Slashdot Mirror


Ask Slashdot: Do I Give IT a Login On Our Dept. Server?

jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"

13 of 1,307 comments (clear)

  1. In my corporate environment.... by Anonymous Coward · · Score: 5, Insightful

    .... you'd be breaking network and security policies up the wazoo by plugging your own server into the network, much less having a machine that IT couldn't manage and audit.

    1. Re:In my corporate environment.... by Ferzerp · · Score: 5, Insightful

      I think the real question should be should IT shut down any network port they see your rogue equipment connected to.

      Hint: the answer is yes

    2. Re:In my corporate environment.... by Stargoat · · Score: 5, Insightful

      That machine on the network without IT approval is a violation of HIPAA Security Rule. Frankly, the fact that your ISO hasn't written you up means he is too nice of a guy. Yeah, you need to give IT access, and then thank them for not written you up and turning your name over to the BoD.

      --
      Hoist Number One and Number Six.
  2. I dunno by EvanED · · Score: 5, Insightful

    But instead of asking "should I give IT a login account on a server that is not owned or managed by them?" perhaps you should ask "should I give IT a login account on a server that is on their network?"

    It becomes a lot less clear in that formulation, huh?

    1. Re:I dunno by drakaan · · Score: 5, Insightful

      Actually, you're giving IT access to a server for a service that they were not required to provide, and probably would have to a lot of asking for.

      Seriously, people...a hospital stores confidential, privileged data about patients and medical conditions that is supposed to have certain safeguards applied to it in order to protect that confidentiality.

      As has been repeated here already (and will be plenty more), placing an piece of personal network equipment on a medical network is bad enough. Asking for no oversight, giving your good word that everything will be OK, and requesting a port in the firewall be opened up to the public internet is lunacy.

      Even if you're well-intentioned, capable, and reasonable about what you're asking for, this isn't a home server and family pictures you're providing access to.

      The most disturbing thing to me about this story and question is that someone in the IT department was willing to open the port and allow the machine to stay connected without having root access, intimate knowledge of all installed versions of software and packages, and without relocating the server to an access-controlled datacenter. If I'm the head of IT, first I unplug and remove the box, then I talk to legal to see what needs to be done (audits, interviews, scans, etc), and then I reprimand the person in IT who said it could be done.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
  3. Obvious question from their perspective by tomalpha · · Score: 5, Insightful

    Why does a server that is not owned or managed by the IT department exist inside the firewall?

    In my workplace that's a sacking offence.

    1. Re:Obvious question from their perspective by MaerD · · Score: 5, Insightful

      Indeed. Be happy they haven't fired you for violating acceptable use and/or purchasing policies. Don't expect to take this server with you when you leave, either.

      IT not supporting the application is one thing, YOU buying unknown, unsupportable hardware, plugging it into their network and then being arrogant enough to decide they shouldn't even have a log in? You seem to be running a bit short on common sense here.

      Also, this is not a random user requesting access, it is your information technology people who A) should know what they are doing and B) are on the hook for what happens on the network security-wise.

      --
      I put on my robe and wizard hat..
    2. Re:Obvious question from their perspective by Lumpy · · Score: 5, Insightful

      "He's a doctor, a faculty member (professor), and a division head (administration/management). I promise you he's not a moron."

      I have met professors with multiple PHD's that are in fact morons.
      I have a Sister in Law with 3 Masters degrees that cant keep a car on it's tires, she has flipped 6 cars in 4 years.

      Education does not eliminate you from the moron pool.

      --
      Do not look at laser with remaining good eye.
  4. Doing it wrong by dzr0001 · · Score: 5, Insightful

    You shouldn't be deploying rogue hardware that is not company owned at any place of business let alone a hospital. Have you even considered the compliance ramifications?

  5. Wait, what? by 0100010001010011 · · Score: 5, Insightful

    You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?

    You may not think that IT owns or manages your server, but they do own or manage the network. Imagine if some guy from IT came down to you and wanted to start looking through radiology records. I'm sure you'd ask him if it was ok to look over his shoulder every now and again before you gave him full access.

  6. Head of the division, you say? by spun · · Score: 5, Insightful

    That explains a lot. Guess what, Head of the Division: just because you are smart, and well trained in YOUR field, does not make you a computer or network expert. As the head of a division at an academic hospital, you have a responsibility to not only follow HIPPA (or your country's equivalent) requirements yourself, but to set an example for the medical professionals training at your facility.

    Do you simply not understand that plugging unauthorized and unaudited equipment into a hospital's network is not only a very bad idea, but against the law in most places? As the head of a division, you should understand that.

    The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law. No one expects you to be a network expert, that is your hobby, not your profession.

    In short, stop being a condescending ass and let the professionals do their job. If I knew an untrained "division head' was setting up unauthorized networking equipment, I would avoid that hospital like the plague, as I don't want hacked equipment broadcasting my medical history to the world, understand?

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Head of the division, you say? by spun · · Score: 5, Insightful

      Doing our jobs and complying with Federal regulations does not make us dickwads, it makes us professionals.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  7. Sysadmins VS Lusers, lets get ready to rumble! by spun · · Score: 5, Insightful

    Hilarious. This story has polarized Slashdot into the "I actually work in IT in a systems administration capacity" camp and the "I tinker with computers as a hobby" camp. The tinkerers are actually taking offense that the "so called experts" won't immediately recognize their superior genius. The experts, for their part, seem used to this crap. Here's the deal, tinkerers: we will respect your mad skillz only after you have demonstrated them several times and jumped through all the proper hoops. Until then, you are just like any other Little User. No insult intended, but this is our job, and our butts on the line, not yours.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton