Slashdot Mirror
Recourse For Draconian Encryption Requirements?
CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"
Er. As part of the IT staff at a hospital, I can tell you they certainly can't touch your machine if you don't want them to. But they don't have to let you touch their network with your machine if you won't submit to their requirements. That's that.
N/T
Stop reading work email at home. Problem solved, and it turns out that it is actually a blessing in disguise.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
Just stop. If you need a portable machine that will be repeatedly connected to their network, make them assign you one. Alternately, ask them to sign a form claiming responsibility for any problem with your laptop, promising to pay for data recovery services should their software cause you some problem with your data, et cetera. But if I were them, I'd tell you to fuck off.
You provided no argument as to why you should need to bring your own machine to work, so this is by far the most rational solution.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
But be aware that it's their network, and expect them to refuse to allow you to connect to it.
The real solution is that if you need a machine for your job, they should be providing it to you. If you do not, then leave it at home.
It's official. Most of you are morons.
If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.
Go green: turn off your refrigerator.
Simple as that.
If they insist on your home machine being encrypted, then tell them either:
1. They must supply the machine, and it's theirs, and you'll only use it for work.
2. refuse to do any work at home.
gus
.. if only.
Don't use your personal computer for purposes of work. If you want to access your employer's network, use their tools and follow their rules. If you can't handle the rules, advocate for change or leave.
find another job if you don't want to follow the rules..
Considering that decent used laptops -- adequate for checking mail and browsing the web, anyway -- can be had for about a hundred bucks, I'd just buy one off eBay or Craigslist and use that for work purposes. For a little more, you could always pick up a netbook or a bottom-of-the-line laptop new.
Proud member of the Weirdo-American community.
If you don't want to follow security standards then don't check your email from your personal machine. If they make it a requirement that you be able to respond to email outside of the physical location then require a laptop. I really doubt you have any legal recourse, especially since HIPPA and PII data have so many additional requirements around them.
-- Slashdot, making the Left look conservative since 1997.
Why do you need to use your personal computer equipment to do your job? Your employer should be supplying everything you need to do your job.
If you need a computer at work, your employer should supply it.
If you need to check email from home, your employer should supply you with a blackberry.
This isn't rocket surgery.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Don't use your machine for work. Or, if you really want to, just dual boot it and let them do whatever they want with that partition.
Use it for nothing else. They can't mess up your personal machine or lose your data if they don't get their paws on it.
They should be using web-based email, that way the mail leaves their servers.
No sig today...
1) Stop using your own personal equipment at work, for work. If they don't supply you with the necessary gear to get the job done, then the job doesn't get done.
2) Stop checking your work e-mail from your home computer.
Problem solved.
There's nothing legally you can do to stop them from installing software on systems they own, or, requiring that you install their software before connecting your own systems to their network. It's not like they are legally required to allow you to bring in your own system and connect it to their network.
It's that simple.
Any business would be mad to let sensitive data (especially medical) get onto employee's home machines. And bringing personal machines to work and hooking them up the network?
You're a walking, talking, security nightmare. Your IT staff should be fired for not being harsh enough. NO personal laptops on the network. NO accessing email from home machines.
Be a professional instead of a hobbyist:
1. Don't use your personal computer for work insist on institutional equipment if needed
2. Quit working from home
3. Insist that your employer staff sufficiently for sane 40 hour work weeks
4. Insist on testing and migration environments to prevent the need for babysitting production constantly
Yea, I know that'll happen.
Its their network, their policy... be lucky you are even ALLOWED to connect your own personal laptop to their network, that is strictly forbidden for security reasons in most places.
If you don't want them to install that software on your personal machine, don't bring it in or don't connect it to their network and use 3G or something.
As soon as you connect to their network you must abide by their rules.
Simple as that, really.
(I'm a Network Administrator IRL.)
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
1. Outlaw Electronics in Elections
2. Vote every D and R out. (No exceptions)
This is one of those "damned if you do, damned if you don't" situations. The hospital is just trying to stay in compliance with HIPAA and the various personal non-public information regulations. Their solution DOES seem a little overboard, but this is what happens when people continually lose laptops/usb drives/etc that contain sensitive information. While this might be a little hard for the hospital's employees to get used to, it's really a win for us normal folk (assuming it's all properly executed, which is a big assumption).
As far as legal recourse, IANAL but I don't think you really have one. While I get the whole "You're not touching my computer" bit, why don't you just use the computers provided ? Hell, even at the community college I go to, I have to install some software just to connect to their network. Same with some of the other corporations that friends and family work for. In the end, if you weasel your way around the restrictions and then lose your laptop, have it stolen, whatever - you'll really be on the hook.
Unless there are very good reasons that were not in TFA, my response would be:
1) My personal computer will stay at home from now on
2) The IT department does not install anything on my personal computer.
3) I won't check my (work) email from my home anymore. Anyone who wants to contact me can use a phone (and better have a damn good reason if it happens at 2 a.m. in the night).
C - the footgun of programming languages
Don't use your personal system for work. Fact of the matter is, your workplace shouldn't allow personal machines in their network to begin with. If you so desperately want to use your own system, then be prepared for some demands for security and safety from their side, duh. If you need to work from home, they should supply you with a system or at the very least contribute to one. That's how it's usually done.
Install a second hard drive / OS that's used for work stuff only, then virtualize the OS in your primary OS. Whenever someone from work needs access to your computer, unmount your primary and boot from your work disk. Sounds like a hassle to me... :-p
Seems to me there needs some policy updates. Personally If I was managing the network you would not be allowed to put your personal machine on the hospital network. Accessing via a public wifi would be fine, but not on the hospital network. As for encryption software, there should be nothing on a desktop system that needs to be backed up, its should be on corporate servers. If the hard drive crashes the system disk is replaced and your back to the apps approved by the it dept. As for email, this is a policy issue. again, I wouldnt allow it. Your wasting business time checking personal email. If the email is business related it should come into your business account. You have no rights to do anything on a business network, Policy will dictate if and when you might be able.
You are putting personal equipment on the hospital LAN???!!!???!!!?!?!????
There's your problem right there.
Perhaps the hospital needs a guest network that is not directly connected to the hospital's systems to accommodate whatever it is that you do on your personal equipment, but letting Joe employee connect some random piece of hardware to the network inside the Hospital's fire wall is a HUGE security problem.
Are they paying you extra to use your own laptop at work, as they might if you were using your car for work and get a mileage allowance? If so then I'd say you probably will end up letting them install whatever they like. If not, tell them that if they want you to work within their rules, they'll need to buy you a "company" computer in order to satisfy those requirements since they aren't welcome to touch your personal machine.
As for checking your email from home, either have them also buy you an email-checking machine for home, or you can bask in the knowledge that your employer is well aware that you can't check email from anywhere but your office and go enjoy your life when you're not working.
As the subject says. Stop using your personal computer(s). Let management know that once you are off-site, you will no longer have email access as you are not going to install this software on your own computer. If they want you to continue to have off-site email access, they can provide you with appropriate equipment. The same goes with you bringing in your laptop to work, stop doing it, and let work provide a laptop.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Anyplace that would let idiot monkeys like this dictate IT policy decisions is headed into the crapper anyways - find a better place to work. FFS, full-disk encryption on machines that check WEBMAIL? The only thing FDE will protect against is physical loss of the machine - and if there's a sufficiently determined hacker tracking down hospital employees' private residences and stealing their machines just to try to snoop in the browser cache, why wouldn't they just kidnap the employee and employ rubber-hose cryptanalysis? Or, more likely, read the FDE password off the Post-it note stuck to the machine...
The solution is pretty simple. Don't use personal computers for business use.
If I'm a patient at your hospital I'm barely comfortable relying on the hospital's IT department to keep my medical information secure. I certainly don't want to rely on a myriad of clueless doctors, nurses, and miscellaneous technicians and administrators all maintaining or failing to maintain their own home computers.
I hope that if my medical information is leaked through any hospital employee's personal computer that I will be able to sue them for millions. It's just irresponsible to leave the handling of sensitive data to the random computer skills of people who are mostly employed for their non-computer skills.
I hope that most hospital employees are skilled in medical fields but I don't expect them to be particularly skilled with computers or to really care that much about computer security. I expect the hospital's IT department to be extremely vigilant about computer security so that the medical personnel can focus on healing patient.
Tell them to encrypt that, and use it only to check your email.
Since they don't know how to install encryption software properly, I doubt they know how to check which laptop connects to what anyway.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department as they refuse to distribute the encryption software to the employees for install.
You are going to love me. I'm going to inform your IT staff that a "blackberry" is in the subset of "any machine" which can "check email". As soon as a PHB or two are having their crackberries plucked from their hips... I give it one or two days before IT has to reconfigure their encryption policy.
You're welcome.
Where employees have download up to a million customer social security numbers and identities. Many medical sites still use SS# as patient IDs.
"Let's require full disk encryption, but allow any device in the world on our network." This being a hospital network, you shouldn't be allowed to even connect to it with personal machines.
If you brought your personal machine in and it got FUBAR'd, tough luck for you - it could have gotten just as screwed up from someone else's virus-infected PC on that wide-open hospital network. Leave your ball at home if you don't want to play by their overly lax rules.
Read your mail from a VM. Hand them a jump drive with your .vmdx & .vmx files, and see if they can figure out what to do with it.
Note this is purely for entertainment value, since that is about all an 1d10t wanna-be it staffer is good for. The reality is, they either A: want you to work from home, and will provide whatever is required to do so, or B: They don't want you to work from home, so don't work from home.
