Medicine IT

Ask Slashdot: Do I Give IT a Login On Our Dept. Server? 1307

jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"
  • by Anonymous Coward on Monday April 18, 2011 @12:21PM (#35856290)

    .... you'd be breaking network and security policies up the wazoo by plugging your own server into the network, much less having a machine that IT couldn't manage and audit.

  • I dunno (Score:5, Insightful)

    by EvanED ( 569694 ) <evaned@NOspAM.gmail.com> on Monday April 18, 2011 @12:22PM (#35856302)

    But instead of asking "should I give IT a login account on a server that is not owned or managed by them?" perhaps you should ask "should I give IT a login account on a server that is on their network?"

    It becomes a lot less clear in that formulation, huh?

  • by tomalpha ( 746163 ) * on Monday April 18, 2011 @12:22PM (#35856304)

    Why does a server that is not owned or managed by the IT department exist inside the firewall?

    In my workplace that's a sacking offence.

  • Ask? (Score:3, Insightful)

    by gazbo ( 517111 ) on Monday April 18, 2011 @12:22PM (#35856310)
    Have you asked him why he wants a shell? If not, why the hell not? And if so, why haven't you told us?
  • Doing it wrong (Score:5, Insightful)

    by dzr0001 ( 1053034 ) on Monday April 18, 2011 @12:23PM (#35856316)
    You shouldn't be deploying rogue hardware that is not company owned at any place of business let alone a hospital. Have you even considered the compliance ramifications?
  • Wait, what? (Score:5, Insightful)

    by 0100010001010011 ( 652467 ) on Monday April 18, 2011 @12:23PM (#35856324)

    You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?

    You may not think that IT owns or manages your server, but they do own or manage the network. Imagine if some guy from IT came down to you and wanted to start looking through radiology records. I'm sure you'd ask him if it was ok to look over his shoulder every now and again before you gave him full access.

  • Yes (Score:4, Insightful)

    by geek ( 5680 ) on Monday April 18, 2011 @12:24PM (#35856336)

    If you're hit by a car tomorrow and die you want someone else to be able to pick up the work and go forward. Once upon a time I had a VP I worked for at an ISP put me and the other head of the IT department on a plane with him to LA. The three of us were the only ones with access to the entire company's systems. I mentioned to him, if the plane went down, the company would probably be dead within a week. He just laughed it off.

    That said, your IT department are the best ones to handle this. I doubt the hospital is paying you to play tech nerd, I'm sure you have other work you should be doing. The IT guys are PAID to do this and are screened carefully (at least I hope so) by management to be trustworthy in doing it.

    It sounds to me more like you're looking for job security by being the only one with keys to the castle.

  • by rotide ( 1015173 ) on Monday April 18, 2011 @12:24PM (#35856354)
    You are operating a server, behind the firewall, on their infrastructure, in their facility. You, (un)fortunately, don't make the rules. What you're doing sounds great and the lengths you've gone to make it happen are commendable. But I can't imagine any decent business being run while allowing any employee to run any server they want behind their firewalls without at least some oversight. You're going to have to follow their rules, sorry.
  • by GlennC ( 96879 ) on Monday April 18, 2011 @12:27PM (#35856402)

    If you are able to put a server on the hospital's network and have it working without IT approval (apparently), then I'd say the hospital has a bigger problem.

    Never mind the fact that IT is unable or unwilling to support the tools that you and your team need to do their jobs.

  • Re:Fuck no (Score:5, Insightful)

    by h4rr4r ( 612664 ) on Monday April 18, 2011 @12:27PM (#35856412)

    They can also not provide it a network port. When the server gets pwned it will be IT that people blame.

  • by shentino ( 1139071 ) <shentino@gmail.com> on Monday April 18, 2011 @12:27PM (#35856420)

    Also, this is a hospital.

    Wouldn't this also be a HIPAA violation?

  • by Ferzerp ( 83619 ) on Monday April 18, 2011 @12:28PM (#35856434)

    I think the real question should be should IT shut down any network port they see your rogue equipment connected to.

    Hint: the answer is yes

  • by h4rr4r ( 612664 ) on Monday April 18, 2011 @12:30PM (#35856478)

    Sounds great. He can have access to the network switch port and the firewall opened up as soon as that transaction is complete. The Hospital IT should have switched off the network port the second they heard of this machine. Well really the network ports should just not all be on to begin with.

  • by Zyrkyr ( 594993 ) on Monday April 18, 2011 @12:34PM (#35856560)
    Right. You aren't required to give them a user account on your machine, but they're not required to open a firewall port for you either...
  • by MaerD ( 954222 ) on Monday April 18, 2011 @12:37PM (#35856602)

    Indeed. Be happy they haven't fired you for violating acceptable use and/or purchasing policies. Don't expect to take this server with you when you leave, either.

    IT not supporting the application is one thing, YOU buying unknown, unsupportable hardware, plugging it into their network and then being arrogant enough to decide they shouldn't even have a log in? You seem to be running a bit short on common sense here.

    Also, this is not a random user requesting access, it is your information technology people who A) should know what they are doing and B) are on the hook for what happens on the network security-wise.

  • by Attila Dimedici ( 1036002 ) on Monday April 18, 2011 @12:38PM (#35856640)
    And when the government regulators ask the IT Department how they know that private health information isn't being disseminated over this server, their answer would be...?
  • by Siberwulf ( 921893 ) on Monday April 18, 2011 @12:53PM (#35856940)
    Thanks for the heads up.

    *Drops Mrs. Lattimer from her plan*

    Sincerely,
    -Blue Cross Blue Shield of Texas
  • by eison ( 56778 ) <pkteison&hotmail,com> on Monday April 18, 2011 @12:55PM (#35856984) Homepage

    At the large company I worked for, hooking up personal computers to the network was a terminable offense. So no, you don't give them a login - you don't set this up at all.

    The chief reason appeared to be fear of viruses and hackers, but there are many, many more. The hacker front can be a bit obscure: What if your CEO read the article about RSA getting hacked by an excel file with an embedded flash object, and the CIO assures the board that all computers will have flash removed and tasks IT with identifying and removing flash everywhere? How are they going to look having to explain 'well, we got everything, except for the personal computers that we don't have access to'?

    Let's say people start relying on the service you are providing with a personal computer under your desk. What if it goes down? Helpdesk will get called, and need to know what to tell the caller so they don't appear incompetent, and need to be able to address the problem. What if IT is required to certify that all of their computers have X patch applied as part of a compliance audit for certification? What if a corporate policy goes out that no computer can run unencrypted ftp regardless of port # they run it on? What if your company is obligated to ensure that terminated employees can't log in to servers? What if a lawsuit is served and your company is required to provide copies of all records pertaining to meetings with client xyz, and your calendar server has meeting info on it but your IT department doesn't even know it exists? None of these things are unreasonable, but none of them can be done easily if you're allowed to set up whatever box you want doing whatever.

    Sure, it makes your job harder if you have to go through official channels to get the things you need to get your job done. But your company needs to be able to get their job done too, and a bunch of random whatever-somebody-set-up-under-their-desk systems makes that really hard.

  • Re:I dunno (Score:5, Insightful)

    by drakaan ( 688386 ) on Monday April 18, 2011 @12:56PM (#35857008) Homepage Journal

    Actually, you're giving IT access to a server for a service that they were not required to provide, and probably would have taken a lot of asking for.

    Seriously, people...a hospital stores confidential, privileged data about patients and medical conditions that is supposed to have certain safeguards applied to it in order to protect that confidentiality.

    As has been repeated here already (and will be plenty more), placing a piece of personal network equipment on a medical network is bad enough. Asking for no oversight, giving your good word that everything will be OK, and requesting a port in the firewall be opened up to the public internet is lunacy.

    Even if you're well-intentioned, capable, and reasonable about what you're asking for, this isn't a home server and family pictures you're providing access to.

    The most disturbing thing to me about this story and question is that someone in the IT department was willing to open the port and allow the machine to stay connected without having root access, intimate knowledge of all installed versions of software and packages, and without relocating the server to an access-controlled datacenter. If I'm the head of IT, first I unplug and remove the box, then I talk to legal to see what needs to be done (audits, interviews, scans, etc), and then I reprimand the person in IT who said it could be done.

