Recourse For Draconian Encryption Requirements?

CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"

Obvious.

[Yamata+no+Orochi]

Er. As part of the IT staff at a hospital, I can tell you they certainly can't touch your machine if you don't want them to. But they don't have to let you touch their network with your machine if you won't submit to their requirements. That's that.

Re:Obvious.

[Daengbo]

Their network, their rules. Stop taking your personal machine, and require them to supply you with one to do your job. Stop accessing the network after work. They cannot force you to install something on your computer, so they can't force you to connect after hours from home.

Oh, yeah, and start looking for a new job. This stance will make your life easier, but you'll never get promoted.

Re:Obvious.

[klubar]

I have to agree with your employer on this one.

Disallowing private machines on the network is good IT practice. Employeers should not allow any unapproved (and non-employer supplied) device to connect to their networks or machines (and this should include all USB devices like camera, MP3 players, headsets). If you need it for your job, your employer should supply and support it.

Most concerned and resonsible organizations use strong measures to authentic machines before they are allowed to connect to the corporate network. (They might allow guest machines is a firewalled zones for vistor/guest convenience.) I have to say that your employeers policy for no foreign machines on the network is quite reasonable. As for checking your mail remotely, there are some secure solutions for Exchange that enforce secure authentication and encryption for remote access via a web browser.

You might suggest that your employeer supply smart phones like the Blackberry that can be used for secure email access and can be remotely monitored and wiped if comprimised. (POTUS has a BB that passed the security screen.) I wouldn't be surprised if your employer restricts these devices to only business use (as it is their money that is paying for them.)

Stop bringing your machine to work

[drinkypoo]

Just stop. If you need a portable machine that will be repeatedly connected to their network, make them assign you one. Alternately, ask them to sign a form claiming responsibility for any problem with your laptop, promising to pay for data recovery services should their software cause you some problem with your data, et cetera. But if I were them, I'd tell you to fuck off.

You provided no argument as to why you should need to bring your own machine to work, so this is by far the most rational solution.

No.

[characterZer0]

If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.

Re:Make lemonade

[Aceticon]

Except when responding to email within time period X is part of your job requirements.

As somebody pointed out above, at that point your employer has to provide you with the equipment to do so.

Pretty simple

[Paul+Carver]

The solution is pretty simple. Don't use personal computers for business use.

If I'm a patient at your hospital I'm barely comfortable relying on the hospital's IT department to keep my medical information secure. I certainly don't want to rely on a myriad of clueless doctors, nurses, and miscellaneous technicians and administrators all maintaining or failing to maintain their own home computers.

I hope that if my medical information is leaked through any hospital employee's personal computer that I will be able to sue them for millions. It's just irresponsible to leave the handling of sensitive data to the random computer skills of people who are mostly employed for their non-computer skills.

I hope that most hospital employees are skilled in medical fields but I don't expect them to be particularly skilled with computers or to really care that much about computer security. I expect the hospital's IT department to be extremely vigilant about computer security so that the medical personnel can focus on healing patient.

 

Yes, Sorta, No

I manage security for a major hospital system and I am leading the encryption roll out.

1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.

2. Notification costs MAJOR dollars plus the PR hit

3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.

4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.

This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)

Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.

Standard Policy

[mseeger]

Hi,

IMHO a private PC has nothing to do inside any enterprise (>1.000 PCs) network. If a PC of an employee/consultant/customer is used, he is placed in a special DMZ. From there he can connect (e.g. by SSL-VPN) to the company network. He has only access to certain ressources. The access to the ressources may vary with "type of authentication", "security level of the pc", etc. Certain actions (e.g. transfer of files) are only allowed through clearing points.

Installing any kind of endpoint security (disk encrpytion, desktop firewall) on a private PC by an enterprise is a recipe for disaster. I am doing endpoint security concepts and projects for several years now. An exact inventory of OS, Hardware, Software installed, etc. is an absolute key element for such a project to succeed. If you use a "this software works for all platforms" approach, the support effort will usually kill you ten times over. Even the best software (Check Point FDE for Enterprises, Truecrypt for private users) has many dependencies: The virus scanner may prevent the boot sector to be written, the keyboard may not be recognised correctly by the Preboot-Auth-Code, certain Boot-Loader may not be interoperable with product of choice or you just may be unlucky.

It is probably cheaper for an enterpise to give a worklplace (e.g. Thin Client, SunRay or cheap Notebook) to an employee (even a temp) than trying to fix his security for or against him

Sincerely yours, Martin

P.S. This is a very, very short summary.... A complete account of experiences and ideas would require days to type. When a customer wants an introduction into the topic, i usually start with an 2-4 hour presentation.

Re:Find a new job

[capnchicken]

I'm sorry, you must be under the impression that systems in a hospital are integrated in SOME fashion. They are not, and I've never heard of one that was, although my experience with them only spans about 7 years and only includes 3 U.S. states (not Mass). Electronic medical records are just now KIND OF being integrated and usually only at expensive hospitals. And I have yet to see a medical diagnostic device that didn't run in it's own vendor supported proprietary bubble. So having a virus run amok doesn't really concern me as it would get stopped in its tracks by the entire clusterfuck that is Healthcare IT.

Healthcare IT is a vendor lock-in, non-integrated mess and having IT run around and lose people's data with some mandated encryption system they probably bought from a snake oil salesman is probably worse than any scenario you might be thinking about.