Vy Technology :: Blog :: High quality technology innovation in the shortest amount of time

The Blog

SolarWinds Hack Shows Danger Of One Size Fits All IT Security
In 2018 I spent an exceedingly large amount of time arguing with managed care attorneys. I was representing a healthcare company that didn't fit traditional classifications, and in turn, "lively discussions" around traditional security requirements were occurring constantly.

In one particular call, we discussed their requirement for an around the clock, eyes on glass SIEM solution before our $5-million contract could start. This requirement was overkill for the operation, and it was my job to convince them.

Eventually, they backed off the need of around the clock, eyes on glass, but they still insisted for a traditional SIEM solution. Their recommendation was for us to use a company called SolarWinds.

I had concerns for TWO main reasons:

  • We already built top tiered solutions for security monitoring
  • More importantly, I wasn't (and still not) fully comfortable adding additional parties where someone else has control and there is no visibility into their security practices

Their response: "SolarWinds is used by DOD, FBI and almost all Fortune 500 companies, I promise you their security is better than yours."

Recognizing I had to bend on this particular requirement, I agreed. However, I wanted to be on the record noting that I didn't believe SolarWinds solution was better, but more importantly point out that they ARE a bigger target, which made me uncomfortable giving them access to our network and data.

Fast forward to 2020 and SolarWinds is now the source of what in my opinion will be seen as the largest security breach to date. Having Microsoft Source code stolen is hugely problematic in so many ways I'd need a whole other blog post (or ten) to detail. Then came the US Government agencies breached. And the more time and info we uncover, the worse it gets.

This is reminiscent of this summer's SonarQube hack of the FBI (also reminiscent for me because due to other discussions I had with a different set of MCO attorneys over SAST testing requirements and their suggestion to use SonarQube).

This topic will probably be controversial for certain vested interests, so let's get a disclaimer out the way. If you are a Fortune 500 company, a large government agency, or if part of an "IT security company" this post isn't for you. This post will be beneficial for healthcare companies that are not hospitals/doctors offices/pharmacies, generating $50-$200 million in revenue.
Disclaimer out of the way, onto the real controversial statement.

The current unfashionable practice of "security through obscurity" (when combined with other key security measures) is prudent and needs to make a comeback.

If you're still reading you are probably: 1) vehemently opposed to that statement and looking for a pitch fork, 2) you agree with me (very unlikely), or 3) you have no idea what I'm talking about.

So for third group, security through obscurity is the past belief that there was security in no one knowing your source code and your technology apparatus.

For the pitchfork folks, before we go too far, I am not saying that "security through obscurity" should be the only security measure. But rather we increasingly find that attack vectors come through adding services (yes, even security services) to one's network, and maybe as serious IT professionals we should consider limiting the amount of entities on our network for the sake of security. This principal applies doubly to small and medium sized companies.

Blindly adding services on top of one another is like adding more entrances to the White House without ensuring additional security precautions. In short, you're asking for trouble.

You need a solution that thinks through the most cost-effective (emphasis on effective) method of security. You need a solution that will look at your company's entire landscape and make the best decisions to keep your data safe. You need a solution that doesn't just regurgitate industry jargon like "standards" and "best practices" especially since every business is different and has their own specific needs. With these ideals in mind, Vy can not only ensure an effective tailored security solution but we can usually implement at a lower total cost. Truly a win-win.

Maybe your operation needs an incredibly well hardened software that has limited attack vectors. If that is the case, Vy would love to have a conversation with you.

896 MemberID Variation Solution
One of our core values at Vy Technology is that We Know the Difference in Being Right and Doing Right. What we mean by that is, being right is important, but doing right is far more important. When those conflict, choose doing right.

Even though most of our core values reflect what I naturally gravitate to in business, this, in full disclosure, is not one I naturally gravitate to. Out of all our values, this is one that I personally struggle with the most. I think a lot of technology personalities struggle with this. It's why it's important it's there.

Living out this value of course can manifest itself in many ways. One recent way was looking at helping a customer of ours come up with a solution because their customer didn't have the ability to provide consistently formatted data.

This story may get a little complicated so I will go ahead and call our customer Good Food Company and I will name their customer Homestead Insurance Company (neither are their real names).

A standard need for Good Food is being able to process hospital discharge files. This usually entails processing through the discharge file, comparing MemberIDs to a previously loaded eligibility file, and then proceeding on if a match is found.

This match is important because after the member has been served, the reporting needs kick in and there is a lot of metadata associated to that member from the eligibility file that needs to be reported back to Homestead.

The problem lies however in the fact that you would think the MemberIDs in the discharge file would be in the same format as the MemberIDs in the eligibility file. For most MCOs, that is the case. But for Homestead, that wasn't the case.

Now we could have rightly held firm and said, you need to get your two files to match. We would be right saying that. But that isn't necessarily doing right given the situation.

Why? Because we know that Homestead will take months to get this resolved. We know that Good Food will be missing out on revenue while Homestead sorts through that. And most importantly, we know that Homestead's members will be missing out on a benefit they very desperately need when they are at their most vulnerable.

So how does a "doing right" versus "being right" mindset solve this issue? Simple. Vy Technology proposed and then wrote an algorithm that tries 896 different combinations of MemberIDs to find a match.

So if a MemberID is 123456789-01 in a discharge file, then we try 12345678901, and 123456789*01, and 00012345678901, and 123456789, and 892 more variations. The computational impact on the server is measured in milliseconds. The coding effort was measured in 2 to 3 hours. Good Food is happy, Homestead is happy, and Homestead's members are happy.

These are the types of issues you find when doing business in healthcare. And this is the type of creative problem solving you get with Vy Technology.
Need help with creative solutions to complex problems? It would be fun to discuss. Contact us.