Computer Ethics

Assignment 12

The Killer Virus

A. Summary of the Facts
Two patients at Doctors Hospital died when a computer virus infected the patient record system, corrupting data regarding the administration of life-critical drugs to the two patients. Police tracked down the origin of the virus to a computer at Midstate University. As a result, the county district attorney is bringing charges against several persons who appear to be linked in the trail of the virus.

The persons ("Defendants") to be included in the indictment are:
1. Kevin Violet, a student at the university, who is alleged to have posted the virus on a class bulletin board system;
2. Kathy Vine, also a student at the university, who is alleged to have activated the virus program onto the Internet;
3. Kirk Voltz, the president of the university;
4. Kyle Vetch, the president of the company, Access Plus, Inc., that provides Internet access for the university; and
5. Karen Veal, the Chief Information Officer for Doctors Hospital.

B. Memo:

You will write a memo analyzing, as to EACH DEFENDANT, whether the Defendant's conduct was ethical/unethical or legal/illegal. You will be applying the following laws and policies to the fact pattern:
· Apply the law of the state of Georgia (see here for the Georgia laws that you are to use; do not do separate legal research).
· Apply the Information Technology Computer Usage Policies and Kennesaw State Telecommunications Policies found at http://www.kennesaw.edu/resources/policy.shtml as the policies for "Midstate University."
· As the policies for “Access Plus, Inc”, apply the following policies: Earthlink Internet Service Agreement, Warranties, and all Usage Policies, available at: http://www.earthlink.net/about/policies/.

F. Closing Arguments

In the class on which this assignment is due, you will be assigned to argue either the criminal prosecution or defense of ONE of the Defendants. If there are more than 10 students in the class, you will be assigned to teams. You may be asked to argue a side that was not the conclusion that you reached, to balance out the presentations. That means that you should be very familiar with all sides of the arguments as to each Defendant. Yes, this requires you to be "quick on your toes". Your arguments should be in the form of a closing argument to a jury. If you are on the prosecution side, you will state which criminal laws you contend that the defendant violated (using the laws and policies linked above) and the factual basis for your rationale (based on facts below). If you are on the defense side, you will respond to the particular laws argued by the "prosecutor".

F. Specific Facts About the Killer Virus

Q: Have there been any complaints against Kyle Vetch's company, Access Plus, before this most recent issue that related to Internet security and viruses, and if so what were they?

A: Yes, Access Plus receives complaints and reports every day from subscribers who believe their computers have been infected with computer viruses and similar types of problems. Access Plus offers to all its e-mail service subscribers virus protection from the server side. It works by scanning all incoming e-mail to its subscribers for viruses. If there is a large-scale virus outbreak, Access Plus can turn the virus scanner on for all customers to make sure that everyone stays protected. When this has been done, customers who already had the virus scanner activated will continue to be protected in the same manner as before. The virus scanner will simply delete messages infected by the specific virus causing the outbreak for customers who did not have the virus scanner activated. These users will not receive an administrative message that this has been done. Once the outbreak is over, the virus scanner options will revert to their original settings. The virus scanner does not scan out-going e-mail. Access Plus advises its e-mail subscribers to use another virus protection software on their personal computers.

Q: What kind of educational degree does Kyle Vetch have?

A:  Kyle Vetch has an undergraduate degree from the University of Georgia in business administration (with a major in finance) and an Executive MBA from Emory University.

Q: What were the circumstances of how and why Kevin Violet posted a virus to a Midstate college class bulletin board? In other words, was creating a virus part of a required activity for the class, was it a deliberate act for purposes of fun or harm, or was the virus unknowingly embedded in a document that was attached to Kevin’s post?

A: Kevin Violet has declined to answer any questions, based on his First Amendment right not to incriminate himself. The college class bulletin board was sponsored and maintained by Kevin’s professor, who has testified that at the time of the incident, the class was studying computer viruses related to an upper level IT class on computer security. The bulletin board was available to students in the class to post questions and arrange for study groups. The professor usually reviewed the postings to the bulletin board twice per week, in the morning, on the days he taught the class. The computer virus was apparently posted sometime between Saturday and Sunday, neither of which were days on which the professor taught the class. The records of the IT department for the university show that a computer file was posted that contained the virus that infected the hospital system on the day before the deaths at the hospital. The computer file was posted by someone with the login and password of Kevin Violet. Although no one remembers specifically seeing Kevin in the lab at the time the computer file was posted, Kevin has signed into the computer lab at the university during that time.