  • by synthesizerpatel ( 1210598 ) on Monday April 18, 2011 @12:58PM (#35857036)

    A good IT manager would mosey over and have a sit-down to explain the IT policy concerning servers, lay out all the reasons why IT is responsible for them - backups, security scans, keeping antivirus up to date, tracking hardware assets, etc.

    By the end of the conversation, the owner of said rogue device would be thinking 'Wow, I really should hand this over, this guy is much more capable than I am at maintaining a server.. and why would I _want_ to maintain a server anyway?'

    No need for threats or derision for being ignorant. (note: ignorance isn't a bad trait as long as it isn't willful and repeat, it just means you don't know)

  • by HangingChad ( 677530 ) on Monday April 18, 2011 @01:01PM (#35857094) Homepage

    Yeah, what the worlds needs is some disgruntled employee putting a computer in their office that will dump client data out a particular port without IT knowing what is going on.

    And I've seen IT so risk adverse and arrogant that user rebellions like this were the only way new services ever got added.

    Give them a user account with no privileges. They can look at the command prompt all day if it makes them happy.

    Besides, it shouldn't kill them to white list your server on one freaking port.

  • by spun ( 1352 ) <loverevolutionary&yahoo,com> on Monday April 18, 2011 @01:02PM (#35857102) Journal

    That explains a lot. Guess what, Head of the Division: just because you are smart, and well trained in YOUR field, does not make you a computer or network expert. As the head of a division at an academic hospital, you have a responsibility to not only follow HIPAA (or your country's equivalent) requirements yourself, but to set an example for the medical professionals training at your facility.

    Do you simply not understand that plugging unauthorized and unaudited equipment into a hospital's network is not only a very bad idea, but against the law in most places? As the head of a division, you should understand that.

    The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law. No one expects you to be a network expert, that is your hobby, not your profession.

    In short, stop being a condescending ass and let the professionals do their job. If I knew an untrained "division head" was setting up unauthorized networking equipment, I would avoid that hospital like the plague, as I don't want hacked equipment broadcasting my medical history to the world, understand?

  • by nschubach ( 922175 ) on Monday April 18, 2011 @01:11PM (#35857260) Journal

    Give them a user account with no privileges. They can look at the command prompt all day if it makes them happy.

    Besides, it shouldn't kill them to white list your server on one freaking port.

    I certainly hope IT would hire someone smart enough to realize that you gave them no access. In fact, I'd hope they were smart enough to place that machine on its own VLAN or outside the firewall so that you (the employee) couldn't grab whatever data was available on the internal network and broadcast it on whatever port you were given.

  • by ZenDragon ( 1205104 ) on Monday April 18, 2011 @01:16PM (#35857340)
    Same here... I work for a bank. Anybody caught setting up a server that was not explicitly sanctioned by IT would be fired on the spot. Period, no questions asked and no quarter. For compliance, all communication in and out must be logged. This is FEDERALLY mandated, and not just IT being nazis. I worked for a company previously that provided call center and info management services for a medical provider and we didn't even allow people on the floor with cell phones. Is it abnormal that, as an IT professional, this post almost makes me angry?? lol
  • by Stargoat ( 658863 ) * <stargoat@gmail.com> on Monday April 18, 2011 @01:17PM (#35857360) Journal

    That machine on the network without IT approval is a violation of the HIPAA Security Rule. Frankly, the fact that your ISO hasn't written you up means he is too nice of a guy. Yeah, you need to give IT access, and then thank them for not writing you up and turning your name over to the BoD.

  • by Moryath ( 553296 ) on Monday April 18, 2011 @01:17PM (#35857366)

    Welcome to HIPAA requirements. [hhs.gov]

    You're precisely right. There is a REASON that there are policies - in this case, federal law that can turn into massive, multi-million-dollar lawsuits.

    I always am amused when someone kludges something together behind IT's back because "it's easier" than actually following protocol to get a function. If you need a function, we'll work with you to get it done, provided we can legally do so. If we can't do it, we will tell you why.

    Going around behind IT's back is asking for trouble. Worse than that, it ensures that IT looks at you askance from that point forward. There are users we work with and have no problem with, and then there are the assholes who do something behind our backs and cause trouble when we have to chase down their mistakes. Guess who gets first priority on the list of new feature/function requests?

