Contractor Folds After Causing Breaches
talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."
And that's the problem with corporations (Score:5, Interesting)
(I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)
Capitalism Rules! (Score:4, Insightful)
Re:Capitalism Rules! (Score:4, Informative)
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
Things did get done before corporations (Score:2, Insightful)
Re:Things did get done before corporations (Score:5, Insightful)
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
It's not on me to get into a debate about the efficiencies of historical systems with different problems in different environments, the point is that these technological marvels are not the sole province of modern capitalism and the corporate structure, as you insinuated.
Do you believe that we've achieved Utopia, a state beyond our capacity to surpass?
Do you think there will not be a better system that isn't a stepwise refinement, but a replacement?
This whole syste
Re:Capitalism Rules! (Score:4, Insightful)
I'd wager it would be a boon for corporate governance if these turkeys knew that they would feel the weight of full liability.
Re: (Score:3, Interesting)
Well, that's not a great thing actually. The vast majority of companies and businesses are SMALL businesses. If you take that shielding away, you'd open up most businesses that are small, mostly private individuals, and you'd have them risking personal bankruptcy and ruin, for even minor problems.
No one is going to risk their families welfare that way, and you'd kill small businesses in the US. For a person to ta
Re:Capitalism Rules! (Score:5, Insightful)
Can he magically make the security breaches un-happen?
At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.
Re:Capitalism Rules! (Score:5, Informative)
Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again.
Yes, but nothing's stopping these people from forming a new company and doing the same thing again.
Re:Capitalism Rules! (Score:5, Interesting)
1. Assuming the new company needs capital investment, they have to convince someone to invest. If investors don't do their homework, then they have only themselves to blame if the investment goes south (as presumably this one did).
2. If you contract with that new company without doing a little bit of background research, and your data gets exposed next time -- well, I guess that means selecting a vendor wasn't important enough to take the time to do it right, correct?
3. The IT mistake was not intentional / malicious, it was a mistake. While that should be a black mark on the reputation of former employees / owners, it shouldn't prevent them from ever working again; they just have to convince investors / clients that they have learned from that mistake and have policies / procedures in place to prevent it from happening again (assuming said investors / clients actually do their homework & check the vendor's reputation).
I guess that means your corporate reputation goes out the window, for not doing sufficient research on vendors for critical services.
Re:Capitalism Rules! (Score:4, Insightful)
Of course there is... the fact that they lost their shirts and destroyed their reputations pretty much means they are never going to start another company providing the same services ever again!
Re:Capitalism Rules! (Score:4, Interesting)
The problem with that is that a corporation is kind of an ethereal entity to begin with: it never really existed, except as an abstract concept, so "punishing" it is kind of meaningless.
Here's an analogy. Steve is a plumber. You hire Steve to replace the pipes in your house. Instead, he screws up so badly that you can no longer live in your house. You go to sue him, but he says "sorry, I'm not Steve any more. You can call me Frank, and you can't sue me, 'cause I'm not Steve."
That's basically what's happening here. The people responsible for this cannot be held accountable, because they no longer call themselves Careless, Inc.
IANAL, YMMV, HAND, etc, ad infinitum.
Re:Capitalism Rules! (Score:5, Insightful)
Take Sony and the distribution of malware with its CDs. A person (read: human being) would be doing time for it. Read the law. Creation and distribution of malware on a commercial premise. Fits like a glove in this case. Punishable, depending on your country, with up to 10 years in jail. Especially when you can credibly claim that the person in question actually did pursue commercial interests (which is trivial in this case).
But you can't do that to an international corporation! First of all, how do you imprison Sony? And think of all the jobs! And think of the tax (yeah, right, like I didn't pay more tax than Sony, in percent of my income...). And think of the political...
Bullcrap. In a nutshell, corporations are above the law. They can break them as they want and if anything, they get a waggle of a finger and a puppy eyed "please, please don't do it again, mmmkay?"
Re:Capitalism Rules! (Score:4, Interesting)
All large social entities: governments, corporations, religions, are above the law, because the concepts of law and justice apply to individuals, not masses of people.
Re: (Score:3, Insightful)
If the hospitals had thought they were on the hook for the results of these systems they'd have demanded far simpler ones they could audit. Instead they buy a more complex system because of lies about its safety. This makes it almost impossible for honest firms to compete. If you discuss security issues you sound like mo
Re:And that's the problem with corporations (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
Large corporate decision makers should not be immune from blame for their mistakes -- with great power and all that.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re:And that's the problem with corporations (Score:5, Interesting)
You could have a Class-C license to code and that would mean you know how to develop without buffer-overrun vulnerabilities, SQL-injection vulnerabilities, things like that. A top Class-A license to architect secure designs and robust inter-system communications.
CEOs and board members only know how to run a company: you know, management, budgets, allocations, etc. I'd be very surprised if Widgets, Inc. CEOs know the exact procedure and design decisions that led to Widget Model 3928 being the way it is.
Of course, the court system will help determine whether it was a renegade programmer or whether board-imposed policies and procedures led to the hiring of an unlicensed one.
Re: (Score:2)
Check out the Code of Hammurabi, a Babylonian king, which said that, if a person builds a building for another and the building falls in and kills the owner, the builder shall be put to death. There are other parts as well, but the total is that the builder/engineer is held responsible/liable for the construction done by that builder/engineer.
Not an engineer, but I do watch the discovery channel...
Re: (Score:2)
If you are suggesting that all of senior management and many of the engineers at Boeing should all go bankrupt when a plane crashes due to a design flaw (because some jury awarded 10 billion for pain and suffering), then I would no longer invest, work, or serve in the US. I wouldn't be the only one.
Basically, you are suggesting the economic suicide for an entire country.
Re: (Score:2)
I think you missed the point. If engineers are legally liable for their work that can put people at risk, ....
You could have a Class-C license to code
That is BS, you would get canned right away for not doing what the boss says regardless of what you think. I am faced with these arguments it seems every 2 weeks. I just make sure I have my CYA in good old fashioned printed emails.
The ONLY solution is to hold those in power, primarily senior management (hospitals and contractor) accountable. That mean
Re: (Score:2)
Reality check: Most programmers are under commercial pressures from managers and customers. For example, as a programmer I can recommend using MISRA C and a very thorough testing regime for a project, but that doesn't mean the customer is willing to pay for it.
This has always been a real bugbear of mine and I suspect always will be. Given that t
Re:And that's the problem with corporations (Score:5, Insightful)
Reality check: Most engineers are under commercial pressures from managers and customers. That doesn't mean that if my boss wants me to use paper clips instead of my recommendation of high-tensile steel bolts, I'm on firm ethical ground saying "Okay, paper clips it is." I have a professional, ethical responsibility to not build shoddy product. Don't programmers?
Your reasoning is flawed (Score:4, Informative)
Likewise, if the policies enacted by a company direct actions that defraud the public out of millions of dollars, they will be held accountable (see: Enron). If Joe Sixpack in accounting traffics data all on his own, why should the CEO be held accountable?
Re: (Score:2)
And so will the engineer, because his responsibility doesn't end once construction starts... part of his job is to monitor the quality of materials, methods and installed equipment and to make necessary adjustments to the design if things can't be worked out in the field.
An engineer's respo
Re:Your reasoning is flawed (Score:5, Interesting)
The poster child for this, of course, is NASA's history after the Challenger disaster. The immediate desire was to blame the engineers. But the engineers were happy to cooperate with the investigations, because they had copious records showing that they knew about the potential problems, tried to delay the launch, and were overridden by management. Subsequent analyses (by engineers
The real disappointment in this and similar disasters is that the managers who override (or ignore) the engineers are almost never held responsible. NASA did do a bit of management shuffling, true, but nobody takes this seriously. With most corporate disasters, even when the CEO or other officer "resigns", he typically walks off with huge amounts of money and no punishment at all. The exceptions are so rare (think Ken Lay) that corporate managers really don't consider it a serious possibility.
In the case of software, it's routine for management to order the use of packages that the engineers know to be insecure and/or unsecurable. I've seen it over and over. The developers know that they just have to live with this, and make the best of a bad management decision. The only way to change this is to make the actual decision makers responsible for the consequences. Does anyone seriously think this is likely to ever happen?
Re: (Score:2)
Re: (Score:2)
Sounds like something some management-type would tell someone to do. Or maybe the admin saw too many Star Trek reruns and thought the company should lower the shields so they can beam the data up.
Re: (Score:2)
Re: (Score:3, Informative)
No, they're different directors. That lot WAS jailed - and they were jailed because of THEIR decisions, not those of their underlings.
Re: (Score:2)
Re: (Score:3, Insightful)
Boards of Directors are supposed to be outside overseers who make sure those INSIDE the company are not blinded by internal goals and policies or politics; they are PAID to provide an outside view and unbiased viewpoint.
My point is that there are already several layers of 'leadership' that are supposed to be providing adherence to standards
Re: (Score:3, Insightful)
The lot that makes up the top level management is usually small. You know each other. You see each other on various occasions. Doesn't it strike you as odd that every time some manager needs to "take a break" because his blunders were too obvious that miraculously someone from abroad comes in to take over? Guess what he did there. He needed a break.
The group is small and very selective who it allows into its ranks. You don't just get a ton of degrees fr
Personal liability is not a solution (Score:2, Interesting)
Who would take a job where you could be held personally liable for any mistake your subordinates may do? You have a company where the size is small enough that you can check everything, I guess, or you wouldn't be taking that responsibility, but would you really want to be personally liable if you had 1500 employees? Would you be able to check all their work for flaws?
In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already
Re: (Score:3, Insightful)
In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?
I tend to agree with you, especially since the problem didn't kill anyone. But, some questions remain - we don't know how much influence that primary investor had over operations. What are the chances that he will just open up shop again under a different corporate charter and continue the same sort of poor practices that got his first company in trouble?
I think corporate death like this is a good thing if it results in the rest of the industry internalizing the consequences of poor practices. But if th
Re: (Score:2)
Re: (Score:2)
It's not at all clear that they've been punished. And there has been no restitution to the injured parties.
Hypothetically; a company makes a program that makes it super easy to do stock transactions, and makes a billion dollars selling it. Then one day it's discovered that there's a vulnerability that allow
Dissolution and reconstruction, the perfect escape (Score:2)
What you describe is of course an undesirable (to say the least) turn of events. However, I find it unlikely that there is no failsafe for this. How do you "fold" a company and what is involved? Can you dissolve a company if you know a lawsuit is coming? At what point are you unable to dissolve a company so that you lose no money?
Otherwise this seems like the perfect failsafe for any corporation when a large lawsuit is pending. Dissolve the company, reconstruct it in a new name and continue business as usu
Re: (Score:2)
Well, the problem is that when corporations fold, what happens is that the Board Of Directors winds up leaving with multi-million dollar severance packages, while everyone else is thrown into the street. Some of the severance packages are so great as to make it almost more profitable for some individuals to
Re: (Score:2)
Star wars fan heh? I suppose when Darth Vader killed the Emperor, all his sins were forgiven as well? All the people he killed, planets and ship destroyed, all forgotten?
You bastard!!
But really, how is this much punishment? They will just start up another company, slightly different name, and keep doing the s
Restitution (Score:2)
I disagree. Suing individuals for a mistake like this would be revenge and would serve no other purpose than giving some people a misplaced sense of "justice". My question (largely rhetorical in nature) was more regarding the intent of suing someone rather than the purpose of any legal system. The governmental branches mostly have very lofty purposes which just as oft
Re:And that's the problem with corporations (Score:4, Informative)
Just because your business was officially dissolved (through the Secretary of State's office) doesn't mean that you're off the hook for bad shit you pulled.
If an employee or contractor was found to be negligent or acting outside of their role within the corporation, they can be found personally liable. That usually results in employee/contractor suing the business and vice versa.
American business law is very interesting.
Nobody ever got fired for choosing ColdFusion (Score:2)
That is the problem (Score:2)
One interesting side note about this is that corporations are supposed to have nearly all the same rights as humans. But they do not have the same responsibility. That is, they can not be jailed f
Re: (Score:2)
in a country with the death penalty? (Score:2)
That's really not going to work too well in a country where you still have the death penalty. Who's going to want to be a director? You are going to have to go round executing a lot of CEOs every time bridges collapse, trains crash, etc. Mind you I suppose that's what happens in China.
Though I take the point you're making in spirit. We had some train crashes in the UK over
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
I know Tom Lawry (Score:4, Insightful)
Afterwards he went on to form his own company, but still hung around as a consultant. He wasn't particularly technical, but was very good at navigating through the political issues that often come up with organizational change. For example, switching from paper to online job applications was fairly exciting, if only getting our various regions to agree on a single form.
In later years, we had our disagreements with Tom. I wasn't too happy on how he assisted with our Internet site (his organization was starting to get into the web design business). As a person, he was always kind and thoughtful, despite his various business endeavors. He'd talk about his kid, how expensive going out to a movie in Seattle was getting, or tell stories about the Sisters from his time working at our organization (we're a Catholic healthcare organization).
We were actually just starting to sign up to use his latest product (a clinic billing system). He was partnering with our medical record system vendor and it seemed reasonably good. Fortunately we didn't have any security breaches related to this incident, but it seems to have been blind luck to some degree.
I think it's impossible for any CEO, even if they have a technical background, to be aware of every technical issue within their organization. In any complex endeavor, there's just too much going on. At this point, it seems like Tom has suffered quite a bit already. He's lost the business he's spent a decade growing. Prosecutors are looking into criminal charges. I don't know how he'll recover professionally. I'm sure he'll spend the rest of his life second-guessing what he should have done better. Hired different people? Brought in an outside auditor?
For me, it was a reminder that everything can just disappear in a flash. Cherish what you've got.
left with no one to sue (Score:5, Insightful)
I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.
Re: (Score:2)
Re: (Score:2)
Well, duh. Limited liability company [wikipedia.org]
Re: (Score:2, Interesting)
If accountability is what you want then why are you looking at the CEO? Shouldn't the technician who left the router down be personally liable? You could say that the CEO had the responsibility for ensuring methods were in place to prevent this. You could also say that the data was the responsibility of the hospital and paying a contractor does not eliminate that responsibility.
Re: (Score:3, Interesting)
Do they really? Remember that the price is rather more than a number written on a ticket - you need to look at the value of what you're buying too. For instance, I buy most of my groceries in small independent shops rather than supermarkets, because I get better value for money. Yes, the number at the bottom of the receipt is a little higher, but the quality of the produce is much higher.
Nice (Score:2, Funny)
Can't pass the buck (Score:5, Insightful)
And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.
Re: (Score:2, Insightful)
What's that thing called insurance do?
Re: (Score:2)
As often as they blame a "rogue supplier" everybody is still going to blame them for lack of oversight, and rightfully so.
Re: (Score:2)
You can outsource work but you can't outsource responsibility.
Oh, yeah? Let's ask Karl Rove.
HIPAA (Score:2, Insightful)
Verus probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA.
Re:HIPAA (Score:5, Informative)
Sorry, but I think you are wrong on the "probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA". FTA, it's more likely they folded from lack of funding -- as their primary investor pulled out (most likely due to not wanting to tarnish THEIR name...
Re: (Score:2)
Well now... (Score:2, Insightful)
In this day and age, all I can say is BOO HOO.
Re: (Score:2)
The problem is, people are going to be suing the hospital for allowing their information to be let out into the wild. If Verus is no longer there for the hospitals to sue, then they don't stand to recoup any losses suffered when the plaintiffs win these lawsuits, and as a result the hospitals have to shell out hard-earned cash to make these people go away. End result: medical care costs go up or hospitals may close. Litigation is not always the answer, but in this case, it was the only way to make sure that
Start looking at MedSeek (Score:4, Interesting)
For that matter, I would think the federal government would be all over it for violation of HIPAA regulations.
External security auditors were needed (Score:5, Interesting)
Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.
What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).
Re: (Score:2)
What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).
I bet you won't. Why? Because their competitors are slapping each other on the back, laughing themselves silly, and convincing themselves it won't happen to them, their IT guys aren't that dumb. Unfortunately, with the given state of IT talent, this is going to happen to one of them next -- not this precise failure, mind you, but something similar. Data security is a joke right now, and not just for hospitals. Until there is a universal outcry and until companies that cause data breaches are hit in the wa
Re: (Score:2)
Yeah, but after all the back-slapping and laughing-themselves-silly, somebody is going to get the bright idea that a security audit would be a great marketing tool. "You should hire us because we're secure. Really -- just ask !" And some customers will notice.
Re: (Score:2)
Oops, that should have been: "just ask <security audit firm>!". Curse those HTML tag interpreters...
Re: (Score:2)
Sometimes you have to take that risk (a redundant colo or something), but in that case you have a secure medium for file transfers and it should happen pretty damn often if not constantly
Re: (Score:3, Insightful)
See how far you'll get litigiously when... (Score:3, Interesting)
Hold your information close to your chest - there's a reason you used to pay a guy, an in-house guy mind you, the BIG BUCK$ to keep your information straight.
But noooooo...
We gotta OUTSOURCE because it looks good on a quarterly statement.
Stew in it boyos, STEW IN IT!
Can someone explain (Score:2)
, all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another,
I confess, I am not someone who works professionally in the IT field, so I may be off the mark here, but can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another? I guess it just sounds a little unusual to me. Is this a systemic flaw in the way these systems were being administered or is this someone leaving out an obviously crucial step in an otherwise routine operation?
Re: (Score:2)
Re: (Score:3, Insightful)
B) PEBKAC (didn't know how to do the above, or at least do it properly)
C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
D) Some combination of A, B and C
hmm (Score:2, Insightful)
All right IT monkeys.. (Score:3, Interesting)
Re: (Score:2, Insightful)
Next time... (Score:3, Funny)
Next time, they'll buy IBM, I guess.
I am not a lawyer, but... (Score:2)
Granted this may vary a bit from state to state, but directors and executives of a corporation, and sometimes, depending on the circumstances, the investors, do not get total automatic blanket immunity from prosecution by virtue of incorporating. If the hospitals here can show there was willful negligence, and not simply "someone fucked up", they can go after the directors and executives for every penny they have
Knee jerks the wrong way (Score:4, Insightful)
Also, let's not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principal, too. As did the shareholders (stock=0), employees (now unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.
If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".
No One to Sue? (Score:2)
One factor courts look at to determine whether a corporation's e
I've been in this business for too long... (Score:2)
I think I'll go and lie down.
It's just P.R. (Score:2)
They will reopen after changing their name to "Virus".
No one to sue... (Score:3, Insightful)
The hospitals, which initially reported their breaches separately, were left with no one to sue.
A US-ian's worst nightmare, no one to sue. Do you really exist if you've no one to sue?
Re: (Score:2)
It can happen to anybody (Score:3, Interesting)
I hate to admit it, but a few years ago I did an update on a Fedora box which renamed protocol 50 from ipv6-crypt to esp or something of the sort. Due to this, the firewall rules failed to load at startup which left the outside portion of the network completely unfirewalled instead of nearly completely firewalled.
Now ordinarily this wouldn't be a huge problem as one should reasonably hope that even an unfirewalled system is secure. And indeed, the Windows 2000 webserver we had was reasonably secure. It was up to date with all the patches and running great. The ultimate attack vector had nothing to do with lack of patches but rather an ultra-weak password. You see, someone else had an account in the administrators group with a password of 121212. With the firewall being down this account could be used to log in to the SMB shares and thus execute anything with that account's privileges.
Fortunately, the webserver had absolutely nothing to do with the rest of the network which was behind a second firewall with a totally different authentication/directory system and a different set of usernames and passwords. So the attacker was able to get access to a webserver with nothing of any interest on it. It is at that point when I began to research how the hell he got in and realized that the firewall was not firewalling anything. Later on, we decided the 121212 password on an Administrators group account was the ultimate culprit.
This just goes to show you that a break-in can happen to anybody. Granted, in this story's case, taking down a firewall on purpose to transfer some data was probably not a good idea and could/should have been avoided. But that's a mistake, not an invitation to burn the perpetrator at the stake.
Ultimately, a security failure should result in a procedural change. In our case, checking that the firewall rules installed correctly at boot became part of the checklist of things to do when upgrading that server. We also changed the passwords on the webserver and implemented several new policies. Prior to the attack, the webserver passwords were a combination of knowable information like birthdate, hire date, and part of SSN. Their purpose was to secure read-only access to a site with company policy information so it wasn't thought they needed to be highly secure. Unfortunately, all of the users were full Windows users so for all we know it might not have been the weak password on the admin account but instead a disgruntled (ex-)employee coupled with a possible privilege elevation bug. Due to this, we changed all of the users' passwords to be random and moved all of the users out of the Users group and into a group that only allowed logins to the website and not on the console.
All that for a measly webserver with some simple read-only access to data that doesn't have to be all that secure. Now consider having a web application with critical data like patient records and several thousand users all from different hospitals. That's basically an accident waiting to happen. If I were a company doing that, I'd be sure to have a huge insurance policy to cover the liabilities and/or make damn sure the contracts with customers indemnified the company against lawsuits for accidental breaches.
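The checklist item the comment above ends on, verifying after an upgrade that the firewall rules really loaded, as an added example that is not the commenter's own script: it assumes iptables-style `iptables -S` listings and an /etc/protocols-format file, and every dump it reads is constructed for the demonstration, including the ipv6-crypt/esp rename the comment describes.

```shell
#!/bin/sh
# Post-upgrade firewall checklist (added example, not the commenter's own script).
# Assumes iptables-style listings as produced by `iptables -S` and a file in
# /etc/protocols format; every dump below is constructed for the demonstration.

# firewall_state <dump>: print LOADED, EMPTY or MISSING for the INPUT chain.
# EMPTY is the state from the story: policy ACCEPT and not one rule, which is
# what remains when the rule script aborts before installing anything.
firewall_state() {
    dump="$1"
    policy=$(awk '$1 == "-P" && $2 == "INPUT" { print $3 }' "$dump")
    rules=$(grep -c '^-A INPUT ' "$dump" || true)
    if [ -z "$policy" ]; then
        echo MISSING
    elif [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ]; then
        echo EMPTY
    else
        echo LOADED
    fi
}

# rules_at_least <dump> <n>: succeed only if INPUT carries at least n rules.
# Record n from a known-good load so that a partial load also fails the check.
rules_at_least() {
    count=$(grep -c '^-A INPUT ' "$1" || true)
    [ "$count" -ge "$2" ]
}

# unresolved_protocols <rules_script> <protocols_file>: print each symbolic
# name used in "-p NAME" that the protocols file no longer defines. This is
# the exact trap in the comment: the update renamed protocol 50 from
# ipv6-crypt to esp, and the stale name made the whole rule script fail.
unresolved_protocols() {
    grep -o -- '-p [A-Za-z][A-Za-z0-9-]*' "$1" | awk '{ print $2 }' | sort -u |
    while read -r proto; do
        grep -q "^$proto[[:space:]]" "$2" || echo "$proto"
    done
}

# firewall_check <dump> <min_rules>: the checklist entry itself.
firewall_check() {
    state=$(firewall_state "$1")
    if [ "$state" != "LOADED" ]; then
        echo "firewall: INPUT chain is $state" >&2
        return 1
    fi
    if ! rules_at_least "$1" "$2"; then
        echo "firewall: fewer than $2 INPUT rules loaded" >&2
        return 1
    fi
    echo "firewall: OK"
}

tmp=$(mktemp -d)
# Constructed: a healthy INPUT chain after a correct load.
cat > "$tmp/good.dump" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p esp -j ACCEPT
EOF
# Constructed: the box after the rule script aborted, as in the comment.
cat > "$tmp/empty.dump" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
# Constructed: an old rule script still using the pre-rename protocol name.
cat > "$tmp/rules.sh" <<'EOF'
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p ipv6-crypt -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
EOF
# Constructed: /etc/protocols after the update, where 50 is only "esp".
cat > "$tmp/protocols" <<'EOF'
ip      0       IP
tcp     6       TCP
udp     17      UDP
esp     50      IPSEC-ESP
EOF

firewall_check "$tmp/good.dump" 4 || true
firewall_check "$tmp/empty.dump" 4 || true
echo "stale protocol names: $(unresolved_protocols "$tmp/rules.sh" "$tmp/protocols")"
```

On a live box the same functions run against `iptables -S > dump` and the real rule script and /etc/protocols; an EMPTY result is exactly the silently unfirewalled state the comment describes.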
I live in the town with skylakes medical center (Score:3, Informative)
Comment removed (Score:3, Interesting)
Re: (Score:2)
The country where everyone sues everyone else. Also the country that has incredibly restrictive legislation on health care information (HIPAA). Am I getting warmer?
Re: (Score:2)
What if it was worded "none of the responsible parties were there to accept the consequences" or "those that caused the problem escaped without repercussions, while others had to pay for the costs of their negligence"?