Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Do I Give IT a Login On Our Dept. Server?

Posted by CmdrTaco on from the would-they-give-one-to-you dept.

jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"

3 of 1,307 comments (clear)

  1. Re:In my corporate environment.... by postbigbang · · Score: 5, Informative

    Depending on the poster's country, there may be a lot of regulatory, compliance, legal, and other issues at play here. This appears to be a rogue server as you cite. If I were the head of IT, I'd have it outta-there in a heartbeat and write up whomever deployed it-- on the surface and without other information, this is a problem.

    WIthout more information, it sounds to me like a convenience issue for the department head, but it's a legal nightmare looking for a spot marked X-- that server, for starters.

    --
    ---- Teach Peace. It's Cheaper Than War.
  2. Re:In my corporate environment.... by PFI_Optix · · Score: 5, Informative

    Some questions not answered:

    Did the OP ask the IT department what sort of services they are capable of providing? Hospital IT departments are usually in the habit of trying to provide departments with what they need, as department heads and doctors generally win the battle for "I want ________" when it goes up the chain.

    Did he inform IT of his plans prior to executing it, or just bring in a server and set it up, then start asking for access? If he did the former, they might have worked with him, providing him with rackspace, security, and expert administration so that his workload was limited to application administration. if he did the latter, he's lucky they haven't made an issue out of it and gotten him written up.

    Did he make sure he's not violating any federal regulations regarding patient data security? A rogue server on the network is a MAJOR security threat, no matter how competent the administrator is (or believes himself to be).

    Did he think about the precedent this sets? If every department decides to go running their own servers on their own terms, IT can't support them and the whole hospital steps back about 20 years in how their network functions.

    Did he consider the idea that maybe the service he's setting up for his own department might be useful to scale to the entire hospital at a later date? it sounds like he's found a service he considers worth putting a lot of effort into providing...for just his department. If it's good for radiology, it's likely good for lots of others. But HIS server probably can't accommodate that scale. HIS server isn't centralized. HIS server...well, is his.

    --
    120 characters for a sig? That's bloody useless.
  3. So, if the IT guys watch Grey's Anatomy??? by Kamiza+Ikioi · · Score: 5, Informative

    More than that, who says you are a qualified systems admin? You say "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented)." And I take it that you installed BSD and OpenLDAP. My question is... so what? Who is to say what you really know? You are operating in a hospital. You have medical records. The IT staff there MUST make sure ALL systems there comply with HIPPA and industry security standards.

    Hey, the IT guy watches Grey's Anatomy. Can he perform medical tests in your hospital? No? So what makes you think you are comparable to IT? They respect your job, how about you respect their's.

    I'm sorry, but there is no way in hell I would let you on such a network without root. Not an account, but root. And if I were a patient, I would be screaming bloody hell if I found out non-IT staff got to run their own servers on the hospital network. The fact that they let you run at all is mind boggling to me. Probably because they can't fire a department head or you have tenure or something similar.

    But you are on the most sensitive type of network and balking at the most basic request. "Should I give IT a login account on a server that is not owned or managed by them?""

    Should they allow you host a server on a network that is not owned or managed by you? Honestly, if you did this all without first passing it by my IT department, I'd do my best to have you fired. Don't wanna give access to your precious box... geez, you really think THAT is the big deal in all this. Unbelievable, foolish, and arrogant to say the least!

    --
    I8-D