  • by NeverVotedBush ( 1041088 ) on Monday April 18, 2011 @01:18PM (#35857380)
    While I agree there is no need for threats, the OP mentioned that he was inclined to "take it up the chain" because the IT person wanted an account.

    Not aimed at the IT person directly, but the OP certainly seems willing to make threats on his own.

    The OP is an ass and should have a severe talking to by management. If I was the IT person, I would see the OP's threat to take it up the chain and raise him a discussion of plugging unauthorized equipment into the network, busting HIPAA regulations, and potentially exposing the organization to security breach, bad publicity, legal liability, and fines -- and have that discussion in front of management when the OP took his case "up the chain".
  • Hilarious. This story has polarized Slashdot into the "I actually work in IT in a systems administration capacity" camp and the "I tinker with computers as a hobby" camp. The tinkerers are actually taking offense that the "so called experts" won't immediately recognize their superior genius. The experts, for their part, seem used to this crap. Here's the deal, tinkerers: we will respect your mad skillz only after you have demonstrated them several times and jumped through all the proper hoops. Until then, you are just like any other Little User. No insult intended, but this is our job, and our butts on the line, not yours.

  • by spun ( 1352 ) <loverevolutionary&yahoo,com> on Monday April 18, 2011 @01:38PM (#35857690) Journal

    Doing our jobs and complying with Federal regulations does not make us dickwads, it makes us professionals.

  • by alc6379 ( 832389 ) on Monday April 18, 2011 @01:48PM (#35857872)

    Yeah, what the worlds needs is some disgruntled employee putting a computer in their office that will dump client data out a particular port without IT knowing what is going on.

    ...snip...

    Besides, it shouldn't kill them to white list your server on one freaking port.

    No... It can kill them. You're running an application that isn't approved, and they haven't weighed the vulnerabilities. An open port is always a target for exploitation, which is why the IT department needs to be able to audit the machine and ensure what software is installed, so they can mitigate those vulnerabilities.

    I'm going to guess that if this person set up a server just say, in their office, this machine is on a network segment that may not be as firewalled-off as a data center may be. That means if something malicious does happen to this server, there's a greater chance of infection elsewhere, as well as some risk of productivity loss. Besides, the machine itself doesn't have to be the target of attack-- it can just be the jumping-off point for something bigger, once they've installed tools to probe the network.

    Especially when you're in a healthcare setting, privacy is a big issue. You could conceivably have someone post patient data in a calendar appointment, even. If that connection isn't TLS encrypted, and the devices not properly managed, it just takes one theft of a device sitting in a coffee shop to result in a serious breach of privacy and patient trust, even if the thief doesn't access the data that might be contained on the device.

  • by dave562 ( 969951 ) on Monday April 18, 2011 @01:49PM (#35857884) Journal

    Exactly. Setting up a calendaring server for a single department is a lot different from getting the entire facility to sign off on funding for it. The down side of IT in a large organization is that you cannot do things piecemeal. What the division head should be doing is selling the idea to his peers at the same level in other departments. If his department needs it, maybe he should find room in his budget to make it a reality for the entire hospital. IT is always short on funding, so he could build some bridges to IT, and other departments, and get EVERYONE a good calendaring solution.

    It does not sound like the guy is a department head. He sounds like a pompous ass hat who wants to do things his way. He reminds me of a VP I knew once who decided he didn't like the way the database system worked, so he did everything for his department in Access. Despite being warned repeatedly about what a piece of crap Access is, he plowed on. 18 months later, Access took a crap on him and he lost everything. The shitty thing about it is that the data loss fell on IT. Senior management decided that IT should have been more forceful in nipping the Access adventure in the bud, even though they failed to back up IT when IT first raised the issue.

    I'm sure there are similar dynamics at work in the hospital. Who is going to fix the server when the application takes a big dump and nobody can get their schedules? I bet you it sure as hell won't be Mr. Department Head guy. He'll be too busy doing his real job, and that's how it should be. Let IT handle the computers and software.

