Thursday, April 3, 2008

Ethics

IT departments often are the largest professional service department of an organization. They provide very valuable services, and users often have a lot of confidence in our abilities to deliver. They trust us to look after their systems and data to the best of our abilities.



IT departments should be constantly growing in their role as responsible service providers. As part of this growth, we want to share with the rest of the community that we are proud of what we do. We do a lot, and what we do, we do well.



For an IT group to look after one hundred systems or more is not unusual. Some of those systems are of critical importance to at least some part of the organization. Most of them impact the company as a whole. We provide a service at a high level of professionalism.



We, as information technology workers often hold, by the nature of our job function, positions that enable us with more abilities than others to inspect, create, modify, or delete information. As system administrators, network administrators, technicians, database administration, customer services representatives, developers, or designers, we have de facto access to all electronically stored assets under our control.


Because we are in such a unique position, our actions must stand up to the highest level of scrutiny. We must strive to never break the level of trust that the community has in us. Our users must know that we will never access any information if we do not have explicit permission to do so, and that we will never share information that we encounter in our day-to-day business.


We have to be constantly aware of the fact that we have a privileged position, and must take great care not to use our special privileges unless we absolutely have to.


The ability to access information does not imply the authority to do so.


Consider the following example. It took case at a research institute a few years ago.


A company's physical security department received a report of unauthorized access to a research and development lab. Someone had gone into the lab using a key, used a PC to surf the web, and order a product from an online store. The unauthorized entry was detected because an employee with legitimate access noticed that some of his equipment had been moved. The lab is only accessible with a dedicated key, which was only issued to two people, and by a master key. The master key is carried by everyone in facilities, cleaning, security, by many people in the computing center, and possible by several others. While this person had the ability to access the room, they did not have the room owner's permission to do so.



While the person had the ability to access the PC, they did not have the room owner's permission to do so. While the person had the ability to log on to the PC, and surf the Internet, he did not have the authority to do so.

The ability to access something does not equate to the authority to do so.


The employee who noticed that something was out of the ordinary proceeded by trying to find out who did it. Unfortunately, by doing so, he started an investigation. While he had the ability to do so, he did not have the authority to do so.

Investigations to find out which individual did something, how it was done, when it was done, where it was done and what was used to do it, is something that requires special skills. It also invades a user's personal privacy.


While users should know that the resources that they use are for business use, and that they do not have a reasonable expectation of privacy, the right to carry out an investigation is something that has to be provided on a case-by-case base, and only after explicit written permission of someone who has the authority to do so.


If you carry out an investigation without explicit written permission, you put your job at risk, and you expose yourself to legal liability. That applies to everyone, even if you are trying to help out one of your users to the best of your abilities. As soon as trying to help includes accessing information to which you would ordinarily not have access, make sure you cover yourself, and get a get-out-of-jail-free card before you proceed. While that means that you will not be able to assist a user right away, you will be doing the ethically correct thing.


While using that get-out-of-jail-free card, make sure you keep a log of what you do, and when you do it. Document your actions.


Not only do we have access to all systems, we are also in a position that we see a lot of information. Technicians pay "house calls" to end-users and see whatever they have on their desks, or on their computer. Database administrators are privy to the most sensitive information out there. System administrators have access to people's email; network administrators can see all traffic flowing over the network. Yet, because we see things, it does not mean that we can look at it.


What you see is not what you get.



Any information that you encounter during your work must be considered confidential. Do not discuss it with co-workers, family, or friends. Do not be tempted to share with anyone the kind of information you see, or are able to access. Not only is that a violation of trust, it also puts you at risk of criminals who will go after people to get to information. What you see is not what you get.


Consider this example from my past. It is partly made up, and partly based on truth.

Let's consider Adam. Adam was a computer technician providing field support at a university hospital. While working on someone's computer, Adam noticed that the doctor whose computer he was working on had left a file open that contained medical information. As per the hospital's protocol, Adam proceeded by closing the file before he started work on the computer. However, while closing the file, Adam could not help but notice that the record had the patient's name, Eve, on it. Adam realized that he knew Eve.



Fortunately, Adam knew that he would be in big trouble if he looked at the contents of the file, and he did not. Adam did not have the authorization to inspect the contents of Eve's medical file, and he did not use his ability to do so.

Several weeks went by and Adam met Eve at a small party. Remembering that he saw that Eve's medical records were on doctor's PC, Adam commented to Eve that he did notice her file at the Oncologist's, but that he did not read it, or even look at it.

Eve was shocked, and upset. She had not yet told anyone that she was seeing an oncologist, let alone wanted that fact mentioned in public. Even worse was that Eve's mother, who was also at the party, overheard Adam's comment.

Even though Adam had good intentions, he disclosed the fact that Eve was seeing an oncologist, without having her approval to do so. Because Adam was able to see information, does not mean that he was allowed to discuss it.

What you see is not what you get.

Adam broke a very fundamental level of trust between him and Eve. The latter case is even amplified by the fact that medical information is one of the types of information that has Federal protection. The Health Insurance Portability and Accountability Act (HIPAA) is very specific (pdf). Any entity that provides medical services, charges for those services, and stores any information is considered to be a 'covered entity'.

HIPAA a privacy rule that is fairly specific, yet very broad. Wikipedia formulates it as "Personal Health Information is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history." The HIPAA Privacy Rule requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.

By discussing the mere fact that Eve had a medical file at the oncologist's office, Adam broke the confidentiality that had to be ensured.


Having said this, there will be cases in which you see information that make you see uncomfortable. There could be images on someone's computer, or there could be information that is at odds with your organization's mission. If that happens, do not confront the user about it. Ignore the fact that the information is there, and talk to your supervisor. If you do not feel comfortable talking to your direct supervisor, talk to another manager.

However, there really only two cases in which you should do this. When you think that information is related to a criminal act, you must tell someone about it. Not only will it make you feel better, you will also transfer some of the responsibility for addressing the situation. The other reason to share your findings with your supervisor is when you encounter information that is at odds with your company's mission.

The important things that I hope to have conveyed in this post are that we have been given very special privileges, and that we should be very aware and conscious of those privileges all the time. The two specific case examples:

  1. The ability to access information does not equate to the authorization to access information;
  2. Whatever you see, you must keep private and confidential. What you see is not what you get.

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.