Q. How was the virus designed or reported to release its payload and propagate itself?

A: The virus appears to be a variant in the family of the W32.Sober.l@mm mass-mailing worm. For details, see: http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html. The virus, once in the computer network at Doctors Hospital, downloaded a remote file that corrupted the patient data (we do not have the details on how this remote file worked).

Q: Was there any kind of safeguard in place to protect the integrity of the hospital's computers and computer networks either through hardware/software firewalls, antivirus software, or any other kind of intrusion detection/security system?

A. At the time of the incident, the IT department did have a firewall in place and used commercially-available virus protection software. The IT department checks for new virus definitions every day at 3:00 am.  There was no virus definition available through their vendor for the virus at issue at 3:00 am on the morning before the patients’ deaths.  However, there were other vendors that did release a virus definition for the W32.Sober.l@mm worm prior to the patients’ deaths. The IT Department of Doctors Hospital does have a security policy that has been in place for about 8 years. It appoints the IT Director in charge of IT security. The policy states that the IT department will have in place security measures for preventing unauthorized access to its computer systems, including fire walls. It also requires the IT department to maintain virus protection software on the firewall. The IT department has been undertaking an update to its IT security policies, but the results were still in draft form at the time of the alleged “incidents”.  The IT Security Policy requires all newly hired employees to read the “Acceptable User Policy” that reminds the employee about not using his/her computer for anything other than business purposes, not to load unauthorized software, and not to allow any unauthorized person to have access to his/her computer or account.

Q: How did Kathy Vine gain access to the Bulletin Board and consequentially activate the file on the internet?

A: Kathy Vine has not given any testimony (pleading her rights under the 5th Amendment). All of the other students (other than Kevin Violet) and the professor in the class have provided statements. One of the students in the class, Kelly Village, a friend of Kathy Vine, has admitted to telling Kathy what his password and login were to the class bulletin board, because she was interested in taking the class the next year and wanted to see what the class was about. None of the other students or professor know Kathy Vine and none (other than Kelly) said that they disclosed their passwords and logins to anyone else. The other students and professor also each stated that they did not click on any executable file posted by Kevin on the bulletin board. Kathy Vine was observed to be in one of the University computer labs, using a computer in the lab, around the time the virus appeared to be launched. 

Q. Explain how the virus was spread through the hospital? For example, did Kathy Vine know someone at the hospital? (This is meant to be one question, we're just clarifying the question.)

A. The virus appeared to enter the hospital’s system through a pc running Windows NT that was connected to the Internet and was also on the network that connected to the servers hosting the patient record database system.

Q. Has either Kevin Violet or Kathy Vine ever been in trouble with Midstate in regards to the university's telecommunications policies, and if so what was the problem?

A. No.

Q. What measures does the university have in detecting and dealing with viruses on their network?

A. Once per year, Kirk Voltz receives an annual report from the CIO of the University that contains a summary of activities in the IT Department and the proposed budget for the next school year.  The Trustees of the University have directed Voltz to obtain a security audit by an outside firm on the security of the administrative computer systems (including the payroll and student records) every 2 years. The first one was obtained in 2000. Voltz delegates the task of obtaining the audit to the CIO.  The outside audit reports on measures taken by the IT department to protect against viruses.  Voltz reviews the Executive Summary of the report, but does not review the detailed report (his background is in education, not IT).  The last report, obtained in 2004, reflected that the University IT department did use commercially-available virus protection software to screen all incoming email.  The audit report did reflect that because of the nature of student labs, websites maintained by students and faculty, and the nature of college students, that there is some difficulty in filtering all transmissions that come in and out of the University network, despite the fact that the University had a fairly rigorous acceptable use policy.

Q. What steps for security had Karen Veal implemented prior to the infection (i.e. did she implement any steps to restrict access to certain files via the restriction of administrative privileges)?

A. For HIPAA compliance, all pc's and other computers in the hospital are password protected and the databases with the patient records have different levels of authority. After the incident at issue, however, the security audit firm found that several of the personal computers that are routinely used to access the patient record databases can be connected to the Internet at the same time that the patient record is open.
 
