Public executions are necessary for ensuring security policy compliance, says Dr. John Halamka. "There's no second chance if you violate trust," he said.
As CIO of both Boston's Beth Israel Deaconess Medical Center and Harvard Medical School, Halamka is charged with enforcing the policies and procedures that ensure the security of 9 million patient records and 70 terabytes of data.
Most people would think that medical professionals working in a world-class hospital and university would be above the temptations of records surfing, unauthorized downloads and abuse of computer resources. They're not. Each year, Halamka says, three or four doctors -- ranging from green residents and interns to well-weathered practitioners -- are fired for violating security and acceptable use policies.
Sometimes, doctors are looking up medical histories of their competitors to embarrass them or to gain a business advantage. Other times, they're simply curious about a famous patient and look up his lab tests. On occasion, they're caught releasing confidential records or billing information to unauthorized parties. And, of course, there are the porn surfers, online gamblers and cyberstalkers.
"You run into two kinds of folks: those who will accept the consequences and those who deny everything and must be presented with the preponderance of the evidence," says Halamka. "That's why you need public executions to reinforce good behavior and to protect resources."
Most organizations take pains to hide or downplay employee dismissals due to policy infractions. As with hacker incidents, enterprises fear that public disclosure of policy violations will damage their reputation and open them up to action.
That's changing, however. Regulations such as HIPAA and the California Security Breach Notification Act are making rigid policy enforcement an imperative. An even greater driver, though, is the maturation of security and IT in the workplace. As these groups gain more cachet, they're able to drive their agendas beyond the data center and into HR and legal groups. Enterprises are recognizing the need for strong policies and enforcement standards -- and the occasional public execution.
"It's not the name before the '@ sign' that's going to get in trouble; it's the name after [it] that will," says Michelle Drolet, president and CEO of ConQwest, a security assessment and integration firm.
For tips on creating awareness and enforcing policy, read the entire Information Security magazine feature.