'We should have done better' – the feeble words of a CEO caught using real hospital IT in infosec product demos

The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers. Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint …

Anonymous Coward

>Understatement of the month: 'Mistakes were made'

Wow, that is the phrase I often see when I decide it's time to start team-killing the early Saturday afternoon elementary school PuGs on COD lol.

2
1
Facepalm

Who's permission?

Hindawi said that since 2015, his biz has always explicitly asked its customers if it could use their data in demonstrations and has obtained written consent.

And how many of those customers had freely given consent from their customers to use that data?

<edit> fixed spelling mistake in title

14
0

This post has been deleted by a moderator

This post has been deleted by a moderator

This post has been deleted by a moderator

Anonymous Coward

Re: Whose permission?

"fixed spelling mistake in title"

s/who's/whose

Sorry, my inner pedant couldn't resist.

0
0

This post has been deleted by a moderator

Silver badge

Run that past me again...

"It is true that we fire people when they don't meet our ethical or performance standards...

Talk of ethical or performance standards doesn't fit well into a company that abuses live medical records. Perhaps he should fire himself.

Alternatively "Ah, this is obviously some strange use of the word ethical that I wasn't previously aware of." (With slight apologies for misquoting Douglas Adams.)

15
0
Silver badge

Fire people who don't meet their ethical standards. Sounds like if they have ethics they get fired?

9
0

This post has been deleted by a moderator

This post has been deleted by a moderator

This post has been deleted by a moderator

This post has been deleted by a moderator

This post has been deleted by a moderator

(Written by Reg staff) Silver badge

Deleted comments

Just wanna stress that, as the article says, no patient data was exposed, according to Tanium and the hospital. So any speculation about fines and privacy invasions and all that is not great.

We've tweaked the story to make it as crystal clear as possible. Apologies for any confusion.

C.

3
1
Silver badge

Re: Deleted comments

That's what the article says now... It's not what it said when all those comments were made. The article being wrong and libellous was what lots of us were pointing out.

1
0
Trollface

Re: Deleted comments

>That's what the article says now... It's not what it said when all those comments were made. The article being wrong and libellous was what lots of us were pointing out.

Well you know. Mistakes were made.

6
0
Bronze badge

Sorry...... but HOW is that even possible?

That said, you should come to HK, where most of the tech support companies set up secret accounts, then share the PW in emails and store it on mobile phones.

1
0
Gold badge
WTF?

So company sales staff have live logins to their clients.

and their business is endpoint security.

Does anyone (from the company) get why this is wrong, and on how many levels?

12
1
Silver badge

It's not the clearest of articles, but one interpretation of it would be that they were doing their demos on a demo environment on the live network, and possibly a demo environment with poorly anonymised data, which is bad enough in all conscience, but maybe not as bad as the headline.

0
0
Silver badge

The scenario I've got in mind goes:

Techie: Can we have access to your test system?

Hospital BOFH: We don't have a test, but you can use live.

...Sometime later...

Sales Support Engineer: Can we demo your test system?

Hospital PHB: Don't see why not.

...Sometime much later...

Disgruntled, sacked employee: Have a look at this hospital data on YouTube

Journalist: there might be a story in it

Lawyer: Did you get paperwork to use that demo system?

3
0
(Written by Reg staff) Silver badge

Re: JimC

I wish it could be clearer but the problem is that it's a murky situation. It seems what Tanium calls a demo environment was actually a hospital's network. That meant when sales ppl zoomed in on systems to show off the tool's features, it was zooming on real machines. This happened without permission from the hospital.

From the WSJ, which got the scoop:

"For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a hospital it said was a client ... But Tanium never had permission to present the demos, the hospital said."

So it demo'd the gear using a hospital's IT system without the hospital's permission. I hope that's clear in our story.

And as the hospital and Tanium say, no patient data was exposed - just internal IT info.

C.

4
0
Bronze badge

Still not convinced.

If no patient data was used, only "internal IT info", then why the comments and regret that it could have been anonymised better than it was?

No patient data at all is pretty anonymous to start with.

1
0
Silver badge
WTF?

Re: Still not convinced.

If no patient data was used, only "internal IT info", then why the comments and regret that it could have been anonymised better than it was?

Hostnames, possibly IP addresses and server roles, the name of the hospital on a wallpaper, certainly ... stuff like that. What is so hard to understand? It was a silly mistake, as happens sometimes: some sales droids thought they had the green light to do it with that network when in effect they did not.

