A doctor logs in to a hospital server to deactivate his personal computer's account. After his attempt, a server misconfiguration somehow makes the patient records the doctor accessed available on the Web, resulting in a four-year investigation and a $4.8 million fine for two hospitals.
Is this a failure of BYOD and the user? Or of IT's server admins and security staff?
Your answer very likely will determine your fate in IT.
When the fine was announced recently, I got a few emails from readers citing this as an example of the evils of BYOD. After all, had the doctor not connected his own PC to the hospital network in the first place, the server misconfiguration wouldn't have been triggered.
"I'd love to be a fly on the wall for the Monday morning meeting of the BYOD doctors as they respond to this issue and work on an appropriate response. Just kidding: We all know who'll be stuck dealing with this mess," one reader wrote.
It's a sadly laughable comment: Blame the user for the fact that the server both was easily accessed by a physician and had a flaw that allowed private medical records to be pumped into the open Internet. If the server should have been off-limits to all but hospital-issued computers, how did the doctor connect? This occurred in 2010, when IT shops were addressing the first big wave of user devices — mainly mobile ones but also home PCs — accessing network resources that had been designed in an era when people worked in offices on company-issued PCs — and nothing else. So a smart doctor likely used work credentials on a personal device back before that was top of mind for IT. That was a forgivable oversight back then for both the user and IT.
But the posting of regulated patient data to the Internet had nothing to do with the user's actions, BYOD or otherwise. The two hospitals involved acknowledged that their security and network practices were substandard, which is why they accepted the $4.8 million fine this winter from the feds. Even back in 2010, that was an unforgivable failure on the part of IT.
Yet four years into the consumerization shift, there remains a strain of IT folks who just can't accept that we live in a connected, heterogeneous, porous-border world and instead keep wishing users would act as if it were still the 1990s or 2000s.
Four years ago, when I first started writing about BYOD and the fundamental shift to users that is the consumerization-of-IT phenomenon, I encountered many bewildered IT pros, whose familiar contexts were being uprooted — and fast. I often heard a subset of IT pros, shaking their fists, declare, "Just you wait until all the breaches happen!"