A doctor logs in to a hospital server to deactivate his personal computer’s account. After his attempt, a server misconfiguration somehow makes the patient records the doctor accessed available on the Web, resulting in a four-year investigation and a $4.8 million fine for two hospitals.
Is this a failure of BYOD and the user? Or of IT’s server admins and security staff?
Your answer very likely will determine your fate in IT.
When the fine was announced recently, I got a few emails from readers citing this as an example of the evils of BYOD. After all, had the doctor not connected his own PC to the hospital network in the first place, the server misconfiguration wouldn’t have been triggered.
“I’d love to be a fly on the wall for the Monday morning meeting of the BYOD doctors as they respond to this issue and work on an appropriate response. Just kidding: We all know who’ll be stuck dealing with this mess,” one reader wrote.
It’s a sadly laughable comment: Blame the user for the fact that the server both was easily accessed by a physician and had a flaw that allowed private medical records to be pumped into the open Internet. If the server should have been off-limits to all but hospital-issued computers, how did the doctor connect? This occurred in 2010, when IT shops were addressing the first big wave of user devices — mainly mobile ones but also home PCs — accessing network resources that had been designed in an era when people worked in offices on company-issued PCs — and nothing else. So a smart doctor likely used work credentials on a personal device back before that was top of mind for IT. That was a forgivable oversight back then for both the user and IT.