Recourse For Draconian Encryption Requirements?

CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"

No.

[characterZer0]

If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.

Yes and No.

[fuzzyfuzzyfungus]

IT can't do jack to your computer without your consent. To do so would be criminal. However, IT is under absolutely no obligation to let your computer on their network. And, while they probably can't stop you from pinging the mailserver, they can certainly stop you from logging in from an untrusted machine. Given that (I am quite sure) this process is a gigantic pain in the ass for the IT guys, they have probably been told that stopping you is their job(either under the law, or because the boss will fire them otherwise).

You are basically at an impasse here. They can't touch your computer without your consent; but you can't touch their network without their consent, and they can make your consent a condition of their consent.

Your options are basically as follows:
1)Stop checking email from home/personal machine at work. If this is impractical/untenable, move on to step two.
2)Request that, if IT wants security and management, they issue you the hardware you need to do your job. If you don't have the clout/there's no chance in hell/you'll be stuck on a Latitude CPi from 1999 if you do that, move on to step 3.
3)Purchase a "sacrificial" notebook. A netbook or cheap CULV thin-and-light(depending on where you fall on the small size vs. screen size issue) can be had for $400 or less on any given day, depending on which models are on sale. Buy one, set up a restore disk, then let the IT department do its vile work. If their software fucks it up, run the restore and make IT do it again.

Typical unpleaseable geekdom

*sigh* First you bitch and moan about how everyone should encrypt everything on their computers and brag about how easy it is to do full-partition encryption and how it's oh so fucking great that there's encryption around to protect you from the sp00ks and boogeymen that dadgum gummint apparently sends after you every day (oooo, scaaaaaaary!).

And THEN you bitch and moan when someone TELLS you to do full-scale encryption on your computers! You people are never happy, are you? THIS is why nobody takes us seriously! THIS is why we can't have nice things!

Yes, Sorta, No

I manage security for a major hospital system and I am leading the encryption roll out.

1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.

2. Notification costs MAJOR dollars plus the PR hit

3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.

4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.

This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)

Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.

Yay for misinterpretation!

[ircmaxell]

This all boils down to misinterpretation of the laws governing medical information (Most importantly HIPPA - Health Insurance Privacy and Protection Act)... They don't need every machine being encrypted. All they need to do is make sure that the medical information is encrypted. And encrypting the hard drive has nothing to do with that. If they are providing you with web mail (something like Outlook Web Access), then what difference in reality does it make if you have your hard drive encrypted? All they need to do is set the headers properly to not allow client side caching. That way, you never have any data on your machine anyway. I don't see any reason that all the hard drives in the facility need to be encrypted. If they wanted to create an encrypted data partition, sure. If they want to encrypt laptops, fine. But why is sensitive data stored on local computers anyway? That should all reside on an encrypted network share (if for nothing else than data backup and compliance reasons). All they are doing is trying to cover their asses so that in case something does happen, they can say "well, but we took steps to try to lock down the data" even if those steps were ancillary and irrelevant to the problem at hand.

But in your case, there's a clear cut solution. Company policy says you need to only access their information from an encrypted computer. That leaves you with four options.

• Encrypt your personal computer
• Get a second computer just for work, and encrypt that
• Have your employer provide you with a laptop or computer to take home to work with
• Don't work from home

Don't forget, no matter how stupid you think the policy is (or it may actually be), it's still your job to abide by them (unless you have the power to change them, which it doesn't seem you do). So either comply, or don't. If you chose not to, realize that you may be let go... It's as simple as that.

Re:Obvious.

[jriding]

And what happens when you want to leave the company? Do they get to keep your laptop? or review your laptop for 3 weeks to make sure you are not taking their data with you?

Never use personal equipment at work. They have every right to fully review your equipment at any time to decide if their data is on your person equipment.

Re:Obvious.

[Yamata+no+Orochi]

Because the hospital is probably not a standalone company, but rather part of a "Health System" or similar type of organization. They are likely in direct competition with other, nearby hospitals belonging to other regional health systems or organizations. Why wouldn't they have a marketing department?

To reiterate, I'm speaking from personal industry involvement.

Re:Obvious.

[Achromatic1978]

Random pedantry, HIPAA, not HIPPA. That being said, two thumbs up. I'm amazed that anyone's allowed to connect their personal equipment to the network, as someone who writes medical software.

Why consultants have to use their own tools

[DragonWriter]

Many companies/governmental institutions require the consultants to provide their own hardware since they think it's cheaper.

Many also do it because whether or not someone you pay to do work uses tools you provide or brings their own tools is one of 20 factors specifically identified by the IRS as being used to determine whether a person paid to do work for you is an "employee" for whom you are required to withhold income taxes, pay the employer's share and withhold the employee's share of payroll taxes, etc., or an "independent contractor" to which none of those rules apply. Using the employers tools is a factor that specifically weighs in favor of finding that the worker is an employee, not an independent contractor.

Merely calling someone a "consultant" or "contractor" doesn't make the government see them that way, and employers who want someone to legally have "contractor" status generally want to do everything possible to assure that if that status is ever challenged, either by the worker or the government, the employers position that the worker is a "contractor" is upheld.