The company I work with tightened their restrictions in the past year. Only company machines can now access the network remotely and webmail requires installation of software. The software required only works on certain versions of Windows with specific versions of IE. Some of those that installed it have had their machines rendered in-operable after. My solution was to stop working after hours and remotely checking email. If I am called after hours I state I can't connect remotely and that it will take me x minutes to reach the office. I'm 24/7 support, but it turns out a lot of things are no longer that important to the higher ups. To date I've only been questioned once as to why my after hours availability had dropped. My answer that my home machine is not allowed to connect to the network was sufficient. If you are not required to have remote access or use your personal machines, try just stopping. I understand that it is probably more convient to have that though.
There exists some positive integer N that you are the Nth person to read this signature.
Due to increases in sensitive data being lost they clearly want all possible sources of said data to be encrypted. This may or may not be overklill depending on your opinion but one thing is for sure and that is that it's their decision to make.
If your not happy having your personal computer encrypted (And I know I wouldn't be) the simple solution is don't use it at work, use a work computer. If the requirement covers you checking webmail from a personal computer at home, where you will have access to sensitive data, the solution it to not check your email from home.
If you are required to check email from home and are not happy to have your whole computer encrypted then your employer should provide you with a company laptop which they can do what they want with, encryption and all.
Ctrl-Z
IT can't do jack to your computer without your consent. To do so would be criminal. However, IT is under absolutely no obligation to let your computer on their network. And, while they probably can't stop you from pinging the mailserver, they can certainly stop you from logging in from an untrusted machine. Given that (I am quite sure) this process is a gigantic pain in the ass for the IT guys, they have probably been told that stopping you is their job(either under the law, or because the boss will fire them otherwise).
You are basically at an impasse here. They can't touch your computer without your consent; but you can't touch their network without their consent, and they can make your consent a condition of their consent.
Your options are basically as follows:
1)Stop checking email from home/personal machine at work. If this is impractical/untenable, move on to step two.
2)Request that, if IT wants security and management, they issue you the hardware you need to do your job. If you don't have the clout/there's no chance in hell/you'll be stuck on a Latitude CPi from 1999 if you do that, move on to step 3.
3)Purchase a "sacrificial" notebook. A netbook or cheap CULV thin-and-light(depending on where you fall on the small size vs. screen size issue) can be had for $400 or less on any given day, depending on which models are on sale. Buy one, set up a restore disk, then let the IT department do its vile work. If their software fucks it up, run the restore and make IT do it again.
Don't put your equipment on their network, don't check email from your home machine. If they ask why your not checking your email tell them why and if they want you to have access from home tell them to issue you a laptop for that purpose as you wont give them access to your personal equipment.
You "have no intention of letting these people install anything on my machine".
And they have no intention of letting you connect your machine to their network without letting them install some things on it.
Hence, you don't connect your machine to their network.
You "have no intention of letting these people install anything on my machine".
And they have no intention of letting you check your email on a machine they haven't installed some things on.
Hence you don't check your email from your machine.
So they get to choose who connects to it. Simple as that. If you want to bring a personal machine in for personal, non job related use, accept that you might not have connectivity. Most of the hospitals around here have a guest wifi, you might be able to use that, or a 3G card. For job related stuff, tell them they have to provide the equipment.
If you have read the HIPPA laws, the penalties for leaking PII are severe. Full-disk encryption for all connected machines is probably the best way to prevent problems with such things. It would be nice if they would let you just use TrueCrypt and install it yourself, but IT departments tend to just set a standard policy for everyone. That way they can audit the policy and such. You wouldn't want to have to support everyone doing their own thing either, to be fair.
*sigh* First you bitch and moan about how everyone should encrypt everything on their computers and brag about how easy it is to do full-partition encryption and how it's oh so fucking great that there's encryption around to protect you from the sp00ks and boogeymen that dadgum gummint apparently sends after you every day (oooo, scaaaaaaary!).
And THEN you bitch and moan when someone TELLS you to do full-scale encryption on your computers! You people are never happy, are you? THIS is why nobody takes us seriously! THIS is why we can't have nice things!
They certainly can't require you to install anything on your computer, that much is for sure. In the same vein, they don't have to allow you access. It's hard to suggest anything knowing as little as I/we do. You said you have access to webmail. Since most people don't have a static IP, how exactly are they planning on limiting user's access (compliant or otherwise) from unprivileged outside locations? For instance, from what your describing, if you complied, you could access your email from home on your computer. What happens if you access it from a different computer, how exactly are they being positive that your accessing your email from the computer that your supposed to be? I'm guessing some sort of Radius authentication could be worked out in which certain software credentials would be required.. but that would be a real pain..
I manage security for a major hospital system and I am leading the encryption roll out.
1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.
2. Notification costs MAJOR dollars plus the PR hit
3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.
4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.
This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)
Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.
I'd probably just get another cheap-ass, used computer strictly for the purposes of checking email from home, etc (I have two or three sitting in the garage right now that would work). Let them put their software on THAT machine.
Proverbs 21:19
Don't use your personal machine for work.
Have them supply an appropriate laptop or desktop to do the job.
If you work as a contractor and believe it would be possible, you could get the name of the software they are using, or other software which they would approve and do it yourself. This is the approach I would take on my machine if the rules were being imposed. No-one other than me installs software on it and I want the recourse to deal with whatever company wrote the software in the event I have a problem. I wouldn't want the hospital to end up being a middle-man for support issues.
That my personal health information is probably already synced into the cloud by someone at a hospital installing google sync on their personal computer with access to medical records. Should speed up the process
But in your case, there's a clear cut solution. Company policy says you need to only access their information from an encrypted computer. That leaves you with four options.
Don't forget, no matter how stupid you think the policy is (or it may actually be), it's still your job to abide by them (unless you have the power to change them, which it doesn't seem you do). So either comply, or don't. If you chose not to, realize that you may be let go... It's as simple as that.
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
And how are you allowed to plug it into the network? GBTW and STFU.
I want to delete my account but Slashdot doesn't allow it.
Keep your personal machine off the Hospital network.
The only really sane policy: if it's on the Hospital network, it conforms to IT security guidance. Period.
I'm assuming you're in the U.S. "Exuberant" is an apt description of HIPAA data infrastructure guidance, but it's still the law of the land. I don't want my patient information accidentally sneaking out on your laptop's unencrypted hard drive.
If you must conduct personal internet business at work and don't want to convert your personal computer into a personally-owned company-configured machine, bypass the hospital net with a 3g dongle and your own data plan.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Bring in an XO laptop (or some other obscure device) and let them try to install their software on it.
I am not sure if you an independent consultant or you just have no clue. When was the last time you got a decent sized company to sign legalese with them claiming responsibility for your stuff ? Co'mmon, get down and real here.
It is a hospital - so there are HIPAA requirements. On top of that, he is in IT and may have access to DBs that have a lot of patient data. If I were the hospital, I would give him a laptop or ask him to use a hospital inspected laptop (with encryption) to connect. We are not even a hospital, and we have similar mandates - and they bear legal liabilities. If you mess up, you get kicked with HIPAA and are made personally responsible for having compromised patient data.
I once worked with a fellow who worked long hours, including weekends, just of his own volition. Once, his management demanded that he come in and work on a Saturday. From that day forward, he only worked overtime when demanded by his management. Belligerent obedience. When asking for more pay, he was told "we pay average", so he replied "then I will give you average work". Belligerent obedience.
I'm not sure I'd suggest being that extreme, but you should consider why are you funding your employer's business operations by using your own equipment? Use their equipment, adhere to their policies and procedures. After all, I assume you are an employee, so you can only loose by trying to fight them. If it really bothers you, start looking for a better job.
Maybe I'm missing something here, but you can talk all day about security, but allowing employees to connects PCs they bring from home shatters any hope of a secure network. I've never worked somewhere that would allow this and these were just standard corporate networks. We've always had "guest" wireless networks that routed to the Internet only, but never would we be allowed to physically connect home computers. That's just a horrible idea
Perhaps you could suggest they provide two networks. One secure network that requires the full disk encryption and allows access to patient records etc. to which the hospital provides all client workstations for work use and a second guest network for everything else that doesn't require the encryption. If you make the guest network open to patients and their visitors as well then it might even be possible to at least partly fund the installation with a pay for access scheme. You'd probably want to push for free/reduced rates for staff though. :)
UNIX? They're not even circumcised! Savages!
Hi,
IMHO a private PC has nothing to do inside any enterprise (>1.000 PCs) network. If a PC of an employee/consultant/customer is used, he is placed in a special DMZ. From there he can connect (e.g. by SSL-VPN) to the company network. He has only access to certain ressources. The access to the ressources may vary with "type of authentication", "security level of the pc", etc. Certain actions (e.g. transfer of files) are only allowed through clearing points.
Installing any kind of endpoint security (disk encrpytion, desktop firewall) on a private PC by an enterprise is a recipe for disaster. I am doing endpoint security concepts and projects for several years now. An exact inventory of OS, Hardware, Software installed, etc. is an absolute key element for such a project to succeed. If you use a "this software works for all platforms" approach, the support effort will usually kill you ten times over. Even the best software (Check Point FDE for Enterprises, Truecrypt for private users) has many dependencies: The virus scanner may prevent the boot sector to be written, the keyboard may not be recognised correctly by the Preboot-Auth-Code, certain Boot-Loader may not be interoperable with product of choice or you just may be unlucky.
