Topics

Security Hacks

After a breach, U. of North Carolina's shaming of a widely respected professor sparks debate over whether academics should be held fully accountable for overseeing the security of data.
January 27, 2011

The University of North Carolina at Chapel Hill found out last year that, in 2007, someone had hacked into a server holding personal information of 180,000 mammography patients from around the state. The hacker was never found or charged, and did not appear to have copied any of the data, which included 114,000 Social Security numbers. But the university tried to fire -- and is still trying to punish -- the researcher who was in charge of the information.

Although she had an unassailable track record, administrators concluded that Bonnie Yankaskas, a professor of radiology at the medical school who had been collecting and analyzing mammography data for more than a decade without incident, had been careless with sensitive information and had damaged public trust in the university, and should be terminated. A faculty hearings committee later persuaded the university instead to demote Yankaskas to associate professor. She could keep her tenure, but her pay would be cut by half.

The case is gaining attention from academics who believe the university is trying to make Yankaskas into a scapegoat in order to save face. Now her supporters at North Carolina and elsewhere are saying that the way the administrators have handled the case could in fact cause more damage to the research university’s reputation than the data security breach Yankaskas is alleged to have enabled.

“You couldn’t pay me a gazillion dollars to work at UNC based on what they’ve done,” says Patricia Carney, a professor of family medicine at Oregon Health & Science University. The idea that a university would make a researcher with Yankaskas’s record walk the plank because some hacker managed to foil a firewall that Yankaskas did not personally set up could impede on North Carolina’s ability to recruit research faculty, Carney says. After all, says Richard McCann, a surgery professor at Duke University’s medical school, “Why would you go to someplace that wouldn’t support you?”

Carney and McCann were two of 127 researchers, mostly from the North Carolina system, who earlier this month signed a petition in support of Yankaskas. “Systemic institutional failure,” not the carelessness of the principal investigator, is to blame for the breach, wrote Michael Knowles, a professor of physiology, and C. William Davis, a professor of cell biology, on behalf of the undersigned. The petition, which echoes comments by the faculty, is addressed to the Chapel Hill board of trustees. The board has tabled an appeal by Yankaskas while the university tries to settle the matter through third-party mediation. (This paragraph has been updated since publication to correct an error.)

The problem was not that Yankaskas failed to keep her data secure, her champions argue; it was that she did not have the necessary training or technical expertise to be reasonably held accountable for its security. “I did everything I knew to do, but I did not know how to secure a machine,” Yankaskas told Inside Higher Ed. The university tests its researchers’ knowledge of confidentiality rules every year, she says, but the assessment is oriented to ethical and legal matters surrounding confidentiality — not technical skills needed to understand and safeguard against the sophisticated cyber-attacks enabled by networked data storage.

In fact, Chapel Hill does not require research investigators such as Yankaskas to learn how to put up and maintain a firewall; it merely requires that they appoint a tech-savvy “server custodian” to do so on their behalf. In an October 2009 memo to Yankaskas expressing Chapel Hill’s original intention to fire her, Bruce Carney, the provost, criticized the professor for hiring a university software programmer who “had no certification or experience as a server administrator” to be in charge of installing security updates on the server that was later hacked. Carney further asserted that Yankaskas ignored her custodian's requests for additional training, and consistently rated her as an “excellent” server administrator despite her lack of qualifications. “It is my opinion that Dr. Yankaskas was negligent in the fact that she hired an individual without the proper credentials or experience for that responsibility,” wrote Matthew Mauro, the chair of the radiology department, in a different memo.

The administration proffered a whole other set of reasons for trying to fire Yankaskas having to do with whether the researcher had acquired her data by ethical means; it was the faculty hearings committee’s absolution of Yankaskas on that question that led the university to dock her pay rather than fire her. What the faculty review board did not dispute was that Yankaskas was accountable for the breach according to existing university policy. Rather than exonerate her on that count, the board concluded that she made the errors in good faith, while suggesting in vague terms that the burden that policy places on the shoulders of non-techie academics in the event of tech-intensive leaks ought to be rethought. “This case, as presented to the Committee, reveals a weakness in the linkage between campus security professionals who understand and monitor computer networks and the researchers who acquire and use confidential data,” it said, adding: “The security failures revealed by this case should prompt wider consideration of reform in how University research involving confidential data is carried out."

Larry Conrad, the chief information officer at Chapel Hill, says updating the university’s information security protocols across the board has been one of his top projects since he took the reins in 2008. But with more than 3,000 faculty members at Chapel Hill, the computing environment is too spread out for the central I.T. office to hold every researcher’s hand, says Conrad. “I’m no lawyer, yet I’m held responsible for the contracts I sign and ensuring I get competent legal help,” he says. “There are resources available to me to help determine who is competent... [and] it’s my responsibility to seek that help.” Both the medical school and the central I.T. office at Chapel Hill have people Yankaskas could have turned to, he says. (Yankaskas says that she did turn to university I.T. for help, in effect, by hiring someone that university I.T. had trained. She says she figured her server custodian’s former bosses would have said something if their former pupil was unfit to oversee server security, but they did not.)

John Baines, assistant director of security standards and compliance at the nearby North Carolina State University, says Chapel Hill's policy of holding the principal investigator of a research project wholly accountable for mistakes made in his or her own shop is not unusual; North Carolina State has a similar policy, says Baines. "I remember the case well," he told Inside Higher Ed via e-mail. "I have used it as a case study in various presentations. I am sorry, but the principal investigator on any research project is always ultimately responsible for the care and security of the research data in his/her care. Particularly with Social Security numbers and how much of a lightning rod they have become in identity theft."

The autonomy granted to research faculty is considered a great strength at large research institutions, says Paul Howell, the chief I.T. security officer at the University of Michigan. "They’re given a great deal of latitude and freedom in how they operate, and they’re asked to make good decisions within that,” Howell says. That includes taking full responsibility for the actions of their hired help, he says.

But to some members of the North Carolina faculty, the university's handling of the Yankaskas case has tarnished their faith that the university will treat them fairly. Knowles, the physiology professor who co-authored the petition to restore Yankaskas to her former status, says he cannot believe that her sins were so egregious as to warrant the fate her bosses have sought for her, given her otherwise unblemished record and the $12 million in grants she has secured for the university over 25 years.

Davis, the cellular biologist, says that if the university does have a compelling counternarrative to justify its treatment of his colleague, the administration has so far failed to articulate it to the dozens of researchers who have reacted to the news with fear and outrage. He feels angry enough to resign in protest, he says.

But, for the same reason he fears being similarly punished for failing to prevent data intrusions that he does not understand, Davis says he will probably not quit: he can’t afford it.

For the latest technology news and opinion from Inside Higher Ed, follow @IHEtech on Twitter.

Most:

  • Viewed
  • Commented
  • Past:
  • Day
  • Week
  • Month
  • Year
Back to Top