Recourse For Draconian Encryption Requirements? 555
CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"
No. (Score:5, Informative)
If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.
Buy a cheap (second hand?) notebook (Score:2, Informative)
Yes and No. (Score:4, Informative)
You are basically at an impasse here. They can't touch your computer without your consent; but you can't touch their network without their consent, and they can make your consent a condition of their consent.
Your options are basically as follows:
1)Stop checking email from home/personal machine at work. If this is impractical/untenable, move on to step two.
2)Request that, if IT wants security and management, they issue you the hardware you need to do your job. If you don't have the clout/there's no chance in hell/you'll be stuck on a Latitude CPi from 1999 if you do that, move on to step 3.
3)Purchase a "sacrificial" notebook. A netbook or cheap CULV thin-and-light(depending on where you fall on the small size vs. screen size issue) can be had for $400 or less on any given day, depending on which models are on sale. Buy one, set up a restore disk, then let the IT department do its vile work. If their software fucks it up, run the restore and make IT do it again.
Re:Make lemonade (Score:3, Informative)
YOUR employer must buy you equipment that is required to perform YOUR job.
Correct. That's one big difference between an employee and a contractor.
Re:Find a new job (Score:3, Informative)
"Find a new job" may be a curse, not advice.
If I were a patient in your hospital, and the doctor was using some ultrasound machine or other PC-based diagnostic device, and the damn thing had a virus that caused a misdiagnosis, I'd be right pissed at the person who brought the virus in.
I know that lots of those machines are still running the manufacturer's originally-shipped OS, because they don't certify every OS hotfix and patch that comes out. I also know that if the thing can email a doctor a copy of the results, the doctors insist that the email works, so a network connection is mandatory. So you could be operating a production system on a completely unprotected environment.
Bringing in anything at all, whether it be a USB stick or a CD-ROM, could threaten those devices. And with our health care on the line, you want us to defend rules that might help clean up a risky mess?
Wrong crowd.
Typical unpleaseable geekdom (Score:3, Informative)
*sigh* First you bitch and moan about how everyone should encrypt everything on their computers and brag about how easy it is to do full-partition encryption and how it's oh so fucking great that there's encryption around to protect you from the sp00ks and boogeymen that dadgum gummint apparently sends after you every day (oooo, scaaaaaaary!).
And THEN you bitch and moan when someone TELLS you to do full-scale encryption on your computers! You people are never happy, are you? THIS is why nobody takes us seriously! THIS is why we can't have nice things!
Yes, Sorta, No (Score:5, Informative)
I manage security for a major hospital system and I am leading the encryption roll out.
1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.
2. Notification costs MAJOR dollars plus the PR hit
3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.
4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.
This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)
Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.
Yay for misinterpretation! (Score:4, Informative)
But in your case, there's a clear cut solution. Company policy says you need to only access their information from an encrypted computer. That leaves you with four options.
Don't forget, no matter how stupid you think the policy is (or it may actually be), it's still your job to abide by them (unless you have the power to change them, which it doesn't seem you do). So either comply, or don't. If you chose not to, realize that you may be let go... It's as simple as that.
Re:Separate work and home (Score:2, Informative)
It's not HIPPA, it's HIPAA, as in "Health Information Portability and Accountability Act".
Re:Obvious. (Score:5, Informative)
And what happens when you want to leave the company? Do they get to keep your laptop? or review your laptop for 3 weeks to make sure you are not taking their data with you?
Never use personal equipment at work. They have every right to fully review your equipment at any time to decide if their data is on your person equipment.
Re:Obvious. (Score:3, Informative)
Re:Obvious. (Score:4, Informative)
Because the hospital is probably not a standalone company, but rather part of a "Health System" or similar type of organization. They are likely in direct competition with other, nearby hospitals belonging to other regional health systems or organizations. Why wouldn't they have a marketing department?
To reiterate, I'm speaking from personal industry involvement.
Re:Make lemonade (Score:2, Informative)
Can you provide a link on that? The IRS is cracking down on such actions, and the requirements for them to be contractors are going to be more than IBM would want. ( http://www.irs.gov/businesses/small/article/0,,id=99921,00.html [irs.gov] )
Re:Obvious. (Score:5, Informative)
Re:Obvious. (Score:3, Informative)
I also bring my own laptop to work on most days, either to take care of some personal stuff during the breaks or the downtime, or to test something work-related which could fuck up the pc or network.
I think our company does this right. Most locations, as far as I know, have wired ethernet everywhere, and you can only connect the authorized computers there. There are also two wi-fi networks, one is the corporate which requires full authentication with certificates and all that crap, and another guest network, which allows employees (or actual guests, if an employee generates them some credentials) to get on the internet without accessing the corporate LAN.
Why consultants have to use their own tools (Score:4, Informative)
Many also do it because whether or not someone you pay to do work uses tools you provide or brings their own tools is one of 20 factors specifically identified by the IRS as being used to determine whether a person paid to do work for you is an "employee" for whom you are required to withhold income taxes, pay the employer's share and withhold the employee's share of payroll taxes, etc., or an "independent contractor" to which none of those rules apply. Using the employers tools is a factor that specifically weighs in favor of finding that the worker is an employee, not an independent contractor.
Merely calling someone a "consultant" or "contractor" doesn't make the government see them that way, and employers who want someone to legally have "contractor" status generally want to do everything possible to assure that if that status is ever challenged, either by the worker or the government, the employers position that the worker is a "contractor" is upheld.
Do I have any recourse (Score:3, Informative)
Re:Make lemonade (Score:3, Informative)
link: http://slashdot.org/submission/1224936/IBM-may-outsource-34-of-its-permanent-workforce [slashdot.org]
Re:Find a new job (Score:3, Informative)
A non-integrated system doesn't mean the equipment isn't sharing the same network infrastructure. Viruses, worms, malware or whatever, they don't restrict themselves to looking for "integrated systems" to infect. They blast their payloads out to any network or subnet address within reach. Vulnerable systems get infected, integrated or not.
The things I'm talking about are machines that have no apparent medical business being on the network, yet are. I was looking at an ultrasound machine that was still running XP SP1 because that's what the vendor shipped. And it was obviously on the network because the doctor was able to send the images electronically. Why it wasn't adequate to simply drop the printed copies of images into the file folder that was sitting next to him, I don't know.
Sure, nobody is SUPPOSED to go to the desktop and surf the web from that machine, or read their email from it, but that doesn't mean it's not vulnerable to some other attack like Blaster. Other concerns are that since the machine is portable, and it has had patient information in it, that encryption might prevent someone from harvesting patient names (and whatever other information is associated with the patient and is still on the hard drive.)
Bottom line: that hospital's infrastructure was fragile, as I suspect most of them are. Sure, mandated encryption is a politician's stupid requirement that probably won't solve many real-world problems. But plugging personal equipment into a weakly secured network is a high risk proposition, one they should immediately cut off.