Pink slips motivate policy compliance

Lawrence M. Walsh, News Writer

Public executions are necessary for ensuring security policy compliance, says Dr. John Halamka. "There's no second chance if you violate trust," he said.

As CIO of both Boston's Beth Israel Deaconess Medical Center and Harvard Medical School, Halamka is charged with enforcing the policies and procedures that ensure the security of 9 million patient records and 70 terabytes of data.

Most people would think that medical professionals working in a world-class hospital and university would be above the temptations of records surfing, unauthorized downloads and abuse of computer resources. They're not. Each year, Halamka says, three or four doctors -- ranging from green residents and interns to well-weathered practitioners -- are fired for violating security and acceptable use policies.

Sometimes, doctors are looking up medical histories of their competitors to embarrass them or to gain a business advantage. Other times, they're simply curious about a famous patient and look up his lab tests. On occasion, they're caught releasing confidential records or billing information to unauthorized parties. And, of course, there are the porn surfers, online gamblers and cyberstalkers.

"You run into two kinds of folks: those who will accept the consequences and those who deny everything and must be presented with the preponderance of the evidence," says Halamka. "That's why you need public executions to reinforce good behavior and to protect resources."

    Requires Free Membership to View

Most organizations take pains to hide or downplay employee dismissals due to policy infractions. As with hacker incidents, enterprises fear that public disclosure of policy violations will damage their reputation and open them up to action.

That's changing, however. Regulations such as HIPAA and the California Security Breach Notification Act are making rigid policy enforcement an imperative. An even greater driver, though, is the maturation of security and IT in the workplace. As these groups gain more cachet, they're able to drive their agendas beyond the data center and into HR and legal groups. Enterprises are recognizing the need for strong policies and enforcement standards -- and the occasional public execution.

"It's not the name before the '@ sign' that's going to get in trouble; it's the name after [it] that will," says Michelle Drolet, president and CEO of ConQwest, a security assessment and integration firm.

For tips on creating awareness and enforcing policy, read the entire Information Security magazine feature.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: