A Coverup is a Coverup and it never ends well. The truth will always come to light. Today we look at one such cautionary tale.
Today in health, it we're going to take a look at a cautionary tale, something to keep in the back of your head. My name is bill Russell. I'm a former CIO for a 16 hospital system. And creator this week health set of channels and events dedicated to transform healthcare. One connection. At a time. We want to thank our show sponsors who are investing in developing the next generation of health leaders.
Short tests are decide parlance certified health. Notable and service now, grape companies check them out at this week. health.com. Slash today. We're going to be talking news today. Anytime we talk about a new story on the show, you can check it out at this week. health.com/news, still in beta, but you can take a look at it.
Give me some feedback. Just DME, let me know what you think. All right. Hey, we're still doing our fundraiser for childhood cancer with Alex's lemonade stand we're up around 50. I don't know what we are right around $60,000 for the year. I'm so impressed with the generosity of our community. We still want to go through that number.
If you get a chance to hit the website top right hand corner, you can see a link to the lemonade stand. You can give there. Thank you once again for your great generosity and making this a reality this year. And next year, we are going to set a much higher goal. We'll see what happens. All right.
One last thing, share this podcast with a friend or colleague. I get the conversation going. You said as a foundation for daily or weekly discussions on the topics that are relevant to you in the industry. They can subscribe wherever you listen to podcasts. Alright today. Our cautionary tale, sec charges, solar winds, and chief information security officer with fraud and internal control failures.
Let me get my glasses again. You can get hit this on our. Website, there's a link there. Let's see, October 30th, 2023, the security exchange commission today announced charges against Austin, Texas based software company, solar winds corporation, and its chief. Information security, officer Timothy, G brown, even named wow. For fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
The complaint alleges that from at least it's October, 2018. Initial public offering through at least it's December, 2020 announcement. That it was targeted by a massive, nearly two year long cyber attack, dubbed sunburst, solar winds, and brown. Defrauded investors by overstating solar winds. Cybersecurity practices and understating. Or failing to disclose known risks. And it's filings with the sec during this period, solar winds, allegedly misled investors by disclosing only generic in hypothetical risks at a time when the company and brown knew of specific. Deficiencies in solar wind cybersecurity practices, as well as increasingly elevated risks to the company faced at the same time while I, this is a cautionary tale, this is. Exactly what not to do. If you're the S the Cisco. Put it back on the leadership. Tell them the truth. This is what's going on. This is what's happening. And get that in the public record, get it in the board notes, get it in the meeting minutes, get it in, whatever. Here's the presentation I gave to the board.
This is so should not be left out to dry unless they did not do those things. It should not be incumbent on the Cisco to stand in that gap. It should be incumbent upon them to make people aware of the risks. And give them the ability to make the decisions they need to make. Anyway. Could it go on. As the complaint alleges solar winds, public statements about its cybersecurity practices and risks. We're at odds with its internal assessments, including a 2018 presentation prepared by company engineer and shared internally, including with brown that solar winds remote access set up was not very secure. And that someone exploiting the vulnerability can basically do whatever without us detecting it until it's too late. Which could lead to major reputation and financial loss.
Wow. That person's be promoted. For solar winds, similarly as alleged in the sec complaint, 2018. And 2019 presentations by brown stated respectively. That the current state of security leaves us in a very vulnerable state for our critical assets and that access and privilege to critical systems. Data is inappropriate. Let's see, let me skip a little bit here. In addition to the sec, his complaint alleges that multiple communications among solar winds employees, including brown. Throughout a 19 and 20 question, the company's ability to protect its critical assets. From cyber attacks.
For example, according to the sec complaint in June, 2020, while investigating a cyber attack on a solar winds customer brown road. That it was very concerning that the attacker may have been looking to use solar winds or Ryan software and larger attacks because our backends are not that resilient. So maybe he was communicating this out.
It's very interesting. And they, September, 2020. Internal documents shared with brown and other stated the volume of security issues being identified over the last month have outstripped the capacity of engineering teams to resolve. Wow me and. Let's see, we alleged that for years, solar winds and brown ignored, repeated red flags about solar wind cyber risks, which were well-known throughout the company. And led one of brown subordinates to conclude. We're so far from being a security minded company. Said the director of sec division of enforcement, rather than address these vulnerabilities, solar winds and brown engaged in a campaign to paint a false picture.
That's where they lost it. Right there. I can't paint to paint a false picture of the company's cyber controls environment. You have to admit there's a problem. Address the problem, secure the environment. Make people aware of what's going on. And they created a larger problem for the entire industry. And that's probably the, so what for this, as I try to end these things with this.
So what does this mean for us? First of all, you are not a leader who stands in isolation. It is not your job to defend the entire organization. You are a part of a team. If you work for a health system, you're part of a team. And depending on where you are in that ladder, your job is to communicate the risks. And the things that you see to the level that's appropriate, if that's the next level up and let them do with it, what they may, that's your job.
And if you're the cyst, so you need to communicate it to whoever you report to that could be a board. It could be a joint reporting. If you are a peer of the CIO to maybe a chief security officer or a president or chief operating officer, if you report to the CIO, which you're incumbent upon it. Yourself too. Make that person aware of it and spell out the risks.
Here's what we're seeing. Here's what's going on. Here's what is possible. If we do not address this, make it very clear, as clear as you possibly can. If the CIO decides not to take that to the board, that's the CEO's prerogative. And. And their risk. Not when they should take, if you're a CIO listening to this, you should take that to the board immediately.
In fact, you should take that to the executive team immediately. Take that to the CIO CEO, as soon as you possibly can get on the phone, let them know, Hey, I've got a critical issue. We need to discuss, get over there and have the conversation. Let the organization respond to these things, give them the information they need to respond, give them the path and the risk associated with it.
Be as clear as you possibly can. This is not an indication on you and your ability to do your job. Your job is to let people know. Where we are deficient. And if that's a mistake you made, it's better to make that mistake and fess up to that mistake than it is to Expose the company to huge fines. And potentially other worse consequences. Anyway, that's all for today. Don't forget, share this podcast with a friend or colleague. Keep the conversation going. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. Short test artist, site parlance, certified health, notable and 📍 service.
Now check them out at this week. health.com/today. Thanks for listening. That's all for now.