UNC Breach

An excellent writeup on the recent UNC-Chapel Hill security breach at Inside Higher Ed.

Here’s a quick synopsis: Dr. Bonnie Yankaskas, a professor of radiology at the university, was collecting mammography data for a study. The server holding the data, which included medical records and social security numbers, was breached by an unknown attacker and the data is considered to be potentially compromised.

The University wanted to fire her, but settled for demoting her to Assistant Professor and halving her pay.

Dr. Yankaskas’s argument is that she is an academic researcher, not a computer security expert – disciplining her for a security breach is unfair, because this is not her area of expertise or her responsibility. The school’s policy is that she should have appointed a “server caretaker” to monitor the firewall, install patches, etc., and the person she chose was a programmer with no training in security and no experience in server administration. She also ignored his requests for training over the years, and continually graded him as “excellent” in his administration of the server, despite the fact that he did not know what he was doing.

This is a typical tension in higher education – the faculty want to be free of the strictures of security and IT policy, because they feel it unfairly confines their research. IT, on the other hand, wants to be as strict as possible and keep everything in a nice, predictable box.

6 Responses to “UNC Breach”

  1. Pitt says:

    Honestly, I think it should be the school’s responsibility to hire security personnel, not hers. I mean, where I work, I don’t have my own personal IT person. Nor would I know the first thing about hiring an IT person. I’d probably just call matt, or one of my fellow RPI alums. 😉

  2. BrianN says:

    Human trials are the responsibility of the University’s IRB. They should have procedures and rules in place to prevent this kind of thing from happening. If she didn’t follow the rules, her IRB permission should be revoked so she can’t do human trials. The ‘demotion’ is a bit odd, never knew you could do that.

    I doubt the issue was about confining her research, she probably just didn’t think it was important enough to spend the money to train her computer person, who she probably had doing work she considered more useful.

  3. matt says:

    @BrianN

    I think you’ve hit the nail on the head. The IRB has a policy that you had to have a competent technical person in charge of data security – she just selected someone who was not qualified, who she probably had some pre-existing relationship with, and then didn’t get him the training he needed.

  4. BrianN says:

    The thing is, I’ve never worked under an IRB, just IACUC (which is for animal studies), but usually they come do inspections, part of which is to quiz people on protocols. I’ve always assumed IRBs were more stringent than IACUC, but hey, mice are people too. (I know plenty of people who skirt the IACUC too, but they eventually get caught, and sometimes even shut down.)

  5. Pitt says:

    Mice don’t have Social Security Numbers.

  6. BrianN says:

    @Pitt,

    Yeah, there’s also no ‘double-kill’ policy toward human research subjects.
