
Recourse For Draconian Encryption Requirements?

kdawson posted more than 4 years ago | from the cold-dead-fingers dept.

Encryption 555

CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. "I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we're rather reluctant to allow the hospital's IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn't have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?"


Obvious. (5, Insightful)

Yamata no Orochi (1626135) | more than 4 years ago | (#32044392)

Er. As part of the IT staff at a hospital, I can tell you they certainly can't touch your machine if you don't want them to. But they don't have to let you touch their network with your machine if you won't submit to their requirements. That's that.

Re:Obvious. (4, Insightful)

xaxa (988988) | more than 4 years ago | (#32044398)

So it's easy: either they provide you with a computer to use at home, or you stop checking your email at home.

Re:Obvious. (4, Insightful)

tom17 (659054) | more than 4 years ago | (#32044578)

this
Too many people feel the need to take their jobs home with them. If it's a job necessity for you to do so then the company has to supply the means to do it.

Tom...

Re:Obvious. (5, Insightful)

Daengbo (523424) | more than 4 years ago | (#32044456)

Their network, their rules. Stop taking your personal machine, and require them to supply you with one to do your job. Stop accessing the network after work. They cannot force you to install something on your computer, so they can't force you to connect after hours from home.

Oh, yeah, and start looking for a new job. This stance will make your life easier, but you'll never get promoted.

Re:Obvious. (0)

Anonymous Coward | more than 4 years ago | (#32044748)

The hospital is complying with HIPAA. They should give you a machine that complies with their security rules if they want you to check e-mail at home.

Re:Obvious. (0, Troll)

Anonymous Coward | more than 4 years ago | (#32044474)

Exactly. It's their network, their data, and, as an organization dealing with PHI, their liability when your dumb ass loses your laptop or becomes the next contestant on Wheel of Botnets. Get over it.

Re:Obvious. (5, Insightful)

klubar (591384) | more than 4 years ago | (#32044706)

I have to agree with your employer on this one.

Disallowing private machines on the network is good IT practice. Employers should not allow any unapproved (and non-employer-supplied) device to connect to their networks or machines (and this should include all USB devices like cameras, MP3 players, headsets). If you need it for your job, your employer should supply and support it.

Most concerned and responsible organizations use strong measures to authenticate machines before they are allowed to connect to the corporate network. (They might allow guest machines in a firewalled zone for visitor/guest convenience.) I have to say that your employer's policy of no foreign machines on the network is quite reasonable. As for checking your mail remotely, there are some secure solutions for Exchange that enforce secure authentication and encryption for remote access via a web browser.

You might suggest that your employer supply smart phones like the Blackberry that can be used for secure email access and can be remotely monitored and wiped if compromised. (POTUS has a BB that passed the security screen.) I wouldn't be surprised if your employer restricts these devices to only business use (as it is their money that is paying for them.)

Re:Obvious. (0)

Anonymous Coward | more than 4 years ago | (#32044738)

I would go one step further and say that a computer is a tool. Hard to argue with that. Unless your job description requires you to provide your own tools, you don't have to let them touch your machine (you may not have to even if they do but you'd have to ask a lawyer about that not slashdot). But as already noted they're free to remove access from your personal machine.

If you worked for the company I'm working for right now, I'd be building you a laptop or a second desktop for use at your home and shipping it to you. Your home PC or laptop would not be able to access our work network.

Find a new job (0)

Anonymous Coward | more than 4 years ago | (#32044394)

N/T

Re:Find a new job (2, Informative)

plover (150551) | more than 4 years ago | (#32044622)

"Find a new job" may be a curse, not advice.

If I were a patient in your hospital, and the doctor was using some ultrasound machine or other PC-based diagnostic device, and the damn thing had a virus that caused a misdiagnosis, I'd be right pissed at the person who brought the virus in.

I know that lots of those machines are still running the manufacturer's originally-shipped OS, because they don't certify every OS hotfix and patch that comes out. I also know that if the thing can email a doctor a copy of the results, the doctors insist that the email works, so a network connection is mandatory. So you could be operating a production system on a completely unprotected environment.

Bringing in anything at all, whether it be a USB stick or a CD-ROM, could threaten those devices. And with our health care on the line, you want us to defend rules that might help clean up a risky mess?

Wrong crowd.

Re:Find a new job (0)

Anonymous Coward | more than 4 years ago | (#32044676)

Full disk encryption requirements would not prevent the hypothetical virus outbreak you are going on about.

Make lemonade (4, Insightful)

smallfries (601545) | more than 4 years ago | (#32044396)

Stop reading work email at home. Problem solved, and it turns out that it is actually a blessing in disguise.

Re:Make lemonade (0)

TheMeuge (645043) | more than 4 years ago | (#32044432)

Except when responding to email within time period X is part of your job requirements.

Re:Make lemonade (5, Insightful)

Aceticon (140883) | more than 4 years ago | (#32044480)

Except when responding to email within time period X is part of your job requirements.

As somebody pointed out above, at that point your employer has to provide you with the equipment to do so.

Re:Make lemonade (0, Flamebait)

TheMeuge (645043) | more than 4 years ago | (#32044536)

What universe do you live in? Cause it's not the same one I live in. Unfunded mandates are the future, man...

Re:Make lemonade (3, Insightful)

John Hasler (414242) | more than 4 years ago | (#32044648)

> What universe do you live in?

One where involuntary servitude is illegal. He doesn't have to continue working there.

Re:Make lemonade (0)

Anonymous Coward | more than 4 years ago | (#32044656)

Where I work I'm actually discouraged from checking my work email from personal computers. They'll happily give me a laptop to use, but I already have my own computers that I like more. Luckily, however, I don't have to deal with any full-disk encryption requirements on my personal computers. I use various full-disk encryption products at work, and they all work well, but at home I'm worried about data recovery in the event of some sort of failure. I've pulled hard drives and mounted them on other machines to copy over data many times after I've run into problems. Now I'm better about doing backups, but it's still a concern.

Re:Make lemonade (0)

Anonymous Coward | more than 4 years ago | (#32044668)

Tell them you run Linux at home from a CD!

Re:Make lemonade (4, Insightful)

Mal-2 (675116) | more than 4 years ago | (#32044482)

Except when responding to email within time period X is part of your job requirements.

In this case it is the obligation of the employer to provide you with the equipment to do so.

Mal-2

Re:Make lemonade (1)

Golden_Rider (137548) | more than 4 years ago | (#32044484)

Then they have to provide a computer so that you can do that.

Re:Make lemonade (0)

Anonymous Coward | more than 4 years ago | (#32044530)

Except when responding to email within time period X is part of your job requirements.

Then they can provide the employee with the necessary tools to meet those requirements. That means either a company-issued laptop or web-based email so he doesn't need to connect to the network to read it.

Re:Make lemonade (0)

Anonymous Coward | more than 4 years ago | (#32044542)

YOUR employer must buy you equipment that is required to perform YOUR job.

Re:Make lemonade (3, Insightful)

TheMeuge (645043) | more than 4 years ago | (#32044616)

We live in a country where some cities are topping 20% unemployment, much of it middle-class white-collar jobs.

Employers don't HAVE TO do anything now, because they can yawn, pick up the phone, and replace you in 24 hours with someone who doesn't mind dropping $2k to buy a shitty computer from the company's approved supplier to check work email at home, because they want to eat sometime this week.

Re:Make lemonade (0, Flamebait)

Lunix Nutcase (1092239) | more than 4 years ago | (#32044734)

You're an idiot. Employers can't force you to work after hours or buy equipment to do said after hours work. If you're so pussy-whipped that you just bend over to every demand made to you that's your own fault.

Re:Make lemonade (3, Insightful)

butterflysrage (1066514) | more than 4 years ago | (#32044758)

another reason why a tech union is sounding better and better.

Re:Make lemonade (2, Informative)

causality (777677) | more than 4 years ago | (#32044618)

YOUR employer must buy you equipment that is required to perform YOUR job.

Correct. That's one big difference between an employee and a contractor.

Re:Make lemonade (1)

Senior Frac (110715) | more than 4 years ago | (#32044560)

If that is the case and they plan on enforcing it, I hope they thought to include the requirement in the job description that the employee provide the hardware and net access to do so! If not, guess who is on the hook to provide them?

Re:Make lemonade (1)

bsdaemonaut (1482047) | more than 4 years ago | (#32044672)

That would be a legal snafu, they couldn't require you to access email outside while at the same time refusing to allow you access. In this case they would either have to provide the employee with a computer, allow mail forwarding, or drop the issue altogether.

Re:Make lemonade (1)

sunderland56 (621843) | more than 4 years ago | (#32044726)

If you need to reply to email in a timely manner, wouldn't you get that mail on a smartphone, not a computer?

Bring them in your smartphone and see what they do. I doubt they'll be able to encrypt the root drive...

Stop bringing your machine to work (5, Insightful)

drinkypoo (153816) | more than 4 years ago | (#32044400)

Just stop. If you need a portable machine that will be repeatedly connected to their network, make them assign you one. Alternately, ask them to sign a form claiming responsibility for any problem with your laptop, promising to pay for data recovery services should their software cause you some problem with your data, et cetera. But if I were them, I'd tell you to fuck off.

You provided no argument as to why you should need to bring your own machine to work, so this is by far the most rational solution.

Re:Stop bringing your machine to work (4, Insightful)

Jer (18391) | more than 4 years ago | (#32044514)

This. Without an argument for why your personal machine should be on a sensitive network we can't help you.

I'm slightly disturbed that there's a hospital out there that apparently allows employees unfettered access to their network from their personal machines, actually.

Re:Stop bringing your machine to work (2, Insightful)

mprinkey (1434) | more than 4 years ago | (#32044752)

I second this. We have a secured LAN with several large Linux clusters and a few dozen workstations, also mostly Linux. Some of the users have been issued laptops running Windows (over our objection). We secured them and regularly update antivirus and firewall software, but since the users need admin access (over our objections), they still carry viruses and other malware on site. It is not a constant problem, but it is a persistent one. We were considering building a DMZ for all laptop users to limit the amount of damage an infected system can do to the rest of the LAN.

Honestly, there is no way to allow personal systems on to the LAN without this sort of thing being a problem. For every cautious careful user like yourself, there are a dozen clueless ones. The same goes too for remote access. Without a remote client that is properly secured, no amount of encryption/VPN/SSL is going to keep the on-site information safe. It is inconvenient but true.

Re:Stop bringing your machine to work (2, Insightful)

causality (777677) | more than 4 years ago | (#32044754)

This. Without an argument for why your personal machine should be on a sensitive network we can't help you.

I'm slightly disturbed that there's a hospital out there that apparently allows employees unfettered access to their network from their personal machines, actually.

Apparently they get used to that and it spoils them. Now that they're spoiled, when you fix the situation by implementing reasonable controls for sensitive data, they get upset at the new restrictions and start Ask Slashdot discussions about their unwillingness to deal with them.

I've personally worked in offices that dealt with sensitive data. What I dealt with was less sensitive than medical records, yet we had IT policies like this one and they were considered basic measures. Employees who needed to work from home or while traveling were issued company laptops. The laptops were configured to establish an encrypted VPN connection back to the company. All software used once the user logged into the VPN was actually running on the server (I think they used Citrix to remotely run applications) so sensitive data was not stored locally on the laptop's hard drive. I don't know whether the drive was also encrypted.

At this place where our data was less sensitive than medical records, most users were not allowed to plug USB devices like thumbdrives into the company computers. No one was allowed to connect a personal computer to the company network. This worked well since again, the company provided their own equipment to anyone who needed it. I don't believe anyone who was issued company laptops actually had Admin access to them. I think they used a "Power User" profile so a user could do most things but could not install software etc.

None of this was a problem for anyone. If people think not allowing personal computers to connect to sensitive networks is some kind of iron-fisted draconian measure, it's a great and wonderful thing that those same people are not making IT decisions. Anyone who feels that way has no idea what they are dealing with and/or is unable to see that there is a bigger picture than their immediate convenience.

Come back to the real world please! (0)

Anonymous Coward | more than 4 years ago | (#32044686)

I am not sure if you are an independent consultant or you just have no clue. When was the last time you got a decent-sized company to sign legalese with them claiming responsibility for your stuff? C'mon, get down and real here.

It is a hospital - so there are HIPAA requirements. On top of that, he is in IT and may have access to DBs that have a lot of patient data. If I were the hospital, I would give him a laptop or ask him to use a hospital inspected laptop (with encryption) to connect. We are not even a hospital, and we have similar mandates - and they bear legal liabilities. If you mess up, you get kicked with HIPAA and are made personally responsible for having compromised patient data.

It's your machine, refuse. (4, Insightful)

Tim C (15259) | more than 4 years ago | (#32044404)

But be aware that it's their network, and expect them to refuse to allow you to connect to it.

The real solution is that if you need a machine for your job, they should be providing it to you. If you do not, then leave it at home.

No. (5, Informative)

characterZer0 (138196) | more than 4 years ago | (#32044414)

If they tell you that for security reasons you cannot connect your computer to their network unless you follow their guidelines, either follow their guidelines or leave your computer at home.

Stop using your own machine. (0)

Anonymous Coward | more than 4 years ago | (#32044416)

Simple as that.

Just say no. (3, Insightful)

gus goose (306978) | more than 4 years ago | (#32044420)

If they insist on your home machine being encrypted, then tell them either:
1. They must supply the machine, and it's theirs, and you'll only use it for work.
2. refuse to do any work at home.

gus

Re:Just say no. (2, Interesting)

ProdigyPuNk (614140) | more than 4 years ago | (#32044596)

You realize that in the real world such harsh actions very rarely end with any type of benefit for the employee, right ? Might as well just quit. He works on a network with people's sensitive medical records. Myself, along with millions of other Americans, applaud hospitals and other institutions for NOT letting these kinds of shenanigans go on. That's why HIPAA was created, love it or hate it.

Re:Just say no. (1)

gus goose (306978) | more than 4 years ago | (#32044720)

Uhhhm, yes. I realize that. But, in this case the benefit is not supposed to be for the employee. The 'benefit' is that the data is secure. It is already acknowledged that the process is slow and fragile.

Which is exactly why you just say no. The assumption being that 'work' has a better handle on what's right, and if they insist on doing things in a certain manner (for whatever reason - including that it's the best way to do things), then you say 'fine', but to support that, work must provide the resources to make it happen, especially in cases where the data is so sensitive.

While you can 'just say no' in a combative manner, I am not suggesting you do that, only suggesting that you say it in a way that gets the point across.

Letting 'work' apply constraints to your personal computer implies that they want ownership of the process, which in turn implies that they should own the entire process, not just part of it.

Anyway, reversing your logic, if the data is so sensitive, and vulnerable, then by all logic, the hospital should insist on only their equipment being used.... As an analogy, would you want a CIA agent using his personal laptop to do his job?

gus

It's Easy (2, Interesting)

macintard (1270416) | more than 4 years ago | (#32044424)

Don't use your personal computer for purposes of work. If you want to access your employer's network, use their tools and follow their rules. If you can't handle the rules, advocate for change or leave.

move on (0)

Anonymous Coward | more than 4 years ago | (#32044426)

find another job if you don't want to follow the rules..

Get an old machine (4, Insightful)

Angst Badger (8636) | more than 4 years ago | (#32044428)

Considering that decent used laptops -- adequate for checking mail and browsing the web, anyway -- can be had for about a hundred bucks, I'd just buy one off eBay or Craigslist and use that for work purposes. For a little more, you could always pick up a netbook or a bottom-of-the-line laptop new.

Separate work and home (4, Insightful)

ageoffri (723674) | more than 4 years ago | (#32044434)

If you don't want to follow security standards then don't check your email from your personal machine. If they make it a requirement that you be able to respond to email outside of the physical location then require a laptop. I really doubt you have any legal recourse, especially since HIPPA and PII data have so many additional requirements around them.

Re:Separate work and home (2, Informative)

jenningsthecat (1525947) | more than 4 years ago | (#32044710)

It's not HIPPA, it's HIPAA, as in "Health Information Portability and Accountability Act".

Why Personal Equipment? (3, Insightful)

Slashdot Parent (995749) | more than 4 years ago | (#32044436)

Why do you need to use your personal computer equipment to do your job? Your employer should be supplying everything you need to do your job.

If you need a computer at work, your employer should supply it.

If you need to check email from home, your employer should supply you with a blackberry.

This isn't rocket surgery.

The simplest solution... (1)

n00btastic (1489741) | more than 4 years ago | (#32044438)

Don't use your machine for work. Or, if you really want to, just dual boot it and let them do whatever they want with that partition.

Buy a cheap (second hand?) notebook (2, Informative)

qwerty shrdlu (799408) | more than 4 years ago | (#32044442)

Use it for nothing else. They can't mess up your personal machine or lose your data if they don't get their paws on it.

What they SHOULD do (1)

Joce640k (829181) | more than 4 years ago | (#32044450)

They should be using web-based email, that way the mail leaves their servers.

Re:What they SHOULD do (1)

Yamata no Orochi (1626135) | more than 4 years ago | (#32044564)

As a hospital or health system, there are laws regarding security and privacy wherever patient information or data could be concerned. This is likely why they're requiring even offsite e-mail users to run encryption.

Re:What they SHOULD do (0)

Anonymous Coward | more than 4 years ago | (#32044658)

They are using Web-based email. Did you read the summary? They don't want any non-encrypted computer to see the e-mails at all.

The solution is clear (0)

Anonymous Coward | more than 4 years ago | (#32044452)

1) Stop using your own personal equipment at work, for work. If they don't supply you with the necessary gear to get the job done, then the job doesn't get done.

2) Stop checking your work e-mail from your home computer.

Problem solved.

There's nothing legally you can do to stop them from installing software on systems they own, or, requiring that you install their software before connecting your own systems to their network. It's not like they are legally required to allow you to bring in your own system and connect it to their network.

Yeah, stop using them on their network (4, Insightful)

Nursie (632944) | more than 4 years ago | (#32044460)

It's that simple.

Any business would be mad to let sensitive data (especially medical) get onto employees' home machines. And bringing personal machines to work and hooking them up to the network?

You're a walking, talking, security nightmare. Your IT staff should be fired for not being harsh enough. NO personal laptops on the network. NO accessing email from home machines.

Re:Yeah, stop using them on their network (1)

oatworm (969674) | more than 4 years ago | (#32044756)

Agreed. Installing encryption software on the personal machine isn't even sufficient - the IT department should maintain a known good "white list" image with all of the required software needed to work in the hospital and nothing else extra. Furthermore, it should be on known good "white list" hardware that's been audited for hardware-related security breaches and can be remotely killed in the event of compromise.

Allowing personal equipment on a hospital network is extremely irresponsible. Personally, I'd love to find out which hospital is allowing this so we could collectively nail them on HIPAA violations.

Be a professional (0)

Anonymous Coward | more than 4 years ago | (#32044462)

Be a professional instead of a hobbyist:

1. Don't use your personal computer for work insist on institutional equipment if needed
2. Quit working from home
3. Insist that your employer staff sufficiently for sane 40 hour work weeks
4. Insist on testing and migration environments to prevent the need for babysitting production constantly

Yea, I know that'll happen.

It's their network, their policy... (2, Insightful)

DiSKiLLeR (17651) | more than 4 years ago | (#32044464)

It's their network, their policy... be lucky you are even ALLOWED to connect your own personal laptop to their network; that is strictly forbidden for security reasons in most places.

If you don't want them to install that software on your personal machine, don't bring it in or don't connect it to their network and use 3G or something.

As soon as you connect to their network you must abide by their rules.

Simple as that, really.

(I'm a Network Administrator IRL.)

Sweet Jesus (-1, Troll)

gandhi_2 (1108023) | more than 4 years ago | (#32044468)

Another "special case" employee playing mom against dad.

How about you STFU and get some work done, let the IT department do their jobs following policies the organization created.

Leave your machine at home, mr. weak link.

[SOLUTION] (0)

Anonymous Coward | more than 4 years ago | (#32044488)

1. Outlaw Electronics in Elections
2. Vote every D and R out. (No exceptions)

Honestly... (3, Insightful)

ProdigyPuNk (614140) | more than 4 years ago | (#32044500)

This is one of those "damned if you do, damned if you don't" situations. The hospital is just trying to stay in compliance with HIPAA and the various personal non-public information regulations. Their solution DOES seem a little overboard, but this is what happens when people continually lose laptops/usb drives/etc that contain sensitive information. While this might be a little hard for the hospital's employees to get used to, it's really a win for us normal folk (assuming it's all properly executed, which is a big assumption).

As far as legal recourse, IANAL but I don't think you really have one. While I get the whole "You're not touching my computer" bit, why don't you just use the computers provided ? Hell, even at the community college I go to, I have to install some software just to connect to their network. Same with some of the other corporations that friends and family work for. In the end, if you weasel your way around the restrictions and then lose your laptop, have it stolen, whatever - you'll really be on the hook.

Why use your own PC on their network at all? (4, Insightful)

Lonewolf666 (259450) | more than 4 years ago | (#32044502)

Unless there are very good reasons that were not in TFA, my response would be:

1) My personal computer will stay at home from now on
2) The IT department does not install anything on my personal computer.
3) I won't check my (work) email from my home anymore. Anyone who wants to contact me can use a phone (and better have a damn good reason if it happens at 2 a.m. in the night).


Obvious solution. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32044504)

Don't use your personal system for work. Fact of the matter is, your workplace shouldn't allow personal machines in their network to begin with. If you so desperately want to use your own system, then be prepared for some demands for security and safety from their side, duh. If you need to work from home, they should supply you with a system or at the very least contribute to one. That's how it's usually done.

Dual Boot (1)

the_one_wesp (1785252) | more than 4 years ago | (#32044506)

Install a second hard drive / OS that's used for work stuff only, then virtualize the OS in your primary OS. Whenever someone from work needs access to your computer, unmount your primary and boot from your work disk. Sounds like a hassle to me... :-p

Re:Dual Boot (1)

RiffRaff06078 (1297983) | more than 4 years ago | (#32044660)

A VM might be a good solution. Allows the IT staff to implement whatever they want without risking your system.

As to your IT staff, their network, their rules. As a network admin I am under no obligation whatsoever to allow my users to access the corporate network with their personal systems.

That being said, based on what you've described, I'd agree with your assessment of them being over-reactive and borderline incompetent. There are easier methods of keeping a network secure.

personal machine on corp network (0)

Anonymous Coward | more than 4 years ago | (#32044508)

Seems to me there need to be some policy updates. Personally, if I were managing the network you would not be allowed to put your personal machine on the hospital network. Accessing via a public wifi would be fine, but not on the hospital network. As for encryption software, there should be nothing on a desktop system that needs to be backed up; it should be on corporate servers. If the hard drive crashes the system disk is replaced and you're back to the apps approved by the IT dept. As for email, this is a policy issue. Again, I wouldn't allow it. You're wasting business time checking personal email. If the email is business related it should come into your business account. You have no rights to do anything on a business network. Policy will dictate if and when you might be able.

WHAT THE HELL ARE YOU DOING???? (0)

Anonymous Coward | more than 4 years ago | (#32044512)

You are putting personal equipment on the hospital LAN???!!!???!!!?!?!????

There's your problem right there.

Perhaps the hospital needs a guest network that is not directly connected to the hospital's systems to accommodate whatever it is that you do on your personal equipment, but letting Joe employee connect some random piece of hardware to the network inside the Hospital's firewall is a HUGE security problem.

Work-Issued Devices (1)

The Yuckinator (898499) | more than 4 years ago | (#32044524)

Are they paying you extra to use your own laptop at work, as they might if you were using your car for work and get a mileage allowance? If so then I'd say you probably will end up letting them install whatever they like. If not, tell them that if they want you to work within their rules, they'll need to buy you a "company" computer in order to satisfy those requirements since they aren't welcome to touch your personal machine.

As for checking your email from home, either have them also buy you an email-checking machine for home, or you can bask in the knowledge that your employer is well aware that you can't check email from anywhere but your office and go enjoy your life when you're not working.

Easy solution.. stop using your personal equipment (1)

Fallen Kell (165468) | more than 4 years ago | (#32044532)

As the subject says. Stop using your personal computer(s). Let management know that once you are off-site, you will no longer have email access as you are not going to install this software on your own computer. If they want you to continue to have off-site email access, they can provide you with appropriate equipment. The same goes with you bringing in your laptop to work, stop doing it, and let work provide a laptop.

Find a better place to work (0)

Anonymous Coward | more than 4 years ago | (#32044546)

Anyplace that would let idiot monkeys like this dictate IT policy decisions is headed into the crapper anyways - find a better place to work. FFS, full-disk encryption on machines that check WEBMAIL? The only thing FDE will protect against is physical loss of the machine - and if there's a sufficiently determined hacker tracking down hospital employees' private residences and stealing their machines just to try to snoop in the browser cache, why wouldn't they just kidnap the employee and employ rubber-hose cryptanalysis? Or, more likely, read the FDE password off the Post-it note stuck to the machine...

Pretty simple (5, Insightful)

Paul Carver (4555) | more than 4 years ago | (#32044548)

The solution is pretty simple. Don't use personal computers for business use.

If I'm a patient at your hospital I'm barely comfortable relying on the hospital's IT department to keep my medical information secure. I certainly don't want to rely on a myriad of clueless doctors, nurses, and miscellaneous technicians and administrators all maintaining or failing to maintain their own home computers.

I hope that if my medical information is leaked through any hospital employee's personal computer that I will be able to sue them for millions. It's just irresponsible to leave the handling of sensitive data to the random computer skills of people who are mostly employed for their non-computer skills.

I hope that most hospital employees are skilled in medical fields but I don't expect them to be particularly skilled with computers or to really care that much about computer security. I expect the hospital's IT department to be extremely vigilant about computer security so that the medical personnel can focus on healing patients.


Bring an old laptop... (1)

Noryungi (70322) | more than 4 years ago | (#32044556)

Tell them to encrypt that, and use it only to check your email.

Since they don't know how to install encryption software properly, I doubt they know how to check which laptop connects to what anyway.

Use your boss (0)

Anonymous Coward | more than 4 years ago | (#32044558)

To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department as they refuse to distribute the encryption software to the employees for install.

You are going to love me. I'm going to inform your IT staff that a "blackberry" is in the subset of "any machine" which can "check email". As soon as a PHB or two are having their crackberries plucked from their hips... I give it one or two days before IT has to reconfigure their encryption policy.

You're welcome.

I'm tired of month lost/stolen laptops (1)

peter303 (12292) | more than 4 years ago | (#32044570)

Where employees have downloaded up to a million customer social security numbers and identities. Many medical sites still use SS# as patient IDs.

Simple: Your IT security/network staff is insane. (0)

Anonymous Coward | more than 4 years ago | (#32044580)

"Let's require full disk encryption, but allow any device in the world on our network." This being a hospital network, you shouldn't be allowed to even connect to it with personal machines.

If you brought your personal machine in and it got FUBAR'd, tough luck for you - it could have gotten just as screwed up from someone else's virus-infected PC on that wide-open hospital network. Leave your ball at home if you don't want to play by their overly lax rules.

Entertainment potential (0, Flamebait)

lusid1 (759898) | more than 4 years ago | (#32044584)

Read your mail from a VM. Hand them a jump drive with your .vmdx & .vmx files, and see if they can figure out what to do with it.

Note this is purely for entertainment value, since that is about all an 1d10t wanna-be it staffer is good for. The reality is, they either A: want you to work from home, and will provide whatever is required to do so, or B: They don't want you to work from home, so don't work from home.

Don't check from home. (1)

Nova1313 (630547) | more than 4 years ago | (#32044586)

The company I work with tightened their restrictions in the past year. Only company machines can now access the network remotely and webmail requires installation of software. The software required only works on certain versions of Windows with specific versions of IE. Some of those that installed it have had their machines rendered inoperable after. My solution was to stop working after hours and remotely checking email. If I am called after hours I state I can't connect remotely and that it will take me x minutes to reach the office. I'm 24/7 support, but it turns out a lot of things are no longer that important to the higher ups. To date I've only been questioned once as to why my after hours availability had dropped. My answer that my home machine is not allowed to connect to the network was sufficient. If you are not required to have remote access or use your personal machines, try just stopping. I understand that it is probably more convenient to have that though.

Simple, don't use your own PC for work business (1)

mike_c999 (513531) | more than 4 years ago | (#32044590)

Due to increases in sensitive data being lost they clearly want all possible sources of said data to be encrypted. This may or may not be overkill depending on your opinion but one thing is for sure and that is that it's their decision to make.

If you're not happy having your personal computer encrypted (and I know I wouldn't be) the simple solution is don't use it at work, use a work computer. If the requirement covers you checking webmail from a personal computer at home, where you will have access to sensitive data, the solution is to not check your email from home.

If you are required to check email from home and are not happy to have your whole computer encrypted then your employer should provide you with a company laptop which they can do what they want with, encryption and all.

Yes and No. (3, Informative)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32044594)

IT can't do jack to your computer without your consent. To do so would be criminal. However, IT is under absolutely no obligation to let your computer on their network. And, while they probably can't stop you from pinging the mailserver, they can certainly stop you from logging in from an untrusted machine. Given that (I am quite sure) this process is a gigantic pain in the ass for the IT guys, they have probably been told that stopping you is their job (either under the law, or because the boss will fire them otherwise).

You are basically at an impasse here. They can't touch your computer without your consent; but you can't touch their network without their consent, and they can make your consent a condition of their consent.

Your options are basically as follows:
1) Stop checking email from home/personal machine at work. If this is impractical/untenable, move on to step two.
2) Request that, if IT wants security and management, they issue you the hardware you need to do your job. If you don't have the clout/there's no chance in hell/you'll be stuck on a Latitude CPi from 1999 if you do that, move on to step 3.
3) Purchase a "sacrificial" notebook. A netbook or cheap CULV thin-and-light (depending on where you fall on the small size vs. screen size issue) can be had for $400 or less on any given day, depending on which models are on sale. Buy one, set up a restore disk, then let the IT department do its vile work. If their software fucks it up, run the restore and make IT do it again.

Simple solution (0)

Anonymous Coward | more than 4 years ago | (#32044598)

Don't put your equipment on their network, don't check email from your home machine. If they ask why you're not checking your email, tell them why, and if they want you to have access from home tell them to issue you a laptop for that purpose as you won't give them access to your personal equipment.

Re:Simple solution (1)

HikingStick (878216) | more than 4 years ago | (#32044654)

This is the simplest and best solution. If they want you checking mail from home, and have a laundry list of special requirements, let them provide the gear.

Otherwise, when you bring your PC in for them to install the software, require them to sign an agreement in which they acknowledge that they are responsible for data loss on your machine, and for any exploits to which your machine might be exposed from running their software.

What's the problem? (1)

nedlohs (1335013) | more than 4 years ago | (#32044604)

You "have no intention of letting these people install anything on my machine".

And they have no intention of letting you connect your machine to their network without letting them install some things on it.

Hence, you don't connect your machine to their network.

You "have no intention of letting these people install anything on my machine".

And they have no intention of letting you check your email on a machine they haven't installed some things on.

Hence you don't check your email from your machine.

It's their network... (1)

Big Boss (7354) | more than 4 years ago | (#32044620)

So they get to choose who connects to it. Simple as that. If you want to bring a personal machine in for personal, non job related use, accept that you might not have connectivity. Most of the hospitals around here have a guest wifi, you might be able to use that, or a 3G card. For job related stuff, tell them they have to provide the equipment.

If you have read the HIPAA laws, the penalties for leaking PII are severe. Full-disk encryption for all connected machines is probably the best way to prevent problems with such things. It would be nice if they would let you just use TrueCrypt and install it yourself, but IT departments tend to just set a standard policy for everyone. That way they can audit the policy and such. You wouldn't want to have to support everyone doing their own thing either, to be fair.

Typical unpleaseable geekdom (3, Informative)

Anonymous Coward | more than 4 years ago | (#32044624)

*sigh* First you bitch and moan about how everyone should encrypt everything on their computers and brag about how easy it is to do full-partition encryption and how it's oh so fucking great that there's encryption around to protect you from the sp00ks and boogeymen that dadgum gummint apparently sends after you every day (oooo, scaaaaaaary!).

And THEN you bitch and moan when someone TELLS you to do full-scale encryption on your computers! You people are never happy, are you? THIS is why nobody takes us seriously! THIS is why we can't have nice things!

need more information (1)

bsdaemonaut (1482047) | more than 4 years ago | (#32044636)

They certainly can't require you to install anything on your computer, that much is for sure. In the same vein, they don't have to allow you access. It's hard to suggest anything knowing as little as I/we do. You said you have access to webmail. Since most people don't have a static IP, how exactly are they planning on limiting users' access (compliant or otherwise) from unprivileged outside locations? For instance, from what you're describing, if you complied, you could access your email from home on your computer. What happens if you access it from a different computer? How exactly are they being positive that you're accessing your email from the computer that you're supposed to be? I'm guessing some sort of Radius authentication could be worked out in which certain software credentials would be required.. but that would be a real pain..

Yes, Sorta, No (5, Informative)

Anonymous Coward | more than 4 years ago | (#32044640)

I manage security for a major hospital system and I am leading the encryption roll out.

1. Encryption is "safe harbor" meaning that if the device is lost or stolen, you don't have to notify HHS or the patients.

2. Notification costs MAJOR dollars plus the PR hit

3. As of ARRA/HITECH, _YOU_ are PERSONALLY liable in the case of WILLFUL NEGLECT. To give you an example of how broad this can be, I have met the Deputy Director for Clinical Information Privacy at HHS... and she says that password sharing is willful neglect. We both know that password sharing is more than common in the medical industry (doctors don't login, they tell someone to login)... So take this point and run with it... you left your laptop in your car overnight? It was stolen? Willful Neglect. Notify the world, and pay the fines, and possibly endure criminal charges.

4. You should not be using your personal device and you need to get used to the fact that the PHI you view is NOT YOURS. It belongs to the PATIENT.

This is a HUGE shift for the medical industry, and frankly, if people knew just how bad security was, they would call for heads. It's starting to change, but it will take time. Doctors and clinicians are not animals that like change. I will be the first to admit that encryption has a steep curve, and it can break things... but you better adapt or your State Attorney General will come for you... (State AG's are charged with enforcing both their own state's legislation as well as the new federal regs)

Bottom line: you are responsible. Leave your personal equipment at home. /posting anonymously because I don't remember the password to my 5 digit slashdot id.

Re:Yes, Sorta, No (0)

Anonymous Coward | more than 4 years ago | (#32044740)

/posting anonymously because I don't remember the password to my 5 digit slashdot id.

roomofcare.jpg

Get another computer? (1)

wcrowe (94389) | more than 4 years ago | (#32044646)

I'd probably just get another cheap-ass, used computer strictly for the purposes of checking email from home, etc (I have two or three sitting in the garage right now that would work). Let them put their software on THAT machine.

Don't use your personal machine (1)

topham (32406) | more than 4 years ago | (#32044650)

Don't use your personal machine for work.
Have them supply an appropriate laptop or desktop to do the job.

If you work as a contractor and believe it would be possible, you could get the name of the software they are using, or other software which they would approve and do it yourself. This is the approach I would take on my machine if the rules were being imposed. No-one other than me installs software on it and I want the recourse to deal with whatever company wrote the software in the event I have a problem. I wouldn't want the hospital to end up being a middle-man for support issues.

Well its nice to know (0)

Anonymous Coward | more than 4 years ago | (#32044652)

That my personal health information is probably already synced into the cloud by someone at a hospital installing google sync on their personal computer with access to medical records. Should speed up the process

Yay for misinterpretation! (3, Informative)

ircmaxell (1117387) | more than 4 years ago | (#32044666)

This all boils down to misinterpretation of the laws governing medical information (Most importantly HIPPA - Health Insurance Privacy and Protection Act)... They don't need every machine being encrypted. All they need to do is make sure that the medical information is encrypted. And encrypting the hard drive has nothing to do with that. If they are providing you with web mail (something like Outlook Web Access), then what difference in reality does it make if you have your hard drive encrypted? All they need to do is set the headers properly to not allow client side caching. That way, you never have any data on your machine anyway. I don't see any reason that all the hard drives in the facility need to be encrypted. If they wanted to create an encrypted data partition, sure. If they want to encrypt laptops, fine. But why is sensitive data stored on local computers anyway? That should all reside on an encrypted network share (if for nothing else than data backup and compliance reasons). All they are doing is trying to cover their asses so that in case something does happen, they can say "well, but we took steps to try to lock down the data" even if those steps were ancillary and irrelevant to the problem at hand.

But in your case, there's a clear cut solution. Company policy says you need to only access their information from an encrypted computer. That leaves you with four options.
  • Encrypt your personal computer
  • Get a second computer just for work, and encrypt that
  • Have your employer provide you with a laptop or computer to take home to work with
  • Don't work from home

Don't forget, no matter how stupid you think the policy is (or it may actually be), it's still your job to abide by it (unless you have the power to change it, which it doesn't seem you do). So either comply, or don't. If you choose not to, realize that you may be let go... It's as simple as that.
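The point above about webmail headers is the one piece of the thread a defender can actually implement: if the server tells the browser never to store the response, there is nothing in the browser cache for disk encryption to protect. The following is an added illustration written for this thread, not code from the poster or from any webmail product; the header values and the tiny WSGI inbox page are assumptions constructed for the example, and the audit helper flags the common weak settings (`private` or `no-cache` without `no-store`) that still let a browser write the page to disk.

```python
"""Response-header hygiene for a webmail-style page that shows protected
health information in a browser.  Added example; the policy values are
assumptions, not any product's defaults."""

from wsgiref.simple_server import make_server

# Headers that instruct browsers and intermediaries not to persist the
# response.  "no-store" is the directive that matters for disk caches; the
# Pragma and Expires entries cover HTTP/1.0 caches and old proxies.
SENSITIVE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def cache_control_directives(value):
    """Split a Cache-Control value into a set of lowercase directives
    ('max-age=0' keeps its value so callers can inspect it)."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def response_is_uncacheable(headers):
    """True if the header map forbids storing the response on disk.
    Header names are matched case-insensitively.  'private' and 'no-cache'
    alone do NOT count: browsers may still write such responses to disk
    and only revalidate them later."""
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = cache_control_directives(lowered.get("cache-control", ""))
    return "no-store" in directives


def audit_headers(headers):
    """Return a list of findings for a response header map (empty = clean)."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = cache_control_directives(lowered.get("cache-control", ""))
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: browser may write the page to its disk cache")
    if lowered.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing: HTTP/1.0 caches and proxies may keep a copy")
    if lowered.get("expires", "").strip() not in ("0", "-1"):
        findings.append("Expires not 0/-1: some old caches treat an absent Expires as cacheable")
    return findings


def inbox_app(environ, start_response):
    """Minimal WSGI app standing in for a webmail inbox page (constructed).
    Every response carries the no-store headers regardless of content."""
    body = b"<html><body>Inbox: 3 messages (sample content)</body></html>"
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ]
    headers += list(SENSITIVE_HEADERS.items())
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    # Serve the sample page locally; fetch it with a browser or curl -i and
    # compare the headers against audit_headers().
    with make_server("127.0.0.1", 8080, inbox_app) as httpd:
        print("serving sample inbox on http://127.0.0.1:8080/")
        httpd.serve_forever()
```

`audit_headers` is also useful from the other side of the fence: point it at the headers a real webmail deployment returns (copied from the browser's network inspector) to see whether the "data never lands on the client" argument actually holds for that deployment.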

Why do you bring your computer into work? (1)

Gothmolly (148874) | more than 4 years ago | (#32044670)

And how are you allowed to plug it into the network? GBTW and STFU.

Simple solution (3, Insightful)

idontgno (624372) | more than 4 years ago | (#32044674)

Keep your personal machine off the Hospital network.

The only really sane policy: if it's on the Hospital network, it conforms to IT security guidance. Period.

I'm assuming you're in the U.S. "Exuberant" is an apt description of HIPAA [wikipedia.org] data infrastructure guidance, but it's still the law of the land. I don't want my patient information accidentally sneaking out on your laptop's unencrypted hard drive.

If you must conduct personal internet business at work and don't want to convert your personal computer into a personally-owned company-configured machine, bypass the hospital net with a 3g dongle and your own data plan.

Give them a challenge (0)

Anonymous Coward | more than 4 years ago | (#32044682)

Bring in an XO laptop (or some other obscure device) and let them try to install their software on it.

Belligerent Obedience (1)

Dr_Art (937436) | more than 4 years ago | (#32044690)

I once worked with a fellow who worked long hours, including weekends, just of his own volition. Once, his management demanded that he come in and work on a Saturday. From that day forward, he only worked overtime when demanded by his management. Belligerent obedience. When asking for more pay, he was told "we pay average", so he replied "then I will give you average work". Belligerent obedience.

I'm not sure I'd suggest being that extreme, but you should consider why you are funding your employer's business operations by using your own equipment. Use their equipment, adhere to their policies and procedures. After all, I assume you are an employee, so you can only lose by trying to fight them. If it really bothers you, start looking for a better job.

Why would employees be allowed to ever connect (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32044692)

Maybe I'm missing something here, but you can talk all day about security, but allowing employees to connect PCs they bring from home shatters any hope of a secure network. I've never worked somewhere that would allow this and these were just standard corporate networks. We've always had "guest" wireless networks that routed to the Internet only, but never would we be allowed to physically connect home computers. That's just a horrible idea.

Guest network? (1)

Zocalo (252965) | more than 4 years ago | (#32044700)

Perhaps you could suggest they provide two networks. One secure network that requires the full disk encryption and allows access to patient records etc. to which the hospital provides all client workstations for work use and a second guest network for everything else that doesn't require the encryption. If you make the guest network open to patients and their visitors as well then it might even be possible to at least partly fund the installation with a pay for access scheme. You'd probably want to push for free/reduced rates for staff though. :)

Standard Policy (5, Insightful)

mseeger (40923) | more than 4 years ago | (#32044722)

Hi,

IMHO a private PC has nothing to do inside any enterprise (>1.000 PCs) network. If a PC of an employee/consultant/customer is used, he is placed in a special DMZ. From there he can connect (e.g. by SSL-VPN) to the company network. He has only access to certain resources. The access to the resources may vary with "type of authentication", "security level of the PC", etc. Certain actions (e.g. transfer of files) are only allowed through clearing points.

Installing any kind of endpoint security (disk encryption, desktop firewall) on a private PC by an enterprise is a recipe for disaster. I have been doing endpoint security concepts and projects for several years now. An exact inventory of OS, hardware, software installed, etc. is an absolute key element for such a project to succeed. If you use a "this software works for all platforms" approach, the support effort will usually kill you ten times over. Even the best software (Check Point FDE for enterprises, Truecrypt for private users) has many dependencies: the virus scanner may prevent the boot sector from being written, the keyboard may not be recognised correctly by the preboot-auth code, certain boot loaders may not be interoperable with the product of choice, or you just may be unlucky.

It is probably cheaper for an enterprise to give a workplace (e.g. Thin Client, SunRay or cheap Notebook) to an employee (even a temp) than trying to fix his security for or against him.

Sincerely yours, Martin

P.S. This is a very, very short summary.... A complete account of experiences and ideas would require days to type. When a customer wants an introduction into the topic, I usually start with a 2-4 hour presentation.
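The DMZ-plus-SSL-VPN layout described in the post above, where what a device may reach depends on how the user authenticated and on the security level of the PC, is easiest to reason about as a small policy evaluator. The block below is an added illustration written for this thread, not the poster's design or any vendor's VPN configuration; the posture fields, the two authentication types, the resource names and the tier table are all assumptions chosen for the example. It also encodes the "file transfer only through a clearing point" rule: direct transfer is refused for every tier, and only the clearing-point resource is ever offered.

```python
"""Tiered access for devices parked in a DMZ and coming in over a VPN.
Added example with assumed policy values; not any site's real policy."""

from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """What the VPN gateway learned about the endpoint (constructed fields)."""
    managed: bool          # corporate-owned, inventoried build
    disk_encrypted: bool   # full-disk encryption verified on
    av_current: bool       # anti-virus present and signatures fresh
    os_patched: bool       # no missing critical patches


@dataclass(frozen=True)
class Session:
    user: str
    auth: str              # "password" or "cert+otp" (assumed auth types)
    posture: Posture


def security_level(p: Posture) -> int:
    """0 = unknown/private PC, 1 = private PC that passes all hygiene checks,
    2 = managed build that passes them too.  A managed machine that fails a
    check drops to 0: losing encryption or AV makes it as untrusted as a
    stranger's laptop, inventory entry or not."""
    hygienic = p.disk_encrypted and p.av_current and p.os_patched
    if p.managed and hygienic:
        return 2
    if hygienic:
        return 1
    return 0


# Resources reachable from the DMZ per (auth type, security level).  Assumed
# tiers: weak auth never reaches records; only a managed, encrypted machine
# with strong auth does.  "file-transfer" deliberately appears nowhere.
POLICY = {
    ("password", 0): {"webmail"},
    ("password", 1): {"webmail"},
    ("password", 2): {"webmail", "intranet"},
    ("cert+otp", 0): {"webmail"},
    ("cert+otp", 1): {"webmail", "intranet", "clearing-point"},
    ("cert+otp", 2): {"webmail", "intranet", "clearing-point", "patient-records"},
}


def allowed_resources(s: Session) -> set[str]:
    """Resources this session may reach; unknown auth types get webmail only."""
    return set(POLICY.get((s.auth, security_level(s.posture)), {"webmail"}))


def authorize(s: Session, resource: str) -> tuple[bool, str]:
    """Decide one access request and return (allowed, reason) for the log."""
    if resource == "file-transfer":
        # Direct transfer is refused for everyone; files go via the clearing
        # point, which can scan and record them.
        return False, "direct file transfer refused; use clearing-point"
    level = security_level(s.posture)
    if resource in allowed_resources(s):
        return True, f"{s.auth} at security level {level}"
    return False, f"{resource} needs stronger auth or posture (have {s.auth}, level {level})"


if __name__ == "__main__":
    # Constructed sample sessions, one per tier.
    private_pc = Posture(managed=False, disk_encrypted=False, av_current=True, os_patched=True)
    private_ok = Posture(managed=False, disk_encrypted=True, av_current=True, os_patched=True)
    managed_pc = Posture(managed=True, disk_encrypted=True, av_current=True, os_patched=True)
    for sess in (Session("alice", "password", private_pc),
                 Session("bob", "cert+otp", private_ok),
                 Session("carol", "cert+otp", managed_pc)):
        for res in ("webmail", "patient-records", "file-transfer"):
            ok, why = authorize(sess, res)
            print(f"{sess.user:6} {res:16} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The useful property to notice is that a private PC, even when it passes every posture check, never gets patient records in this table: the inventory problem the post describes (no reliable picture of OS, hardware and installed software) is exactly why level 1 stays below level 2.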

Probably not done right anyway (0)

Anonymous Coward | more than 4 years ago | (#32044728)

You are all missing the point. I bet IT has a spreadsheet listing which users they have installed the stuff on .... and then they compare it to the logs. Bring any old computer in, install it on that ...and never touch it again.

Stop checking your email (1)

Tridus (79566) | more than 4 years ago | (#32044744)

If they're going to insist on this type of software, then stop using your personal machines to connect to the network or check your email at home.

If they really want you to check your email, demand that they provide hardware that meets with their approval to do so.

No laptop, no work at home (1)

cenobyte40k (831687) | more than 4 years ago | (#32044750)

My company did the same thing. Well except they gave us all laptops to use. Tell them it's fine, but if you want me to work at home you have to give me a laptop. If they refuse, just stop doing that work at home.

Could be worse (1)

updatelee (244571) | more than 4 years ago | (#32044762)

You're lucky you can even use your personal computer.

If we try to plug a personal computer into the network, IT disables the Ethernet port, calls your local and reams you out. No checking your email from home. Local LAN only for reading email.
