Slashdot Mirror

← Back to Stories (view on slashdot.org)

Recourse For Draconian Encryption Requirements?

Posted by kdawson on from the cold-dead-fingers dept.

CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"

45 of 555 comments (clear)

  1. Obvious. by Yamata+no+Orochi · · Score: 5, Insightful

    Er. As part of the IT staff at a hospital, I can tell you they certainly can't touch your machine if you don't want them to. But they don't have to let you touch their network with your machine if you won't submit to their requirements. That's that.

    1. Re:Obvious. by xaxa · · Score: 4, Insightful

      So it's easy: either they provide you with a computer to use at home, or you stop checking your email at home.

    2. Re:Obvious. by Daengbo · · Score: 5, Insightful

      Their network, their rules. Stop taking your personal machine, and require them to supply you with one to do your job. Stop accessing the network after work. They cannot force you to install something on your computer, so they can't force you to connect after hours from home.

      Oh, yeah, and start looking for a new job. This stance will make your life easier, but you'll never get promoted.

      --
      Put identity in the browser.
    3. Re:Obvious. by tom17 · · Score: 4, Insightful

      this
      Too many people feel the need to take their jobs home with them. If it's a job necessity for you to do so then the company has to supply the means to do it.

      Tom...

    4. Re:Obvious. by klubar · · Score: 5, Insightful

      I have to agree with your employer on this one.

      Disallowing private machines on the network is good IT practice. Employeers should not allow any unapproved (and non-employer supplied) device to connect to their networks or machines (and this should include all USB devices like camera, MP3 players, headsets). If you need it for your job, your employer should supply and support it.

      Most concerned and resonsible organizations use strong measures to authentic machines before they are allowed to connect to the corporate network. (They might allow guest machines is a firewalled zones for vistor/guest convenience.) I have to say that your employeers policy for no foreign machines on the network is quite reasonable. As for checking your mail remotely, there are some secure solutions for Exchange that enforce secure authentication and encryption for remote access via a web browser.

      You might suggest that your employeer supply smart phones like the Blackberry that can be used for secure email access and can be remotely monitored and wiped if comprimised. (POTUS has a BB that passed the security screen.) I wouldn't be surprised if your employer restricts these devices to only business use (as it is their money that is paying for them.)

    5. Re:Obvious. by buchner.johannes · · Score: 4, Insightful

      Dongles and laptops are bad for security. It is obvious that the IT department doesn't want them. Tell them you need a computer so you can stay productive, if they need control over it they should provide it.
      Why are people bringing their own equipment in the first place?

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:Obvious. by poetmatt · · Score: 4, Insightful

      yeah, that should raise red flags all over.

      I mean phones, ipods, etc, that cannot be reasonably controlled. However, personal laptops at work is asking for hippa, general confidentiality issues, and general security issues all around. If people are using personal laptops on the company network that's something worth informing IT/HR, as that's a huge risk.

      All it takes is one employee with a virus and you're set for a lawsuit, or one employee with bad intentions and you've got a bunch of identity thefts.

    7. Re:Obvious. by jriding · · Score: 4, Informative

      And what happens when you want to leave the company? Do they get to keep your laptop? or review your laptop for 3 weeks to make sure you are not taking their data with you?

      Never use personal equipment at work. They have every right to fully review your equipment at any time to decide if their data is on your person equipment.

      --
      love the taste, hate the texture
    8. Re:Obvious. by butterflysrage · · Score: 4, Insightful

      This... the policy isn't draconian, it is absurdly lax. No unauthorized computers should be allowed, period.

      --
      the preceding post was not spell checked... suck it.
    9. Re:Obvious. by John+Hasler · · Score: 4, Insightful

      Point out to them that their encryption software is not working well when installed on employee-owned machines and therefor may not be making those machines secure. Try to do this without implying that they are incompetent or that the software is crap, even though both are probably true. Also point out that some employees may be tempted to remove the software without telling them. Suggest that a better solution would be to ban private computers entirely and provide laptops to those who need off-site access. Explain to your boss that because of your concerns about the stability of the encryption software and the risks to you and to the hospital of having sensitive information on your computer that you intend to cease using your personal machines for work. Emphasize your concern about the risks to the hospital.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    10. Re:Obvious. by Yamata+no+Orochi · · Score: 4, Informative

      Because the hospital is probably not a standalone company, but rather part of a "Health System" or similar type of organization. They are likely in direct competition with other, nearby hospitals belonging to other regional health systems or organizations. Why wouldn't they have a marketing department?

      To reiterate, I'm speaking from personal industry involvement.

