Epic Systems vs. Tata: Key Security QuestionsProtecting Trade Secrets From Unauthorized Users
A whistleblower paved the way for electronic health records vendor Epic Systems' trade secret theft lawsuit against Indian IT consultancy Tata Consultancy Services, which resulted in the EHR vendor winning nearly $1 billion in damages, pending an appeal.
See Also: You've Got BEC!
The complex case raises a host of important security questions. But the most important is this: What potential indicators of compromise might have been missed by Epic's security team that could've helped the company detect and stop the apparent unauthorized downloading of thousands of sensitive documents much sooner - without the involvement of an external whistleblower?
How might have Epic better secured its sensitive documents containing trade secrets?
In case you haven't heard about the legal battle between Verona, Wis.-based based Epic and Mumbai, India-based TCS, here's a brief synopsis:
At the center of the suit are allegations by Epic, one of the largest U.S. EHR vendors, that TCS consultants - who under a 2005 contract between the two companies were permitted limited access to and use of Epic's software - inappropriately downloaded thousands of confidential Epic documents to benefit "in the development or enhancement" of TCS's competing EHR software, Med Mantra.
Epic claims that a TCS consultant who was working for Epic's customer, Kaiser Hospital Foundation in Portland, Ore., "transferred" his credentials to at least two other TCS employees in India. With those credentials, Epic alleges the other TCS workers downloaded, via Epic' UserWeb web portal, "at least 6,477 documents accounting for 1,687 unique files."
In an amended January 2015 complaint that updates the original complaint Epic filed against TCS in October 2014, Epic said the documents downloaded by TCS personnel included, among other things, "confidential, proprietary and trade secret documents detailing over 20 years of development of Epic's proprietary software and database systems."
According to Epic's lawsuit, that includes programming rules and processes developed to produce optimal functionality of Epic's software, documents that decode the operation of its source code and information regarding Epic's system capabilities and functions.
Epic charges that through "illegally gained" access, TCS "brazenly" stole the trade secrets and confidential information, and that "the theft appears to have been masterminded in Mumbai, then carried out in both India and the U.S. through employees of a U.S. subsidiary of Tata Consultancy Services called Tata America International Corporation."
TCS, in a statement issued after the April 15 jury decision, says it "did not misuse or derive any benefit from downloaded documents from Epic System's user-web portal. TCS plans to defend its position vigorously in appeals to higher courts."
The India-based consultancy adds that it "appreciates the trial judge's announcement from the bench that he is almost certain he will reduce the damages award." TCS says that it "did not misuse or benefit from any of the said information for development of its own hospital management system 'Med Mantra,' which was implemented for a large hospital chain in India in 2009."
Epic says it learned about the alleged inappropriate downloading of documents through an "informant" identified in Epic's amended complaint as a TCS employee who was responsible "for managing all aspects of TCS's contract with Kaiser to provide consulting services and reported directly to TCS executive management."
But why didn't Epic's own internal data security sleuths discover the alleged inappropriate access to intellectual property? That's just one of many questions this fascinating case raises. Others include:
- How might have Epic prevented the credentials of an authorized user - with supposedly limited access - from being used to access and download information that Epic deemed sensitive, as well as irrelevant, to the user's role?
- What steps could Epic have taken to detect that the credentials of an authorized user in the U.S. were being inappropriately shared with unauthorized individuals in India?
- How might have Epic better secured its sensitive documents containing trade secrets? By encrypting the documents? By isolating the documents on a separate network or system? By implementing data loss prevention or other technology that might have stopped the information from flowing outside a perimeter?
These days, the media spotlight is on data breaches that expose individuals' personal information, rather than those that expose intellectual property. Hopefully the Epic System case will call attention to the need to ramp up efforts to protect all information.