Contractor Folds After Causing Breaches 274
talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."
left with no one to sue (Score:5, Insightful)
I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.
Can't pass the buck (Score:5, Insightful)
And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.
Capitalism Rules! (Score:4, Insightful)
Re:And that's the problem with corporations (Score:5, Insightful)
HIPPA (Score:2, Insightful)
Verus probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPPA.
Well now... (Score:2, Insightful)
In this day and age, all I can say is BOO HOO.
Re:And that's the problem with corporations (Score:3, Insightful)
Re:Can't pass the buck (Score:2, Insightful)
What's that thing called insurance do?
Re:And that's the problem with corporations (Score:1, Insightful)
Re:Can someone explain (Score:3, Insightful)
B) PEBKAC (didn't know how to do the above, or at least do it properly)
C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
D) Some combination of A, B and C
Re:Personal liability is not a solution (Score:3, Insightful)
I think corporate death like this is a good thing if it results in the rest of the industry internalizing the consequences of poor practices. But if the problems remain, than the mere dissolution of the corporation is not sufficient.
hmm (Score:2, Insightful)
Re:left with no one to sue (Score:1, Insightful)
Not if they're a corporation.
People think that anti-corporation people are all hippies who want every business to be a small business. Not the case at all. I'm very anti-corporation, not because I care about size (which I don't), or care that they're putting small business out of business (because I don't care: the big guys give me a better price).
Rather, it's because when a small business messes up, people are held liable.
When a corporation messes up, NO ONE is held liable, except in extreme cases. The "corporation" is itself a legal entity, just like you or I, which absolves the responsibility for the actions of the people who work for it. This is bullplop. If I personally sell something that has a lethal defect, why can't I just wave my hands and absolve myself of the consequences? Is it because I don't have enough employees or because I don't have stock? Or is it because the government created the legal entity known as the "corporation" for the express purpose of shielding wealthy people from the consequences of bad business?
Re:Capitalism Rules! (Score:2, Insightful)
Knee jerks the wrong way (Score:4, Insightful)
Also, lets not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principle, too. As did the shareholders (stock=0), employees (no unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.
If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".
Re:And that's the problem with corporations (Score:3, Insightful)
Re:Capitalism Rules! (Score:3, Insightful)
Re:All right IT monkeys.. (Score:2, Insightful)
Re:in a country with the death penalty? (Score:3, Insightful)
Re:Capitalism Rules! (Score:5, Insightful)
Can he magically make the security breaches un-happen?
At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.
No one to sue... (Score:3, Insightful)
The hospitals, which initially reported their breaches separately, were left with no one to sue.
A US-ian's worst nightmare, no one to sue. Do you really exist if you've no one to sue?
Things did get done before corporations (Score:2, Insightful)
Re:And that's the problem with corporations (Score:3, Insightful)
Boards of Directors are supposed to be outside overseers who make sure those INSIDE the company are not blinded by internal goals and policies or politics; they are PAID to provide an outside view and unbiased viewpoint.
My point is that there is already several layers of 'leadership' that are supposed to be providing adhearance to standards, rules, and laws, and that those layers are WELL paid for that function. I don't see a hugh additional burden in making them legally responsible for performing (or not performing) their function.
Hold them responsible for Joe Coder's mistake? No, but the company should be responsible for ensuring that Joe Coder can not - through stupidity, incompetence, or accident - do something like the article and destroy the company/corporation. If safeguards are not in place, then SOMEONE should be responsible for the screwup, and the BoD and CEO, COO, CIO, etc SHOULD BE held responsible for not having safeguards in place.
"We hired the best coder minimum wage could buy and turned them loose without any oversight" is not sufficient to absolve them of responsibility, at least in my mind.
I know Tom Lawry (Score:4, Insightful)
Afterwards he went on to form his own company, but still hung around as a consultant. He wasn't particularly technical, but was very good at navigating through the political issues that often come up with organizational change. For example, switching from paper to online job applications was fairly exciting, if only getting our various regions to agree on a single form.
In later years, we had our disagreements with Tom. I wasn't too happy on how he assisted with our Internet site (his organization was starting to get into the web design business). As a person, he was always kind and thoughtful, despite his various business endeavors. He'd talk about his kid, how expensive going out to a movie in Seattle was getting, or tell stories about the Sisters from his time working at our organization (we're a Catholic healthcare organization).
We were actually just starting to sign up to use his latest product (a clinic billing system). He was partnering with our medical record system vendor and it seemed reasonably good. Fortunately we didn't have any security breaches related to this incident, but it seems to have been blind luck to some degree.