It is probably cheaper for an enterpise to give a worklplace (e.g. Thin Client, SunRay or cheap Notebook) to an employee (even a temp) than trying to fix his security for or against him
Sincerely yours, Martin
P.S. This is a very, very short summary.... A complete account of experiences and ideas would require days to type. When a customer wants an introduction into the topic, i usually start with an 2-4 hour presentation.
you are all missing the point I bet IT has a spreed sheet listing which uses they have installed the stuff on .... and then they compare it to the logs. bring any old computer in install it on that ...and never touch it again.
If they're going to insist on this type of software, then stop using your personal machines to connect to the network or check your email at home.
If they really want you to check your email, demand that they provide hardware that meets with their approval to do so.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
My company did the same thing. Well except they gave us all laptops to use. Tell them it's fine, but if you want me to work at home you have to give me a laptop. If they refuse, just stop doing that work at home.
Your lucky you can even use your personal computer
if we try to plug a personal computer into the network IT disables the Ethernet port and call your local and ream you out. No checking your email from home. Local LAN only for reading email.
If there is someone there who insists that home machine be allowed on the network (beyond stupid in the first place) this might be the "compromise" that the IT department was able to reach.
You can have your home machine on the network ... BUT ... it must have full disk encryption.
Most everyone will be able to figure out that that means "leave your home computer at home".
Gosh there has to be at least one person on here wondering how they can tell if your drive is encrypted or not. Maybe a reg key, or an ioctl to the FS driver. Seems like there might be a way around this. Not that I am recommending it.
...I bet the encryption software is for Windows and MacOS only. Install Linux on a laptop, using a full disk encryption filesystem to be compliant. Install a copy of WINE and QVWM95 so that the IT staff see a Windows-like GUI that can run Windows software. Once they're done messing with the machine, you will still have Linux with all the capabilities of Linux and all the speed and reliability of Linux, with no risk of harm from the hospital software, and no risk of liability as (a) you let the software be installed, and (b) the machine is fully HIPPA-compliant at all points afterwards. Ok, it would be fully HIPPA-compliant before, too, but the hospital mandates the software, not the compliance.
This is not a suggestion for the purpose of evading their actual (and quite legitimate) aim of meeting regulatory requirements. Rather, it is a suggestion for independently meeting those same requirements, then letting them do what they need to do because of the way the policy is written.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I deal with my employers similiar needs by running a virtual machine just for them. Using VMWare player, build an OS install with whatever software you need at work and whatever software IT needs. Set the virtualized OS to use network bridging, which bypasses the host OS so the network can see the virtual machine directly. Turn off the host networking before you plug your machine in.
Problem solved. IT is happy because they only get to see the secured VM and your free of IT playing with your data.
Added bonus, you can move the virtual machine to other physical computers, meaning you can make a single VM and distribute it to the entire staff. If you take that route, dont enter the license keys until after the image is created to avoid distributing in violation of license agreements.
Do not use your personal computer for work. Do not use your work computer for fun. You are asking for trouble.
If you are a contractor or such, you should already have your hard drive encrypted. Provide the facility with evidence that your hard drive is encrypted.
There is no good excuse, in 2010, to not have the hard drive of your computers encrypted. Operating systems should be encrypting hard drives by default during installation. The only exception is if they are servers sitting in a physically secured data center.
The health care facility needs to get its written policies in order. They should explicitly prohibit computers that are not the property of the facility from being attached to its network. They should explicitly prohibit access to its email servers from computers (including mobile devices) it does not own. It should implement measures to enforce this and not be wishy-washy about someday terminating access, maybe, we really mean it this time. They are asking for trouble.
obviously no deficiencies vs. no obvious deficiencies
swap your HD, install a clean windows, let IT take a crap on that, swap back your old HD, continue about your business
They get to check off a box saying you have whatever installed on your machine, you avoid hassle. Win Win.
If you get called out later just say you don't know anything about it and they must have installed it wrong.
Your best recourse was to not support HIPPA laws when they were being drafted.
1. Let them encrypt your computer 2. Don't use your personal computer for work. 3. Quit and state their Draconian Rules as you reason. As a head of IT for a Financial institution who has similar requirements, if you quit they will tell you Bye. we don't allow any personal computer to connect to our network, company provided Laptops have VPN access, and all machines have full drive encryption. Now we use Truecrypt and it provides easy to use stable encryption. so here is my advise. Stop doing work from home, if you nees to work from home have them provide a laptop w/VPN for access and use their encryption. Or find a new job.
there are 10 types of people in this world, those who read binary and those who don't. which are you!
Why do you bring your own laptop to work? Seems your problems stem from your laptop being your personal laptop, but also a tool you use to process sensitive job related data on a hospital's network. You need to create a clear line between what is yours and what is the hospital's property.
If it is for checking your own mail, consider getting a cell phone with a data plan. Using a cell phone data network for personal stuff means you won't touch the hospital's network. You could use the phone directly, or tether your laptop to the phone.
If you must use your own laptop on the hospital's network because you are using your laptop for work, then there is little you can do, because the laptop is actually a work tool. Consider getting the hospital to supply the tools you need for work.
Move out of Massachusetts....
Easy solution. You either give me a machine for working off-site *or* I don't work off site.
Personally, I do not think ANY employee ANYWHERE should ever use personally owned PCs
for company business. By using your equipment you have agreed to surrender it to the courts
in the event of a "discovery order" issued during any legal action against the employer.
Just say no thank you.
Bring in your old PC from 2000, have them install the encryption on it. Go home, stack it back in the corner where it was before and use your current PC for your email. They'll never know the difference.
Just be glad these jokers aren't treating patients.
Full drive encryption in that environment is a joke, Sounds to me like your IT department is too busy fapping over it to realise.
let the IT department do their jobs following policies the organization created.
</quote>
How about we replace most IT depts with people that actually know WTF they are doing cus i sure aint found ONE yet that has even the FIRST hint of an idea
They are staffed by MOUSE JOCKEYS reading CRIB sheets just the same as call centers in fact most call cenetrs could sub as IT depts and get away with it for years
--
Karma HUMAN unlike the slashdot mods they are botnets
What the F*** is Kharma i do got teeth i don't got no kharma
Allow the admins to install their encryption, use this netbook for email only,
and quit your whining, because SOME people don't even HAVE a job,
asshole.
Having worked in the IT industry for a while, I can understand both sides of this argument about checking email at home and using personal machines for work purposes, so I won't talk about that part of this. To the posters second question, the quality of the software. I have in the past deployed two different vendors PGP style disk encryption software packages for mainly Windows. Performance wise, there's a hit and depending on desktop to laptop, it can be very noticeable. I haven't seen data loss from shall we say "normal use" but if for some reason your password key to unlock the encrypted disk becomes lost or unknown, at best it's a total pain in the a$$ to get it unencrypted, and at worst it's not at all possible.
While I find that some form of encryption is needed for files, I think this total encryption method is not the best. For linux I found that there are packages that can encrypt just a portion of the HD and not the entire disk and prevent the big data and performance hits.
In this case I have to agree with what many people have said already. I have been with DOD and DOE, as well as other companies that deal with PII and HIPAA. If they are not willing to provide you with a laptop for work use at home then I wouldn't be doing work at home. Every company I have worked for that has its employees on a lease at all times provides the equipment for them especially when it comes to full-disk encryption. Also they have supplied blackberries and run a BES. The DOD makes it clear that if you come across any information above Unclass they reserve the right to confiscate your machine and your HDD. That is the risk you take even though you should be receiving any info above unclass on an unclass machine it is a risk none the less. So in turn I do agree with much that has already been said, have them provide you with a computer to do work at home or some other device or simply don't work from home. It is their network so they can impose any policies they want for the protection of said network but you also dont have to work from home if they aren't providing you with the means to do it.
Any PC that contains the slightest bit of patient data should be encrypted. This just ensures that the hospital is fully complying with HIPAA regs. I work for an insurance broker and all of our computers are encrypted. This not only allows to not have to worry about compliance, but also covers our ass.
A bit snarky - but install VMWare, make it full-screen and hope they don't notice?
Not sure what you do with your laptop - and why you want your personal laptop at work. But for any installation with sensitive data, you are a security nightmare. If you were at my company, you would be legally mandated to not connect any device to the network that has not been checked by the IT security. Any such inspected m/c is inspected weekly for security vulnerabilities etc, and patched remotely.
Patient data (like credit card and personal information) is very sensitive - and if I were in your shoes, I would stop mucking about, before I was fired for compromising security.
So finally
1. Stop using your laptop for anything business oriented. Ask them for a laptop - or if they dont give you one - stop checking email from home.
My company locks down machines more and more every day. The funny part is they do it in the name of security, yet we run insecure Microsoft Windows and are forced to only use the totally insecure IE browser. All in the name of security. LOL. Then they add in Anti-virus, intrusion detection, full disk encryption, all sorts of system monitoring software to validate licenses (keeps the lawyers happy) and the machine grinds to a stand still. Then i get..."Done yet?". To which i reply, "Well i could have been done a week ago, but this machine is so unresponsive that my productivity is a tiny fraction of what it could be."
If they provided the laptop, even as "personal property" then they are probably within rights to request that you install certain software.
If you connect to their network they are probably within rights to request that you install certain software. But they can't force you to install software on your personal machine if you don't connect.
Given my horrible experience with disk encryption software, I understand your pain. It was required on my company provided laptop and until it was removed company-wide, we had many problems with crashes, slowness, weird behaviour, etc..
If it was me, I'd pick up a $150 P4 machine with 10G of hard drive space and have them install it there. Then call their support desk at 3AM when you check your email. Make sure you escalate to the persons who pushed this requirement.
