Ask Slashdot: Do I Give IT a Login On Our Dept. Server? 1307

jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"
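Before asking anyone to open a port to a self-built host, it is worth knowing exactly which services that host exposes. The following is an added example, not code from the original post or from DAViCal: it audits the listening sockets of a server against an allowlist of ports that are supposed to be reachable from the network, and flags anything bound to a wildcard address that is not on the list. It parses the output of Linux `ss -Htlnp`; the poster's BSD box would use `sockstat -l` instead and need a different regex. The sample output, the process names and the allowlist are constructed for the example and are not from the page.

```python
"""Audit a host's listening sockets before requesting a firewall hole.

Added example (not from the original post). Parses constructed
`ss -Htlnp` output and reports every service reachable on a wildcard
address that is not on the allowlist of ports meant to be exposed.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample: what `ss -Htlnp` might print on a host running
# a CalDAV front end, OpenLDAP for accounts and a local database.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:* users:(("httpd",pid=1201,fd=4))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1201,fd=5))
LISTEN 0 128 0.0.0.0:389 0.0.0.0:* users:(("slapd",pid=987,fd=8))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=654,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=432,fd=3))
"""

# One `ss -Htlnp` line: state, recv-q, send-q, local addr:port, peer, users.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Why a given port matters when it is reachable (hypothetical annotations).
PORT_NOTES: Dict[int, str] = {
    80: "plaintext HTTP next to the TLS service; bind to loopback or redirect",
    389: "LDAP without TLS; directory and bind credentials cross the wire",
    22: "remote shell on the host; restrict to the admin network",
}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        """True when the socket is only reachable from the host itself."""
        return self.addr in ("[::1]", "localhost") or self.addr.startswith("127.")


def parse_ss(text: str) -> List[Listener]:
    """Turn `ss -Htlnp` output into Listener records; skip unparsable lines."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def audit(text: str, allowed_ports: FrozenSet[int] = frozenset({8443})) -> List[Listener]:
    """Return listeners reachable from the network that are not on the allowlist.

    Loopback-bound sockets are fine; a wildcard bind on a port nobody asked
    to expose is what a firewall hole plus a host-firewall mistake turns
    into an externally reachable service.
    """
    findings = [
        lst for lst in parse_ss(text)
        if not lst.loopback_only and lst.port not in allowed_ports
    ]
    return sorted(findings, key=lambda lst: lst.port)


def report(text: str, allowed_ports: FrozenSet[int] = frozenset({8443})) -> List[str]:
    """Human-readable lines for each finding, with the port note if known."""
    lines = []
    for lst in audit(text, allowed_ports):
        note = PORT_NOTES.get(lst.port, "not on the allowlist")
        lines.append(f"{lst.addr}:{lst.port} ({lst.process}): {note}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SS_OUTPUT):
        print(line)
```

Run on the sample, the only listener that passes is 8443 (allowlisted) and the loopback-bound database; the plaintext HTTP, LDAP and SSH listeners are reported because they sit on 0.0.0.0 or [::]. Whether a given finding is actually reachable from outside still depends on the perimeter and host firewall, which this script does not see; it tells you what would be exposed if those rules are wrong.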
  • by Anonymous Coward on Monday April 18, 2011 @12:37PM (#35856608)

    I agree - I've been an IT person from NOCs all the way down to the local admin level - it is an absurd request for a user to want to plug their machine into your network without access to the thing on some level - let alone to open up a port on the firewall for it. Rather than just opening the firewall port, the organization in question should buy a machine for the role - especially if it is for some internal productivity tool like the one you are using - it absolutely should be controlled by the admins, and for that matter you shouldn't have a root account to it. You're essentially talking about placing a big gaping hole in the security that is required to safeguard HIPAA records - even if only for your own safety, as you could personally be found in breach of some pretty big privacy issues along with the IT people for letting you do it if that machine somehow becomes compromised without your knowledge.

  • by postbigbang ( 761081 ) on Monday April 18, 2011 @12:39PM (#35856648)

    Depending on the poster's country, there may be a lot of regulatory, compliance, legal, and other issues at play here. This appears to be a rogue server as you cite. If I were the head of IT, I'd have it outta-there in a heartbeat and write up whomever deployed it-- on the surface and without other information, this is a problem.

    Without more information, it sounds to me like a convenience issue for the department head, but it's a legal nightmare looking for a spot marked X-- that server, for starters.

  • by PFI_Optix ( 936301 ) on Monday April 18, 2011 @12:46PM (#35856804) Journal

    Some questions not answered:

    Did the OP ask the IT department what sort of services they are capable of providing? Hospital IT departments are usually in the habit of trying to provide departments with what they need, as department heads and doctors generally win the battle for "I want ________" when it goes up the chain.

    Did he inform IT of his plans prior to executing it, or just bring in a server and set it up, then start asking for access? If he did the former, they might have worked with him, providing him with rackspace, security, and expert administration so that his workload was limited to application administration. if he did the latter, he's lucky they haven't made an issue out of it and gotten him written up.

    Did he make sure he's not violating any federal regulations regarding patient data security? A rogue server on the network is a MAJOR security threat, no matter how competent the administrator is (or believes himself to be).

    Did he think about the precedent this sets? If every department decides to go running their own servers on their own terms, IT can't support them and the whole hospital steps back about 20 years in how their network functions.

    Did he consider the idea that maybe the service he's setting up for his own department might be useful to scale to the entire hospital at a later date? it sounds like he's found a service he considers worth putting a lot of effort into providing...for just his department. If it's good for radiology, it's likely good for lots of others. But HIS server probably can't accommodate that scale. HIS server isn't centralized. HIS server...well, is his.

  • by Anonymous Coward on Monday April 18, 2011 @12:47PM (#35856838)

    Exactly which part

    The part where a rogue system gets owned through a firewall hole and compromises the rest of the network.

  • by Kamiza Ikioi ( 893310 ) on Monday April 18, 2011 @01:05PM (#35857146)

    More than that, who says you are a qualified systems admin? You say "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented)." And I take it that you installed BSD and OpenLDAP. My question is... so what? Who is to say what you really know? You are operating in a hospital. You have medical records. The IT staff there MUST make sure ALL systems there comply with HIPAA and industry security standards.

    Hey, the IT guy watches Grey's Anatomy. Can he perform medical tests in your hospital? No? So what makes you think you are comparable to IT? They respect your job, how about you respect theirs.

    I'm sorry, but there is no way in hell I would let you on such a network without root. Not an account, but root. And if I were a patient, I would be screaming bloody hell if I found out non-IT staff got to run their own servers on the hospital network. The fact that they let you run at all is mind boggling to me. Probably because they can't fire a department head or you have tenure or something similar.

    But you are on the most sensitive type of network and balking at the most basic request. "Should I give IT a login account on a server that is not owned or managed by them?"

    Should they allow you host a server on a network that is not owned or managed by you? Honestly, if you did this all without first passing it by my IT department, I'd do my best to have you fired. Don't wanna give access to your precious box... geez, you really think THAT is the big deal in all this. Unbelievable, foolish, and arrogant to say the least!

  • by haruchai ( 17472 ) on Monday April 18, 2011 @01:09PM (#35857218)

    I've worked in healthcare - if there's a chance of leaking patient records, then the Information Security officer would have to sign off on any server after a full assessment.

  • by Moryath ( 553296 ) on Monday April 18, 2011 @01:35PM (#35857652)

    Highly irregular that the first thing IT heard about it would be an 'open this port on a firewall request'; which is basically taboo for anything storing security sensitive info anyways -- proper security design is a major factor, including requirements such as server administrators at arms length from devs of the application and from auditors/security team.

    Actually, that's usually how this crap happens.
    "I want project X set up yesterday so me and my fellow tenured people can do it immediately." - IT response, "Give us some time to look into it and ensure we can come up with a solution that meets regulations."

    A week later: "IT is too slow. I want it yesterday. I'll just go kludge something together (or have my incompetent Indian grad student do it) and plug it into the network."

    Happens all the time, especially when you have douchenozzles with tenure running around. IT can only "see" the device once it's plugged into the network jack, and even then if they're monitoring a ton of machines, they won't know it from an iPhone or Blackberry or iPad until it either (a) pops up as unscannable, (b) they get the "open a port for my kludge project" request, or (c) it attempts to send some data packet that triggers an alarm.

  • Troll. (Score:5, Informative)

    by pz ( 113803 ) on Monday April 18, 2011 @01:44PM (#35857792) Journal

    The OP is a troll.

    The user ID "jddorian" is a fictional character on the US TV program Scrubs.

    No head of department at any hospital or university I have been associated with would have had the time in their career to be more than passingly conversant on computer IT issues, forget know about ports. Heads of departments get to those positions only because they do nothing else with their lives.

    A head of department would know better than to set up something themselves. They wouldn't also have the time to do something like that. They would be familiar with the idea that the hospital IT infrastructure is far more highly managed than normal corporate IT structures.

    And, unless this is a seriously podunk hospital, they likely already run Microsoft Exchange for email, and so have electronic calendars.

    Troll. It's a troll.