    11. Re:Obvious. by Achromatic1978 · · Score: 4, Informative

      Random pedantry, HIPAA, not HIPPA. That being said, two thumbs up. I'm amazed that anyone's allowed to connect their personal equipment to the network, as someone who writes medical software.

    12. Re:Obvious. by ceoyoyo · · Score: 3, Insightful

      Yeah, that's one way of going about it. The other way to look at it is that if all it takes is one employee with an infected device to fry your network, your network is in a pretty sorry state.

      I work in medical research. My previous lab was on a hospital network. One day someone, somewhere in the hospital brought in a notebook with a virus. Most of the machines in the hospital went down, including one of the MR scanner consoles. It was a huge crisis. Our lab barely noticed -- we were running Macs. Our Windows terminal server was properly patched and firewalled.

      Hospital IT responded by cracking down on outside devices but NOT really tightening up security on individual machines. Of course, if someone, either with malicious intent or by mistake, plugged an infected laptop into the network, they would be right back at square one.

  2. Make lemonade by smallfries · · Score: 4, Insightful

    Stop reading work email at home. Problem solved, and it turns out that it is actually a blessing in disguise.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    1. Re:Make lemonade by Aceticon · · Score: 5, Insightful

      Except when responding to email within time period X is part of your job requirements.

      As somebody pointed out above, at that point your employer has to provide you with the equipment to do so.

    2. Re:Make lemonade by Mal-2 · · Score: 4, Insightful

      Except when responding to email within time period X is part of your job requirements.

      In this case it is the obligation of the employer to provide you with the equipment to do so.

      Mal-2

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    3. Re:Make lemonade by TheMeuge · · Score: 3, Insightful

      We live in a country where some cities are topping 20% unemployment, much of it middle-class white-collar jobs.

      Employers don't HAVE TO do anything now, because they can yawn, pick up the phone, and replace you in 24 hours with someone who doesn't mind dropping $2k to buy a shitty computer from the company's approved supplier to check work email at home, because they want to eat sometime this week.

    4. Re:Make lemonade by John+Hasler · · Score: 3, Insightful

      > What universe do you live in?

      One where involuntary servitude is illegal. He doesn't have to continue working there.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:Make lemonade by butterflysrage · · Score: 3, Insightful

      another reason why a tech union is sounding better and better.

      --
      the preceding post was not spell checked... suck it.
    6. Re:Make lemonade by butterflysrage · · Score: 4, Insightful

      A union wont keep you from being fired, but it will keep you from being replaced on a whim. Hell just look at what IBM is planning... over 75% of their workforce are basically losing all their benefits by being hired back on as private contractors. That means no health, no pention, no severance, even LESS security, same hours, same wage.

      --
      the preceding post was not spell checked... suck it.
    7. Re:Make lemonade by Jason+Levine · · Score: 3, Insightful

      So this hypothetical replacement employee has $2,000 lying around to buy a new computer but doesn't have enough money to feed himself/his family? Something tells me that, had I only $2,000 left in my bank account, I'd use it for food before using it to buy a computer.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  3. Stop bringing your machine to work by drinkypoo · · Score: 5, Insightful

    Just stop. If you need a portable machine that will be repeatedly connected to their network, make them assign you one. Alternately, ask them to sign a form claiming responsibility for any problem with your laptop, promising to pay for data recovery services should their software cause you some problem with your data, et cetera. But if I were them, I'd tell you to fuck off.

    You provided no argument as to why you should need to bring your own machine to work, so this is by far the most rational solution.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Stop bringing your machine to work by Jer · · Score: 4, Insightful

      This. Without an argument for why your personal machine should be on a sensitive network we can't help you.

      I'm slightly disturbed that there's a hospital out there that apparently allows employees unfettered access to their network from their personal machines, actually.

    2. Re:Stop bringing your machine to work by pesho · · Score: 4, Insightful

      My guess is that he is an a setup that I have seen on multiple places around the country - a research or university hospital. The network layouts were designed out at time when there where no data protection laws and little electronic patient records. As a result over the years machines that host the patient records now end up on the same network that hosts machines used for research, including everybody's personal laptop. Now the new and very appropriate data protection laws come into effect and the managment and IT staff have three choices:

      1. Spend tons of money on complete overhaul that will separate the patient records and the machines that process them from the rest of the network. This includes putting interfaces that would allow aggregate anonymized data to be accessed from the outside for population, epidemiological and other types of research.

      2. Encrypt everything that ever touches the network.

      3. Shut down the hospital or the research

      Which option would you choose?

