
Recourse For Draconian Encryption Requirements?

Posted by kdawson
from the cold-dead-fingers dept.
CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"


  • Obvious. (Score:5, Insightful)

    by Yamata no Orochi (1626135) on Friday April 30, 2010 @10:05AM (#32044392)

    Er. As part of the IT staff at a hospital, I can tell you they certainly can't touch your machine if you don't want them to. But they don't have to let you touch their network with your machine if you won't submit to their requirements. That's that.

  • Make lemonade (Score:5, Insightful)

    by smallfries (601545) on Friday April 30, 2010 @10:06AM (#32044396) Homepage

    Stop reading work email at home. Problem solved, and it turns out that it is actually a blessing in disguise.

  • Re:Obvious. (Score:5, Insightful)

    by xaxa (988988) on Friday April 30, 2010 @10:06AM (#32044398)

    So it's easy: either they provide you with a computer to use at home, or you stop checking your email at home.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Friday April 30, 2010 @10:06AM (#32044400) Homepage Journal

    Just stop. If you need a portable machine that will be repeatedly connected to their network, make them assign you one. Alternately, ask them to sign a form claiming responsibility for any problem with your laptop, promising to pay for data recovery services should their software cause you some problem with your data, et cetera. But if I were them, I'd tell you to fuck off.

    You provided no argument as to why you should need to bring your own machine to work, so this is by far the most rational solution.

  • by Tim C (15259) on Friday April 30, 2010 @10:06AM (#32044404)

    But be aware that it's their network, and expect them to refuse to allow you to connect to it.

    The real solution is that if you need a machine for your job, they should be providing it to you. If you do not, then leave it at home.

  • Just say no. (Score:4, Insightful)

    by gus goose (306978) on Friday April 30, 2010 @10:07AM (#32044420) Journal

    If they insist on your home machine being encrypted, then tell them either:
    1. They must supply the machine, and it's theirs, and you'll only use it for work.
    2. refuse to do any work at home.

    gus

  • Get an old machine (Score:5, Insightful)

    by Angst Badger (8636) on Friday April 30, 2010 @10:07AM (#32044428)

    Considering that decent used laptops -- adequate for checking mail and browsing the web, anyway -- can be had for about a hundred bucks, I'd just buy one off eBay or Craigslist and use that for work purposes. For a little more, you could always pick up a netbook or a bottom-of-the-line laptop new.

  • by ageoffri (723674) on Friday April 30, 2010 @10:07AM (#32044434)
    If you don't want to follow security standards then don't check your email from your personal machine. If they make it a requirement that you be able to respond to email outside of the physical location then require a laptop. I really doubt you have any legal recourse, especially since HIPAA and PII data have so many additional requirements around them.
  • by Slashdot Parent (995749) on Friday April 30, 2010 @10:07AM (#32044436)

    Why do you need to use your personal computer equipment to do your job? Your employer should be supplying everything you need to do your job.

    If you need a computer at work, your employer should supply it.

    If you need to check email from home, your employer should supply you with a blackberry.

    This isn't rocket surgery.

  • Re:Obvious. (Score:5, Insightful)

    by Daengbo (523424) <daengbo@nOsPAm.gmail.com> on Friday April 30, 2010 @10:08AM (#32044456) Homepage Journal

    Their network, their rules. Stop taking your personal machine, and require them to supply you with one to do your job. Stop accessing the network after work. They cannot force you to install something on your computer, so they can't force you to connect after hours from home.

    Oh, yeah, and start looking for a new job. This stance will make your life easier, but you'll never get promoted.

  • by Nursie (632944) on Friday April 30, 2010 @10:08AM (#32044460)

    It's that simple.

    Any business would be mad to let sensitive data (especially medical) get onto employee's home machines. And bringing personal machines to work and hooking them up the network?

    You're a walking, talking, security nightmare. Your IT staff should be fired for not being harsh enough. NO personal laptops on the network. NO accessing email from home machines.

  • by DiSKiLLeR (17651) on Friday April 30, 2010 @10:09AM (#32044464) Homepage Journal

    It's their network, their policy... be lucky you are even ALLOWED to connect your own personal laptop to their network; that is strictly forbidden for security reasons in most places.

    If you don't want them to install that software on your personal machine, don't bring it in or don't connect it to their network and use 3G or something.

    As soon as you connect to their network you must abide by their rules.

    Simple as that, really.

    (I'm a Network Administrator IRL.)

  • Re:Make lemonade (Score:5, Insightful)

    by Aceticon (140883) on Friday April 30, 2010 @10:09AM (#32044480)

    Except when responding to email within time period X is part of your job requirements.

    As somebody pointed out above, at that point your employer has to provide you with the equipment to do so.

  • Re:Make lemonade (Score:5, Insightful)

    by Mal-2 (675116) on Friday April 30, 2010 @10:10AM (#32044482) Homepage Journal

    Except when responding to email within time period X is part of your job requirements.

    In this case it is the obligation of the employer to provide you with the equipment to do so.

    Mal-2

  • Honestly... (Score:4, Insightful)

    by ProdigyPuNk (614140) on Friday April 30, 2010 @10:10AM (#32044500) Journal
    This is one of those "damned if you do, damned if you don't" situations. The hospital is just trying to stay in compliance with HIPAA and the various personal non-public information regulations. Their solution DOES seem a little overboard, but this is what happens when people continually lose laptops/usb drives/etc that contain sensitive information. While this might be a little hard for the hospital's employees to get used to, it's really a win for us normal folk (assuming it's all properly executed, which is a big assumption).

    As far as legal recourse, IANAL but I don't think you really have one. While I get the whole "You're not touching my computer" bit, why don't you just use the computers provided ? Hell, even at the community college I go to, I have to install some software just to connect to their network. Same with some of the other corporations that friends and family work for. In the end, if you weasel your way around the restrictions and then lose your laptop, have it stolen, whatever - you'll really be on the hook.
  • by Lonewolf666 (259450) on Friday April 30, 2010 @10:10AM (#32044502)

    Unless there are very good reasons that were not in TFA, my response would be:

    1) My personal computer will stay at home from now on
    2) The IT department does not install anything on my personal computer.
    3) I won't check my (work) email from my home anymore. Anyone who wants to contact me can use a phone (and better have a damn good reason if it happens at 2 a.m. in the night).


  • Obvious solution. (Score:1, Insightful)

    by Anonymous Coward on Friday April 30, 2010 @10:10AM (#32044504)

    Don't use your personal system for work. Fact of the matter is, your workplace shouldn't allow personal machines in their network to begin with. If you so desperately want to use your own system, then be prepared for some demands for security and safety from their side, duh. If you need to work from home, they should supply you with a system or at the very least contribute to one. That's how it's usually done.

  • by Jer (18391) on Friday April 30, 2010 @10:11AM (#32044514) Homepage

    This. Without an argument for why your personal machine should be on a sensitive network we can't help you.

    I'm slightly disturbed that there's a hospital out there that apparently allows employees unfettered access to their network from their personal machines, actually.

  • Pretty simple (Score:5, Insightful)

    by Paul Carver (4555) on Friday April 30, 2010 @10:13AM (#32044548)

    The solution is pretty simple. Don't use personal computers for business use.

    If I'm a patient at your hospital I'm barely comfortable relying on the hospital's IT department to keep my medical information secure. I certainly don't want to rely on a myriad of clueless doctors, nurses, and miscellaneous technicians and administrators all maintaining or failing to maintain their own home computers.

    I hope that if my medical information is leaked through any hospital employee's personal computer that I will be able to sue them for millions. It's just irresponsible to leave the handling of sensitive data to the random computer skills of people who are mostly employed for their non-computer skills.

    I hope that most hospital employees are skilled in medical fields but I don't expect them to be particularly skilled with computers or to really care that much about computer security. I expect the hospital's IT department to be extremely vigilant about computer security so that the medical personnel can focus on healing patients.


  • Re:Obvious. (Score:5, Insightful)

    by tom17 (659054) on Friday April 30, 2010 @10:15AM (#32044578) Homepage
    this
    Too many people feel the need to take their jobs home with them. If it's a job necessity for you to do so then the company has to supply the means to do it.

    Tom...
  • Re:Make lemonade (Score:4, Insightful)

    by TheMeuge (645043) on Friday April 30, 2010 @10:17AM (#32044616)

    We live in a country where some cities are topping 20% unemployment, much of it middle-class white-collar jobs.

    Employers don't HAVE TO do anything now, because they can yawn, pick up the phone, and replace you in 24 hours with someone who doesn't mind dropping $2k to buy a shitty computer from the company's approved supplier to check work email at home, because they want to eat sometime this week.

  • Re:Make lemonade (Score:4, Insightful)

    by John Hasler (414242) on Friday April 30, 2010 @10:19AM (#32044648) Homepage

    > What universe do you live in?

    One where involuntary servitude is illegal. He doesn't have to continue working there.

  • Simple solution (Score:4, Insightful)

    by idontgno (624372) on Friday April 30, 2010 @10:21AM (#32044674) Journal

    Keep your personal machine off the Hospital network.

    The only really sane policy: if it's on the Hospital network, it conforms to IT security guidance. Period.

    I'm assuming you're in the U.S. "Exuberant" is an apt description of HIPAA [wikipedia.org] data infrastructure guidance, but it's still the law of the land. I don't want my patient information accidentally sneaking out on your laptop's unencrypted hard drive.

    If you must conduct personal internet business at work and don't want to convert your personal computer into a personally-owned company-configured machine, bypass the hospital net with a 3g dongle and your own data plan.

  • by Anonymous Coward on Friday April 30, 2010 @10:23AM (#32044692)

    Maybe I'm missing something here, but you can talk all day about security, but allowing employees to connect PCs they bring from home shatters any hope of a secure network. I've never worked somewhere that would allow this, and these were just standard corporate networks. We've always had "guest" wireless networks that routed to the Internet only, but never would we be allowed to physically connect home computers. That's just a horrible idea.

  • Re:Obvious. (Score:5, Insightful)

    by klubar (591384) on Friday April 30, 2010 @10:23AM (#32044706) Homepage
    I have to agree with your employer on this one.

    Disallowing private machines on the network is good IT practice. Employers should not allow any unapproved (and non-employer-supplied) device to connect to their networks or machines (and this should include all USB devices like cameras, MP3 players, headsets). If you need it for your job, your employer should supply and support it.

    Most concerned and responsible organizations use strong measures to authenticate machines before they are allowed to connect to the corporate network. (They might allow guest machines in firewalled zones for visitor/guest convenience.) I have to say that your employer's policy of no foreign machines on the network is quite reasonable. As for checking your mail remotely, there are some secure solutions for Exchange that enforce secure authentication and encryption for remote access via a web browser.

    You might suggest that your employer supply smart phones like the Blackberry that can be used for secure email access and can be remotely monitored and wiped if compromised. (POTUS has a BB that passed the security screen.) I wouldn't be surprised if your employer restricts these devices to only business use (as it is their money that is paying for them.)
  • Standard Policy (Score:5, Insightful)

    by mseeger (40923) on Friday April 30, 2010 @10:25AM (#32044722)

    Hi,

    IMHO a private PC has nothing to do inside any enterprise (>1.000 PCs) network. If a PC of an employee/consultant/customer is used, he is placed in a special DMZ. From there he can connect (e.g. by SSL-VPN) to the company network. He has only access to certain resources. The access to the resources may vary with "type of authentication", "security level of the PC", etc. Certain actions (e.g. transfer of files) are only allowed through clearing points.

    Installing any kind of endpoint security (disk encryption, desktop firewall) on a private PC by an enterprise is a recipe for disaster. I have been doing endpoint security concepts and projects for several years now. An exact inventory of OS, hardware, software installed, etc. is an absolute key element for such a project to succeed. If you use a "this software works for all platforms" approach, the support effort will usually kill you ten times over. Even the best software (Check Point FDE for enterprises, Truecrypt for private users) has many dependencies: the virus scanner may prevent the boot sector from being written, the keyboard may not be recognised correctly by the preboot auth code, certain boot loaders may not be interoperable with the product of choice, or you just may be unlucky.

    It is probably cheaper for an enterprise to give a workplace (e.g. thin client, SunRay or cheap notebook) to an employee (even a temp) than trying to fix his security for or against him.

    Sincerely yours, Martin

    P.S. This is a very, very short summary.... A complete account of experiences and ideas would require days to type. When a customer wants an introduction into the topic, I usually start with a 2-4 hour presentation.
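    The DMZ model in the comment above (a non-corporate PC never joins the LAN directly; what it may reach depends on how it authenticated and on the machine's security state) can be expressed as a small posture-tiered access policy. The following is an added example written for this page, not code from the thread or from any product it names; the tier names, posture fields and sample devices are assumptions constructed for illustration.

```python
"""Posture-tiered access decision for a non-corporate PC landing in a DMZ.

Added example (not code from the Slashdot thread or any product it names).
An outside PC lands in a DMZ and the resources it may reach depend on how
it authenticated and on the security state of the machine.  All field
names, tiers and the sample devices below are assumptions constructed for
this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthStrength(IntEnum):
    NONE = 0
    PASSWORD = 1          # username + password only
    MFA = 2               # password plus a second factor
    CERT_MFA = 3          # device certificate plus a second factor


@dataclass(frozen=True)
class Posture:
    managed: bool            # enterprise-owned and centrally administered
    disk_encrypted: bool     # full-disk encryption verified by an endpoint agent
    av_up_to_date: bool
    patched: bool
    auth: AuthStrength


# Resource tiers, from least to most sensitive.  A device is granted every
# tier up to the first one whose requirements it fails; the rest are denied.
TIERS = [
    ("internet_only", lambda p: True),
    ("webmail", lambda p: p.auth >= AuthStrength.MFA),
    ("remote_desktop", lambda p: p.auth >= AuthStrength.MFA
                                  and p.av_up_to_date and p.patched),
    ("file_transfer", lambda p: p.managed and p.disk_encrypted
                                  and p.auth >= AuthStrength.CERT_MFA
                                  and p.av_up_to_date and p.patched),
]


def allowed_resources(posture: Posture) -> list[str]:
    """Return the resource tiers the device may reach, lowest first.

    Tiers are cumulative: failing a tier also denies every tier above it,
    so a patched-but-unencrypted personal laptop never reaches
    file_transfer even though that is the only tier checking encryption.
    """
    granted = []
    for name, ok in TIERS:
        if not ok(posture):
            break
        granted.append(name)
    return granted


def highest_tier(posture: Posture) -> str:
    """The most sensitive tier granted (always at least internet_only)."""
    return allowed_resources(posture)[-1]


# Constructed sample devices (assumptions, not real inventory).
PERSONAL_LAPTOP_PASSWORD = Posture(False, False, True, True, AuthStrength.PASSWORD)
PERSONAL_LAPTOP_MFA = Posture(False, False, True, True, AuthStrength.MFA)
CORPORATE_LAPTOP = Posture(True, True, True, True, AuthStrength.CERT_MFA)
CORPORATE_LAPTOP_STALE_AV = Posture(True, True, False, True, AuthStrength.CERT_MFA)

if __name__ == "__main__":
    for label, dev in [("personal/password", PERSONAL_LAPTOP_PASSWORD),
                       ("personal/MFA", PERSONAL_LAPTOP_MFA),
                       ("corporate", CORPORATE_LAPTOP),
                       ("corporate/stale AV", CORPORATE_LAPTOP_STALE_AV)]:
        print(f"{label:20s} -> {allowed_resources(dev)}")
```

    The cumulative `break` is the design point: a personal laptop with strong authentication still stops at remote desktop (screen only, no data at rest), and a corporate machine whose antivirus has lapsed drops back to webmail until it is remediated, which is the "clearing point" idea without ever handing an unmanaged disk the data.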

  • by mprinkey (1434) on Friday April 30, 2010 @10:27AM (#32044752)

    I second this. We have a secured LAN with several large Linux clusters and a few dozen workstations, also mostly Linux. Some of the users have been issued laptops running Windows (over our objection). We secured them and regularly update antivirus and firewall software, but since the users need admin access (over our objections), they still carry viruses and other malware on site. It is not a constant problem, but it is a persistent one. We were considering building a DMZ for all laptop users to limit the amount of damage an infected system can do to the rest of the LAN.

    Honestly, there is no way to allow personal systems on to the LAN without this sort of thing being a problem. For every cautious careful user like yourself, there are a dozen clueless ones. The same goes too for remote access. Without a remote client that is properly secured, no amount of encryption/VPN/SSL is going to keep the on-site information safe. It is inconvenient but true.

  • by causality (777677) on Friday April 30, 2010 @10:27AM (#32044754)

    This. Without an argument for why your personal machine should be on a sensitive network we can't help you.

    I'm slightly disturbed that there's a hospital out there that apparently allows employees unfettered access to their network from their personal machines, actually.

    Apparently they get used to that and it spoils them. Now that they're spoiled, when you fix the situation by implementing reasonable controls for sensitive data, they get upset at the new restrictions and start Ask Slashdot discussions about their unwillingness to deal with them.

    I've personally worked in offices that dealt with sensitive data. What I dealt with was less sensitive than medical records, yet we had IT policies like this one and they were considered basic measures. Employees who needed to work from home or while traveling were issued company laptops. The laptops were configured to establish an encrypted VPN connection back to the company. All software used once the user logged into the VPN was actually running on the server (I think they used Citrix to remotely run applications) so sensitive data was not stored locally on the laptop's hard drive. I don't know whether the drive was also encrypted.

    At this place where our data was less sensitive than medical records, most users were not allowed to plug USB devices like thumbdrives into the company computers. No one was allowed to connect a personal computer to the company network. This worked well since again, the company provided their own equipment to anyone who needed it. I don't believe anyone who was issued company laptops actually had Admin access to them. I think they used a "Power User" profile so a user could do most things but could not install software etc.

    None of this was a problem for anyone. If people think not allowing personal computers to connect to sensitive networks is some kind of iron-fisted draconian measure, it's a great and wonderful thing that those same people are not making IT decisions. Anyone who feels that way has no idea what they are dealing with and/or is unable to see that there is a bigger picture than their immediate convenience.

  • Re:Make lemonade (Score:4, Insightful)

    by butterflysrage (1066514) on Friday April 30, 2010 @10:27AM (#32044758)

    another reason why a tech union is sounding better and better.

  • Re:Obvious. (Score:5, Insightful)

    by buchner.johannes (1139593) on Friday April 30, 2010 @10:28AM (#32044768) Homepage Journal

    Dongles and laptops are bad for security. It is obvious that the IT department doesn't want them. Tell them you need a computer so you can stay productive, if they need control over it they should provide it.
    Why are people bringing their own equipment in the first place?

  • by khasim (1285) <brandioch.conner@gmail.com> on Friday April 30, 2010 @10:29AM (#32044778)

    If there is someone there who insists that home machine be allowed on the network (beyond stupid in the first place) this might be the "compromise" that the IT department was able to reach.

    You can have your home machine on the network ... BUT ... it must have full disk encryption.

    Most everyone will be able to figure out that that means "leave your home computer at home".

  • Re:Obvious. (Score:1, Insightful)

    by Anonymous Coward on Friday April 30, 2010 @10:31AM (#32044802)

    This is actually a decent stance to take. The *IT* department there should be taking it though. I for one would not want random computers plugging into my network.

    If they are unwilling to supply you tools to do your job why did they hire you? Look for another job and be up front why you left the other place 'they would not buy me tools to do my job'. Or tell them to buy you a computer for this. If they are unwilling to do so say 'my computer broke'. Now they have a choice either you 'do less work' and still get paid the same, or they 'buy you a computer for it'.

    I as a computer professional do not bring my home computers in to work. Neither should you. It makes for a nice 'clean break' too if you want to leave.

    Do not let them install whatever garbage they manage their computers with into your home computer. What if you leave to work somewhere else. Do you want the headaches of your last job hanging around with you?

  • Re:Make lemonade (Score:3, Insightful)

    by TheMeuge (645043) on Friday April 30, 2010 @10:32AM (#32044820)

    Right... he also doesn't have to have a roof over his head, and doesn't have to eat.

  • Re:Obvious. (Score:5, Insightful)

    by poetmatt (793785) on Friday April 30, 2010 @10:32AM (#32044826) Journal

    yeah, that should raise red flags all over.

    I mean phones, iPods, etc., that cannot be reasonably controlled. However, personal laptops at work is asking for HIPAA, general confidentiality issues, and general security issues all around. If people are using personal laptops on the company network that's something worth informing IT/HR, as that's a huge risk.

    All it takes is one employee with a virus and you're set for a lawsuit, or one employee with bad intentions and you've got a bunch of identity thefts.

  • Re:Obvious. (Score:5, Insightful)

    by butterflysrage (1066514) on Friday April 30, 2010 @10:35AM (#32044876)

    This... the policy isn't draconian, it is absurdly lax. No unauthorized computers should be allowed, period.

  • Re:Obvious. (Score:5, Insightful)

    by John Hasler (414242) on Friday April 30, 2010 @10:37AM (#32044902) Homepage

    Point out to them that their encryption software is not working well when installed on employee-owned machines and therefore may not be making those machines secure. Try to do this without implying that they are incompetent or that the software is crap, even though both are probably true. Also point out that some employees may be tempted to remove the software without telling them. Suggest that a better solution would be to ban private computers entirely and provide laptops to those who need off-site access. Explain to your boss that because of your concerns about the stability of the encryption software and the risks to you and to the hospital of having sensitive information on your computer, you intend to cease using your personal machines for work. Emphasize your concern about the risks to the hospital.

  • Re:Make lemonade (Score:5, Insightful)

    by butterflysrage (1066514) on Friday April 30, 2010 @10:39AM (#32044942)

    A union won't keep you from being fired, but it will keep you from being replaced on a whim. Hell, just look at what IBM is planning... over 75% of their workforce are basically losing all their benefits by being hired back on as private contractors. That means no health, no pension, no severance, even LESS security, same hours, same wage.

  • by cdrguru (88047) on Friday April 30, 2010 @10:39AM (#32044946) Homepage

    Probably something like "because you say it is in a signed statement." Lying is almost certainly grounds for termination plus whatever penalties HIPAA can be used to bring to bear. Lying, therefore, would be stupid, the act of a total moron.

    This is health care and health care records. We should all hope they get serious, are serious and stay serious.

  • Re:Make lemonade (Score:4, Insightful)

    by Jason Levine (196982) on Friday April 30, 2010 @10:43AM (#32045000)

    So this hypothetical replacement employee has $2,000 lying around to buy a new computer but doesn't have enough money to feed himself/his family? Something tells me that, had I only $2,000 left in my bank account, I'd use it for food before using it to buy a computer.

  • by petes_PoV (912422) on Friday April 30, 2010 @10:45AM (#32045036)
    You don't expect (and would run away, very fast) if other hospital workers started bringing in their own thermometers, or scalpels or things they told you were medical instruments? Why should a guy with a home computer be any different? Personally I'm glad that your hospital is starting to take a professional attitude towards its IT. Banning all non-hospital supplied (and maintained) IT equipment would be a good next step.

    Apart from them wanting to clamp down on the security elements of staff stealing or being negligent with patient records, there is a huge hole here for injecting viruses and malware into the hospital. There's also a disease vector from bringing outside stuff in and out of a hospital: MRSA can easily be transmitted on touched surfaces (hence the medical wipes and hand gels by every doorknob in many countries).

    Hopefully every other hospital will follow the lead from yours.

  • Re:Obvious. (Score:2, Insightful)

    by poetmatt (793785) on Friday April 30, 2010 @10:47AM (#32045082) Journal

    I think the issue that people don't get, and understandably so when you're not an IT-minded person - I myself mix this up constantly too and I consider myself an IT person, is this:

    you don't have, nor do you want, the same access,tools and control that you have at home. Different tools for different uses.

    We all think from a personal perspective "oh, I have this at home, I should have it at work", but really, from a medical perspective it's like: are you going to keep a set of medical tools at home for use? It just doesn't fit the purpose.

  • Re:Obvious. (Score:3, Insightful)

    by B'Trey (111263) on Friday April 30, 2010 @10:57AM (#32045260)

    If I were to hazard a guess, I'd wager he's in the marketing department.

    Perhaps. It's also possible that he works in another department and brings his own computer because they won't allow the apps he wants to use on the hospital computers. I've used my personal computer for lots of work stuff because I wasn't allowed to install anything and the only text editor available was Notepad.

    I'd echo the advice already given numerous times to stop checking email on anything other than a company machine. But for personal machines at work, it depends on why they're being used and why they're connected to the network. Are they actually being used to access local network resources, or is the network merely being used to provide internet connectivity? If it's the latter, it's not difficult to set up isolated VLANs and subnets which only have access to the internet. The hospital IT staff may not be willing to do this, of course, but it's a possible option to consider.
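    The "internet-only VLAN" option above has a precise meaning that is easy to get subtly wrong: the segment must reach public addresses and nothing in the hospital's internal address space, except the gateway services (DNS, DHCP) the segment needs in order to function. The policy check below is an added example for this page, not code from the thread; the segment name, the gateway address and the sample flows are constructed assumptions, and the same logic could be replayed over a real flow log to audit whether a segment is actually isolated.

```python
"""Internet-only segment check for personal devices on a guest VLAN.

Added example, not from the Slashdot thread.  Public destinations are
allowed; private, link-local, loopback and multicast destinations are
denied, except DNS/DHCP to the segment's own gateway.  VLAN name,
gateway address and the sample flows are constructed assumptions.
"""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src_vlan: str
    dst_ip: str
    dst_port: int
    proto: str   # "tcp" or "udp"


# Constructed segment layout (assumption, not a real network).
GUEST_VLAN = "guest"
GUEST_GATEWAY = ipaddress.ip_address("10.250.0.1")
# The only services the guest segment may use on its own gateway.
GATEWAY_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 67)}


def guest_flow_allowed(flow: Flow) -> bool:
    """Decide whether a flow originating on the guest VLAN may be forwarded.

    Unparseable destinations are denied (fail closed), and the gateway
    exception is limited to DNS/DHCP so that e.g. SSH to the gateway
    from a personal laptop is still refused.
    """
    if flow.src_vlan != GUEST_VLAN:
        raise ValueError("this policy only covers the guest VLAN")
    try:
        dst = ipaddress.ip_address(flow.dst_ip)
    except ValueError:
        return False
    if dst == GUEST_GATEWAY and (flow.proto, flow.dst_port) in GATEWAY_SERVICES:
        return True
    if dst.is_private or dst.is_link_local or dst.is_loopback or dst.is_multicast:
        return False
    return dst.is_global


def audit(flows) -> list[tuple[Flow, bool]]:
    """Evaluate a batch of flows, e.g. replayed from a flow log."""
    return [(f, guest_flow_allowed(f)) for f in flows]


# Constructed sample flows: what a personal laptop on the guest VLAN might try.
SAMPLE_FLOWS = [
    Flow("guest", "93.184.216.34", 443, "tcp"),  # public web site: allowed
    Flow("guest", "10.250.0.1", 53, "udp"),       # DNS on the guest gateway: allowed
    Flow("guest", "10.250.0.1", 22, "tcp"),       # SSH to the gateway: denied
    Flow("guest", "10.10.5.20", 445, "tcp"),      # internal file server: denied
    Flow("guest", "192.168.1.1", 80, "tcp"),      # other private space: denied
    Flow("guest", "169.254.169.254", 80, "tcp"),  # link-local: denied
    Flow("guest", "not-an-ip", 80, "tcp"),        # garbage: denied
]

if __name__ == "__main__":
    for flow, ok in audit(SAMPLE_FLOWS):
        verdict = "ALLOW" if ok else "DENY "
        print(f"{verdict} {flow.proto}/{flow.dst_port} -> {flow.dst_ip}")
```

    The check relies on the standard library's `ipaddress` classification (`is_private`, `is_link_local`, `is_global`), so new internal ranges are covered without editing the rule, and the narrow gateway allowlist is what keeps "internet only" from quietly becoming "internet plus whatever listens on the router".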

  • I Concur (Score:5, Insightful)

    by DRAGONWEEZEL (125809) on Friday April 30, 2010 @10:58AM (#32045282) Homepage

    If you were "trying to help out" then stop. NOW. You're helping no one, using your own resources for testing? I do that as I manage a VPN client that has specific.... issues. So I use my home software to verify connectivity from other networks... But when they want info on other OS's etc, I now say Show me the H/W.

    I can't test w/ hardware that I don't have, and I'm no longer going to use my hardware to do their work.

    Not because I don't want to, but if I come into a problem (like a drive I had passed on its bits to the next world) I have to FURTHER use my resources to try and get back to a working state asap. This is difficult for some people to do.

    However my boss totally got it, understood what I needed and is prepping me w/ the supplies as we speak.

    Just let them know what you need. If you're expected to do any work at home, you should expect them to hand you a laptop. It's so common, it's not even worth mentioning really.

  • Re:Obvious. (Score:1, Insightful)

    by Anonymous Coward on Friday April 30, 2010 @11:01AM (#32045326)
    This is very insightful. Wish I had mod points. Stop taking your work home with you. If over eager beaver A types would stop this, then likely this would be less expected behaviour from companies and we all could enjoy that elusive ideal of a good work/life balance. If people do it, it becomes the expected behaviour. Stop it. It screws you and everyone else. Companies don't add extra hours to the end of my life for the extra hours I sometimes have to work. So fuck them and fuck you if you are one of those who are screwing it up for the rest of us.
  • Re:Obvious. (Score:1, Insightful)

    by Anonymous Coward on Friday April 30, 2010 @11:03AM (#32045358)

    this

    I keep seeing people write comments starting with that word. Is it a javascript thing?

  • by pesho (843750) on Friday April 30, 2010 @11:06AM (#32045404)

    My guess is that he is in a setup that I have seen in multiple places around the country - a research or university hospital. The network layouts were designed at a time when there were no data protection laws and few electronic patient records. As a result, over the years, machines that host the patient records now end up on the same network that hosts machines used for research, including everybody's personal laptop. Now the new and very appropriate data protection laws come into effect and the management and IT staff have three choices:

    1. Spend tons of money on complete overhaul that will separate the patient records and the machines that process them from the rest of the network. This includes putting interfaces that would allow aggregate anonymized data to be accessed from the outside for population, epidemiological and other types of research.

    2. Encrypt everything that ever touches the network.

    3. Shut down the hospital or the research

    Which option would you choose?

    At the places where I have been very few of the postdoc and grad students have a computer that is purchased by the employer. Even if they do they still need to bring their personal laptop for various reasons directly connected to their work or study. I am currently doing research at a place like that and the security measures although not as draconian as in the article, are interfering seriously with my work. I never touch anything even remotely related to patients, but I need to exchange large chunks of data with colleagues around the world, have remote access to the local network, etc. Based on my experience I would advise the poster to calm down, and not lash out at the poor IT staff that has to deploy all this, while dealing with the anger of everybody around. You need to talk to people that are higher at the pay scale, define well the problem that you are facing and work with them to solve it.

  • Re:Make lemonade (Score:3, Insightful)

    by TheMeuge (645043) on Friday April 30, 2010 @11:06AM (#32045406)

    What kind of weird world do you live in?
    Jobs are offered to me regularly without me asking for it, my current company that I just joined 6 months ago provides me with lots of benefits and gives me whatever I feel like I need; I'm also free to come in whenever I want.

    I say this whole crisis is nothing but a myth. Or maybe it only affects completely useless jobs.

    I guess there also wasn't an earthquake in Haiti because you didn't feel any shaking. If it doesn't affect you, it must be a myth.

  • by ogrius (186951) on Friday April 30, 2010 @11:16AM (#32045554)

    A few comments:

    1) Why on earth are they allowing people to use personal computing on the company network?

    2) For home access, they should deploy some type of terminal environment at the office. So that you get the screen displayed on your home computer, but don't actually get the data stored there.

    Personally I think they should be banning any non-company devices from their internal network. Period.

    As for the home access, I agree with you about not wanting them to install software on your personal machines (if they just want Anti-Virus, that is one thing, but requiring disk encryption...)

    But I agree with their need to lock it down. They're just going about it wrong.

  • Re:I Concur (Score:5, Insightful)

    by rwv (1636355) on Friday April 30, 2010 @11:17AM (#32045578) Homepage Journal

    I'm posting at the top because I've never seen such a unified response to an AskSlashdot in the decade I've spent reading this site. I want to inform readers... don't waste your time reading past this point because the rest of the discussion is redundant.

  • Re:Obvious. (Score:4, Insightful)

    by ceoyoyo (59147) on Friday April 30, 2010 @11:25AM (#32045680)

    Yeah, that's one way of going about it. The other way to look at it is that if all it takes is one employee with an infected device to fry your network, your network is in a pretty sorry state.

    I work in medical research. My previous lab was on a hospital network. One day someone, somewhere in the hospital brought in a notebook with a virus. Most of the machines in the hospital went down, including one of the MR scanner consoles. It was a huge crisis. Our lab barely noticed -- we were running Macs. Our Windows terminal server was properly patched and firewalled.

    Hospital IT responded by cracking down on outside devices but NOT really tightening up security on individual machines. Of course, if someone, either with malicious intent or by mistake, plugged an infected laptop into the network, they would be right back at square one.

  • Re:Obvious. (Score:3, Insightful)

    by causality (777677) on Friday April 30, 2010 @11:51AM (#32046090)

    Never use personal equipment at work. They have every right to fully review your equipment at any time to decide if their data is on your personal equipment.

    I disagree that they automatically have every right to do that. I will say that they'd be foolish not to make that a written agreement that must be signed before a job offer is made, if they plan to permit personal equipment to connect to their networks. In the absence of such an agreement, I don't recognize anyone's right to go through someone's personal equipment merely because they connected it to a network with permission to do so.

    They need to think about these things before such permission to use their networks is given. What's unacceptable is retroactively deciding "oops, we made the mistake by allowing you to use your equipment on our network without a written agreement, so now we deserve access to your property and your data." That's just incompetence and a failure to plan ahead. It'd be the wrong way to deal with even data far less sensitive than medical records.

    Really though, the best way to handle this is to authorize only company-issued laptops and other company equipment for use with company networks.

  • by cgenman (325138) on Friday April 30, 2010 @11:54AM (#32046150) Homepage

    From my time in IT, I guarantee that at least 1 in 10 of those personal laptops is compromised in a major way. You can encrypt the hard drive against physical theft, but you can't encrypt the OS against being rooted. Personally I'm shocked they let private data on personal laptops at all.

  • Re:Make lemonade (Score:3, Insightful)

    by nahdude812 (88157) * on Friday April 30, 2010 @12:45PM (#32046884) Homepage

    So we should just let companies get away with deplorable behavior because there's probably a different company out there who doesn't do it? This is not just a slippery slope, it's a flowing stream (meaning that progression down the slope is not just likely, but inevitable).

    Companies will act in self interest over employee interest whenever they think they can get away with it. If we accept some employers requiring people to install certain software on employee home computers as part of their job duty, eventually nearly all employers will do this, and it will be difficult or impossible to find employers who don't. Those who don't will be operating at a competitive disadvantage to those who do.

    I'm sorry, "so get a different job" is never an acceptable justification for a company trying to screw an employee. It may be good advice for the employee, but it can't be used to dismiss the employer's actions.

  • by rickb928 (945187) on Friday April 30, 2010 @01:05PM (#32047118) Homepage Journal

    "In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day."

    The IT department made a mistake there. Not acceptable to allow confidential data on a private machine. Their error, not yours. If your department doesn't have budget for IT services, perhaps it needs to be managed properly or shut down. Obviously, they will manage it properly.

    "the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home"

    BlackBerry. Problem solved. If they balk at handing out BBs, then you don't need offsite or portable email access. Problem solved.

    I'm astonished that they let you bring your own machine in to do work with confidential data. Entirely unacceptable, no matter how diligent you are about your machine's security. It is responsible. They cannot be responsible if they don't control the environment, including the hardware and software. I'm equally astonished they aren't using a VPN with certificates.

    But I am not unfamiliar with Massachusetts hospitals, so I am not greatly astonished. One Boston-area hospital got a cool teleradiology contract with a hospital I worked at back in the 90s, and gave us the stern lectures about security, data encryption, etc. And emailed the user IDs and passwords to everyone on the department mailing list, even the CEO and CFO. Nice, guys. How about taking out an ad in the Globe next time, ok? It would be safer, nobody reads that.

  • by iamhassi (659463) on Friday April 30, 2010 @02:16PM (#32048008) Journal

    ""their network - their rules" is something the asker should know (or at least familiarize themselves with if they want to continue to use computers in the US)."

    Agreed. I'm a bit shocked at the arrogance of this Ask Slashdot:
    "they now require full-disk encryption on any computer connected to their network on site....many of the employees (myself included) bring their own personal machines to work every day...Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"

    This is a joke, right? Late April Fools'? Surely this guy is not crying "I want to use my private spyware and virus-ridden laptop on my company's network and they're requiring (INSERT SOFTWARE) be installed!" Oh sure, your laptop has no spyware/viruses, but what about Nurse Betty's laptop on 3rd floor? Or Janitor Steve's?

  • by James Youngman (3732) <jay&gnu,org> on Saturday May 01, 2010 @10:05AM (#32056152) Homepage

    If a major hospital is letting people roll up and connect personal (i.e. uncontrolled) laptops to their internal networks, the information security team/officer there is either incompetent or being ignored. They should take responsibility for making sure neither of those things is happening.

    As for the OP, they seem to me to be recklessly endangering the security of patient data. People's personal laptops have all kinds of scary cruft on them. Seventeen different kinds of malware, if they run Windows, probably.
