D14.1: Discussion Topic 1:
In regards to laws and regulations… Complying with the law is obviously important, but in my industry (healthcare), sometimes this is a gray area. In my professional field, HIPAA regulates how we handle personally identifiable information. Encryption, both at rest and in transit, is required in many cases. However, consider the nature of healthcare, and the urgency of providing emergency care. I have witnessed many times where a physician in the emergency department needed to consult on a case, and the most expedient method was to simply email the patient’s test results, images, etc., without any encryption or protection of their data. How do you feel about this situation? Is non-compliance ever justified? How could these issues be mitigated without impacting the mission of the organization?
D14.2: Discussion Topic 2:
Read RFC 1087: Ethics and the Internet. Is the document still relevant today? Is this document still something that Internet users would understand today? How could it be improved?
D14.3: Discussion Topic 3:
You are a security consultant with the Security Advisors Co. and have been asked to help investigate a recent security incident that took place at the law firm of Dewey, Cheatham, and Howe. In your assignment you have been assigned to work with the vice president of IT.
The security incident that you are investigating appears to be a case of an intruder who broke into a company computer to remove and destroy information on an upcoming legal case. A forensic examination revealed that the incident was actually an inside job that was perpetrated by one of the new programmers, who is a relative of the VP of IT.
When you wrote your findings and presented them to your client, the VP of IT asked you to change the findings in your report to show that the perpetrator could not be found. The VP has promised future work for your company and a good recommendation for your work if you comply.
What will you do next?
Jason A Lindsley says
D14.1: Discussion Topic 1:
In my opinion, e-mailing a patient’s personal information without proper security is unacceptable and is either a failure of business requirements or inadequate training of end users. I do see a justification in doing this when there is a life and death situation; however, this should result in action that identifies the root cause and triggers a solution that prevents occurrence. The root cause might not even be an inadequate IT solution. Users may require additional training on the solutions available to them to share data more securely. Monitoring controls are required (e.g. DLP monitoring) that identify misuses of patient data, and procedures must be in place to follow up with offenders to prevent recurrence.
D14.2: Discussion Topic 2:
Read RFC 1087: Ethics and the Internet. Is the document still relevant today? Is this document still something that Internet users would understand today? How could it be improved?
Although the areas that are characterized as unethical and unacceptable still apply today, the intended use of the Internet has exponentially expanded beyond government research and now serves as critical infrastructure for our financial system, public utilities, telecommunication, and more. The risks highlighted in this RFC are especially prevalent today and clearly the need to “set up technical and procedural mechanisms to make the Internet more resistant to disruption” has become a true reality. We are also experiencing the anticipated expense and complexity associated with securing the Internet and balancing security with the “free flow of information which makes the Internet so valuable”.
This document could be improved by considering all of the other critical infrastructure that the Internet now supports and identifying the additional unethical and unacceptable uses that we are now subject to (e.g. inappropriate funds transfer, identity theft, ransomware, etc.).
D14.3: Discussion Topic 3:
It would be completely unethical to change my findings to appease the VP of IT, no matter what additional future work or recommendation that person is willing to provide. I would act with integrity and identify both the ombudsman of the company and the VP of IT’s boss. I would provide them with my findings and explain that the VP of IT asked me to change them to cover up the crime that was committed by a relative (i.e. a conflict of interest).
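Jason’s point about DLP monitoring that identifies misuse of patient data is the kind of control that can be checked in code. The following is an added example written for this page, not code from any poster or from a real DLP product. It assumes a constructed mail-gateway log format (one space-separated line of key=value fields per outbound message), a constructed list of internal domains, and a constructed PHI indicator (an MRN-style token in the attachment name); all of these are assumptions, not facts from the thread. It flags messages that leave the organisation carrying an attachment that looks like PHI and was not encrypted, which is exactly the emergency-department e-mail the prompt describes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample mail-gateway log lines (not from any real system):
// one outbound message per line, space-separated key=value fields.
var sampleLog = []string{
	"2024-01-05T10:12:03Z from=dr.smith@hospital.example to=consult@othersite.example attach=labs_MRN4471.pdf encrypted=no",
	"2024-01-05T10:15:44Z from=dr.smith@hospital.example to=radiology@hospital.example attach=ct_MRN4471.dcm encrypted=no",
	"2024-01-05T10:20:10Z from=nurse.lee@hospital.example to=consult@othersite.example attach=labs_MRN9120.pdf encrypted=yes",
	"2024-01-05T10:31:59Z from=it.help@hospital.example to=vendor@othersite.example attach=invoice_2024.pdf encrypted=no",
	"2024-01-05T10:33:21Z from=dr.patel@hospital.example to=friend@mail.example attach=none encrypted=no",
}

// internalDomains lists the domains treated as inside the covered entity (assumption).
var internalDomains = map[string]bool{"hospital.example": true}

// phiMarker is a constructed indicator: a medical record number in the attachment name.
var phiMarker = regexp.MustCompile(`(?i)MRN\d{3,}`)

// Finding is one policy violation detected in the log.
type Finding struct {
	Time, From, To, Attachment, Reason string
}

// parseFields turns "ts k=v k=v ..." into a map; the leading timestamp is stored under "ts".
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	parts := strings.Fields(line)
	if len(parts) == 0 {
		return fields
	}
	fields["ts"] = parts[0]
	for _, p := range parts[1:] {
		if k, v, ok := strings.Cut(p, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// recipientDomain extracts the lower-cased domain part of an address.
func recipientDomain(addr string) string {
	if _, dom, ok := strings.Cut(addr, "@"); ok {
		return strings.ToLower(dom)
	}
	return ""
}

// ScanOutbound applies a single DLP rule: an attachment whose name looks like
// PHI, sent to an external recipient, without encryption, is a finding.
func ScanOutbound(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		f := parseFields(line)
		if internalDomains[recipientDomain(f["to"])] {
			continue // internal traffic is out of scope for this rule
		}
		att := f["attach"]
		if att == "" || att == "none" || !phiMarker.MatchString(att) {
			continue // no attachment, or nothing that looks like PHI
		}
		if f["encrypted"] == "yes" {
			continue // protected in transit: the compliant path
		}
		findings = append(findings, Finding{
			Time: f["ts"], From: f["from"], To: f["to"], Attachment: att,
			Reason: "unencrypted PHI attachment sent to external recipient",
		})
	}
	return findings
}

func main() {
	for _, fd := range ScanOutbound(sampleLog) {
		fmt.Printf("%s %s -> %s [%s]: %s\n", fd.Time, fd.From, fd.To, fd.Attachment, fd.Reason)
	}
}
```

Only the first constructed line is flagged: the internal consult, the encrypted transfer, the non-PHI invoice and the message with no attachment all pass. A real rule set would also inspect attachment contents and message bodies, but the structure, a policy decision per message with the compliant path explicitly allowed, is what lets the follow-up procedure Jason mentions start from a concrete record rather than a rumour.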
Ahmed A. Alkaysi says
Good points on Topic 2 Jason. The spirit of this document is still relevant. However, since this document is from 1989, so much has changed that extends beyond the scope of what was intended back then. This document can be improved by adding the different aspects of the internet, and what the responsibilities of the users would be. Also, the different types of devices that use the internet these days can also be added to the document to expand the scope of what used the internet back then.
Younes Khantouri says
D14.1: Discussion Topic 1:
Jason,
I do agree with you, e-mailing a patient’s personal information without proper security is unacceptable and is either a failure of business requirements or inadequate training. This can also make patients not trust that medical institution or hospital. I do believe that those doctors or medical employees don’t only need to justify why they have done these types of actions, but they have to inform patients before and after exchanging their personal information over the internet. Asking for patients’ permission would be more ethical.
Younes Khantouri says
D14.3: Discussion Topic 3:
Jason,
Great explanation. This is a very ethical question; I won’t change my report. I will discuss with my superiors what happened and if they decide to change the report, I will have to leave the company. In my opinion, if the consultant is not strong to make the right power, he/she shouldn’t be in that position.
Ronghui Zhan says
Topic 3:
1. Assuming the investigator’s background here: middle class with $100K/year, has two kids and a full-time housewife.
Assuming he won’t know there may be other personnel working with the VP in the company. Assuming the VP may have enough resources to deal with the investigator; he knows some powerful friends and the investigator knows it. If he reports, the VP uses his resources to take revenge. He would not only lose his job; his family could also be in danger. That’s the toughest dilemma in his life.
Me, assuming his trusted friend, would recommend:
First, talk to his family about what he faces at once, making sure his wife understands every consequence, and move his family somewhere safe.
Second, find a trusted lawyer, planning everything ahead, including preparing an audio record, recording every possible piece of evidence, making sure his statement is supported by evidence.
Third, comply with law and ethics, doing what he’s supposed to do.
That was the worst case. In a less severe case, doing steps two and three will be enough.
Neil Y. Rushi says
Discussion Topic 14.3 – I would report my findings as needed, regardless of whether the new programmer is the relative of the VP. The VP can offer whatever he wants but in the end, my integrity is more important than more money. In the world of cyber security, we don’t want to encourage people who break the law and do not comply with IT laws. Forensics requires much analysis of the crime scene, just like in the police world – a detective doing his job will not sacrifice his honesty for the sake of saving someone who broke the rules. This is an example of employees intentionally performing malicious acts. I would report my findings as I see fit and keep a backup on another device just in case someone decides to modify my report.
Ronghui Zhan says
Exceptions happen a lot.
Oby Okereke says
D14.1: Discussion Topic 1:
I totally agree with Jason’s viewpoint. The need for security awareness training remains inherently important if healthcare providers are to handle patients’ sensitive data as required by HIPAA regulations. Non-compliance is a big security issue and it should never be justified, because security and privacy risk should be a shared responsibility of all healthcare providers.
Complying with the HIPAA requirement of protecting patients’ sensitive data, where healthcare providers find themselves challenged with increasingly multifaceted requirements for effective management and processing of sensitive health data, can be mitigated by deploying a proven encryption technique to safeguard the data while at rest and during transmission. Prohibiting the use of personal email accounts on computers that would be used in emergency situations will go a long way to lessen the chance of sensitive data being exposed.
Oby Okereke says
D14.2: Discussion Topic 2:
I would consider RFC 1087: Ethics and the Internet still relevant. In my opinion, it forms the building block of all things internet today. The five basic ethical principles form the pillar of most policies and rules governing the use and access of data that traverses the internet. Most internet users will definitely find the document easy to understand, but given that the internet and its use have grown way beyond what was originally intended, there is a need to expand RFC 1087 to include these new areas that leverage the use of the internet, i.e. IoT, artificial intelligence, use of data across international borders, blockchain and a host of other technologies that come with their inherent risks and problems which, if not addressed, expose their users and adopters to a new set of security risks.
Fred Zajac says
I believe the sharing of private information should be based on an emergency policy. The emergency policy should outline why information needs to be shared, how the information should be shared, and who can request such information. HIPAA has an exception to the privacy policy. The exception states that a health entity can exchange patient information if it is life threatening. This exception is important because protecting the patient’s life is more important than protecting the patient’s PII. As for the encryption process, there are services that are available to provide email encryption to and from outside entities. The hospital should use a service for these types of high-level emergencies. As a lower-level option, one could use 7-Zip to compress, encrypt, and attach to an email. You can password protect the zip file as well. You could then use another means of communication, like the phone, to exchange the encryption password.
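Fred’s lower-level option, an encrypted archive attached to the mail with the password passed over the phone, is a passphrase-based encryption scheme, and its strength depends on two things the archive tool hides from the user: how the passphrase is stretched into a key, and whether the ciphertext is authenticated. The block below is an added example written for this page, not Fred’s or 7-Zip’s code, showing those two pieces explicitly: PBKDF2-HMAC-SHA256 to derive a key from the phoned-in passphrase and a random salt, then AES-256-GCM so that a wrong passphrase or a modified attachment is rejected rather than silently decrypted to garbage. The iteration count, the header layout (salt, nonce, ciphertext) and the sample attachment bytes are all assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	nonceLen   = 12     // standard GCM nonce size
	keyLen     = 32     // AES-256
	iterations = 100000 // assumption for the example; follow current guidance in production
)

// pbkdf2SHA256 is a plain implementation of PBKDF2 (RFC 8018) with HMAC-SHA256,
// written out here so the key-stretching step is visible rather than hidden in a library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	var dk []byte
	ctr := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)       // U_1
		t := append([]byte{}, u...) // T = U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment returns salt || nonce || ciphertext+tag. The salt and nonce are
// bound as associated data so that tampering with the header is detected too.
func EncryptAttachment(plaintext []byte, passphrase string) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ad := append([]byte{}, header...) // separate copy of the header for associated data
	return aead.Seal(append([]byte{}, header...), nonce, plaintext, ad), nil
}

// DecryptAttachment reverses EncryptAttachment; any error means "do not trust this file".
func DecryptAttachment(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	header := blob[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, blob[saltLen+nonceLen:], header)
}

func main() {
	// Constructed sample attachment; the passphrase is the value read out over the phone.
	report := []byte("constructed sample: MRN4471 CBC panel, see attached images")
	blob, err := EncryptAttachment(report, "reef-ladder-copper-41")
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted attachment is %d bytes\n", len(blob))
	if _, err := DecryptAttachment(blob, "reef-ladder-copper-42"); err != nil {
		fmt.Println("wrong passphrase rejected:", err)
	}
}
```

Two practical notes follow from the code. The out-of-band passphrase is the whole secret, so it needs to be long and never placed in the same e-mail; and if an archive tool is used instead, the option that matters is AES encryption rather than the legacy ZipCrypto mode, since only the former gives the kind of authenticated, properly key-stretched protection shown here.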
Ronghui Zhan says
Topic 1:
How to interpret law and regulation is subjective. It offers definitions telling us what is right from wrong. In an emergency case, time is life. What are we really worried about? Is privacy an issue? It depends.
Ronghui Zhan says
Topic 2:
Those rules still apply today. But it just offers a general framework. Today’s internet is a lot more complicated. A more comprehensive principle is needed. Based on it, details shall be described.
Oby Okereke says
D14.3: Discussion Topic 3:
Every profession maintains a code of conduct for its members and security consulting is not left behind. Based on the scenario, any action short of presenting my findings as obtained will reek of impropriety. As a security consultant, I must strive to avoid any improprieties or the appearance of improprieties, nothing less. It is my responsibility to honor the code of conduct of security consultancy no matter who is involved. After reviewing the case, I must comply accordingly by reporting the perpetrator as discovered to the law firm.
Ahmed A. Alkaysi says
D14.1: Discussion Topic 1:
It really depends on the circumstances that might result in non-compliance. If it is a life-or-death situation, I believe that non-compliance would be justified. This would be similar to a Good Samaritan law. A possible way to mitigate these types of issues is by:
-Setting up rules and regulations on when this would be justified
-Requiring approvals before sending out documents
-Having a relative or the patient’s guardian sign a waiver or provide consent before sending the documentation.
Ahmed A. Alkaysi says
D14.3: Discussion Topic 3:
I would also report the findings as everyone else has stated. It would be against the law for me to corrupt the findings. However, having said this, without perfecting the facts, maybe maybe the wording can be modified to not soften the blow. During audits, when we discover a finding, we discuss it with the clients and agree on the wording that will go into the final report. This way, not only are we appeasing the clients, we are getting them to agree and acknowledge the issues so that they can work on remediating them.
Ronghui Zhan says
What kind of wording is appropriate?
Ahmed A. Alkaysi says
It can be wording that gets the message across but wouldn’t sound extremely harsh, maybe either a substitution of words or added context around the intended message.
For example, if during an audit it is found that users have access to an application they do not need, instead of just saying that “Users were found with unneeded access”, more context can be added explaining that users required access to the application due to an earlier project but were not removed afterwards.
Ahmed A. Alkaysi says
Apologies for the typos; I meant “without perverting the facts, maybe the wording can be modified to soften the blow.”
Fraser G says
D14.1: Discussion Topic 1:
In that particular situation, I feel fine with the actions taken – if someone’s health and safety is in danger, and you aren’t violating anyone else’s privacy, I would say go for it. Non-compliance is justified in a lot of situations, because no auditor or system architect/security expert can plan for all eventualities. To put things in perspective, the director of security for Morgan Stanley went AGAINST the Port Authority’s (owners of the building) orders to stay in place and not evacuate on 9/11. He ended up saving thousands of employees’ lives. Now, that is an extreme example; however, it shows how compliance is just the best prepared plan given ideal circumstances (even for things like disaster planning they have to set a baseline).
Non-compliance can be helpful not only in a certain situation but in learning how to plan for that situation in the future. Non-compliance should be documented and reviewed, as a tool for how the current policy could be amended and, just as important, for rectifying the non-compliant actions that occurred (in the case above, notifying the patient of the breach of privacy, offering services to monitor credit, etc.).
D14.2: Discussion Topic 2:
This document is still relevant today. The internet was created by idealists, and we should try to preserve these ideals:
“The Internet is a national facility whose utility is largely a consequence of its wide availability and accessibility. Irresponsible use of this critical resource poses an enormous threat to its continued availability to the technical community. The U.S. Government sponsors of this system have a fiduciary responsibility to the public to allocate government resources wisely and effectively. Justification for the support of this system suffers when highly disruptive abuses occur. Access to and use of the Internet is a privilege and should be treated as such by all users of this system.”
This is straight from the first page and speaks volumes about the current Net Neutrality debate. I think most internet users would find this interesting and understand the sentiment of RFC 1087 today, particularly with the aforementioned Net Neutrality debate and the political climate in this country.
I don’t think the document should be updated or changed; I think it’s important to have a frame of reference as to where the internet came from and the spirit of the technology.
This country has to decide what “(B) disrupts the intended use of the Internet” means to them – this question of what the internet means to each individual is critical for it to remain a tool of positive action. The ISPs would love more control, at the expense of consumers and creators. The Orwellians would love censorship, with their own kind acting as the judge and jury of thought crimes. The flat earthers just want to spread the truth about the sphereist conspiracy. It will be interesting to see how far the political class can go in their backlash against Russian meddling on social media and electioneering.
D14.3: Discussion Topic 3:
I wouldn’t change a thing in the report, and I would go above him to the CIO (for DCH it’s listed as Otto Delupe) and CC the CEO – whoever it took – to communicate exactly what he offered me. Your work is a reflection of who you are. Less important, security firms are built upon reputations – you are selling a set of technical skills but also a reputation; as my old boss told me, “trust is earned in drops and lost in buckets”.
Brent Hladik says
D14.1: Discussion Topic 1:
In regards to laws and regulations… Complying with the law is obviously important, but in my industry (healthcare), sometimes this is a gray area. In my professional field, HIPAA regulates how we handle personally identifiable information. Encryption, both at rest and in transit, is required in many cases. However, consider the nature of healthcare, and the urgency of providing emergency care. I have witnessed many times where a physician in the emergency department needed to consult on a case, and the most expedient method was to simply email the patient’s test results, images, etc., without any encryption or protection of their data. How do you feel about this situation? Is non-compliance ever justified? How could these issues be mitigated without impacting the mission of the organization?
Personally I don’t feel right about this situation, as I wouldn’t feel comfortable sending someone’s information over the wire not encrypted, as that would just leave too many holes and chances for someone to try to steal their information. In this case non-compliance would be justified, as if they were ever hacked, anyone researching the history would discover how they sent their information.
D14.2: Discussion Topic 2:
Read RFC 1087: Ethics and the Internet. Is the document still relevant today? Is this document still something that Internet users would understand today? How could it be improved?
I think it would still be viable for today. Many people should still understand the basis behind the document. And this would apply to them still today.
D14.3: Discussion Topic 3:
You are a security consultant with the Security Advisors Co. and have been asked to help investigate a recent security incident that took place at the law firm of Dewey, Cheatham, and Howe. In your assignment you have been assigned to work with the vice president of IT.
The security incident that you are investigating appears to be a case of an intruder who broke into a company computer to remove and destroy information on an upcoming legal case. A forensic examination revealed that the incident was actually an inside job that was perpetrated by one of the new programmers, who is a relative of the VP of IT.
When you wrote your findings and presented them to your client, the VP of IT asked you to change the findings in your report to show that the perpetrator could not be found. The VP has promised future work for your company and a good recommendation for your work if you comply.
What will you do next?
I would not make any changes to the findings, as that would be an ethical issue, and they should be reported to some kind of ethical compliance committee so that it shows you did your part in upholding the law and not breaking any rules.
Donald Hoxhaj says
Discussion Topic 1
I do not think this is justified, especially for the healthcare industry, where patient information is most critical and any information leak can actually be dangerous. The healthcare industry is surrounded by heavy financial transactions and patient information, and any data theft might cost enormously. The situation described above is essentially gross negligence and a mistake by the hospital or clinical authorities, who have failed to encrypt emails before sending. These issues can be mitigated by enabling encryption of all emails as recommended by the American Medical Association (AMA). The regulations need to be strictly followed. The regulations state that all physicians must encrypt electronic files or media before sending them across to anyone. If a physician is using a laptop, there has to be a portable encrypted backup of all the information. Any crash of the system can lead to loss of millions of patient records. Hospitals and clinics can ensure this by implementing safe IT practices. This might cost a little but can safeguard the company from future losses.
Discussion Topic 2
Read RFC 1087: Ethics and the Internet. Is the document still relevant today? Is this document still something that Internet users would understand today? How could it be improved?
RFC 1087 was issued by the Internet Advisory Board in 1989. The memo required the United States government to allocate enough resources to protect the privacy of the public. The 5 main activities as part of the code were unauthorized access of information, wasting resources, compromising privacy of users, disrupting use of the internet, and corrupting data. These activities are still very relevant in many cases, and most internet theft or cybercrime today falls into one of the above mentioned categories. However, there are certain areas that still need broad classification of information. The world has changed today and cybercrime has gone to an extremely another level. Most cybercrimes are done either to impact the Intellectual Property of others or to seek financial aid in the form of blackmailing. For the current set of users, it would make sense to include a broader set of rules with respect to theft of computer systems, theft of Intellectual Output without consent, etc.
Discussion Topic 3
Going by the ethics and the norms practiced by my company, I would go ahead and give an honest report showing how the data breach happened because of a relative of the VP of IT. The report will be essential because a false report might lead to much bigger problems in the future and anyway impact the business that we have. It’s better to be safe than sorry, and that is why I would present to the management of the company a report indicating the source of the attack, the name of the person, and the impact of the attack on the business. It is up to the management how to take it forward.
Shi Yu Dong says
Discussion Topic 14.3
I would report my discoveries as required, in any case if the new software engineer is the relative of the VP. The VP can offer whatever he needs however at last, the honesty of myself is more vital than more cash. In the realm of digital security, we would prefer not to energize individuals who infringe upon the law and not agree to IT laws. Legal sciences requires much investigation of the wrongdoing scene, much the same as in the police world – an investigator doing his activity won’t forfeit his genuineness for sparing somebody who broke the tenets. This is a case of workers deliberately performing malignant acts. I would report my discoveries as I see fit and keep a reinforcement on another gadget just on the off chance that somebody chooses to adjust my report.
Younes Khantouri says
D14.1: Discussion Topic 1:
I do agree with you, Brian, with the fact that so many people in the medical field, such as the doctors in your example, don’t respect the regulations that are there to protect the patients’ PII. I don’t think that patients will be OK with that, especially those who have diseases and don’t want to share them with others. In my opinion, it is wrong for a doctor to send any type of document by email that contains any medical reports. I will understand if the doctor has to do it in a case of emergency.
This is not an acceptable action by these medical employees.
D14.2: Discussion Topic 2:
I do believe this document needs to be updated to go parallel with the new uses of the internet. On the other hand, the document talks about the ethical use of the internet, which I believe is important guidance to help users use it for the right reasons.
This document was published in 1989, at a time when the internet was used mostly for communication. Nowadays, the use of the Internet has been extended to ensure the business continuity of so many types of businesses. A new document or an update should be published to explain internet ethics in our days.
D14.3: Discussion Topic 3:
This is a very ethical question; I won’t change my report. I will discuss with my superiors what happened and if they decide to change the report, I will have to leave the company. In my opinion, if the consultant is not strong to make the right power, he/she shouldn’t be in that position.
Sachin Shah says
Discussion 1:
In my job I work with vendors all the time and I MUST encrypt patient information when I am emailing it. In the case of a clinician, their number one priority is patient care and looking after a solution. There may be oversight, and if an audit comes about through HIPAA the clinician just needs to prepare his reasoning and ensure they are isolated incidents. Non-clinicians should have no reason to access patient records through the EMR unless receiving proper training and having a reason. I have no problem if a doctor is non-compliant as long as they are not putting the patient at risk.
Discussion 2:
I think the document RFC 1087 is still viable today. Yet it needs to be altered a bit. This is a great foundation, yet it needs an updated version. Back in 1989 the internet was just a form of communicating instead of telephone or postal mail. Today we conduct personal matters and run businesses on it. There were no personal data breaches or different types of cyber-crimes. I don’t think this document accounted for things like slander, libel, cyber-bullying, extortion, and other safety risks the internet poses.
Discussion 3:
I would have no choice but to report my findings. I would not alter them, as that is unethical and the VP can easily turn me in or use that against me in other matters. Basically I would tell the VP the forensics do not lie and his/her cousin is the culprit. I cannot compromise my integrity for a person who wants me to lie. My personal thought is that the truth comes out and that VP could fire me 6 months after hiring me. What then? I helped a VP and cousin get away and am an accomplice.