      At the places where I have been very few of the postdoc and grad students have a computer that is purchased by the employer. Even if they do they still need to bring their personal laptop for various reasons directly connected to their work or study. I am currently doing research at a place like that and the security measures although not as draconian as in the article, are interfering seriously with my work. I never touch anything even remotely related to patients, but I need to exchange large chunks of data with colleagues around the world, have remote access to the local network, etc. Based on my experience I would advise the poster to calm down, and not lash out at the poor IT staff that has to deploy all this, while dealing with the anger of everybody around. You need to talk to people that are higher at the pay scale, define well the problem that you are facing and work with them to solve it.

  4. It's your machine, refuse. by Tim+C · · Score: 4, Insightful

    But be aware that it's their network, and expect them to refuse to allow you to connect to it.

    The real solution is that if you need a machine for your job, they should be providing it to you. If you do not, then leave it at home.

    --
    It's official. Most of you are morons.
  5. No. by characterZer0 · · Score: 5, Informative

    If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.

    --
    Go green: turn off your refrigerator.
  6. Just say no. by gus+goose · · Score: 3, Insightful

    If they insist on your home machine being encrypted, then tell them either:
    1. They must supply the machine, and it's theirs, and you'll only use it for work.
    2. refuse to do any work at home.

    gus

    --
    .. if only.
  7. Get an old machine by Angst+Badger · · Score: 4, Insightful

    Considering that decent used laptops -- adequate for checking mail and browsing the web, anyway -- can be had for about a hundred bucks, I'd just buy one off eBay or Craigslist and use that for work purposes. For a little more, you could always pick up a netbook or a bottom-of-the-line laptop new.

    --
    Proud member of the Weirdo-American community.
  8. Separate work and home by ageoffri · · Score: 4, Insightful

    If you don't want to follow security standards then don't check your email from your personal machine. If they make it a requirement that you be able to respond to email outside of the physical location then require a laptop. I really doubt you have any legal recourse, especially since HIPPA and PII data have so many additional requirements around them.

    --
    -- Slashdot, making the Left look conservative since 1997.
  9. Why Personal Equipment? by Slashdot+Parent · · Score: 3, Insightful

    Why do you need to use your personal computer equipment to do your job? Your employer should be supplying everything you need to do your job.

    If you need a computer at work, your employer should supply it.

    If you need to check email from home, your employer should supply you with a blackberry.

    This isn't rocket surgery.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  10. Yeah, stop using them on their network by Nursie · · Score: 4, Insightful

    It's that simple.

    Any business would be mad to let sensitive data (especially medical) get onto employee's home machines. And bringing personal machines to work and hooking them up the network?

    You're a walking, talking, security nightmare. Your IT staff should be fired for not being harsh enough. NO personal laptops on the network. NO accessing email from home machines.

  11. Honestly... by ProdigyPuNk · · Score: 3, Insightful

    This is one of those "damned if you do, damned if you don't" situations. The hospital is just trying to stay in compliance with HIPAA and the various personal non-public information regulations. Their solution DOES seem a little overboard, but this is what happens when people continually lose laptops/usb drives/etc that contain sensitive information. While this might be a little hard for the hospital's employees to get used to, it's really a win for us normal folk (assuming it's all properly executed, which is a big assumption).

    As far as legal recourse, IANAL but I don't think you really have one. While I get the whole "You're not touching my computer" bit, why don't you just use the computers provided ? Hell, even at the community college I go to, I have to install some software just to connect to their network. Same with some of the other corporations that friends and family work for. In the end, if you weasel your way around the restrictions and then lose your laptop, have it stolen, whatever - you'll really be on the hook.

  12. Why use your own PC on their network at all? by Lonewolf666 · · Score: 4, Insightful

    Unless there are very good reasons that were not in TFA, my response would be:

    1) My personal computer will stay at home from now on
    2) The IT department does not install anything on my personal computer.
    3) I won't check my (work) email from my home anymore. Anyone who wants to contact me can use a phone (and better have a damn good reason if it happens at 2 a.m. in the night).

     

    --
    C - the footgun of programming languages
  13. Pretty simple by Paul+Carver · · Score: 5, Insightful

    The solution is pretty simple. Don't use personal computers for business use.

    If I'm a patient at your hospital I'm barely comfortable relying on the hospital's IT department to keep my medical information secure. I certainly don't want to rely on a myriad of clueless doctors, nurses, and miscellaneous technicians and administrators all maintaining or failing to maintain their own home computers.

    I hope that if my medical information is leaked through any hospital employee's personal computer that I will be able to sue them for millions. It's just irresponsible to leave the handling of sensitive data to the random computer skills of people who are mostly employed for their non-computer skills.