1. Why are you using your personal equipment to do hospital work. If they are a major hospital then acquiring equipment, even older used equipment is no big deal 2. Yes they can be draconian about network connections, because we have to be, HIPAA fines can run into thew tens of millions of dollars easily. 3. if they want you to check email at home, then THEY need to provide you with the equipment. all that aside, I have a cartoon in my cube from XKCD about how stupid laptop encryption is. I
~corporate tool, but employed~
Stop reading work email at home, or only read it on your cell phone. They can't require you to check it, and I'd love to see what they'll try to do to your cell phone.
Apart from them wanting to clamp down on the security elements of staff stealing or being negligent with patient records, there is a huge hole here for injecting viruses and malware into the hospital. There's also a disease vector from bringing outsdide stuff in and out of a hospital: MRSA can easily be transmitted on touched surfaces (hence the medical wipes and hand-gels by every doorknob inn many countries).
Hopefully every other hospital will follow the lead from yours.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
People who use their own personal machines to access sensitive information should perhaps be
even *more* restrictive. It is this type of access that is the most dangerous.
If you simply have to check your facebook, check email, etc, then get yourself
a 3G network enabled device.
Agreed. My question is if they are allowing people to use email clients such as outlook, there's really not much point in encrypting something that all it does is get email, as email is by nature insecure unless encrypted itself! One should assume that any information sent over email not encrypted is compromised and public information. Car analogy, its like adding biometric entry and soundproofing a car so what you say in there is secure, but then you roll down the window and scream across a parking lot to tell a colleague sensitive information. SSN's, passwords, etc are not information that should be handled via email.
"It's ok, I'm completely secure as long as my iron is off"
Does allowing access to encrypted webmail or remote access to a encrypted machine (i.e. Citrix/TS) not solve these problems. With obvious policies to not allow transfer of data off of these encrypted machines.
I do home tech support for someone who works at what I assume is the same northeast hospital & was asked about this.
Requiring full disk encryption or anything that's on or connecting directly to the network seems reasonable for all the reasons stated above; it's their network, they have compliance obligations to meet & systems to protect, etc.
The part that gets me is the request to encrypt or install stuff on any machine connecting to webmail - seems to be a reaching a bit. If said hospital wants to provide webmail it's their choice, fair to assume they do it for their own goals of getting more out of their employees. If they're willing to lose the productivity... turn it off. Attempting to impose security requirements on end user machines for a web application is a fool's errand, you'll never get 100% absolute perfect security & you're gonna piss a lot of people off trying. Secure the web app as much as you want, but that's where your control ends.
-j
I agree it is rather lax that they allow personal equipment on their network. However, the poster's issue was the computer at home. They want to touch that. I would suggest just bringing the IT dept a computer. I'm thinking punish them a bit. Dust off an old 486sx w/ Win95. Search your friend's closets and basements if you have to. Tell them this IS your personal home computer. It's only email, you don't use the computer or the net for much beyond that so you haven't spent the money to upgrade in a while. Then just sit back and enjoy their frustration.
Hospital e-mail should be restricted to the hospital network. If you have a legitimate need to check this e-mail from home, the hospital should provide you with a netbook or a PDA or something that allows you to do that. The device would be supported by the hospital, and could have full-disk encryption on well-tested hardware. Use VPN to connect to the hospital network. If things break, it should be easy for them to fix or to swap out.
When you're at the hospital, there should be a clear separation of the hospital (confidential) and a guest (non-confidential) network. Only hospital-owned and -supported devices get to connect to the hospital network. Your personal laptop should connect to the guest network, which should not have these security requirements.
If they're trying to be cheap by making you use personal hardware to do hospital business, you should be allowed to refuse. If they need you to have one, they can buy it for you. Netbooks are cheap and should be sufficient for what you're describing. If they still won't budge, and you cave, at least talk to a tax person to see if you can write it off the costs of the machine and your Internet access as a business expense.
If you do not want their crappy software on your favourite computer, but want to bring a personal computer at work, the only solution is to have a second computer dedicated to these two purposes: running their crappy software and at work usage. It is just a logic problem. Computers are so cheap, these days.
My company doesn't allow people to access their network from none company equipment peroid, this includes thumbdrives. I think with modern security concerns this is not an unreasonable request from your company because it is your choice to use your personal equipment. Are you willing to agree to paying for any costs that could be incured by your company due to any security breach caused by you using your personal equipment?
We also had encryption rammed down our throats. For months, our computers would slow down or die and management just told us that we had no choice. It was bad enough that we were hiding our laptops from IT staff so that it would not be encrypted.
Then over one weekend and entirely by coincidence, the laptops of our three senior managers all died in separate incidents when they were giving public, high profile presentations.
They were horribly embarrassed and we had to pretend to be sympathetic. No "I told you so"s. At 10 a.m., on the Monday, after a hurried ultimatum to the IT department, all encryption efforts were suspended indefinitely "until further review"...
Encryption should be confined to the lowest level, at the hard disk, where it runs invisibly and seamlessly.
It's good to hear that the hospital is taking the privacy of medical records seriously. It's too bad there are people like the poster who feel their personal convenience is more important, though. These are the same people who think nothing of loading a personal laptop or hard drive up with hundreds of thousands of unencrypted patient records and then forgetting the device in a taxi or losing it when their home gets robbed.
I only use a bootable encrypted USB key to do my online banking - and that's the only thing I used that OS image for. It'd be a pain shutting down your home PC while you boot to the secure environment just to check the e-mail...
Another option, boot from a read-only CDR of Knoppix.
In both cases you will have to go an extra step to ensure the Linux firewall is up by default and root gets assigned a password, and that the OS doesn't automatically find and use a local HDD linux swap partition for swap space, as that would "leak" unencrypted data to the local hard disk. With the USB key OS that's easy, as it can persist itself, but you'd have to re-master/re-image Knoppix to get it to do that. Coming up on a strange network with no firewall and a blank root password -- bad idea...
No, it's their network and their stupid rules. You can of course use your own laptop but if you want to use their network you have to abide by their rules.
I'd recommend getting a cell access point like verizon/sprint/something mifi. If they don't like you creating your own AP then tether it to a cell phone.
If you were "trying to help out" then stop. NOW. You're helping no one, using your own resources for testing? I do that as I manage a VPN client that has specific.... issues. So I use my home software to verify connectivity from other networks... But when they want info on other OS's etc, I now say Show me the H/W.
I can't test w/ hardware that I don't have, and I'm no longer going to use my hardware to do their work.
Not because I don't want too, but if I come into a problem (like a drive I had passed on it's bit's to the next world) I have to FURTHER use my resources to try and get back to a working state asap. This is difficult for some people to do.
However my boss totally got it, understood what I needed and is prepping me w/ the supplies as we speak.
Just let them know what you need. If you're expected to do any work at home, you should expect them to hand you a laptop. It's so common, it's not even worth mentioning really.
How much is your data worth? Back it up now.
Some years back I worked for a government agency and the laptops had to be fully encrypted. There was a bit of a performance lag, but it was quite stable and there were no issues. I've used Safeguard by Utimaco and again, no stability problems.
Encryption of a disk only helps when the data is on the disk itself. Use Terminal Services to connect to a central encrypted server. Have a single point of entry to this server -- perhaps a VPN that allows only Remote Desktop to one TS cluster.
Or, like everyone else said, don't check work email from home, and don't bring your personal computer to work.
Most IT departments have little or no idea of what they are doing. They see a buzzword like "encryption" and they think it will "increase security" (whatever the hell "increase security" means). Another common problem is seeing some big expensive piece of enterprise software and assuming it will do everything marketing claims without any problem. It's big and expensive so it must be good right?
The end result is a poorly thought out solution that makes everyone less efficient and more annoyed, increases the complexity of the enterprise, and introduces new security holes. Not to mention the high costs of these enterprise solutions.
If it's a software company frequently the engineers know more than the IT staff and see the dumb mistakes they make, but that's why they are engineers and the IT people are in IT.
They are basically telling you that once you leave the office you are to forget about work. No reading email from home, or the road (unless using a company machine). If they want you to read email from home they need to buy you a machine with which to do so. Bill them for the power it consumes! No longer bring your computer to work. If they cannot provide proper equipment, you will just have to work slower. It's all quite simple really, put the burden on the hospital to make it all work, it's not your job or your problem.
Just one question though, do they want to encrypt the Micro SD card in your Droid as well?
I don't want you anywhere near my medical records.
Either stop bringing you computer to work and checking your email at home, buy a new computer for this that they can configure, or stop crying about security. IT has enough issues without cry babies that think they are better than that.
Honestly if I was your IT guy I would institude closed network and not let anyone connect that they did not have full control over until you stopped crying about encryption. So offload your porn and take your computer in before the IT manager gets sick enough to make it policy no one can bring personal computers in.
There are lots of good recs for Windows/Linux encryption programs above, mixed in the with the 10,000 responses that all say "don't use your personal computer for work" Not much about Macs, though. We have a similar project happening now. Crashplan Pro (WDE in addition to network backup) has caused lots of headaches, but PGP Whole Disk Encryption works pretty well. That won't last, though, since PGP is being purchased by Symantec. WDE is a very immature field in Mac-land. I suspect that developers aren't willing to spend the time creating good stand alone WDE because they are afraid Apple might undercut them and add it as a built in feature to the 10.7 or 10.8 OS update.
This one is easy. They get to buy you a computer for you to use, which you'll happily comply with their rules while using. And then no more e-mail from home. You're making your own problem by volunteering more than you should - that time at home is your own time, and that computer is your own computer, and if your job wants to control them then they can provide compensation and resources.
The two obvious solutions are to use a live boot CD or removeable drive, or to use virtualization where the virtual disk image has full disk encryption. Neither will work without IT support, as they don't let you do the install yourself (although you could rip the full disk encrypted image after they install it, then reinstall your OS or untouched hard drive).
