>Understatement of the month: 'Mistakes were made'
Wow, that is the phrase I often see when I decide it's time to start team killing the early Saturday afternoon elementary school PuGs on COD lol.
The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers. Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint …
Hindawi said that since 2015, his biz has always explicitly asked its customers if it could use their data in demonstrations and has obtained written consent.
And how many of those customers had freely given consent from their customers to use that data?
<edit> fixed spelling mistake in title
"It is true that we fire people when they don't meet our ethical or performance standards...
Talk of ethical or performance standards doesn't fit well into a company that abuses live medical records. Perhaps he should fire himself.
Alternatively "Ah, this is obviously some strange use of the word ethical that I wasn't previously aware of." (With slight apologies for misquoting Douglas Adams.)
The scenario I've got in mind goes:
Techie: Can we have access to your test system?
Hospital BOFH: We don't have a test, but you can use live.
...Sometime later...
Sales Support Engineer: Can we demo your test system?
Hospital PHB: Don't see why not.
...Sometime much later...
Disgruntled, sacked employee: Have a look at this hospital data on YouTube
Journalist: there might be a story in it
Lawyer: Did you get paperwork to use that demo system?
I wish it could be clearer but the problem is that it's a murky situation. It seems what Tanium calls a demo environment was actually a hospital's network. That meant when sales people zoomed in on systems to show off the tool's features, it was zooming in on real machines. This happened without permission from the hospital.
From the WSJ, which got the scoop:
"For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a hospital it said was a client ... But Tanium never had permission to present the demos, the hospital said."
So it demo'd the gear using a hospital's IT system without the hospital's permission. I hope that's clear in our story.
And as the hospital and Tanium say, no patient data was exposed - just internal IT info.
C.
If no patient data was used, only "internal IT info", then why the comments and regret that it could have been anonymised better than it was?
Hostnames, possibly IP addresses and server roles, the name of the hospital on a wallpaper, certainly ... stuff like that, what is so hard to understand ... it was a silly mistake as happens sometimes, some sales droids thought they had the green light to do it with that network when in effect they did not.
Given the joy Sales types take in putting their software through extreme functions I'm staggered none of them did "And here's how if necessary you can delete the whole database and all supporting files in one go. It's pretty cool."
I've worked development on systems which had a test environment and ones which didn't, so you had to update the live system.
Those ones always had a significantly larger pucker factor.
> Is it really wrong to call people stupid or fat if they are indeed stupid or fat?
Is it really wrong to call people stupid, fat, skinny, blond, red-haired, arrogant, humble, male if they are indeed just that?
TFTFY, and no, not necessarily, I think it all depends on HOW you say it.
"Oy, fatty, get that stupid blond prima donna from next door into my office, NOW!" is not really the best way to start a meeting.
"Man, you made a stupid comment during that meeting! I think you should read this book, it covers most of the stuff you did not understand on the matter." is, imho, perfectly acceptable!
"Well, I think you should eat less and exercise more, you have become fatter recently, is everything OK with you? I hate to see what is happening to you these days!" Imho, perfectly acceptable.
'Well, I think you should eat less and exercise more, you have become fatter recently, is everything Ok with you ? I hate to see what is happening to you these days! Imho, perfectly acceptable.'
- from my boss?? Hell no. Not his business. And from the article it doesn't sound like it's nearly as charitable as even that.
> Well, I think you should eat less and exercise more, you have become fatter recently, is everything Ok with you ? I hate to see what is happening to you these days! Imho, perfectly acceptable.
I get the impression you must be German. :-) It is indeed perfectly acceptable, perhaps even expected in Germany, but it would be very rude in England, even if the intentions are good.
If this isn't the definition of unauthorized network/computer system access then what is?
"The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers.
Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint protection software. The hospital had not given permission for its computers and data to be used in this way."
I expect the key phrase was "in this way". The hospital probably allows Tanium access to their networks for ongoing work. The problem arose when they disclosed the internal structure to third parties. If the tool is so great, though, why does Tanium not demonstrate it on THEIR OWN internal network, for potential customers? Why involve someone else?
"If this isn't the definition of unauthorized network/computer system access then what is?"
I agree; if this happened during a technical demonstration for the hospital itself it would be less of an issue but still not best practice. However, to use the hospital's network in real time as a demonstration to third-party potential customers without permission is well out of order. This is not the only issue that they're dealing with at the moment, as the Bloomberg article "Tanium's Family Empire Is in Crisis" shows.
Yep including:
Slagging each other off behind closed doors in conferences
CEOs calling out other NextGen InfoSec companies' tech and strategy in press articles
Poaching each other's staff, with younger non-public companies offering large options.
Undercutting each other at tenders
Shameless job hopping around NextGen InfoSec by SEs and Sales leaders
There are laws about medical records. To access medical records is to expose them. Privacy laws were broken and they should be prosecuted. Those records can only be accessed in the interests of patients, accessing them is the criminal act, whether or not the idiots choose to publish them.