I think it's impossible for any CEO, even if they have a technical background, to be aware of every technical issue within their organization. In any complex endeavor, there's just too much going on. At this point, it seems like Tom has suffered quite a bit already. He's lost the business he's spent a decade growing. Prosecutors are looking into criminal charges. I don't know how he'll recover professionally. I'm sure he'll spend the rest of his life second-guessing what he should have done better. Hired different people? Brought in an outside auditor?
For me, it was a reminder that everything can just disappear in a flash. Cherish what you've got.
Re:Capitalism Rules! (Score:5, Insightful)
Take Sony and the distribution of malware with its CDs. A person (read: human being) would be doing time for it. Read the law. Creation and distribution of malware on a commercial premise. Fits like a glove in this case. Punishable, depending on your country, with up to 10 years in jail. Especially when you can credibly claim that the person in question actually did pursue commercial interests (which is trivial in this case).
But you can't do that to an international corporation! First of all, how do you imprison Sony? And think of all the jobs! And think of the tax (yeah, right, like I didn't pay more tax than Sony, in percent of my income...). And think of the political...
Bullcrap. In a nutshell, corporations are above the law. They can break them as they want and if anything, they get a waggle of a finger and a puppy eyed "please, please don't do it again, mmmkay?"
Not a big thing really (Score:2, Insightful)
With a couple of dollars and a few phone calls you can get mountains of patient data from overseas.
Re:And that's the problem with corporations (Score:3, Insightful)
The lot that makes up the top level management is usually small. You know each other. You see each other on various occasions. Doesn't it strike you as odd that every time some manager needs to "take a break" because his blunders were too obvious that miraculously someone from abroad comes in to take over? Guess what he did there. He needed a break.
The group is small and very selective who it allows into its ranks. You don't just get a ton of degrees from various business schools and then suddenly get an invitation to a talk whether you should be the next CEO of Siemens or Bosch.
This group, now, forms the whole lot. The CEO, the board, the whole levels and circles meant to control each other. And if you behave, next time you may be the CEO.
Re:And that's the problem with corporations (Score:1, Insightful)
No-one to sue? Oh my gosh, it's the end of the world! How can there possibly be no-one to sue? No business or individual is complete if they don't have someone to sue. Oh, the humanity!
Re:And that's the problem with corporations (Score:5, Insightful)
Reality check: Most engineers are under commercial pressures from managers and customers. That doesn't mean that if my boss wants me to use paper clips instead of my recommendation of high-tensile steel bolts, I'm on firm ethnical ground saying "Okay, paper clips it is." I have a professional, ethical responsibility to not build shoddy product. Don't programmers?
Re:Capitalism Rules! (Score:2, Insightful)
Forget that! It's a vicious circle. Aside from it not being easy to get funding, investments, loans, etc. as an individual for business purposes, in this sue-happy society we live in, someone would have to be almost crazy to launch a business under their name. I have my own business and I stand behind my products and services and, to-date, no-one has even threatened to sue me. But that doesn't mean it will never happen or that there will never be a complete jerk of a customer that decides to litigate something that should just be worked out between the two parties.
Despite my best intentions and best efforts, there's no way I'm going to bet my family's economic future on whether or not some *sshole is going to launch a frivolous lawsuit. Which is why I have a business to protect me from personal liability. Not because I'm trying to avoid responsibility, but because it's dangerous to do business any other way.
If we could get some reasonable legal reform passed to reduce lawsuit (perhaps as simple as "loser pays, plus some extra amount to the winner for time and trouble"), then perhaps we'd have fewer absurd lawsuits and at that point it'd be reasonable to talk about holding individuals more legally and personally responsible even if there's a corporate shield. But for the time being, no way. The corporate shield might occasionally protect the bad guys, but it also protects millions of well-meaning entrepreneurs from vicious and frivolous lawsuits that could threaten their family which, in turn, would reduce the number of entrepreneurs. And that'd be a BAD thing.
Re:Things did get done before corporations (Score:5, Insightful)
Re:Capitalism Rules! (Score:4, Insightful)
I'd wager it would be a boon for corporate governance if these turkeys knew that they would feel the weight of full liability.
Re:Capitalism Rules! (Score:4, Insightful)
Of course there is... the fact that they lost their shirts and destroyed their reputations pretty much means they are never going to start another company providing the same services ever again!
Re:External security auditors were needed (Score:3, Insightful)
Re:Capitalism Rules! (Score:3, Insightful)
If the hospitals had thought they were on the hook for the results of these systems they'd have demanded far simpler ones they could audit. Instead they buy a more complex system because of lies about its safety. This makes it almost impossible for honest firms to compete. If you discuss security issues you sound like more of a risk than the people who hand-wave them away.
Well, companies that haven't been burned don't realize the value of proper design. Just like people who've never witnessed a bridge collapse are reluctant to spend more for a sturdier design.