I suggest the bootable flash drive with encryption. A fully encrypted OS on a bootable flash drive meets all of the requirements, but doesn't put an undue burden on use of personal assets. Unfortunately, your IT staff may not be up to that level of complexity. The solutions are out there, but many IT organizations aren't at the forefront of technology (no funding!).
For your home desktop, if you have a spare drive let them image that. Then dual-boot to your OS when not doing work.
A few comments:
1) Why on earth are they allowing people to use personal computing on the company network?
2) For home access, they should deploy some type of terminal environment at the office. So that you get the screen displayed on your home computer, but don't actually get the data stored there.
Personally I think they should be banning any non-company devices from their internal network. Period.
As for the home access, I agree with you about not wanting them to install software on your personal machines (if they just want Anti-Virus, that is one thing, but requiring disk encryption...)
But I agree with their need to lock it down. They're just going about it wrong.
Can we get some recourse for overuse of the word "Draconian" in recent months? I practically expected this rant to include something about Draconian DRM and how it spells the end of the world.
He who forgets will be destined to remember. - EV
We had this requirement rolled out at work a couple years ago, and it caused great knashing of teeth because the encryption software they chose wasn't great. I've used Linux full disk encryption, Mac OS X File Vault, TrueCrypt for USB drives and folders, GPG for encrypted files, and currently use a hardware-encrypted hard drive for day-to-day use. All of them were significantly faster than the software that our IT staff selected. All of them were easier to use, especially the mental model of what happens to encrypted files when they are copied, and how they interact with systems that don't have the software loaded.
From what I understand the main reason that it was picked, like many other enterprise purchasing decisions, was that it got the group policy / central management factor down, where-as the other options I mentioned are largely targeted for end users.
This is really no different from geeks saying you need anti-virus software installed, and then bitching about Symantic and McAfee bloatware.
I see 2 issues.
1- It's totally normal for the hospital to require encryption and strict access control. But since you're using your own PC, they can't force you to install anything on it, just forbid you to connect to their network. They should buy you a PC, and configure it as they wish. As for Off-site access, same deal.
2- Their encryption solution sucks. What did they choose ? I'm getting good feedback on BitLocker and Truecrypt. Is there not a bit of user hysteria going on ?
The Cloud - because you don't care if your apps and data are up in the air.
In the past, I've dealt with these kinds of things by creating a virtual machine with required VPN, AV, etc. etc. and use the VM image to access the network.
Software results in data loss and is prone to errors, the solution is to buy full disk encryption hardware. Install the harddrives and be done with it. Or if you don't want to install the harddrive then give them a usb hardware encryption thumb drive to take home with them.
There is no reason to use software encryption unless you just want to be cheap.
Simply plug the key into your computer at home and access the encrypted data on the DVDrom or even on the USB key itself.
Problem solved.
If they access it via https at least then it's encrypted. If they access via some kind of VPN it can also be secure.
It just has to be done in a way where their computer cannot save anything. A liveCD or liveUSB type setup might work but I don't know for sure. What do you think?
When I'm at home, I do all my work on a virtual machine. I connect to my employer's VPN from that VM and work on it like I would if I were sitting at my desk. I would let my employer do anything they want to that virtual machine. My backups consist of copying the entire VM image off to a network drive, so in the event that it crashes all I have to do is copy the image back down and I'm up and running again. The backups take a few hours, but I just start them when I go to bed and they're done when I get up. No special software required. The entire setup is easy, and the software I used in that work environment is isolated from my home machine.
*** *** You're just jealous 'cause the voices talk to me... ***
How much difficulty would it take to build a custom linux live distro specifically to access the VPN from a secure environment? The employee can purchase the USBkey with the Linux Distro built into it. They plug the USBkey into their home computer and it loads a live distro of Linux. They can only save files onto the USBkey itself in encrypted form, no data ever touches the harddrive of the personal computer. No viruses or anything else can run because the LinuxDistro is extremely limited and extremely secure.
And if there is a data security breach you take it from their paycheck. So what do you think? Would it work?
The company I work for doesn't allow any personal computers to be attached to the network. If you attach your computer to the network, they will come and erase your harddrive, wipe it clean. They have a guest wireless network that is external access only doesn't connect to any of the internal network. No cameras are allowed except company approved ones, including phones with cameras and laptops with built-in cameras, they deal with lots of sensitive data. There are even special pattern sheets of paper you have to run through the photocopiers after you get done copying your material. They even provide encrypted usb flash drives if you need to transfer data, any unapproved flash drives get wiped clean.
They shouldn't allow personal computer access, it's a huge security risk, barring that what they are asking is very reasonable.
Put them on notice that you will no longer bring personal machines to work and that your machines ay home will not ever be used for work purposes or to check your work email accounts. If they wish you to have a laptop or machine for work at home they may feel free to purchase them for you and install whatever software they see fit. Perhaps you should not work at home at all.
Now for some good practices for companies:
Why would anyone want to use their personal computers at work?
Tired of my customary (Score:1)
This one is easy. Those machines should have encrypted storage anyway. Portables get lost, stolen, etc. Once it's out of the barn, it's too late to close the barn door. The reasons to encrypt on these machines are so overwhelming that the hospital's desires and security theater are irrelevant.
Fair enough, but for the people whose disks weren't already encrypted, they've already created a testament that Joe-Below-Average-IT guy is 10x more knowledgeable about computers than they are. Why not take the free expert help? Since you've got to encrypt on portables anyway, if you're not doing it yet, then you must be having some sort of problem. Let 'em fix it for you.
Then hurry up and get it done yourself instead of spending time asking Slashdot how to get out of it. In the time it took you to write this and wait for the replies, you could have dm-crypt or Truecrypt set up by now.
This may not make sense on the surface, but probably has a reason. Email might be cached, attachments saved, etc. Desktops aren't lost or stolen at anywhere near the rate of portables, but it could still happen. Here's the thing: if internal email is released to the world, who will be held responsible? If your computer is stolen, the most they can do to you, is fire you. And that doesn't even fix the problem. They have to deal with the risks. Don't like it? Then don't read work email at home. That's not even a serious burden; who the fuck wants to work when they're not getting paid? Either encrypt your disk (which will also help you in addition to them, in the unlikely event your computer it stolen or you have a disk fail and RMA it, mailing data to fuck-knows-where) or use a dedicated work machine for your work-related email reading (which strikes me as horrifically inefficient, but hey, whatever).
If you're accessing their data and storing it locally (do you really understand how your email client works?), taking reasonable steps to protect it is just common courtesy at a bare minimum. And from their point of view, there's a lot more to be concerned about than courtesy.
It probably sounds like I've been siding with them against you, up to now. There's a very slimey underlying subtext to all this, though. What's this about them refusing to distribute the software? Are they requiring you to store things securely OR are they requiring some specific software, possibly even proprietary? If it's the second case, then for fuck's sake, just stop accessing their data on your machines right now, and let them supply their own machines for it, compromised by whatever crapware they are contracted to be made to feel safe by.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I think I work at the same hospital as the OP. To clarify the policy...
You are allowed to use any encryption package you want. You just have to certify that you are encrypting. And that only applies to laptops, for now. Pretty reasonable given some of the data loss scenarios we have been hearing about. And given the new law that requires encryption for Massachusetts resident's info( posed on Slashdot yesterday).
But the unreasonable part is that the policy applies for any device used to access web mail. If they need to ensure that, web mail should be disabled and only VPN connections used. (There would be an uproar! So my guess is that the policy is just for admin to cover their own *****! if anything happens.)
That the main reason for requiring the IT staff be the ONLY ones allowed to install is the main reason for this stupidity is the spyware that they are installing at the same time.
#1. Buy a used windows XP laptop/netbook
#2. install you're favorite email client (one that can auto check and forward).
#3. take it in
#4. set it up to get and forward email to your private email account.
I killed da wabbit -Elmer Fudd
You can dual boot different versions of windows: http://windows.microsoft.com/en-us/windows-vista/Set-up-a-dual-boot-system-from-Windows-Vista-Inside-Out -- Maybe you could have an unencrypted partition to boot off of at home, and an encrypted partition to boot off of at work. Or boot windows off of a flash drive: http://articles.techrepublic.com.com/5100-22_11-5928902.html Although I might suggest linux. Ubuntu's full disk encryption works great. You could set up a fully encrypted usb stick to boot from @ work.... If they accept that encryption. You could dual boot Ubuntu with windows. Just some thoughts.
Many also do it because whether or not someone you pay to do work uses tools you provide or brings their own tools is one of 20 factors specifically identified by the IRS as being used to determine whether a person paid to do work for you is an "employee" for whom you are required to withhold income taxes, pay the employer's share and withhold the employee's share of payroll taxes, etc., or an "independent contractor" to which none of those rules apply. Using the employers tools is a factor that specifically weighs in favor of finding that the worker is an employee, not an independent contractor.
Merely calling someone a "consultant" or "contractor" doesn't make the government see them that way, and employers who want someone to legally have "contractor" status generally want to do everything possible to assure that if that status is ever challenged, either by the worker or the government, the employers position that the worker is a "contractor" is upheld.
Let them install the encryption in a VM and then only connect from that... like @ http://www.mokafive.com
It's pretty simple: It's their network and their rules. If you don't want to comply then don't use their network, or bring your computer to work. They will provide you with what you need to do your job.
Conversely: If you don't want their shit on your home computer. Do not login to their network from home.
Very simple.
