure that your internal standards are met. Outsourcing has its place, but strict quality control / vendor management policies need to be in place to ensure the work is of good quality.
-ted
Make sure everyone's vote counts: Verified Voting
How much was consumed in cold war spending?
It's not on me to get into a debate about the efficiencies of historical systems with different problems in different environments, the point is that these technological marvels are not the sole province of modern capitalism and the corporate structure, as you insinuated.
Do you believe that we've achieved Utopia, a state beyond our capacity to surpass?
Do you think there will not be a better system that isn't a stepwise refinement, but a replacement?
This whole system is optimized towards dealing with scarcity, it uses scarcity to provide the motive force to keep people industrious, and it destroys wealth with artificial scarcity to keep that going.
We've developed the tools necessary to destroy scarcity in a wide range of sectors, but our economic systems equate "plenty for all" with "utterly worthless". That needs to stop if we're going to progress.
That means new political-economic systems with supporting infrastructure, and it's not going to build itself, and no one motivated by the love of money is going to invest because it's going to devalue everything that they have built their power upon, but it's still going to have to be done.
And when it's done, and done right, things will be markedly better than they are now, and more efficient, not less. Any group who competes the old way will lose.
And I'll miss the wintel legacy not at all, I don't imagine.
-1 Uncomfortable Truth
If limited liability only applies to capital, then why do corporations rather than the CEO or board get fined when the corporation commits a crime? People use corporations as a shield against prosecution all the time. It sickens me to see what they get away with, and that's just what we hear about. Corporations don't kill people, the people running corporations kill people, and they get away with it. For instance, why did Warren Anderson go free?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton