Slashdot Mirror


User: fishbowl

fishbowl's activity in the archive.

Stories: 0 · Comments: 7,435

Comments · 7,435

  1. Re:Uh, unless you're a programmer... on Microsoft Counts Down To XP Death · Score: 3, Insightful

    There are plenty of applications where there isn't even a network connection or multiple users or even changes to user software.
    For them, loss of patches and updates isn't really a problem. What might be a problem is if it becomes impossible to activate the OS. I assume there are activation hacks out there, but if there aren't, then this event will cause them to become more widespread. Some people care more about the legal implications of this than others.

  2. Re:Pffft..easy fix: on Dropbox Can't See Your Dat– Er, Never Mind · Score: 1

    If you are satisfied with pseudorandom pads, all you need to keep is the seed.

  3. Re:Truecrypt on Dropbox Can't See Your Dat– Er, Never Mind · Score: 2

    If you have the dropbox agent installed, how do you know anything on your computer is private?

  4. Re:Not even sure why people want to be managers on Promotion Or Job Change: Which Is the Best Way To Advance In IT? · Score: 1

    Every place where I've worked, the curve of that hockey stick represents either personal investment of capital, a person with enough wealth that the *prospect* of his personal investment is high, a political appointment to a public board, or all of the above.

  5. Re:Not even sure why people want to be managers on Promotion Or Job Change: Which Is the Best Way To Advance In IT? · Score: 1

    Where are these jobs that are so easily changed?

  6. Re:I have no mouth, but I must scream.... on Skynet Becomes Aware, Launches Nuclear Attack · Score: 1

    What Ellison story are you talking about? The connection between Ellison and the Terminator is based on television screenplays, and while I can understand the connection, it's hardly a derivative work.

  7. Re:Why is dd not sufficient? on The 'Three Ton' Hard Drive Destroyer · Score: 1

    Where I work (a defense plant) it is not unusual to dispose of disk drives. The ones we destroy have usually been pulled from copy machines. When a copy machine leaves a secure facility for any reason, the drive is shredded. Wiping with software isn't really an option because the disk would have to work, you have to have a machine that can interface it, you have to trust the person who does the wipe, which is falsifiable.

    So we use a purpose-built shredder. The one we use is pretty impressive, an "AMS-2000". I think it could shred the shredder in the article. This is the same kind of shredder that is probably in use by a half dozen competing document disintegration services in your area. It's exactly what they use at Iron Mountain for destroying disk drives and LTO tapes, which is why we chose it.

    As Donald Trump would say, "it's a wonderful product, it's my favorite hard disk shredder, and I love it."

  8. Ameri-shred on The 'Three Ton' Hard Drive Destroyer · Score: 1

    I laugh when I hear about the "DOD" wipe protocol, because what we actually do here is feed drives to the Ameri-Shred. It's fun.

    http://www.ameri-shred.com/Hard_Drive_Shredder.html

    Most drives we destroy come from decommissioned copy machines. I never knew that copy machines had disk drives before this.

  9. Re:Half-life on TEPCO Unveils Plan To Deal With Fukushima Crisis · Score: 1

    But they are on the coast. Literally a stone's throw from boat docks. Why would they need *roads?*

  10. Re:Head of the division, you say? on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    >I agree that plugging in an unauthorized device is a gross violation of health information security.

    I agree that it *might be* and that it *should be* a gross violation. But without seeing the institutional policy, it is not possible to determine whether this represents a violation of that institution's HIPAA compliance policy. HIPAA (and many other federal regulations) are pretty weird in that they drive the creation of institutional policy and compliance with that institutional policy becomes a legal obligation. It's not like you can scan the CFR for something that points to the OP's situation and say "A-ha, illegal under 45 CFR 164". There are specific things to be found in the CFR but that's not really how it works.

    Working with auditors from a federal regulatory body, the institution creates an internal policy that meets the regulatory guidelines, which has an end result of compliance with those guidelines. Once your policy is approved, that regulatory body will periodically audit your compliance, effectively giving the internal policies that you created the force of law. The process is quite intense and expensive and ongoing. The thing that jumps out at me from the Ask Slashdot question is that there does not appear to be a policy to cover the questioner's situation, or the IT manager's response. They are testing and asserting an ad-hoc policy, and this in itself could be a symptom of a systemic problem that puts the institution out of compliance with HIPAA, assuming they are subject to the regs in the first place.

    We don't know much about the institution, and we don't know anything about its written policies. I'm willing to bet that it does have policies that haven't been properly communicated, and that both the administrator and the IT manager are in the wrong, and that not having a policy may be in itself a far more serious thing than the situation in the article.

  11. Re:Sysadmins VS Lusers, lets get ready to rumble! on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    In reality, there is plenty of gray area. If the violation is serious enough, and you have it documented well enough to take on the role of whistleblower, then that's your choice, and perhaps it is your duty to do so. If the violation isn't that serious, you may simply find yourself in the position of being easy to fire and be replaced with someone who is less eager to threaten the administration at every juncture. Since we don't really know the institutional policies, we are purely speculating as to whether there is a HIPAA violation in this case. Not every ad-hoc IT decision is a HIPAA violation, although a solid institutional policy would make it one, which means the violation of that internal policy could rise to the level of a federal crime. That's how it works. The CFR gives a fairly open-ended outline of what is regulated, defining the legislative end-result of a compliance policy. The institution must create its own policies and these policies must be approved and routinely audited by the regulatory body. At that point, violation of your own policies can become a crime. This isn't unique to HIPAA, it's also true in FAA regulations. You make your company policy in accordance with FAA rules and regulations. FAA auditors approve your policies, your forms, your roles and responsibilities, and routinely check your conformance to your own policies.

    People with no experience in a regulated industry tend to assume things about the "letter of the law", and expect to be able to read the text of a law and have that be the whole story. That is not how it works.

  12. Re:Give it on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    The impression I get from the OP is that there isn't a clear policy, and that the IT manager is making ad-hoc policy. There's a compliance problem before the server and the firewall enter into it, because of the absence of a policy. How can they represent to a federal auditor that they are following their policy (and in an audit you have to be *specific*) if they have no policy?

  13. Re:Submitted Story Is BOGUS on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    I've worked in university IT, and call BS on the story too.

    On the other hand, weird things happen and university departments can be woefully disorganized. We had a security group that learned, to their total surprise, that our engineering college had a functional nuclear reactor. It was a small reactor for creating medical isotopes, but after 9/11 they had to work out new security policies to deal with this nuclear reactor on campus that apparently very few people outside of one small department even knew about. They wanted to shut it down but it turns out that it is the only source for certain medicines within transportation range of a bunch of hospitals, so it got a permit for being essential to national security, and now the streets around the building have crossing gates and doghouses with 24 hr guards.

  14. Re:If it was our IT department on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    I think the central problem here is that neither the department director nor the IT manager "knows how many regulatory issues" are violated, because there's either not a written policy or the policy isn't being communicated to the people who need to follow / enforce it. That alone is enough to be out of compliance.

  15. Re:Time to pack your bags on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    It's probably not as dramatic as he makes it sound. When you hear "hospital", think "two doctors investing in a small business" and when you hear "IT department", think "one guy who works for them one or two days a week." Since he claims to represent an "academic hospital", think "unfunded research group with a couple of MD/PhD postdocs" and "IT department" as an IT manager who knows his stuff and works for a medical school that is much, much more than the OP's department.

  16. Re:Dammit, jddorian... on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    There are a lot more medical institutions that are very small businesses than there are big hospitals.

    I am picturing a group of doctors, maybe four, each with an office staff and maybe one IT guy who supports the whole place.

    I am not picturing a hospital campus with 2500 employees and hundreds of thousands of patients.

    This is on my mind when I think about the dynamics of the employee relationships, and is something to consider when you think about who wins in a conflict.

    HIPAA statutes are taken seriously by people in the medical profession, but they are not as clear cut as lay people often make them out to be. (Lots of posters today talk about how people could go to jail over this. Nobody is going to jail over this unless it actually gets the attention of federal investigators, the feds ask for changes in the hospital's policy in order to be in compliance, and the hospital refuses or gets repeated violations.)

    As a guide for making policy it may be helpful to think of HIPAA regs in that way, but the point is, the regs require you to make policy with the end result being compliance with the law. The result for the institution is that institutional policies tend to be much more clear-cut and precisely defined than the CFR itself. So you might have an IT policy about firewalls that has an end result of staying in compliance with regulations, even though the regulations don't actually specify anything that's in your policy.

    With federal regulations (I know about industrial safety, FAA regs, and stuff like that), it is often the *company* that makes a policy, submits it to the federal regulators, and then adherence to the company's policy *becomes law*. So you can make a policy that's more strict than the law, violate your own policy, and be out of compliance. (This leads to negotiations with auditors and adjustments to policies, not usually to firings or jail.)

  17. Re:Yes. Here's why. on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    He might be gone sooner than he thinks. He broadcast enough information to be identified, and he has publicly pointed out that his institution doesn't have policies in place that affect HIPAA compliance issues. Maybe the hospital is private and the OP is a doctor who has a large personal investment that funds the hospital (or some other situation that puts him into the "can't be fired" category). I hope so, for his sake.

  18. Re:HIPAA on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    And the institutional policies should be more specific, saying *how* this information security mandate will be met by the institution. The fact that there is enough of a gray area to lead to an Ask Slashdot posting is an indicator that the institution itself might be non-compliant. The OP doesn't seem to know about any institutional policy (a potential violation in itself). The IT manager is making an ad-hoc policy decision (another potential violation). Before we even talk about port 8443 or the server itself, we have a hospital that may not be in compliance with federal regulations, or does not take compliance seriously enough to communicate its policies to staff.

  19. Re:just wow on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    HIPAA law is not as specific as amateurs often make it out to be. But as a set of federal compliance guidelines, it leads to institutional policy that *will* be very specific, and also industry practices aimed at helping institutions maintain policies that will enable compliance. So you can't open up 45 CFR and find a law that says "thou shalt not install thine own BSD server on port 8443." But you very well may find an institutional rule that suggests that doing so is a step in the wrong direction from compliance. Basically if your institution has an information security policy (which they must have) and you act outside that policy, you do run the risk of putting your institution out of compliance with its own policy, which is then governed under enforceable provisions of federal regulations. (But reality is nowhere near as clear-cut as "if IT lets you do this, they could go to jail".)

    The real problem in the OP's situation is that there is apparently not a policy covering this risk scenario. THAT, not the server, is the HIPAA compliance issue.

  20. Re:You are so fired ... on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    For the same reasons you cannot knowingly allow an unmitigated security risk, you also cannot "cut them out of any form of network access" because doing so might negatively impact provision of medical care to a patient.

  21. Re:Obvious question from their perspective on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    You work in a hospital that doesn't have policies in place for this kind of question. Your problem is not with IT.

  22. Re:I'd like to take a minute to say on NASA Announces Final Homes of Shuttle Fleet · Score: 1

    I wonder what it would cost to get to the moon if the *only* costs were market prices for raw materials and reasonable hourly rates for labor, and nothing else.

  23. Re:Politics... on NASA Announces Final Homes of Shuttle Fleet · Score: 1

    They got Boehner, aren't they happy with that?

  24. Re:Not much and nothing? on Fukushima: What Happened and What Needs To Be Done · Score: 1

    >Yeah, and then "it's a dry heat" will mean people die without air conditioning.

    More people die in the summertime heat in the Northeast than in Arizona.
    Whenever I bring up the whole "conservation" concept, someone invariably turns it into "people dying" or even "living in caves."

    I believe we can consume less without radically altering society or effecting genocide.

  25. Re:Persective on Fukushima: What Happened and What Needs To Be Done · Score: 1

    Remember the refinery fire? I saw a report about a week after the quake that indicated it was still burning. I wonder how that ended up, and I wonder if more toxic stuff got into the local environment from a burning refinery than from the Fukushima plant. I doubt I will ever know.