Seems to me the problem is doing work stuff at home. If they want you to do work stuff at home, they can give you their own computer. Medical, huh? On-call blah blah. They don't want to give you their computer? Looks like time to change careers. Pay your bills. Run from these guys or conform. You'll never beat them; all you can do is get a big promotion where you can push everyone else around mindlessly. Can't do that? Run. Run like h$*$%
Actually, I wish all employers did this - limit your access to the network such that you use a work provided device or PC, period.
It is NO FUN to have to come into work on Thanksgiving weekend and cleanup your company mailservers, try to get a quick de-list off SpamCop and Spamhaus, and clean up other PCs, all because someone brought in their infected personal laptop.
Oh, it was just a "accident" .... and since management thought it was tragic, there was no traction to take ANY steps that would avoid a repeat incident (since there was no law, and it wasn't a medical IT job anyways).
Wait, that's not true exactly... the owner of the laptop DID say they would take steps to avoid a repeat... that their kids would have to "ask daddy before installing things downloaded with 'Limewire' ".
You're one of those lame MacFreaks that doesn't get that your shitty bowl of applesauce has no place on a corporate network? Refuse to use a lowly "PC" because your over-expensive piece of garbage makes you feel elite and superior?
Anyone that supports the current incarnation of Apple should be equated with "anti-american" and "anti-freedom". (And "Stupid")
Seems to me that by your admission, the hospital is in violation of HIPPA regulation just allowing alien computers onto it's network.
I'd consider myself lucky that your admins are dim enough to let you plug your personal computer in at the office so to speak.
I am Bennett Haselton! I am Bennett Haselton!
REPEATING POSTS ARE REPETITIVE...
Say, I have an idea, DON'T ACCESS WORK E-MAIL FROM HOME!! Oh wait, somebody already said that? My bad.
"Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"
You mean, beyond taking your personal computer home and not using it for work purposes?
Just how stupid are you? Using your personal computer on a network with highly sensitive confidential information.
Yes. Quit.
I basically concur with the general consensus, but there is something your IT staff could do.
Most enterprise level switches and Wireless APs allow people they don't know and who don't authenticate to access a separate VLAN, which they can trivially allow out to the internet, and not on the corporate network. Chances are, they already do this in some limited fashion now, say if you're cafeteria has wireless internet access. If they actually care about security, they should be securing their ports anyway in the normal case. If it's at the switch or Wireless level, it's perfectly safe.
It occurs to me to Ask Slashdot if there's a browser that saves it's cache encrypted (say when using https) that he could suggest that might work around IT's (probably more general than this) problem.
I'm also curious as to what they do about blackberries and iphones and the like. You'd think people would flip if they couldn't get email on their shiny.
Setup a virtual machine at home specifically for work and follow whatever guidelines your employer wants. This is exactly how I solved my problems with needing MS Outlook and a crappy VPN client at home (where I use Linux almost exclusively) for work use. A small little Windows VM with MS Ofiice running under kvm works beautifully for this.
Is open source and stable. Perhaps that would do the job.
If you are required to provide equipment, ask for a letter documenting this fact and then purchase equipment dedicated to the task. It is likely that the equipment will then be deductible from your taxes as an "unreimbursed business expense".
If you are required to check email from home, ask the IT staff to provide a solution that complies with their security requirements. Perhaps they can come up with a remote desktop solution, like Citrix or that actually does a good job at keeping the PII on the corporate assets.
If not required, then don't do it. All it does is puts you at substantial risk if a data breach were to occur (even if it is not your fault).
Personally, I do ALL my home-based work using remote desktop to my office computer (over a VPN and with SecurID). The only "company-owned" thing you will find on my personally owned machine is the VPN client itself. Even then, the vendor has the unconfigured client available as a free download.
Buy an iPad, bring it to work and tell them this is the only computer you use for reading your email.
Watch the reaction....
Then either they will have to supply you with their own approved device, or you can just forget about working from home...
The other poster that suggested 'foreign' computers should be put on a DMZ is absolutely right. Your IT department installing the encryption software on 'foreign' computers is a clear indication of lack of experience in setting effective IT policy. Even if you encrypt a home computer spyware or other forms of software could still release the information they are worried about. People want dirt cheap IT. Well you get what you pay for. Hiring at least one experienced IT person who truly understands security could save this hospital millions. Locking down email is necessary since there are unfortunate examples of 'protected' information getting out that way. Since they have already made their security measures completely ineffective one thing you could do is this: 1. Take a ghost image of your home machine. 2. Let them install the software they want. 3. Take another ghost image of the system. 4. Reload the original image without the offending software. 5. If necessary run the image with their software in a virtual machine. That way their problems will not be yours.
He works in a hospital, why would they have a marketing department?
Because hospitals are businesses with competitors. They need to bring in customers (patients) the same as any other business. Every hospital has a marketing department in some form or another even if it isn't explicitly labeled as such.
(Even in the US, I assume it's the insurance and drug companies that do all the marketing, and the government that does the public awareness stuff.)
And you would be wrong to assume that. Every medical practice has to market its services just like any other business. The fact that the business is treating disease is irrelevant. Hospitals need to market their services the same as IBM needs to market theirs. If this is unsettling to you, you need to check your high horse at the door. Did you think the laws of economics suddenly vanish when it's health care?
Aside from the standard 'wtf are you doing using your home computer to do work for' and 'i don't want my personal info on your home computer anyway' concepts, I have to ask about the IT department handing out encyrption software like candy? Unless we're talking truecrypt, what about the license costs, or should someone call the BSA? Even volume licensing costs, and i'd hate to be the hospital customer paying for it.
An I.T. motto in the hands of an idiot is a dangerous thing...
At least in the US you cant just take it out of their paycheck. You would have to take them to court and prove gross negligence or malicious intent. A user getting a drive by infection while browsing at home wouldn't be enough.
Fair enough. I see hardly any medical advertising,
I doubt that. You might not have paid any attention to it but it's there. In my town each of the hospitals has rented billboards, has TV ads, and has print ads too. Little private practice groups do the same. I see ads in the paper for family health care and dentists every week. I get direct mailings from health care providers and doctors.
If you live anywhere but the most rural parts of the US the only way you could miss the advertising is if you aren't paying attention. Not that ignoring advertising is a bad thing...
, so a hospital advertising itself seems strange to me.
It does seem a little odd at first. Mostly it is for brand recognition and to advertise specific specialties. Not all hospitals do all procedures and some have definite areas of expertise. Hospitals compete against private groups, outpatient clinics, other hospitals, surgery centers, and more. Advertising is a proven way to increase business even in health care.
VirtualBox.
_______
2B1ASK1
for over 10 years. she's even worked in places where celebrities go for treatment.
if you look back at the past 10 years most of the data losses have been due to people copying data to endpoint devices and losing them. no one wants their medical records lost. people will sue because of it.
most places my wife has worked don't allow personal smartphones to connect to the email system. everything is monitored, tracked, etc. in the case of celebrities people have gotten fired just for accessing their charts without a valid reason.
Am I the only one pleased that a Hospital is actually complying with HIPAA regulations and is going so far as to actually protect their PHI?
Sure, asking "Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?" is silly, and "their network - their rules" is something the asker should know (or at least familarize themselves with if they want to continue to use computers in the US).
With that said:
- enforcing client security requirements by telling employees "take these measures to protect us, and if you don't, we'll call you up and be very cross", and
- requiring full disk encryption on machines that are in the office 0 days a year
are signs of an incoherent approach to security.
If they were really concerned about compromised remote machines logging into their webmail system, they wouldn't have one.
So every single reply has been "don't use your computer for work", or "make them give you one". I have to wonder if you ever read slashdot. That you even asked the question in the first place makes me think that you actually do not know *why* everyone is posting the same answer:
How many times have we read about "stupid companies" that let their employees wander around with sensitive data on unencrypted devices, like credit card numbers and health care information.
LOL union - in a blink of an eye your jobs will be moving to my desh - India. Even most IT support can now be done remotely and programming - HA!
When Credit Suisse's financial reports (usually done by 1-2nd yr MBAs from top schools in US) are done in India, some crappy software programming for business applications can easily be done by 'non-unionzed' workers in india. :) the rest of you can rollover and die!
Use a hardware encrypted disk. They are becoming a lot more affordable and easier to find. You don't have to do a single thing to the software. Visit newegg.com and type "fde" (for "full disk encryption") into the search form, and you will find a bunch. These drives encrypt the disk in ECB mode, which leaves some kinds of data patterns detectable, but it's a huge improvement over leaving the disk unencrypted. It should stop the most scary types of personal information disclosure in this application, even though it leaks vaguer sorts of information that make it unsuitable for a general purpose cryptographic solution. There are some ways to compensate for this with special software, but you're trying to avoid using any of that.
"In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day."
The IT department made a mistake there. Not acceptable to allow confidential data on a private machine. Their error, not yours. If your department doesn't have budget for IT services, perhaps it needs to be managed properly or shut down. Obviously, they will manage it properly.
"the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted", including desktop-style machines at home"
BlackBerry Problem solved. If they balk at handing out BBs, then you don't need offsite or portable email access. Problem solved.
I'm astonished that they let you bring your own machine in to do work with confidential data. Entirely unacceptable, no matter how diligent you are about your machine's security. It is responsible. They cannot be responsible if they don't control the environment, including the hardware and software. I'm equally astonished they aren't using a VPN with certificates.
But I am not unfamiliar with Massachusetts hospitals, so I am not greatly astonished. One Boston-area hospital got a cool teleradiology contract with a hospital I worked at back in the 90s, and gave us the stern lectures about security, data encryption, etc. And emailed the user IDs and passwords to everyone on the department mailing list, even the CEO and CFO. Nice, guys. How about taking out an ad in the Globe next time, ok? It would be safer, nobody reads that.
deleting the extra space after periods so i can stay relevant, yeah.
