Recourse For Draconian Encryption Requirements?

CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"

Its Easy

[macintard]

Don't use your personal computer for purposes of work. If you want to access your employer's network, use their tools and follow their rules. If you can't handle the rules, advocate for change or leave.

Re:Just say no.

[ProdigyPuNk]

You realize that in the real world such harsh actions very rarely end with any type of benefit for the employee, right ? Might as well just quit. He works on a network with people's sensitive medical records. Myself, along with millions of other Americans, applaud hospitals and other institutions for NOT letting these kinds of shenanigans go on. That's why HIPAA was created, love it or hate it.

Re:Find a new job

[capnchicken]

I'm sorry, you must be under the impression that systems in a hospital are integrated in SOME fashion. They are not, and I've never heard of one that was, although my experience with them only spans about 7 years and only includes 3 U.S. states (not Mass). Electronic medical records are just now KIND OF being integrated and usually only at expensive hospitals. And I have yet to see a medical diagnostic device that didn't run in it's own vendor supported proprietary bubble. So having a virus run amok doesn't really concern me as it would get stopped in its tracks by the entire clusterfuck that is Healthcare IT.

Healthcare IT is a vendor lock-in, non-integrated mess and having IT run around and lose people's data with some mandated encryption system they probably bought from a snake oil salesman is probably worse than any scenario you might be thinking about.

And I am glad!

[goffster]

People who use their own personal machines to access sensitive information should perhaps be
even *more* restrictive. It is this type of access that is the most dangerous.

If you simply have to check your facebook, check email, etc, then get yourself
a 3G network enabled device.

Re:Make lemonade

[TheMeuge]

It's the equivalent of cutting your salary by $2000. If the alternative is not earning any salary, you better come up with the money.

Re:need more information

[cdrguru]

I suggest that the answer is very simple and non-technical. They ask everyone with access to email externally to sign a piece of paper stating that they have read the security policy and will never violate it, where violating it is doing things like accessing the email system through any unsecured computer.

Violation of the policy is grounds for immediate termination plus criminal penalties for potentially exposing patient data. After the first guy goes to jail for five years or so people will start actually paying attention.

Don't think that this is going to be isolated to MA. It is a logical outgrowth of HIPPA and is pretty much a requirement. It is about time.

Re:Obvious.

[interval1066]

"...why would they (the hospital) have a marketing department?"

Are you kidding me? Here is S. Cal we're inundated with advertising for medical concerns, both private and publicly funded. Its ridiculous.

Re:Make lemonade

[Daniel Dvorkin]

Well, I can't provide a link, but I can tell you that a good friend of mine who until recently worked for IBM got caught up in it. And it's even worse than GPP indicated -- they offered him his old job back as a contractor at about two-thirds the pay, with no benefits etc. I don't know if there are any news stories on it because it's not really the kind of thing IBM is going to be eager to publicize, but it's happening. And while the IRS may be cracking down on some of the chicanery involved in hiring contractors, there's nothing in the link you posted to indicate that they're doing anything about the core problem: treating highly skilled, dedicated, specialized technical workers as interchangeable parts.

Not that I think the IRS should do anything about it, you understand -- it's really not their job -- but it's the kind of thing a good union certainly could. Unfortunately, the /. consensus on unions is pretty representative of thinking in the tech world generally, and shows in gory detail how effective decades of anti-union propaganda have been in convincing otherwise intelligent people.

Why do they let you do that?

[gujo-odori]

I'm going to take a different tack from most responders and ask why, if the IT department is sufficiently concerned about security to require whole-disk encryption on all machines connecting to the network (as a member of the security industry, I applaud their decision), do they allow people to connect their personal machines to the network? Especially in a HIPAA environment, that's nuts. How do they ensure that you retain no confidential data on your personal computer if you quit? In such an environment, no one should be allowed to use personal equipment on the network, but if they are, they should all be required to sign a contract that upon leaving employment (voluntarily or not), they will turn over any personal machines used to connect to the hospital network so that the disk(s) can be removed and destroyed.

That said, if they are going to let you connect your personal gear and you are dead-set on doing it, install whole-disk encryption yourself and bring the machine in for them to inspect it. They'll probably want the passphrase, too.

If they won't budge, then you either stop using your personal machine or you let them install their encryption solution on it. You may not like their decisions (I don't like all of my employer's IT decisions either), but it's the hospital's network, not yours, which means they get to make the rules. If you find this one so onerous that you can't live with it, I recommend seeking work elsewhere before it gets to bug you so much that it harms your job performance. Otherwise, you may wind up seeking work elsewhere anyway, but under less good circumstances.