  • by Capt. Skinny ( 969540 ) on Monday April 18, 2011 @01:58PM (#35858036)

    Hilarious. This story has polarized Slashdot into the "I work in IT as a sysadmin and managing tech is my job" camp and the "I don't work in IT and need tech to do my job" camp. The sysadmins are actually taking offense that the non-IT folks won't immediately recognize their superior policies and procedures. The non-IT folks, for their part, seem used to this crap. Here's the deal, IT: we will respect your mad skillz only after you have demonstrated that that your hoops are justifiable and not unduly burdensome. Until then, you are just like the PHBs. No insult intended, but this is our job, and our butts on the line, not yours.

    There, fixed that for you. At the risk of being modded "-1 Disagree" to oblivion.

  • Oh my fucking GOD, read up on HIPAA, this is not some heavy handed IT decision, this is a fucking Federal Regulation with HUGE penalties for non-compliance, but then, why should I expect you to understand that? You aren't in IT, and it is not your job to understand those things.

    Given that we have already been vetted by your company's HR, and by other IT staff at your place of employment, the default assumption should be that we know our craft. Would you take offense if I simply assumed that you are unqualified to do the job you were hired to do?

    Actually, I will assume you are unqualified at your job, as you see fit to complain about your tools (computers) and we all know, it is a poor workman who blames his tools. I'm guessing YOU are the reason you have difficulty with your job, not your IT department.

  • by Lumpy ( 12016 ) on Monday April 18, 2011 @02:18PM (#35858308) Homepage

    "He's a doctor, a faculty member (professor), and a division head (administration/management). I promise you he's not a moron."

    I have met professors with multiple PhDs that are in fact morons.
    I have a sister-in-law with 3 Masters degrees that can't keep a car on its tires; she has flipped 6 cars in 4 years.

    Education does not eliminate you from the moron pool.

  • by Kamiza Ikioi ( 893310 ) on Monday April 18, 2011 @02:32PM (#35858486)

    You don't have to take it aggressively...The question is genuine...What part offended you?

    The part where I am an IT administrator who knows better than to play doctor, and the part where the poster is an (I assume) doctor who doesn't know better than to play IT. I know what I'm doing after years of training and experience. Yeah, I could read the manual and run an XRay machine, but how incredibly stupid and irresponsible would it be for me to do that.

    I don't care if it's a doctor, lawyer, or plumber... but anyone who thinks that just because they play with OSS at home they are a l337 hax0r who can post to /. for sympathy against "The Man" is SORELY mistaken.

    We do things for a reason, especially when it comes to security. When you are dealing with military or hospital systems, someone could die if IT screws up. And we sure as hell don't need cocksure users pulling the IT equivalent of "Don't worry, I play a Dr. on TV" on our networks.

    Am I aggressive? Yes, because this potentially puts patients at risk. I'm just as aggressive if I were to post on a doctor forum, "Hey, I brought in my home sewing kit to do stitches. I watch House and I'm pretty good when I practice on dolls at home. Why does the floor director refuse to let me help out?"

  • by haruchai ( 17472 ) on Monday April 18, 2011 @03:11PM (#35858942)

    I've had to deal with more than a few doctors who'd tried to have everything their way. They are some amazing smart guys but don't consider all the problems these one-offs create. I appreciate them trying to move things forward - I do the same myself - but their "I walk on water so you should do what I say" attitude does more harm than good and wastes scarce resources either fighting them or changing things to suit.

  • by spun ( 1352 ) <loverevolutionary&yahoo,com> on Monday April 18, 2011 @03:19PM (#35859046) Journal

    Mr. jddorian ignores (in the sense that he doesn't know about it) HIPAA, and IT had not mentioned it at any time. Since IT didn't help and didn't explain why, he goes on to solve his problem. When he finally does it, he requests something that from his perspective seems trivial: access to his solution.

    Mr. jddorian is a division head at a teaching hospital. If Mr. jddorian does not know about HIPAA then Mr. jddorian needs to be let go from his position immediately.

  • by LO0G ( 606364 ) on Monday April 18, 2011 @03:34PM (#35859246)

    And then pray that none of the users of the server ever put any patient data on the server. This means that the calendar data can't include patient names (they're personally identifiable).

    Good luck booking appointments without knowing the name of the person who has the appointment.