Q. Had Karen Veal conducted any training sessions with users of the patient records system and/or pc usage on how to detect and update computers possibly infected with a virus?  If so, how long prior to the patient's death did this training occur?

A. Karen Veal has not trained any of the medical care providers that use the patient record systems as to the detection and treatment of computer viruses. The IT staff has three personnel assigned to dealing with network security, particularly from a HIPAA compliance standpoint.

Q. Please explain Kathy Vine's relationship to Kevin Violet.

A. None other than they are both students at Midstate University.

Q.  As Chief Information Officer, does Karen Veal have specific job duties that are in writing?  If so, did she sign the document when hired and what is specified for managing the patient record  system and for providing network security?

A. Karen Veal was promoted to the newly created position of Chief Information Officer 11 years ago. At the time she was hired, the job description was as follows: "Establishes and directs the strategic long term goals, policies and procedures for an information technology department. Determines an organization's long-term systems needs and hardware acquisitions to accomplish the organization's business objectives. Requires a bachelor's degree and may be expected to have an advanced degree in a related area with at least 10 years of experience in the information technology field. Generally manages middle managers/directors. Relies on experience and judgment to plan and accomplish goals. Typically reports to a CEO or COO." She has been too busy since then to re-write or update her job description.

Q. Did Kirk Voltz know about the incident that caused the data corruption, what did he do, and how will he prevent future problems before they arise?

A. [This will be counted as two questions and the second question will be disallowed under rules of evidence.] Kirk Voltz learned about the incident when police began an investigation and sent two detectives into the office of his CIO. Voltz had delegated to the IT department headed up by the CIO the responsibility for establishment and maintenance of the computer network systems for the university.  When the CIO advised him of the visit from the detectives, he requested that the head of campus security launch an internal security investigation immediately. The CIO has testified that the IT department had put in an anti-virus software and firewall onto the University servers that would screen emails coming in from the Internet.

Q. Did Kirk Voltz establish IT policies to ensure that academic activities performed on University computers that might be harmful are contained or quarantined so not to cause accidental damage to other people or systems? (I did not see anything like this in KSU's policies).

A. Go to "Information Technology Computer Usage Policies" available at http://its.kennesaw.edu/its_policies.htm.

Q. Did Kirk Voltz inform all of the students of the University's IT policies?

A. No. Kirk Voltz did not personally inform all the students of the University's IT policies. Under the direction of the CIO of the University, the Web Master posts the policy on the University Web site. Each student is issued an e-mail address on the University server in the first week of their enrollment as a student when they are freshmen; before the e-mail is issued, the student must sign an acknowledgement that he/she has read the University's IT policy.

Q. Was it within class rules/policy for Kevin to have knowingly posted malicious/dangerous code/executables on the class bulletin board?

A. See response to similar question above. See the Midstate University policy regarding policies on acceptable use.

Q. “The records of the IT department for the university show that a computer file was posted that contained the virus that infected the hospital system on the day before the deaths at the hospital. The computer file was posted by someone with the login and password of Kevin Violet.” I am working under the assumption that there is a difference between the actual posting of the code, and the actual activating of the code...so posting the code only makes it available for people to read, and activating the code means that you took the code and executed it. The line that says “the computer file was posted that contained the virus that infected the hospital system...” is confusing me because in order to infect the hospital system, it has to be executed or activated...not posted. Am I off track?

A. The code was apparently posted to the class bulletin board and after some period of time activated and released onto the Internet.

Q. Did Kevin Violet target a particular group of businesses or was the virus generally sent to every unprotected business computer system?

A. Mr. Violet has not testified (under his Fifth Amendment rights), so the evidence is not clear as to whether Mr. Violet had any intention to target any person or business. See responses above as to how the virus was posted and released.

Q. Is there any proof that the virus in question actually changed any of the patient records or is it possible that the deaths occurred because of human error either at the data entry stage (when they first entered the drug/patient information) or when they pulled the drugs to be given (i.e. they accidentally pulled a larger dose than was needed or pulled the wrong drug)?

