July 26, 2006
Why Geeks Hate Lawyers #10,321
A software consultant can't download updates for his client. Trying to find a work-around, he FTPs into a server and downloads files so he can locate the updates. (More details here, via Instapundit) Logical, yes?
One little oopsie. One of the (unencrypted) files contained patient demographic information from a major hospital.
So, in light of the multiple HIPAA violations, etc., what's the software company's response?
InstantDx attorney Robert Hudock, an e-health specialist at the Washington, D.C., firm Epstein Becker & Green, says two separate weaknesses conspired to create a security hole for a brief period of time, and that no malicious activity resulted. He emphasizes that Perry couldn't have accessed the data if he hadn't gone poking around in Medisoft.
"Randall is the only player in the deck here," says Hudock. "He was entrusted with a secured copy of the application that had been appropriately licensed and installed, and he was working ... (as) a consultant for this particular physician.
"This vulnerability wouldn't have happened if the consultant to the physician had stuck to his responsibilities as a business associate of the physician," says Hudock.
Yeah, that's right. Someone is paying him a presumably large salary to be totally f*cking clueless about technology & compliance.
But take heart, my geeky friends. There's at least one other attorney besides me who understands both.
Mark Rasch, vice president of Solutionary and a former Justice Department cybercrime lawyer, says the company's response smacks of killing the messenger.
"One of the biggest problems you have is people inadvertently stumble upon security vulnerabilities, and frequently it's because they're trying to get their job done," says Rasch. "And what we do now is say, 'He did something wrong. He shouldn't have been there. Let's go after him.' How does that encourage people to report vulnerabilities and get them fixed? What they should do is give him a $10,000 finder's fee."
Correct.
But unfortunately, until the Justice Department actually prosecutes some of the 20,000+ HIPAA complaints they've received, that's not going to happen.
Posted by Rita at July 26, 2006 08:30 AM
Comments
I don't hate attorneys (in fact, I was a legal assistant before I got my Bachelor's).
But these circumstances certainly create an awkward (and confrontational) situation that further creates a chasm between those who want to help and those who need it.
This certainly isn't the first time for me. I once pulled a semi-conscious guy from a wrecked car that was spewing gasoline on a lone country road. The guy ended up dying a few hours later at the hospital (from internal injuries). I got a call the next day to get a complete statement from me. I was told that if the victim had been unconscious and I pulled him out, I might have been sued.
NEVER stop doing the right thing.
Posted by: Randall Perry at July 30, 2006 07:54 PM