'We should have done better' – the feeble words of a CEO caught using real hospital IT in infosec product demos

The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers. Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint …

  1. Anonymous Coward

    >Understatement of the month: 'Mistakes were made'

    Wow, that is the phrase I often see when I decide it's time to start team killing the early Saturday afternoon elementary school PuGs on COD lol.

  2. edge_e
    Facepalm

    Who's permission?

    Hindawi said that since 2015, his biz has always explicitly asked its customers if it could use their data in demonstrations and has obtained written consent.

    And how many of those customers had freely given consent from their customers to use that data?

    <edit> fixed spelling mistake in title

    1. Anonymous Coward

      Re: Whose permission?

      "fixed spelling mistake in title"

      s/who's/whose

      Sorry, my inner pedant couldn't resist.

  3. Commswonk

    Run that past me again...

    "It is true that we fire people when they don't meet our ethical or performance standards...

    Talk of ethical or performance standards doesn't fit well into a company that abuses live medical records. Perhaps he should fire himself.

    Alternatively "Ah, this is obviously some strange use of the word ethical that I wasn't previously aware of." (With slight apologies for misquoting Douglas Adams.)

  4. Your alien overlord - fear me

    Fire people who don't meet their ethical standards. Sounds like if they have ethics they get fired?

  5. razorfishsl

    Sorry...... but HOW is that even possible?

    That said, you should come to HK, where most of the tech support companies set up secret accounts, then share the PW in emails and store it on mobile phones.

  6. John Smith 19 Gold badge
    WTF?

    So company sales staff have live logins to their clients.

    And their business is endpoint security.

    Does anyone (from the company) get why this is wrong, and on how many levels?

  7. JimC

    It's not the clearest of articles, but one interpretation of it would be that they were doing their demos on a demo environment on the live network, and possibly a demo environment with poorly anonymised data, which is bad enough in all conscience, but maybe not as bad as the headline.

    1. Adam 52 Silver badge

      The scenario I've got in mind goes:

      Techie: Can we have access to your test system?

      Hospital BOFH: We don't have a test, but you can use live.

      ...Sometime later...

      Sales Support Engineer: Can we demo your test system?

      Hospital PHB: Don't see why not.

      ...Sometime much later...

      Disgruntled, sacked employee: Have a look at this hospital data on YouTube

      Journalist: there might be a story in it

      Lawyer: Did you get paperwork to use that demo system?

    2. diodesign (Written by Reg staff) Silver badge

      Re: JimC

      I wish it could be clearer but the problem is that it's a murky situation. It seems what Tanium calls a demo environment was actually a hospital's network. That meant when sales ppl zoomed in on systems to show off the tool's features, it was zooming on real machines. This happened without permission from the hospital.

      From the WSJ, which got the scoop:

      "For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a hospital it said was a client ... But Tanium never had permission to present the demos, the hospital said."

      So it demo'd the gear using a hospital's IT system without the hospital's permission. I hope that's clear in our story.

      And as the hospital and Tanium say, no patient data was exposed - just internal IT info.

      C.

      1. The Nazz

        Still not convinced.

        If no patient data was used, only "internal IT info", then why the comments and regret that it could have been anonymised better than it was?

        No patient data at all is pretty anonymous to start with.

        1. Hans 1
          WTF?

          Re: Still not convinced.

          If no patient data was used, only "internal IT info", then why the comments and regret that it could have been anonymised better than it was?

          Hostnames, possibly IP addresses and server roles, the name of the hospital on a wallpaper, certainly ... stuff like that, what is so hard to understand ... it was a silly mistake as happens sometimes, some sales droids thought they had the green light to do it with that network when in effect they did not.

      2. John Smith 19 Gold badge
        WTF?

        " what Tanium calls a demo environment was actually a hospital's network. "

        Given the joy Sales types take in putting their software through extreme functions I'm staggered none of them did "And here's how if necessary you can delete the whole database and all supporting files in one go. It's pretty cool."

        I've worked development on systems which had a test environment and ones which didn't, so you had to update the live system.

        Those ones always had a significantly larger pucker factor.

  8. Phil Kingston

    Is it really wrong to call people stupid or fat if they are indeed stupid or fat?