A.  The nurses that administered the drugs to the patients who died both testified that they administered the dosages for the drugs that were based on the electronic patient record. The hospital's investigation committee found that the electronic patient records for these patients did, in fact, reflect the lethal dosages that were apparently administered based on erroneous data contained in the electronic record. The data regarding the administration of life-critical drugs is maintained in two places: a) the doctor prescribes dosages and timing into the electronic record system (which links up to the pharmacy); then the health-care provider (e.g. nurse, doctor) writes in the dosages actually administered into the paper chart that is clipped to a clip-board at the foot of the patient’s bed; and b) the health-care provider then enters the data into the electronic patient record system through a couple of means: hand-held device that is synced up manually or at the nurses’ station computer.  The paper and electronic records for the fatal dosages (as administered by and entered by the nurses) match. The paper and electronic records for the prior dosages (as administered by nurses on prior shifts) do not match.

Q. Were there only two patient records affected in this incident or did the hospital discover other record changes after these two patients died?

A. The hospital investigation did not find any other records affected by this incident, but there was no way to be sure that other records were not corrupted. The corruption that affected the patient records at issue did not render the entire patient record useless, rather, only the drug administration field was affected.

Q. How is the IT Security class bulletin board system maintained regarding authorization (i.e., can only current students and teaching staff gain access) and authentication (i.e., generic or unique passwords)?

A. Only students registered for the class were issued unique logins and initial passwords (which they were prompted to change upon the first login) by the Professor.

Q. How exactly was the virus activated? Meaning, was the file posted strictly an executable file?

A. The name of the file that was apparently the source of the virus on the class bulletin board was “studyguide1.zip”. Once unzipped, the package contained the executable file for the virus.   The name of the file that was attached to the email that is believed to be the source of the virus from the University system is “im_shocked.com”.

Q. Did the university's anti-virus software discover the virus between the time it was posted and the time it was activated or after?

A. The university's anti-virus software did not discover the virus between the time it was posted and the time it was activated. Nor did it detect the virus after it was launched until it was received within an hour by some of the email addresses served by the university (when the anti-virus software screens incoming mail only).

Q. What is Kevin Violet's computer background? To be more specific programming, work experience background?

A. Kevin is a senior in the CS/IS department at Midstate University. His college transcript reflects that he has taken a substantial number of the courses required to earn a B.S. degree with a major in computer science. He has a B average. Kevin Violet’s job history reflects the following:

  • Summer of Freshman and Sophomore Year – Onondaga Golf and Country Club, Pool Staff. Job duties included cooking hamburgers, French fries, and making milkshakes, putting out towels, and monitoring restrooms.
  • Summer of Junior Year – Tech Corps, unpaid internship with a nonprofit. Job duties included building training lab networks for nonprofit in community centers in 3 cities outside Atlanta, Georgia. These networks were connected to the Internet to create a virtual private network with the main network located at the administrative offices in Atlanta.

Q. What service was provided for by Access Plus, Inc. to the Midstate University? Just to clarify, "service", as an Internet Provider, an Internet Provider and Email Service Provider, or just as an Email Service Provider.

A. Access Plus provides Internet access for Midstate University. The university operates its own e-mail servers.

Q. To what extent was the University's acknowledgement of Access Plus, Inc.'s policy regarding its services provided?

A. In 1999, one of the employees in the IT department of the University ordered high speed Internet access (via several T1's) through Access Plus. At the time, no one at the University signed a contract; however, Access Plus did maintain the Internet Service Agreement on its Web site (in much the same form as at http://www.earthlink.net/about/policies/isa/) and a Service Level Agreement in the form as at: http://www.earthlink.net/about/policies/extdsl_sla/. Since that time, Access Plus has sent a monthly invoice for the service which Midstate University pays on time. Since 1999, Midstate University, through one of the employees in the IT department, has increased its access to ten T3 lines. The invoice that Access Plus sends each month contains messages at the bottom which include a reference to the Internet Service Agreement and SLA Web site links.

Q. Why are Kyle Vetch and Access Plus, Inc. the only ISP being charged with this alleged crime? I am assuming that the hospital has an ISP also, otherwise, they could not receive email or connect to the Internet.

A. The prosecution will not disclose why it has not chosen to prosecute any other ISPs in the "chain of possession" of the viruses.

Last updated: August 9, 2007. Computer Ethics is a course taught in the CS/IS Department at Kennesaw State University, Kennesaw, Georgia. Opinions expressed on this Web site are those of the author, Ann K. Moceyunas. Certain Portions Copyright © 1996 -2007 Moceyunas P.C. All rights reserved. Have Questions? Contact Ann Moceyunas at ann@moceyunas.com.