False Sense of Security.
Recently I have been involved in a number of interviews and talk sessions connected with a highly involved government audit. As with many of these sorts of things when money is channeled through and organization that has it's origins in tax revenues, Uncle Sam and his mini me's will want to make sure that a series of written doctrines and processes are being followed and adhered to. Failure to do so results in the river finance drying up, followed by the plague of legal locusts swarming in the black cloud of litigation. Such is the lot of doing business with government agencies at the state and federal levels.
I readily acknolowedge the need for oversight of these sorts of things. Indeed our very existence is in some respects due to the fact that some of these sorts of requirements exist. What I do feel is overblown are the reasons cited for some of the requirement. From the outside looking in, a list of features built into the seal of approval from such audits would read to instill some level of confidence. From inside looking out however the vibe is a very different one. Let's take the notion of information security as an example.
In one such engagement we had a requirement for a separate team of folks to be responsible for building a public facing application, rather than the development team being responsible for such endeavors. In fact the actual requirement, had that dedicated build team responsible/required to conduct all such building and deployment activities even into the test environments. The reason cited was to enhance security. Specifically the notion being that a separate person or team of persons would be less likely to inject unwanted content into said application, (read as backdoors or security holes into said application). As if a person who collects a set of components, places them in a specific location on a dedicated machine and then clicks a build button, would somehow magically see a back door phase into view should one exist, just like a Romulan War Bird dropping out of cloak before their very eyes.
I know that somewhere in the past some agency was bitten by some disgruntled nit wit and found itself to be vulnerable to an attack staged by said nit wit. In the post mortum, someone disconnected with the whole mess thought this measure would have prevented this issue. In their report they wrote it up and it has forever been yet another thing that adds to the cost of doing such business. Anyone who has written anything more complex than HelloWorld might beg to differ with that sentiment. In reality that specific measure does little more than keep someone else employed. (admittedly a worthy cause in this down in the dumps economy). Facts are that it presents yet another hurdle to agility in a development effort. Worse yet it contributes to the false sense of security those on the outside have in the workings of such technology endeavors. The world of IT is rife with such issues.There are all manner of certifications and regulations that are in many cases targeted at securing the information within from the unsavory without.
I found myself thinking about this very point as I was standing 50 deep in queue, holding my shoes in one hand, along with my pants because I had to take my belt off as well. Waiting to pass through the xray machine at the airport. My mind wandered from thoughts of pity for the poor soul who was forced to look at the macabre ugliness of humanity as it schlepped through this particular checkpoint myself included. Yet I was all warm and fuzzy feeling the huge boost in my personal safety that this measure of indignity afforded my meager existence. It was then I realized the resemblance this measure had with what we face in in IT every day.
IT endeavors and their interfacings with the general population are full of said measures that are laughable. One collection of said measures goes by the moniker of HIPAA. It's basic premise is good in that it supposed to prevent the unwanted dissemination of private health related information about a person to others persons who are not supposed to see that information. Things like a person name and such. Yet every time I go into a doctors office I sign in on a sheet with perhaps dozens of other peoples names who have come in before me, or when I pick up my Viagra at the Pharmacy I sign a sheet with the same peoples names....
Now I can hear the the supporters of these regulations saying that these measures are necessary and the breaches cited are minor and innocuous in nature. What about when IT worker q installs a policy at the enterprise server that prevented the workstations connected to said server from activating their USB ports. The idea being that those pesky USB ports were conduits for wanton information dissemination via storage keys, smart phones, and music players. This poor IT guy, tired from the weekend of wine and women filled debauchery, having made a typical human mistake and also turned off every one of the hundreds of workstations keyboards and mice. ( they were after all USB devices.) How about that, Marge from accounting, who always complains that her sled of a machine was garbage is the only one working now because it didn't use USB ports for the keyboard and mouse, imagine that. All kidding aside though, this same regulation also is creating serious issues in the world that the promise of IT could address. One such example would be when the same regulations prevent doctor x from knowing that I am being treated for something by doctor y, this because doctor x does not have a release of information submitted to doctor y. Doctor x then goes on to prescribe something to me that runs counter to what doctor y is doing.
I hear people clamoring well you should have told the doctor what you were doing with the other doctor, they ask you about your other treatments don't they. Yes standard practice has you drill out everything you are taking, thinking, doing every time you go into a doctors office. What if you forget a dosage as you are filling out this form for the umpteenth time, what you have been in a horrible accident that has left you in a coma and the ER doc has no way of knowing. Don't kid yourself into thinking that the safety supposed to be provided by these layers of regulation will help you in this scenario, don't think that it never happens that way either.
I work every day with people who know that the sharing of information of this type would go so far to silence the squeaky creaking of a healthcare system that has been on life-support for longer than most of the patients it so treats. The entire system sits in its own iron lung even as it struggles to care and provide services for the people who need it. In a vacuum a single happening requiring said system to provide care and healing, shows that the system can work remarkably well. I break my leg when I am a young child, and I go to the hospital to get it set and cast, revisiting said doctor when its time to remove it and all is well. Its when the picture gets complicated, after years of interactions with the system and people and places involved have come and gone that regulation like that cited prove a hinderance.
The situation is even worse on the behavioral health side. Ironically the stigma associated with substance abuse, mental, and developmental disability issues were a major impetus for the regulation as it stands today. Yet on the public sector side of the population where the involvements in service providers are many and varied and lengthy. Information sharing would provide the greatest of benefits. Yet there is that pesky regulations set in place. The systems employed could easily be made to talk to one another if the regulation allowed it to. Then the real promise of IT could come to provide a real sense of security rather than the Maginot line we have today.
- Posted using BlogPress from my iPad