    1. Hans 1

      > Is it really wrong to call people stupid or fat if they are indeed stupid or fat?

      Is it really wrong to call people stupid, fat, skinny, blond, red-haired, arrogant, humble, male if they are indeed just that?

      TFTFY, and no, not necessarily, I think it all depends on HOW you say it.

      "Oy, fatty, get that stupid blond prima donna from next door into my office, NOW!" is not really the best way to start a meeting.

      "Man, you made a stupid comment during that meeting! I think you should read this book, it covers most of the stuff you did not understand on the matter." is, imho, perfectly acceptable!

      "Well, I think you should eat less and exercise more, you have become fatter recently, is everything OK with you? I hate to see what is happening to you these days!" Imho, perfectly acceptable.

      1. joeldillon

        'Well, I think you should eat less and exercise more, you have become fatter recently, is everything OK with you? I hate to see what is happening to you these days! Imho, perfectly acceptable.'

        - from my boss?? Hell no. Not his business. And from the article it doesn't sound like it's nearly as charitable as even that.

      2. Anonymous Coward

        > Well, I think you should eat less and exercise more, you have become fatter recently, is everything OK with you? I hate to see what is happening to you these days! Imho, perfectly acceptable.

        I get the impression you must be German. :-) It is indeed perfectly acceptable, perhaps even expected in Germany, but it would be very rude in England, even if the intentions are good.

  9. Stevie

    Bah!

    You dimwitted, fuckfaced twat!

    Sorry, I shouldn't have written that.

    All fixed, eh?

  10. Anonymous Coward

    Why aren't they being prosecuted?

    If this isn't the definition of unauthorized network/computer system access then what is?

    "The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers.

    Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint protection software. The hospital had not given permission for its computers and data to be used in this way."

    1. EnviableOne

      Re: Why aren't they being prosecuted?

      Because HIPAA and HITECH only apply to personal health data.

      The access they used was granted to Tanium, not created by them.

      Now, how they used that access was possibly outside of its intended use case, but the access itself is not actually illegal.

    2. VanguardG

      Re: Why aren't they being prosecuted?

      I expect the key phrase was "in this way". The hospital probably allows Tanium access to their networks for ongoing work. The problem arose when they disclosed the internal structure to third parties. If the tool is so great, though, why does Tanium not demonstrate it on THEIR OWN internal network, for potential customers? Why involve someone else?

    3. TVU Silver badge

      Re: Why aren't they being prosecuted?

      "If this isn't the definition of unauthorized network/computer system access then what is?"

      I agree; if this happened during a technical demonstration for the hospital itself it would be less of an issue but still not best practice. However, to use the hospital's network in real time as a demonstration to third party potential customers without permission is well out of order. This is not the only issue that they're dealing with at the moment, as the Bloomberg "Tanium's Family Empire Is in Crisis" shows.

  11. EJ

    What is it with next-gen AV?

    Between this and Cylance, it seems like it's all bad decisions and knife fights in the land of next-gen AV.

    1. gr00001000
      Mushroom

      Re: What is it with next-gen AV?

      Yep including:

      Slagging each other off behind closed doors in conferences

      CEOs calling out other NextGen InfoSec companies tech and strategy in press articles

      Poaching each others staff, with younger non-public companies offering large options.

      Undercutting each other at tenders

      Shameless job hopping around NextGen InfoSec by SEs and Sales leaders

  12. wolfetone Silver badge
    Trollface

    This post has been deleted by a moderator

    1. VanguardG
      Devil

      "This moderator has been deleted by a post."

  13. Captain Badmouth
    Paris Hilton

    Fuss about nothing?

    They've only been doing it for three years, and no-one complained before.....

    Paris : Been doing it for more than three years.

    ( Is this all right?)

  14. Anonymous Coward

    Right about now

    > and that figure is unlikely to fall unless customers start fleeing

    Right about now....

  15. rtb61

    Privacy Laws

    There are laws about medical records. To access medical records is to expose them. Privacy laws were broken and they should be prosecuted. Those records can only be accessed in the interests of patients, accessing them is the criminal act, whether or not the idiots choose to publish them.
