Encryption Privacy IT

Recourse For Draconian Encryption Requirements? 555

Posted by kdawson
from the cold-dead-fingers dept.
CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"
  • No. (Score:5, Informative)

    by characterZer0 (138196) on Friday April 30, 2010 @10:06AM (#32044414)

    If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.

  • by qwerty shrdlu (799408) on Friday April 30, 2010 @10:08AM (#32044442)
    Use it for nothing else. They can't mess up your personal machine or lose your data if they don't get their paws on it.
  • Yes and No. (Score:4, Informative)

    by fuzzyfuzzyfungus (1223518) on Friday April 30, 2010 @10:16AM (#32044594) Journal
    IT can't do jack to your computer without your consent. To do so would be criminal. However, IT is under absolutely no obligation to let your computer on their network. And, while they probably can't stop you from pinging the mailserver, they can certainly stop you from logging in from an untrusted machine. Given that (I am quite sure) this process is a gigantic pain in the ass for the IT guys, they have probably been told that stopping you is their job (either under the law, or because the boss will fire them otherwise).

    You are basically at an impasse here. They can't touch your computer without your consent; but you can't touch their network without their consent, and they can make your consent a condition of their consent.

    Your options are basically as follows:
    1) Stop checking email from home/personal machine at work. If this is impractical/untenable, move on to step two.
    2) Request that, if IT wants security and management, they issue you the hardware you need to do your job. If you don't have the clout/there's no chance in hell/you'll be stuck on a Latitude CPi from 1999 if you do that, move on to step 3.
    3) Purchase a "sacrificial" notebook. A netbook or cheap CULV thin-and-light (depending on where you fall on the small size vs. screen size issue) can be had for $400 or less on any given day, depending on which models are on sale. Buy one, set up a restore disk, then let the IT department do its vile work. If their software fucks it up, run the restore and make IT do it again.
  • Re:Make lemonade (Score:3, Informative)

    by causality (777677) on Friday April 30, 2010 @10:17AM (#32044618)

    YOUR employer must buy you equipment that is required to perform YOUR job.

    Correct. That's one big difference between an employee and a contractor.

  • Re:Find a new job (Score:3, Informative)

    by plover (150551) * on Friday April 30, 2010 @10:17AM (#32044622) Homepage Journal

    "Find a new job" may be a curse, not advice.

    If I were a patient in your hospital, and the doctor was using some ultrasound machine or other PC-based diagnostic device, and the damn thing had a virus that caused a misdiagnosis, I'd be right pissed at the person who brought the virus in.

    I know that lots of those machines are still running the manufacturer's originally-shipped OS, because they don't certify every OS hotfix and patch that comes out. I also know that if the thing can email a doctor a copy of the results, the doctors insist that the email works, so a network connection is mandatory. So you could be operating a production system on a completely unprotected environment.

    Bringing in anything at all, whether it be a USB stick or a CD-ROM, could threaten those devices. And with our health care on the line, you want us to defend rules that might help clean up a risky mess?

    Wrong crowd.

  • by Anonymous Coward on Friday April 30, 2010 @10:17AM (#32044624)

    *sigh* First you bitch and moan about how everyone should encrypt everything on their computers and brag about how easy it is to do full-partition encryption and how it's oh so fucking great that there's encryption around to protect you from the sp00ks and boogeymen that dadgum gummint apparently sends after you every day (oooo, scaaaaaaary!).

    And THEN you bitch and moan when someone TELLS you to do full-scale encryption on your computers! You people are never happy, are you? THIS is why nobody takes us seriously! THIS is why we can't have nice things!

  • Yes, Sorta, No (Score:5, Informative)

    by Anonymous Coward on Friday April 30, 2010 @10:19AM (#32044640)

    I manage security for a major hospital system and I am leading the encryption roll out.

    1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.

    2. Notification costs MAJOR dollars plus the PR hit

    3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.

    4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.

    This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)

    Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.

  • by ircmaxell (1117387) on Friday April 30, 2010 @10:20AM (#32044666) Homepage
    This all boils down to misinterpretation of the laws governing medical information (Most importantly HIPPA - Health Insurance Privacy and Protection Act)... They don't need every machine being encrypted. All they need to do is make sure that the medical information is encrypted. And encrypting the hard drive has nothing to do with that. If they are providing you with web mail (something like Outlook Web Access), then what difference in reality does it make if you have your hard drive encrypted? All they need to do is set the headers properly to not allow client side caching. That way, you never have any data on your machine anyway. I don't see any reason that all the hard drives in the facility need to be encrypted. If they wanted to create an encrypted data partition, sure. If they want to encrypt laptops, fine. But why is sensitive data stored on local computers anyway? That should all reside on an encrypted network share (if for nothing else than data backup and compliance reasons). All they are doing is trying to cover their asses so that in case something does happen, they can say "well, but we took steps to try to lock down the data" even if those steps were ancillary and irrelevant to the problem at hand.

    But in your case, there's a clear cut solution. Company policy says you need to only access their information from an encrypted computer. That leaves you with four options.
    • Encrypt your personal computer
    • Get a second computer just for work, and encrypt that
    • Have your employer provide you with a laptop or computer to take home to work with
    • Don't work from home

    Don't forget, no matter how stupid you think the policy is (or it may actually be), it's still your job to abide by them (unless you have the power to change them, which it doesn't seem you do). So either comply, or don't. If you choose not to, realize that you may be let go... It's as simple as that.
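
A check for the "no client side caching" headers mentioned in the comment above, as an added example that is not part of the original post or the thread: it reads a response's Cache-Control header and reports when a browser may still keep a copy of the page. The header sets are constructed samples and the function names are hypothetical.

```python
# Added example: audit response headers for browser-side storage of webmail pages.
# The header sets in SAMPLES are constructed, not captured traffic.

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_response(headers):
    """Return findings; an empty list means the browser is told not to store the body."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return []  # no-store is the only directive that forbids storing
    findings = []
    if not cc:
        findings.append("no Cache-Control: storage is left to browser defaults")
    if "no-cache" in cc:
        findings.append("no-cache forces revalidation but still permits storing")
    if "private" in cc:
        findings.append("private excludes shared caches, not the local browser cache")
    if cc.get("max-age") not in (None, "0"):
        findings.append("max-age=%s lets the browser reuse a stored copy" % cc["max-age"])
    if not cc and h.get("pragma", "").lower() == "no-cache":
        findings.append("Pragma: no-cache is not a defined response directive")
    return findings or ["no-store is missing"]


SAMPLES = {  # constructed header sets for four hypothetical webmail responses
    "inbox": {"Cache-Control": "no-store"},
    "message view": {"Cache-Control": "private, max-age=600"},
    "attachment": {"Pragma": "no-cache"},
    "search": {"Cache-Control": "no-cache"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        problems = audit_response(hdrs)
        print(name, "->", "OK" if not problems else "; ".join(problems))
```
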

  • by jenningsthecat (1525947) on Friday April 30, 2010 @10:24AM (#32044710)

    It's not HIPPA, it's HIPAA, as in "Health Information Portability and Accountability Act".

  • Re:Obvious. (Score:5, Informative)

    by jriding (1076733) on Friday April 30, 2010 @10:35AM (#32044868)

    And what happens when you want to leave the company? Do they get to keep your laptop? or review your laptop for 3 weeks to make sure you are not taking their data with you?

    Never use personal equipment at work. They have every right to fully review your equipment at any time to decide if their data is on your personal equipment.

  • Re:Obvious. (Score:3, Informative)

    by oakgrove (845019) on Friday April 30, 2010 @10:40AM (#32044972)
    If you're on Windows, Truecrypt is an excellent solution. On many Linux distros, encryption is offered out of the box using LUKS [wikipedia.org] which is very transparent and, at least on my netbook, suffers no discernible slowdowns. And for some nice two factor authentication, it can easily be set up to require a usb dongle [mknowles.com.au] in addition to the password before it will boot.
  • Re:Obvious. (Score:4, Informative)

    by Yamata no Orochi (1626135) on Friday April 30, 2010 @10:46AM (#32045060)

    Because the hospital is probably not a standalone company, but rather part of a "Health System" or similar type of organization. They are likely in direct competition with other, nearby hospitals belonging to other regional health systems or organizations. Why wouldn't they have a marketing department?

    To reiterate, I'm speaking from personal industry involvement.

  • Re:Make lemonade (Score:2, Informative)

    by EvilJoker (192907) on Friday April 30, 2010 @10:51AM (#32045156)

    Can you provide a link on that? The IRS is cracking down on such actions, and the requirements for them to be contractors are going to be more than IBM would want. ( http://www.irs.gov/businesses/small/article/0,,id=99921,00.html [irs.gov] )

  • Re:Obvious. (Score:5, Informative)

    by Achromatic1978 (916097) <robert@@@chromablue...net> on Friday April 30, 2010 @10:55AM (#32045222)
    Random pedantry, HIPAA, not HIPPA. That being said, two thumbs up. I'm amazed that anyone's allowed to connect their personal equipment to the network, as someone who writes medical software.
  • Re:Obvious. (Score:3, Informative)

    by mobby_6kl (668092) on Friday April 30, 2010 @11:34AM (#32045836)

    I also bring my own laptop to work on most days, either to take care of some personal stuff during the breaks or the downtime, or to test something work-related which could fuck up the pc or network.

    I think our company does this right. Most locations, as far as I know, have wired ethernet everywhere, and you can only connect the authorized computers there. There are also two wi-fi networks, one is the corporate which requires full authentication with certificates and all that crap, and another guest network, which allows employees (or actual guests, if an employee generates them some credentials) to get on the internet without accessing the corporate LAN.

  • by DragonWriter (970822) on Friday April 30, 2010 @11:41AM (#32045930)

    Many companies/governmental institutions require the consultants to provide their own hardware since they think it's cheaper.

    Many also do it because whether or not someone you pay to do work uses tools you provide or brings their own tools is one of 20 factors specifically identified by the IRS as being used to determine whether a person paid to do work for you is an "employee" for whom you are required to withhold income taxes, pay the employer's share and withhold the employee's share of payroll taxes, etc., or an "independent contractor" to which none of those rules apply. Using the employer's tools is a factor that specifically weighs in favor of finding that the worker is an employee, not an independent contractor.

    Merely calling someone a "consultant" or "contractor" doesn't make the government see them that way, and employers who want someone to legally have "contractor" status generally want to do everything possible to assure that if that status is ever challenged, either by the worker or the government, the employer's position that the worker is a "contractor" is upheld.

  • by c0d3g33k (102699) on Friday April 30, 2010 @11:52AM (#32046110)
    Yes. Quit.
  • Re:Find a new job (Score:3, Informative)

    by plover (150551) * on Friday April 30, 2010 @01:35PM (#32047466) Homepage Journal

    A non-integrated system doesn't mean the equipment isn't sharing the same network infrastructure. Viruses, worms, malware or whatever, they don't restrict themselves to looking for "integrated systems" to infect. They blast their payloads out to any network or subnet address within reach. Vulnerable systems get infected, integrated or not.

    The things I'm talking about are machines that have no apparent medical business being on the network, yet are. I was looking at an ultrasound machine that was still running XP SP1 because that's what the vendor shipped. And it was obviously on the network because the doctor was able to send the images electronically. Why it wasn't adequate to simply drop the printed copies of images into the file folder that was sitting next to him, I don't know.

    Sure, nobody is SUPPOSED to go to the desktop and surf the web from that machine, or read their email from it, but that doesn't mean it's not vulnerable to some other attack like Blaster. Other concerns are that since the machine is portable, and it has had patient information in it, that encryption might prevent someone from harvesting patient names (and whatever other information is associated with the patient and is still on the hard drive.)

    Bottom line: that hospital's infrastructure was fragile, as I suspect most of them are. Sure, mandated encryption is a politician's stupid requirement that probably won't solve many real-world problems. But plugging personal equipment into a weakly secured network is a high risk proposition, one they should immediately cut off.
