Recourse For Draconian Encryption Requirements?
CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"
Er. As part of the IT staff at a hospital, I can tell you they certainly can't touch your machine if you don't want them to. But they don't have to let you touch their network with your machine if you won't submit to their requirements. That's that.
Stop reading work email at home. Problem solved, and it turns out that it is actually a blessing in disguise.
Slashdot: where don knuth is an idiot because he can't grasp the awesome power of php
Just stop. If you need a portable machine that will be repeatedly connected to their network, make them assign you one. Alternately, ask them to sign a form claiming responsibility for any problem with your laptop, promising to pay for data recovery services should their software cause you some problem with your data, et cetera. But if I were them, I'd tell you to fuck off.
You provided no argument as to why you should need to bring your own machine to work, so this is by far the most rational solution.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
But be aware that it's their network, and expect them to refuse to allow you to connect to it.
The real solution is that if you need a machine for your job, they should be providing it to you. If you do not, then leave it at home.
It's official. Most of you are morons.
If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.
Go green: turn off your refrigerator.
If they insist on your home machine being encrypted, then tell them either:
1. They must supply the machine, and it's theirs, and you'll only use it for work.
2. Refuse to do any work at home.
gus
.. if only.
Considering that decent used laptops -- adequate for checking mail and browsing the web, anyway -- can be had for about a hundred bucks, I'd just buy one off eBay or Craigslist and use that for work purposes. For a little more, you could always pick up a netbook or a bottom-of-the-line laptop new.
Proud member of the Weirdo-American community.
If you don't want to follow security standards then don't check your email from your personal machine. If they make it a requirement that you be able to respond to email outside of the physical location then require a laptop. I really doubt you have any legal recourse, especially since HIPAA and PII data have so many additional requirements around them.
-- Slashdot, making the Left look conservative since 1997.
Why do you need to use your personal computer equipment to do your job? Your employer should be supplying everything you need to do your job.
If you need a computer at work, your employer should supply it.
If you need to check email from home, your employer should supply you with a blackberry.
This isn't rocket surgery.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Use it for nothing else. They can't mess up your personal machine or lose your data if they don't get their paws on it.
It's that simple.
Any business would be mad to let sensitive data (especially medical) get onto employees' home machines. And bringing personal machines to work and hooking them up to the network?
You're a walking, talking, security nightmare. Your IT staff should be fired for not being harsh enough. NO personal laptops on the network. NO accessing email from home machines.
It's their network, their policy... be lucky you are even ALLOWED to connect your own personal laptop to their network; that is strictly forbidden for security reasons in most places.
If you don't want them to install that software on your personal machine, don't bring it in or don't connect it to their network and use 3G or something.
As soon as you connect to their network you must abide by their rules.
Simple as that, really.
(I'm a Network Administrator IRL.)
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
This is one of those "damned if you do, damned if you don't" situations. The hospital is just trying to stay in compliance with HIPAA and the various personal non-public information regulations. Their solution DOES seem a little overboard, but this is what happens when people continually lose laptops/usb drives/etc that contain sensitive information. While this might be a little hard for the hospital's employees to get used to, it's really a win for us normal folk (assuming it's all properly executed, which is a big assumption).
As far as legal recourse, IANAL but I don't think you really have one. While I get the whole "You're not touching my computer" bit, why don't you just use the computers provided ? Hell, even at the community college I go to, I have to install some software just to connect to their network. Same with some of the other corporations that friends and family work for. In the end, if you weasel your way around the restrictions and then lose your laptop, have it stolen, whatever - you'll really be on the hook.
Unless there are very good reasons that were not in TFA, my response would be:
1) My personal computer will stay at home from now on
2) The IT department does not install anything on my personal computer.
3) I won't check my (work) email from my home anymore. Anyone who wants to contact me can use a phone (and better have a damn good reason if it happens at 2 a.m. in the night).
C - the footgun of programming languages
The solution is pretty simple. Don't use personal computers for business use.
If I'm a patient at your hospital I'm barely comfortable relying on the hospital's IT department to keep my medical information secure. I certainly don't want to rely on a myriad of clueless doctors, nurses, and miscellaneous technicians and administrators all maintaining or failing to maintain their own home computers.
I hope that if my medical information is leaked through any hospital employee's personal computer that I will be able to sue them for millions. It's just irresponsible to leave the handling of sensitive data to the random computer skills of people who are mostly employed for their non-computer skills.
I hope that most hospital employees are skilled in medical fields but I don't expect them to be particularly skilled with computers or to really care that much about computer security. I expect the hospital's IT department to be extremely vigilant about computer security so that the medical personnel can focus on healing patients.
IT can't do jack to your computer without your consent. To do so would be criminal. However, IT is under absolutely no obligation to let your computer on their network. And, while they probably can't stop you from pinging the mailserver, they can certainly stop you from logging in from an untrusted machine. Given that (I am quite sure) this process is a gigantic pain in the ass for the IT guys, they have probably been told that stopping you is their job (either under the law, or because the boss will fire them otherwise).
You are basically at an impasse here. They can't touch your computer without your consent; but you can't touch their network without their consent, and they can make your consent a condition of their consent.
Your options are basically as follows:
1) Stop checking email from home/personal machine at work. If this is impractical/untenable, move on to step two.
2) Request that, if IT wants security and management, they issue you the hardware you need to do your job. If you don't have the clout/there's no chance in hell/you'll be stuck on a Latitude CPi from 1999 if you do that, move on to step 3.
3) Purchase a "sacrificial" notebook. A netbook or cheap CULV thin-and-light (depending on where you fall on the small size vs. screen size issue) can be had for $400 or less on any given day, depending on which models are on sale. Buy one, set up a restore disk, then let the IT department do its vile work. If their software fucks it up, run the restore and make IT do it again.
"Find a new job" may be a curse, not advice.
If I were a patient in your hospital, and the doctor was using some ultrasound machine or other PC-based diagnostic device, and the damn thing had a virus that caused a misdiagnosis, I'd be right pissed at the person who brought the virus in.
I know that lots of those machines are still running the manufacturer's originally-shipped OS, because they don't certify every OS hotfix and patch that comes out. I also know that if the thing can email a doctor a copy of the results, the doctors insist that the email works, so a network connection is mandatory. So you could be operating a production system on a completely unprotected environment.
Bringing in anything at all, whether it be a USB stick or a CD-ROM, could threaten those devices. And with our health care on the line, you want us to defend rules that might help clean up a risky mess?
Wrong crowd.
John
*sigh* First you bitch and moan about how everyone should encrypt everything on their computers and brag about how easy it is to do full-partition encryption and how it's oh so fucking great that there's encryption around to protect you from the sp00ks and boogeymen that dadgum gummint apparently sends after you every day (oooo, scaaaaaaary!).
And THEN you bitch and moan when someone TELLS you to do full-scale encryption on your computers! You people are never happy, are you? THIS is why nobody takes us seriously! THIS is why we can't have nice things!
I manage security for a major hospital system and I am leading the encryption roll out.
1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.
2. Notification costs MAJOR dollars plus the PR hit
3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.
4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.
This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)
Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.
But in your case, there's a clear cut solution. Company policy says you need to only access their information from an encrypted computer. That leaves you with four options.
Don't forget, no matter how stupid you think the policy is (or it may actually be), it's still your job to abide by them (unless you have the power to change them, which it doesn't seem you do). So either comply, or don't. If you chose not to, realize that you may be let go... It's as simple as that.
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
Keep your personal machine off the Hospital network.
The only really sane policy: if it's on the Hospital network, it conforms to IT security guidance. Period.
I'm assuming you're in the U.S. "Exuberant" is an apt description of HIPAA data infrastructure guidance, but it's still the law of the land. I don't want my patient information accidentally sneaking out on your laptop's unencrypted hard drive.
If you must conduct personal internet business at work and don't want to convert your personal computer into a personally-owned company-configured machine, bypass the hospital net with a 3g dongle and your own data plan.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Hi,
IMHO a private PC has no business inside any enterprise (>1,000 PCs) network. If a PC of an employee/consultant/customer is used, it is placed in a special DMZ. From there it can connect (e.g. by SSL-VPN) to the company network. It has access only to certain resources. The access to the resources may vary with "type of authentication", "security level of the PC", etc. Certain actions (e.g. transfer of files) are only allowed through clearing points.
Installing any kind of endpoint security (disk encryption, desktop firewall) on a private PC by an enterprise is a recipe for disaster. I have been doing endpoint security concepts and projects for several years now. An exact inventory of OS, hardware, software installed, etc. is an absolute key element for such a project to succeed. If you use a "this software works for all platforms" approach, the support effort will usually kill you ten times over. Even the best software (Check Point FDE for enterprises, TrueCrypt for private users) has many dependencies: the virus scanner may prevent the boot sector from being written, the keyboard may not be recognised correctly by the preboot authentication code, certain boot loaders may not be interoperable with the product of choice, or you just may be unlucky.
It is probably cheaper for an enterprise to give a workplace (e.g. thin client, SunRay or cheap notebook) to an employee (even a temp) than to try to fix his security for or against him.
Sincerely yours, Martin
P.S. This is a very, very short summary. A complete account of experiences and ideas would take days to type. When a customer wants an introduction to the topic, I usually start with a 2-4 hour presentation.
If there is someone there who insists that home machine be allowed on the network (beyond stupid in the first place) this might be the "compromise" that the IT department was able to reach.
You can have your home machine on the network ... BUT ... it must have full disk encryption.
Most everyone will be able to figure out that that means "leave your home computer at home".
I'm sorry, you must be under the impression that systems in a hospital are integrated in SOME fashion. They are not, and I've never heard of one that was, although my experience with them only spans about 7 years and only includes 3 U.S. states (not Mass). Electronic medical records are just now KIND OF being integrated and usually only at expensive hospitals. And I have yet to see a medical diagnostic device that didn't run in its own vendor-supported proprietary bubble. So having a virus run amok doesn't really concern me as it would get stopped in its tracks by the entire clusterfuck that is Healthcare IT.
Healthcare IT is a vendor lock-in, non-integrated mess and having IT run around and lose people's data with some mandated encryption system they probably bought from a snake oil salesman is probably worse than any scenario you might be thinking about.
A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
Probably something like "because you say it is in a signed statement." Lying is almost certainly grounds for termination plus whatever penalties HIPAA can be used to bring to bear. Lying, therefore, would be stupid, the act of a total moron.
This is health care and health care records. We should all hope they get serious, are serious and stay serious.
Apart from them wanting to clamp down on the security elements of staff stealing or being negligent with patient records, there is a huge hole here for injecting viruses and malware into the hospital. There's also a disease vector from bringing outside stuff in and out of a hospital: MRSA can easily be transmitted on touched surfaces (hence the medical wipes and hand-gels by every doorknob in many countries).
Hopefully every other hospital will follow the lead from yours.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
People who use their own personal machines to access sensitive information should perhaps be even *more* restrictive. It is this type of access that is the most dangerous.
If you simply have to check your facebook, check email, etc., then get yourself a 3G network enabled device.
I suggest that the answer is very simple and non-technical. They ask everyone with access to email externally to sign a piece of paper stating that they have read the security policy and will never violate it, where violating it is doing things like accessing the email system through any unsecured computer.
Violation of the policy is grounds for immediate termination plus criminal penalties for potentially exposing patient data. After the first guy goes to jail for five years or so people will start actually paying attention.
Don't think that this is going to be isolated to MA. It is a logical outgrowth of HIPAA and is pretty much a requirement. It is about time.
If you were "trying to help out" then stop. NOW. You're helping no one. Using your own resources for testing? I do that, as I manage a VPN client that has specific.... issues. So I use my home software to verify connectivity from other networks. But when they want info on other OSes etc., I now say: show me the H/W.
I can't test w/ hardware that I don't have, and I'm no longer going to use my hardware to do their work.
Not because I don't want to, but if I run into a problem (like a drive I had passed on its bits to the next world) I have to FURTHER use my resources to try and get back to a working state ASAP. This is difficult for some people to do.
However my boss totally got it, understood what I needed and is prepping me w/ the supplies as we speak.
Just let them know what you need. If you're expected to do any work at home, you should expect them to hand you a laptop. It's so common, it's not even worth mentioning really.
How much is your data worth? Back it up now.
A few comments:
1) Why on earth are they allowing people to use personal computing on the company network?
2) For home access, they should deploy some type of terminal environment at the office. So that you get the screen displayed on your home computer, but don't actually get the data stored there.
Personally I think they should be banning any non-company devices from their internal network. Period.
As for the home access, I agree with you about not wanting them to install software on your personal machines (if they just want Anti-Virus, that is one thing, but requiring disk encryption...)
But I agree with their need to lock it down. They're just going about it wrong.
Many also do it because whether or not someone you pay to do work uses tools you provide or brings their own tools is one of 20 factors specifically identified by the IRS as being used to determine whether a person paid to do work for you is an "employee" for whom you are required to withhold income taxes, pay the employer's share and withhold the employee's share of payroll taxes, etc., or an "independent contractor" to which none of those rules apply. Using the employer's tools is a factor that specifically weighs in favor of finding that the worker is an employee, not an independent contractor.
Merely calling someone a "consultant" or "contractor" doesn't make the government see them that way, and employers who want someone to legally have "contractor" status generally want to do everything possible to assure that if that status is ever challenged, either by the worker or the government, the employer's position that the worker is a "contractor" is upheld.
Yes. Quit.
"In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day."
The IT department made a mistake there. Not acceptable to allow confidential data on a private machine. Their error, not yours. If your department doesn't have budget for IT services, perhaps it needs to be managed properly or shut down. Obviously, they will manage it properly.
"the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home"
BlackBerry. Problem solved. If they balk at handing out BBs, then you don't need offsite or portable email access. Problem solved.
I'm astonished that they let you bring your own machine in to do work with confidential data. Entirely unacceptable, no matter how diligent you are about your machine's security. It is responsible. They cannot be responsible if they don't control the environment, including the hardware and software. I'm equally astonished they aren't using a VPN with certificates.
But I am not unfamiliar with Massachusetts hospitals, so I am not greatly astonished. One Boston-area hospital got a cool teleradiology contract with a hospital I worked at back in the 90s, and gave us the stern lectures about security, data encryption, etc. And emailed the user IDs and passwords to everyone on the department mailing list, even the CEO and CFO. Nice, guys. How about taking out an ad in the Globe next time, ok? It would be safer, nobody reads that.
deleting the extra space after periods so i can stay relevant, yeah.
I'm going to take a different tack from most responders and ask why, if the IT department is sufficiently concerned about security to require whole-disk encryption on all machines connecting to the network (as a member of the security industry, I applaud their decision), do they allow people to connect their personal machines to the network? Especially in a HIPAA environment, that's nuts. How do they ensure that you retain no confidential data on your personal computer if you quit? In such an environment, no one should be allowed to use personal equipment on the network, but if they are, they should all be required to sign a contract that upon leaving employment (voluntarily or not), they will turn over any personal machines used to connect to the hospital network so that the disk(s) can be removed and destroyed.
That said, if they are going to let you connect your personal gear and you are dead-set on doing it, install whole-disk encryption yourself and bring the machine in for them to inspect it. They'll probably want the passphrase, too.
If they won't budge, then you either stop using your personal machine or you let them install their encryption solution on it. You may not like their decisions (I don't like all of my employer's IT decisions either), but it's the hospital's network, not yours, which means they get to make the rules. If you find this one so onerous that you can't live with it, I recommend seeking work elsewhere before it gets to bug you so much that it harms your job performance. Otherwise, you may wind up seeking work elsewhere anyway, but under less good circumstances.
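One way an inspector could verify a self-encrypted Linux laptop brought in as described above, as an added example that is not code from the thread or from any hospital's IT department: it parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and checks that /, /home and swap sit under a dm-crypt device. The sample `lsblk` output is constructed, and the list of required mountpoints and the tolerance of a plaintext /boot are assumptions.

```python
"""Full-disk-encryption inspection check for Linux hosts (added example).

Walks the block-device tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT`
and reports whether each mounted filesystem has a dm-crypt ("crypt")
device somewhere between it and the physical disk.  It proves only that
the data is on an encrypted container; it does not prove that a
passphrase (rather than a keyfile left on plaintext /boot) is required.
"""
import json
import subprocess

# Constructed sample: LUKS container holding LVM root/home/swap, plus a
# plaintext /boot and an external unencrypted data disk.
SAMPLE_LSBLK_JSON = r'''{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
       {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
       {"name": "nvme0n1p3", "type": "part", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "mountpoint": null,
           "children": [
             {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
             {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
             {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
           ]}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "mountpoint": "/data"}
     ]}
  ]
}'''

# Assumption: these must be encrypted.  /boot is left out because the
# bootloader has to read it in plaintext in a normal LUKS layout.
REQUIRED_ENCRYPTED = ("/", "/home", "[SWAP]")


def mountpoint_encryption(lsblk_json_text):
    """Return {mountpoint: bool}; True when a 'crypt' device is an ancestor
    (or the node itself) of the device carrying that mountpoint."""
    tree = json.loads(lsblk_json_text)
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree["blockdevices"]:
        walk(device, False)
    return result


def fde_report(lsblk_json_text):
    """Return (passes, failures, warnings).  A required mountpoint that is
    missing or unencrypted is a failure; any other plaintext filesystem
    (except /boot*) is flagged for review but does not fail the check."""
    encrypted = mountpoint_encryption(lsblk_json_text)
    failures, warnings = [], []
    for mountpoint in REQUIRED_ENCRYPTED:
        if mountpoint not in encrypted:
            failures.append(f"{mountpoint}: not mounted, cannot verify")
        elif not encrypted[mountpoint]:
            failures.append(f"{mountpoint}: NOT on a dm-crypt device")
    for mountpoint, ok in encrypted.items():
        if (not ok and mountpoint not in REQUIRED_ENCRYPTED
                and not mountpoint.startswith("/boot")):
            warnings.append(f"{mountpoint}: plaintext filesystem outside the required set (review)")
    return (not failures, failures, warnings)


def check_live_host():
    """Run lsblk on the machine being inspected and evaluate its output."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return fde_report(out)


if __name__ == "__main__":
    passes, failures, warnings = fde_report(SAMPLE_LSBLK_JSON)
    print("PASS" if passes else "FAIL", failures, warnings)
```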
A non-integrated system doesn't mean the equipment isn't sharing the same network infrastructure. Viruses, worms, malware or whatever, they don't restrict themselves to looking for "integrated systems" to infect. They blast their payloads out to any network or subnet address within reach. Vulnerable systems get infected, integrated or not.
The things I'm talking about are machines that have no apparent medical business being on the network, yet are. I was looking at an ultrasound machine that was still running XP SP1 because that's what the vendor shipped. And it was obviously on the network because the doctor was able to send the images electronically. Why it wasn't adequate to simply drop the printed copies of images into the file folder that was sitting next to him, I don't know.
Sure, nobody is SUPPOSED to go to the desktop and surf the web from that machine, or read their email from it, but that doesn't mean it's not vulnerable to some other attack like Blaster. Other concerns are that since the machine is portable, and it has had patient information in it, that encryption might prevent someone from harvesting patient names (and whatever other information is associated with the patient and is still on the hard drive.)
Bottom line: that hospital's infrastructure was fragile, as I suspect most of them are. Sure, mandated encryption is a politician's stupid requirement that probably won't solve many real-world problems. But plugging personal equipment into a weakly secured network is a high risk proposition, one they should immediately cut off.
John
""their network - their rules" is something the asker should know (or at least familiarize themselves with if they want to continue to use computers in the US)."
Agreed. I'm a bit shocked at the arrogance of this Ask Slashdot:
"they now require full-disk encryption on any computer connected to their network on site....many of the employees (myself included) bring their own personal machines to work every day...Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"
This is a joke, right? Late April Fools'? Surely this guy is not crying "I want to use my private spyware and virus-ridden laptop on my company's network and they're requiring (INSERT SOFTWARE) be installed!" Oh sure, your laptop has no spyware/viruses, but what about Nurse Betty's laptop on 3rd floor? Or Janitor Steve's?
my karma will be here long after I'm gone
If a major hospital is letting people roll up and connect personal (i.e. uncontrolled) laptops to their internal networks, the information security team/officer there is either incompetent or being ignored. They should take responsibility for making sure neither of those things is happening.
As for the OP, they seem to me to be recklessly endangering the security of patient data. People's personal laptops have all kinds of scary cruft on them. Seventeen different kinds of malware, if they run Windows, probably.