0
0
Gold badge
WTF?

" what Tanium calls a demo environment was actually a hospital's network. "

Given the joy Sales types take in putting their software through extreme functions I'm staggered none of them did "And here's how if necessary you can delete the whole database and all supporting files in one go. It's pretty cool."

I've worked development on systems which had a test environment and ones which didn't, so you had to update the live system.

Those ones always had a significantly larger pucker factor.

2
0
Bronze badge

Is it really wrong to call people stupid or fat if they are indeed stupid or fat?

5
3
Silver badge

> Is it really wrong to call people stupid or fat if they are indeed stupid or fat?

Is it really wrong to call people stupid, fat, skinny, blond, red-haired, arrogant, humble, male if they are indeed just that?

TFTFY, and no, not necessarily, I think it all depends on HOW you say it.

"Oy, fatty, get that stupid blond prima donna from next door into my office, NOW!" is not really the best way to start a meeting.

"Man, you made a stupid comment during that meeting! I think you should read this book, it covers most of the stuff you did not understand on the matter." Is, imho, perfectly acceptable!

"Well, I think you should eat less and exercise more, you have become fatter recently, is everything OK with you? I hate to see what is happening to you these days!" Imho, perfectly acceptable.

1
1

'Well, I think you should eat less and exercise more, you have become fatter recently, is everything OK with you? I hate to see what is happening to you these days! Imho, perfectly acceptable.'

- from my boss?? Hell no. Not his business. And from the article it doesn't sound like it's nearly as charitable as even that.

2
1
Anonymous Coward

> Well, I think you should eat less and exercise more, you have become fatter recently, is everything OK with you? I hate to see what is happening to you these days! Imho, perfectly acceptable.

I get the impression you must be German. :-) It is indeed perfectly acceptable, perhaps even expected in Germany, but it would be very rude in England, even if the intentions are good.

0
0
Silver badge

Bah!

You dimwitted, fuckfaced twat!

Sorry, I shouldn't have written that.

All fixed, eh?

6
1
Anonymous Coward

Why aren't they being prosecuted?

If this isn't the definition of unauthorized network/computer system access then what is?

"The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers.

Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint protection software. The hospital had not given permission for its computers and data to be used in this way."

5
1
Bronze badge

Re: Why aren't they being prosecuted?

Because HIPAA and HITECH only apply to personal health data.

The access they used was granted to Tanium, not created by them.

Now, how they used that access was possibly outside of its intended use case, but the access itself is not actually illegal.

0
0

Re: Why aren't they being prosecuted?

I expect the key phrase was "in this way". The hospital probably allows Tanium access to their networks for ongoing work. The problem arose when they disclosed the internal structure to third parties. If the tool is so great, though, why does Tanium not demonstrate it on THEIR OWN internal network, for potential customers? Why involve someone else?

1
0
TVU
Bronze badge

Re: Why aren't they being prosecuted?

"If this isn't the definition of unauthorized network/computer system access then what is?"

I agree; if this happened during a technical demonstration for the hospital itself it would be less of an issue, but still not best practice. However, to use the hospital's network in real time as a demonstration to third-party potential customers without permission is well out of order. This is not the only issue that they're dealing with at the moment, as the Bloomberg piece "Tanium's Family Empire Is in Crisis" shows.

1
0
EJ

What is it with next-gen AV?

Between this and Cylance, it seems like it's all bad decisions and knife fights in the land of next-gen AV.

1
0
Mushroom

Re: What is it with next-gen AV?

Yep, including:

- Slagging each other off behind closed doors in conferences
- CEOs calling out other NextGen InfoSec companies' tech and strategy in press articles
- Poaching each other's staff, with younger non-public companies offering large options
- Undercutting each other at tenders
- Shameless job hopping around NextGen InfoSec by SEs and Sales leaders

1
0
Silver badge
Trollface

This post has been deleted by a moderator

5
0
Devil

"This moderator has been deleted by a post."

0
0
Bronze badge
Paris Hilton

Fuss about nothing?

They've only been doing it for three years, and no one complained before.....

Paris : Been doing it for more than three years.

( Is this all right?)

0
0
Anonymous Coward

Right about now

> and that figure is unlikely to fall unless customers start fleeing

Right about now....

0
0


Biting the hand that feeds IT © 1998–2017