Did you seriously think you were going to get a sympathetic ear HERE? At /.?
Cryostatis meet reality. Reality, this is Cryostatis. You two should get to know each other.
One of my solutions is to have the mail server forward mails to another account (like gmail.) While totally against the spirit of the policy, it is often overlooked. Don't make a lot of noise, don't announce you are doing it, just go through the mail server interface (especially if you can access a webmail interface) and look for a vacation forwarding feature. Just make sure your thunderbird settings allow you to reply as if you are using their server.
If they're locked down, it probably wont work. But orgs with stupid policies are usually maintained by stupid (or ambivalent) staff.
I'm going to take a different tack from most responders and ask why, if the IT department is sufficiently concerned about security to require whole-disk encryption on all machines connecting to the network (as a member of the security industry, I applaud their decision), do they allow people to connect their personal machines to the network? Especially in a HIPAA environment, that's nuts. How do they ensure that you retain no confidential data on your personal computer if you quit? In such an environment, no one should be allowed to use personal equipment on the network, but if they are, they should all be required to sign a contract that upon leaving employment (voluntarily or not), they will turn over any personal machines used to connect to the hospital network so that the disk(s) can be removed and destroyed.
That said, if they are going to let you connect your personal gear and you are dead-set on doing it, install whole-disk encryption yourself and bring the machine in for them to inspect it. They'll probably want the passphrase, too.
If they won't budge, then you either stop using your personal machine or you let them install their encryption solution on it. You may not like their decisions (I don't like all of my employer's IT decisions either), but it's the hospital's network, not yours, which means they get to make the rules. If you find this one so onerous that you can't live with it, I recommend seeking work elsewhere before it gets to bug you so much that it harms your job performance. Otherwise, you may wind up seeking work elsewhere anyway, but under less good circumstances.
It's pretty straight forward.
Just buy a $300 PC for checking email.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Home pc may fall under the same rules that uniforms do as IN If there cost makes you pay go under mini wage then they must pay for them and A good Desktop with software can run $500-$1000 with a laptop at $800-$1500 and prices like will pull most people under min wage for that week.
But Why not just have laptop that are to used at home for work and at work as well that work IT runs.
Let's see if I get this right: you've chosen to use your own computer, at your expense, for the benefit of a company for whom you work, when the provide you with computer(s) to use without said investment. But, when they say you have to secure your machine to comply with regulations (probably HIPAA) by installing whole-disk encryption on it, you complain. Get over it. Either install the same software at your own expense (probably the PGP WDE) or let them install it. Since you back up your computer you should have no issue. The problem of slow compute after WDE is installed was true with older releases but no issues that I know of recently. Here is the problem: HIPAA requires certain things and your employer's legal staff has set standards for compliance that they are satisfied will fit into the regulations. In their mind, until you have all the t's crossed and i's dotted, you are creating a legal problem for them. Legal problems typically become employment problems, particularly for the employee. In the Federal government space, they won't let anyone, even contractors who have NO government provided computer, to plug into a Fed Government network (physical wire and Feds do not allow wi-fi). Every contractor runs around with a broadband card sticking out of their laptops. Even then, contractors, from clearances for SBU data and up (that would be practically all Federal data BTW), have to have WDE. Healthcare has similar requirements and it's just a battle to lose to try and fight it. You are not even on moral ground here, you just need to suck up and either fix the encryption problem or stop trying to use your personal equipment for work.
TV-MA - the Beginning: "Ward, don't you think you were a little hard on the Beaver last night?"
That is exactly the approach I am considering. Slax with nxclient installed will fit the bill nicely. The problem with implementing it is 10% technical and 90% political.
Dutifully bring in a machine for them to install crapware on. Take it home. Clean that stuff off and do whatever you want.
rather than the new Mass law.
Get a $300 el-cheapo netbook, and let them configure it however they want. Use it for nothing else. And/or ask them to set up a VM that you can securely RDP into (VPN, VMWare View or Citrix), so there's no data on your remote PC/laptop/mobile phone, just pixels. Or both: have them buy you a thin client netbook.
If you want to be tricky, image the HD of the el-cheapo netbook after they set it up, and run it inside a VM on your personal PC. Note that this may or may not comply with their legal restrictions.
They should have two networks. One with security on it, and the other open to the Internet for all to use, with open wi-fi access.
Are they imposing this encryption on patients' computing devices as well? Do they even provide Internet access to patients? If they don't, they are pretty much acting like a prison rather than a hospital. The worst part of being in the hospital is being alone. BT, DT, and the depression from being cut off from most of my friends was much worse than the disease I had.
So if they don't already have a two-tiered security structure, but they're going through the effort of imposing full-lockdown security, they've put the cart before the horse.
Don't use use your personal assets for work. Beyond the trouble you're already experiencing, it causes other problems: it prevents management from understanding the total cost of IT operations; it's likely to create unrealized dependencies on personnel (which will be realized upon their departure or transfer); and it complicates the creation of Disaster Recovery and Continuity of Operations plans.
The measures your hospital is taking may be draconian, but in the face of countless new articles trumpeting that latest XYZ agency/company/government who lost a laptop with account records full of very personal and very accessible information, it's understandable. It's very, very difficult for a corporation to maintain appropriate level of control over their own mobile assets. It's an unsolved problem, and to me at least, not obviously solvable without substantial changes to the underlying operating system and communication technology. (And then, will the resulting Internet be open, extensible, and autonomous like the one we have today?) But I digress...
I point out this article http://www.experiordata.com/blog/2010/01/19/disk-encryption-is-not-enough-for-hipaa-hitech-act-compliance/ Bad data design allows the user to store data on there laptop. Having been a consultant, programmer, and user. Most Health Care company's are struggling to make ends meet. This does not allow for a re-write that would secure the data.
My assumption is that they did this in light of the ever increating regulatory requirements (HIPPA to name one). I would challenge the fact that they allow you to bring personal assets into the company at all.
I would say separate work from personal. Then you never have to worry about being challenged and taken to court because someone thought you may be violating or circumventing a company policy on your personal asset.
One other interesting tidbit... I read that the HIPPA laws may be changing in the fact that the company no longer assumes "resonsibility" for policy that you may intentionally or accidentally violate. This means your legal exposure is that much greater.
Just my 2 cents.
I work in health care too. I do use a vpn from time to time from my home machine to do menial work, it's rare though. However, I also have a laptop from work to do every thing with. The only reason I'd use my machine is if for instance I have it booted, and my laptop is cold, and have to put a ticket in progress, or to quickly check mail inbetween frags / maps in TF2 & L4D2.
This is the the part that confused me too.
Definately crazy! In my opinion, I just don't trust my coworkers habits. Our network guys do a decent job, but we are also one of those large Co still on IE6. I don't want their packets to touch my gear w/ a 10 NAT pole! (I practice safe computer sex, but you never know.. you could break a firewall mid intercourse)
Seriously though... Physicians try and do this all the time... This kind of sounds like the ring of a doctor's rant. Your personal laptop has no need to be on their network. For business purposes, use their guest network and VPN. I can't imagine they'd really require encryption on the other side of a VPN, that isn't conducive to getting work done, and just pisses people off.
How much is your data worth? Back it up now.
My gear to work w/o wrapping...
If you're not going to wrap it,
Stay home and whack it...
Old saying still true.
How much is your data worth? Back it up now.
These points have been covered but here are the facts in one place.
1. Any IT that let's personal computers connect internally is bad IT.
2. MA law requires only encryption of data (stored or transmitted) or computers that access data with the following criteria:
a. Massachusetts residents full name plus any ONE of the following
b. SSN, Bank account#, credit card #, or any other financial data
3. There is no reason and an exorbitant expense to encrypt all computers unless you are in a field (banking, finance) where all users have access to that data or will transmit it.
4. Properly configured email systems do not required home computers to be encrypted.
5. This law has nothing to do with HIPAA.
I live and work in MA in an IT department and we went through all this with our lawyers. It's much ado about nothing for most companies. This law was a direct result of TJX customer data becoming available
The Massachusetts Law is an unexpected windfall for Medical Application Integrators who are now faced with protecting Massachusetts resident-only personal identification information across multiple application domains.
Case in point: The Law has potential application against information systems of out-sourced third parties who are under contract to provide health care services to Massachusetts residents as active or reserve military and discharged veterans. Specialty clinics and laboratories that provide such services will need to be found in full compliance of the Massachusetts Law before Federal service contracts can be renewed.
Anywhere in the world.
In particular, it means that the US Veterans Administration and the Dept of Defense will need to overhaul the VISTA and the AHLTA medical networks to ensure that no component subsystem can result in violation of the Massachusetts Law. Those components come from everywhere - UK, Canada, Australia, Germany, the Netherlands, Japan, S. Korea, and especially China, for all the hand held in-the-field medical information devices, that have display memories that can be read with remote RF monitoring equipment.
I'm sure that the citizens of Massachusetts will be lobbying Senators Scott Brown and John Kerry to ensure that the Senate Defense Appropriations Committee takes the necessary steps to fund this massive IT rewrite with federal tax dollars.
This one state law has created a huge Federal Budget Exposure that the Congressional Budget Office will need to sink its teeth into.
This is a great day for medical application integrators around the world ... but only as long as the Massachusetts Law is allowed to stand.
It would be sincerely unfortunate if doctors in Washington DC failed to anticipate a fatal pharmaceutical allergy while treating anyone in the Massachusetts congressional delegation, because their childhood medical records were fully encrypted, the encryption key was lost, and the records unavailable for review.
