Unfortunately for Elena, the laboratory information management system (LIMS) her team used was discontinued by the vendor, Initech. She is a biochemist working in the pathology department, and this software is critical for keeping track of required tests, tests that have already been run, and providing critical notifications of abnormal test results.
Since Initech had discontinued that product, the hospital system issued an RFQ for a replacement and, after a multi-year bidding process, offered the software replacement contract to Initech.
And so IniLab left and was replaced by IniHeal. Gone was the classic terminal interface that everyone had learned to use, and in its place was a “user friendly” GUI – a GUI that hid functionality behind fifteen clicks, had no meaningful keyboard shortcuts, and constantly changed as they pushed updates, making it impossible to adapt .
Also gone is the IniLab scripting language. IniLab’s scripting language was how they put together a workflow for lab processes. You could have fine-grained control over which scripts are associated with which types of tests, and even build custom workflows as one-offs if needed. They had many thousands of lines of code that needed to be ported into IniHeal. The problem is that IniHeal’s approach to scripting was… well, bad.
First, IniHeal does not allow you to write scripts. Instead, it has a pair of “rules” files. The marketing blurb calls them “declarative” and promises they’re an upgrade. In practice, these are huge files containing a set of rules to be evaluated every test and every sample.
But the worst problem with IniHeal is how it lets you handle data. In IniLab, if you want the patient’s age, you can reference the field by name: Patient.age. In IniLab you should use PPPPLL. What is PPPPLL?
PPPPLL stands for “position” and “length”. Instead of referencing the field by Name, you must reference the field by its byte offset and length. So Patient.age could be [091001]. And no, there is no easy way to create constants or variables to hold your PPPPLLs, you just need to know that [091001] is age, and hopefully the input never changes its appearance.
Now, one of the things that Elena noticed while the technicians were on site was that the length of the datetime field was 32 bits and the data was Unix epoch seconds. So she asked one of the senior developers “Hey, is this Year 2038 software safe?”
The developer laughed. – I will be retired by then.
The final insult is that this software is not installed on any of the lab workstations. Instead, they had to use Remote Desktop to access it from within the VM. While the environment was theoretically locked down so that the only program you could run was IniHeal, in practice it was trivially easy to get to the desktop inside the VM.
Curious, Elena stared around. She not only found the installation logs from her lab, but also the installation logs from several other labs. These diaries included various internal and private details, including account passwords. Somehow the log files from the client installations got through their installation media and were deployed at each client site.
Elena reported a potential data breach. The final finding was that the password in question no longer existed, which led the administration to decide “well, that’s not a problem then”.
IniHeal has a tagline about equipping customers with innovative tools, but Elena suggests a new one:
“The Q in IniHeal is for quality.”
[Advertisement]
ProGet has you covered with security and access controls for your NuGet feeds. Find out more.