    I hope that most hospital employees are skilled in medical fields but I don't expect them to be particularly skilled with computers or to really care that much about computer security. I expect the hospital's IT department to be extremely vigilant about computer security so that the medical personnel can focus on healing patient.

     

  14. Yes and No. by fuzzyfuzzyfungus · · Score: 3, Informative

    IT can't do jack to your computer without your consent. To do so would be criminal. However, IT is under absolutely no obligation to let your computer on their network. And, while they probably can't stop you from pinging the mailserver, they can certainly stop you from logging in from an untrusted machine. Given that (I am quite sure) this process is a gigantic pain in the ass for the IT guys, they have probably been told that stopping you is their job(either under the law, or because the boss will fire them otherwise).

    You are basically at an impasse here. They can't touch your computer without your consent; but you can't touch their network without their consent, and they can make your consent a condition of their consent.

    Your options are basically as follows:
    1)Stop checking email from home/personal machine at work. If this is impractical/untenable, move on to step two.
    2)Request that, if IT wants security and management, they issue you the hardware you need to do your job. If you don't have the clout/there's no chance in hell/you'll be stuck on a Latitude CPi from 1999 if you do that, move on to step 3.
    3)Purchase a "sacrificial" notebook. A netbook or cheap CULV thin-and-light(depending on where you fall on the small size vs. screen size issue) can be had for $400 or less on any given day, depending on which models are on sale. Buy one, set up a restore disk, then let the IT department do its vile work. If their software fucks it up, run the restore and make IT do it again.

  15. Typical unpleaseable geekdom by Anonymous Coward · · Score: 3, Informative

    *sigh* First you bitch and moan about how everyone should encrypt everything on their computers and brag about how easy it is to do full-partition encryption and how it's oh so fucking great that there's encryption around to protect you from the sp00ks and boogeymen that dadgum gummint apparently sends after you every day (oooo, scaaaaaaary!).

    And THEN you bitch and moan when someone TELLS you to do full-scale encryption on your computers! You people are never happy, are you? THIS is why nobody takes us seriously! THIS is why we can't have nice things!

  16. Yes, Sorta, No by Anonymous Coward · · Score: 5, Informative

    I manage security for a major hospital system and I am leading the encryption roll out.

    1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.

    2. Notification costs MAJOR dollars plus the PR hit

    3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.

    4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.

    This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)

    Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.

  17. Yay for misinterpretation! by ircmaxell · · Score: 3, Informative
    This all boils down to misinterpretation of the laws governing medical information (Most importantly HIPPA - Health Insurance Privacy and Protection Act)... They don't need every machine being encrypted. All they need to do is make sure that the medical information is encrypted. And encrypting the hard drive has nothing to do with that. If they are providing you with web mail (something like Outlook Web Access), then what difference in reality does it make if you have your hard drive encrypted? All they need to do is set the headers properly to not allow client side caching. That way, you never have any data on your machine anyway. I don't see any reason that all the hard drives in the facility need to be encrypted. If they wanted to create an encrypted data partition, sure. If they want to encrypt laptops, fine. But why is sensitive data stored on local computers anyway? That should all reside on an encrypted network share (if for nothing else than data backup and compliance reasons). All they are doing is trying to cover their asses so that in case something does happen, they can say "well, but we took steps to try to lock down the data" even if those steps were ancillary and irrelevant to the problem at hand.

    But in your case, there's a clear cut solution. Company policy says you need to only access their information from an encrypted computer. That leaves you with four options.
    • Encrypt your personal computer
    • Get a second computer just for work, and encrypt that
    • Have your employer provide you with a laptop or computer to take home to work with
    • Don't work from home

    Don't forget, no matter how stupid you think the policy is (or it may actually be), it's still your job to abide by them (unless you have the power to change them, which it doesn't seem you do). So either comply, or don't. If you chose not to, realize that you may be let go... It's as simple as that.

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  18. Simple solution by idontgno · · Score: 3, Insightful

    Keep your personal machine off the Hospital network.

    The only really sane policy: if it's on the Hospital network, it conforms to IT security guidance. Period.

    I'm assuming you're in the U.S. "Exuberant" is an apt description of HIPAA data infrastructure guidance, but it's still the law of the land. I don't want my patient information accidentally sneaking out on your laptop's unencrypted hard drive.