DarkStarZumaBeachSurfinApocalypseWow
Doctors, lawyers etc. are professionals and are governed by a code of ethics. Break that code and you end up being unable to practice that profession anywhere so the situation is very different compared to a company where once you stop working for them you have almost no obligations to them other than what the law requires. If a doctor left a hospital and started sharing former patients' data with others they would end up in a lot of trouble and probably get struck off.
This is ridiculous, IT gone amok. And klubar is one of those fucking moronic IT persons.
*I* choose what computer to use, not you bastard IT minion.
I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site.
So encrypt your disk already.
Do they require you use some particular software or do they let you use one of your choice? Are you running Linux or something else?
(If the answers are "your choice" and "Linux" I know there's a solution - because I use it on a me-configured laptop with MY gargantuan employer, which requires full disk encryption and up-to-date software on any offsite or portable machine where you view or store company data or access its network.)
The Ubuntu distribution, for instance, has a full-disk encryption option. Encrypts everything but the boot partition (gotta have SOMETHING in the clear to get started) as one big loop-mounted device where the rest of the partitions and swap area are built.
Don't know if it's available on the Live CD on Karmic or Lucid. But for Hardy and Jaunty it was only available on the "alternate" installation disk. (Do a default install from the live CD to see how the distribution wants to be partitioned first, then clone that mapping when partitioning the encrypted hard drive when installing from the alternate CD.)
No conversion on-the-fly that I know of. But save your data offline, reinstall, and load it back onto the new install. Then you're back on the air with full disk encryption.
DON'T forget the passphrase: Unlike commercial systems with administrator backdoors the passphrase IS the key and if you lose it you're hosed.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I am a systems architect who had the challenge of implimenting such requirement at a fortune 100 Finananial institution where securty is a big concern especially after an employee started stealing customer data and was caught selling it. There are many workarounds that I can suggest.
Here are my 2 cents
1. They have no business touching your personal property
2. They have every right to deny you access without an approved system and most big shops will not allow you to connect your own personal computer to their network. I have seen people terminated over this for repeatidly sneaking in their Laptops. We had a 0 day virus outbreak 5 years ago that was traced to a user bring in their Laptop so they can use our internet speed to download mp3s on limewire which caused us to adopt this harsh policy.
If they require you to work from home they should either
a) Provide you with a laptop with all the required security measures
b) Provide a DMZ area for unmanaged systems with extremly limited network access to just do your job or the ability to rdp (once VPNed) to your workstation
c) Leverage some terminal/remote desktop system like citrix, vmware view, etc so all you need to do is browse to a site and kick off a terminal session. Add VPN as a 2nd layer of security if deemed neccessary.
I would suggest you mention some of these options to your IT staff. Suggest a formal email straight to the security person as just mentioning in passing to the typical Desktop Goon would probably blow you off. he/she is busy counting the minutes so they run home and fire up their World of Warcraft and whine about how their evil users like you are telling them how to do their jobs ;)
Good luck
>many of the employees (myself included) bring their own personal machines to work every day.
Stop doing that.
-fb Everything not expressly forbidden is now mandatory.
PC's need to be provided for free.
I work in this hospital system, and as a doctor, I am expected to be able to view patient information from home 24/7. In fact, I am expected to be able to make changes to orders electronically from home as well.
So, the comment that "just don't check your e-mail" or "you're just not available after work" is just not realistic. You are available 24/7, and in fact, you are expected to be reachable very quickly and to be able to respond quickly.
As an aside - I don't understand why a computer which VPN's into the hospital network to run a Citrix session needs to be encrypted in any case. You need a dongle PLUS two passwords to even log-in. After you log out, nothing is stored locally. What does encryption get you? For e-mail that is stored locally on Outlook or Mail, I get it (but they are already rolling out encrypted e-mail as well).
If I were in this position and the company I worked for wanted me to have access to company resources from my home or wherever I would have them issue me a computer for the purpose and be done with it. You get more gizmos to play with and the idiots in IT get to explain either the loss of productivity or additional expendatures to aquire and maintain more hardware.
I'm sure the core of this is some high level interaction with a scare mongering security vendor who misrepresents regulatory requirements in a bid to sell products and services you don't need and make more $$$.. The industry seems to have themselves quite an extensive network of blogs and opinion peices on regulatory requirements that don't actually exist.
Get your personal gear out of there. The institution you work for needs to provision you with the devices needed to do your job computers included. You should not be putting yourself at risk doing your work on a personally owned device. The institution you work for needs to take a good hard look at the liability and risks of allowing its staff to use personal equipment. HIPAA mandates a number of protections to electronic personally identifiable health information which are nearly impossible to enforce on personally owned computers that are being used for health care business, treatment or operations purposes. How does the institution assure confidentiality , integrity and availability on a computer it does not own?
here is the link to the CMS where formal HIPAA complaints can be filed
http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
security who know nothing about it.
Swell.
"many of the employees (myself included) bring their own personal machines to work every day."
Stop it.
Keep the hospital system on their own network. Don't let anyone put a non approved person system on that network. EVER.
That would do you far better the encryption.
Also, don't store data on the local machines. If you really want security, you will go to terminal systems and all data will be housed in a database system.
But no. You will encrypt everything, while still letting attack vectors onto your system, and then the whole thing will crumble in 6 months when some administration person looses there data because the lost their key... again.
The Kruger Dunning explains most post on
We do not allow any privately owned machines to connect to our network.
You want to work at home? Talk to your manager and get a hospital laptop. Or, if you just want to read your email, a Blackberry.
You want to take work home to do on your own PC? Come and talk to us and, if we are happy you are not taking confidential information (patient information etc), we will give you an encrypted 2GB USB at no cost.
This is pretty much the policy for the entire UK National Health Service. You are forbidden from connecting your own storage devices to our PCs and we are about to roll out Port Control to enforce that.
Every portable data storage device must now be encrypted. You do not store data on your PCs. That is what the network is for.
Until recently, every separate hospital & clinic ran its own email server. These were only accessible offsite from its own equipment that had a VPN set up. They are now rolling out a, web based, national system that can be accessed from any PC you like. Officially, this is much more secure than us peasants can supply.
Of course, the NHS is not there to make a profit. It is supposed to be there for making or keeping everyone healthy. If money is more important to you, I am sure that personal devices will be used.
Mind you, on the cost front, we spend a lot less per head than you and have a fractionally longer life span. Maybe if we spent as much as you we could live to 210...
I'll see your Constitution and raise you a Queen.
Buy an iPad and let them try to encrypt it. They will have to try and get their app approved by Steve, and good luck with that.
If I don't have phone service at home and don't have cable because I use a cell phone and TV bores me, then good luck finding Cable or Telco that will install internet service
If it's just for checking e-mail, then it won't eat much of the 5 GB per month that you get with your cell phone's data plan.
Should they try to fire me, for my private life choices then they'll be ripe for a huge class action lawsuit.
Such a suit will not succeed in any state whose employment law is remotely at-will.
So just pop out your HD, put in a clean 1, install windows, give it to IT, get it back and put your drive back in. its web mail they cant see whether u actually have it running only that your computer isnt on the clean computers list...
If you are looking for a simple solution to keep everyone happy - get yourself a cheap netbook for work only. That way it is not hurting your regular computer.
Do what I do: run your corporate email and VPN in a virtual machine on a fully-encrypted external (USB) hard disk.
The hospital you work for seems to both 1) expect you check your email at home and 2) comply with their own intrusive network security demands. Why not tell them about/show them your computer running Ubuntu or Solaris? If their software won't work on your machine they'll either have to provide you with a work computer or release you from checking your email outside of work.
If the reality is that your employer is going to force him/herself into your home, don't go without a fight.
If a major hospital is letting people roll up and connect personal (i.e. uncontrolled) laptops to their internal networks, the information security team/officer there is either incompetent or being ignored. They should take responsibility for making sure neither of those things is happening.
As for the OP, they seem to me to be recklessly endangering the security of patient data. People's personal laptops have all kinds of scary cruft on them. Seventeen different kinds of malware, if they run Windows, probably.
Blah, blah, blah, blah. These issues haven't changed since I ran into them more than 20 years ago. Anyone foolish enough to use their own equipment for someone else's purpose isn't thinking clearly.
http://slashdot.org/comments.pl?sid=1631698&cid=32056406 Hilarious. The great "registered user wannabe expert" (not) in tomhudson loses his ass to a 'mere lowly anonymous coward'. Go get a degree in computers first tomhudson, before you look more the ass online here.
"Here's my Frankenboxen running Amiga OS in one partition, and BSD in another. When can I pick it up?"
There is nothing wrong with yr Internet. Do not attempt to adjust the picture. We are controlling the transmission - NSA
This should be +4 funny!
Free Software: Like love, it grows best when given away.
In fact, the evil IT people might well be following the law- HIPPA mandates some fairly strong controls on how personally-identifiable health information must be protected.
My suggestion is that if they want you to check email at home, they should provide you with a machine to do it with. And- this is actually what YOU want; that way, if the machine breaks, it's their problem; if it's stolen, it's their problem; if it gets compromised and all the credit card numbers get turned into a big TJX-style identity theft debacle, it's their problem; no matter WHAT happens, it's their problem.
Simple rule for an easy life: keep your hardware *yours*, and your employer's hardware *theirs*.
Wow, I am surprised you let employees put a personal machine on your network. We forbid any personal machines from being plugged into our network, and I'm working on NAC so I'll be alerted if anyone does so. Personal machines are virus and zombie magnets and have no business being on a business network.