Recourse For Draconian Encryption Requirements?

CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"

No.

[characterZer0]

If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.

Yes, Sorta, No

I manage security for a major hospital system and I am leading the encryption roll out.

1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.

2. Notification costs MAJOR dollars plus the PR hit

3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.

4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.

This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)

Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.