    If you must conduct personal internet business at work and don't want to convert your personal computer into a personally-owned company-configured machine, bypass the hospital net with a 3g dongle and your own data plan.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  19. Standard Policy by mseeger · · Score: 5, Insightful

    Hi,

    IMHO a private PC has nothing to do inside any enterprise (>1.000 PCs) network. If a PC of an employee/consultant/customer is used, he is placed in a special DMZ. From there he can connect (e.g. by SSL-VPN) to the company network. He has only access to certain ressources. The access to the ressources may vary with "type of authentication", "security level of the pc", etc. Certain actions (e.g. transfer of files) are only allowed through clearing points.

    Installing any kind of endpoint security (disk encrpytion, desktop firewall) on a private PC by an enterprise is a recipe for disaster. I am doing endpoint security concepts and projects for several years now. An exact inventory of OS, Hardware, Software installed, etc. is an absolute key element for such a project to succeed. If you use a "this software works for all platforms" approach, the support effort will usually kill you ten times over. Even the best software (Check Point FDE for Enterprises, Truecrypt for private users) has many dependencies: The virus scanner may prevent the boot sector to be written, the keyboard may not be recognised correctly by the Preboot-Auth-Code, certain Boot-Loader may not be interoperable with product of choice or you just may be unlucky.

    It is probably cheaper for an enterpise to give a worklplace (e.g. Thin Client, SunRay or cheap Notebook) to an employee (even a temp) than trying to fix his security for or against him

    Sincerely yours, Martin

    P.S. This is a very, very short summary.... A complete account of experiences and ideas would require days to type. When a customer wants an introduction into the topic, i usually start with an 2-4 hour presentation.

  20. Maybe the passive aggressive approach? by khasim · · Score: 3, Insightful

    If there is someone there who insists that home machine be allowed on the network (beyond stupid in the first place) this might be the "compromise" that the IT department was able to reach.

    You can have your home machine on the network ... BUT ... it must have full disk encryption.

    Most everyone will be able to figure out that that means "leave your home computer at home".

  21. Re:Find a new job by capnchicken · · Score: 5, Interesting

    I'm sorry, you must be under the impression that systems in a hospital are integrated in SOME fashion. They are not, and I've never heard of one that was, although my experience with them only spans about 7 years and only includes 3 U.S. states (not Mass). Electronic medical records are just now KIND OF being integrated and usually only at expensive hospitals. And I have yet to see a medical diagnostic device that didn't run in it's own vendor supported proprietary bubble. So having a virus run amok doesn't really concern me as it would get stopped in its tracks by the entire clusterfuck that is Healthcare IT.

    Healthcare IT is a vendor lock-in, non-integrated mess and having IT run around and lose people's data with some mandated encryption system they probably bought from a snake oil salesman is probably worse than any scenario you might be thinking about.

    --
    A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
  22. I Concur by DRAGONWEEZEL · · Score: 4, Insightful

    If you were "trying to help out" then stop. NOW. You're helping no one, using your own resources for testing? I do that as I manage a VPN client that has specific.... issues. So I use my home software to verify connectivity from other networks... But when they want info on other OS's etc, I now say Show me the H/W.

    I can't test w/ hardware that I don't have, and I'm no longer going to use my hardware to do their work.

    Not because I don't want too, but if I come into a problem (like a drive I had passed on it's bit's to the next world) I have to FURTHER use my resources to try and get back to a working state asap. This is difficult for some people to do.

    However my boss totally got it, understood what I needed and is prepping me w/ the supplies as we speak.

    Just let them know what you need. If you're expected to do any work at home, you should expect them to hand you a laptop. It's so common, it's not even worth mentioning really.

    --
    How much is your data worth? Back it up now.
    1. Re:I Concur by rwv · · Score: 4, Insightful

      I'm posting at the top because I've never seen such a unified response to an AskSlashdot in the decade I've spent reading this site. I want to inform readers... don't waste your time reading past this point because the rest of the discussion is redundant.

  23. Why consultants have to use their own tools by DragonWriter · · Score: 3, Informative

    Many companies/governmental institutions require the consultants to provide their own hardware since they think it's cheaper.

    Many also do it because whether or not someone you pay to do work uses tools you provide or brings their own tools is one of 20 factors specifically identified by the IRS as being used to determine whether a person paid to do work for you is an "employee" for whom you are required to withhold income taxes, pay the employer's share and withhold the employee's share of payroll taxes, etc., or an "independent contractor" to which none of those rules apply. Using the employers tools is a factor that specifically weighs in favor of finding that the worker is an employee, not an independent contractor.

    Merely calling someone a "consultant" or "contractor" doesn't make the government see them that way, and employers who want someone to legally have "contractor" status generally want to do everything possible to assure that if that status is ever challenged, either by the worker or the government, the employers position that the worker is a "contractor" is upheld.