Ask Slashdot: Do I Give IT a Login On Our Dept. Server?
jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"
.... you'd be breaking network and security policies up the wazoo by plugging your own server into the network, much less having a machine that IT couldn't manage and audit.
You bought a server, with your own money, and connected it to your corporate network. Now the corporate IT people want a login to it, and you think it's OK to say no? Yeah okay.
But instead of asking "should I give IT a login account on a server that is not owned or managed by them?" perhaps you should ask "should I give IT a login account on a server that is on their network?"
It becomes a lot less clear in that formulation, huh?
Why does a server that is not owned or managed by the IT department exist inside the firewall?
In my workplace that's a sacking offence.
Have you asked him why he wants a shell? If not, why the hell not? And if so, why haven't you told us?
Please tell us which hospital this is for.
I want to make sure I never go there.
You shouldn't be deploying rogue hardware that is not company owned at any place of business let alone a hospital. Have you even considered the compliance ramifications?
You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?
You may not think that IT owns or manages your server, but they do own or manage the network. Imagine if some guy from IT came down to you and wanted to start looking through radiology records. I'm sure you'd ask him if it was ok to look over his shoulder every now and again before you gave him full access.
You want to put a server on the network, complete with special firewall rules to support it? Yes, it's reasonable for IT to want some access to it.
Tell them that the second they reimburse you for the server they can not only get a login, but they can become responsible for its maintenance and security and they had better be sure it has a solid uptime. That only seems reasonable. :-)
It's their job to manage security and the infrastructure. At a minimum, you gain a second set of eyes and hopefully expertise in hardening the server against the outside world. The last thing they want is your box to be a big gaping hole in their system.
If IT doesn't need root access, then he probably just wants it there to review the OS/changes to make sure that it won't break anything. Also, if it goes down, IT can help you get it back up or raise it when you're not available.
Really, I don't know why you *wouldn't* give IT a non-root account... but then again, you know what they say about doctors/academia and their egos.
If you're hit by a car tomorrow and die you want someone else to be able to pick up the work and go forward. Once upon a time I had a VP I worked for at an ISP put me and the other head of the IT department on a plane with him to LA. The three of us were the only ones with access to the entire company's systems. I mentioned to him, if the plane went down, the company would probably be dead within a week. He just laughed it off.
That said, your IT department are the best ones to handle this. I doubt the hospital is paying you to play tech nerd, I'm sure you have other work you should be doing. The IT guys are PAID to do this and are screened carefully (at least I hope so) by management to be trustworthy in doing it.
It sounds to me more like you're looking for job security by being the only one with keys to the castle.
Chrooted into a jail that they can do almost nothing from (perhaps get version numbers from a few tools).
If you don't want IT to have access to your server, then don't come crying when something "doesn't work".
Let me tell you how this goes down in most corporations. If you don't, their security dept. simply won't give you what you want. They're likely to shut you out anyway. If you take it up the chain then you're calling attention to the fact that you have a non-hospital entity on the company network. This is/was a bad career move. You might get away with it and many do for some time. Given that you're running BSD is a plus as you're not as likely to propagate a virus. Unfortunately for you, IT already knows. So if you choose not to give them a login you might find yourself without an IP address. Or worse, without a job.
Asking what port 8443 is for wasn't a stupid question - if it's not in /etc/services, it's not a standard port number. As for giving him an account, look up "chroot jail". Problem solved.
You are operating a server, behind the firewall, on their infrastructure, in their facility. You, (un)fortunately, don't make the rules. What you're doing sounds great and the lengths you've gone to make it happen are commendable. But I can't imagine any decent business being run while allowing any employee to run any server they want behind their firewalls without at least some oversight. You're going to have to follow their rules, sorry.
Yes. The simplest is to give the tech an account with limited privileges, let him log on and look around, and then when you have this server up and running, reduce the privileges on his account further so that he can't interfere with anything.
But here are bigger factors you should worry about: think longer term. There's a chance that your hacked together server will be in use for the next 10-20+ years. Just how things go. Make sure to make an image file of the final configuration of the server onto a DVD or something and tape it to the server, with a text file on the disk and hand written instructions on how to restore from this image. Make sure to save the newegg receipt with the exact hardware configuration of the server. I hope you used a passively cooled CPU, a solid state disk, and a good quality power supply.
Feel free to take this up the chain of command. Both you and IT probably have valid arguments, and you should have a chance to duke it out to higher-ups. But at the end of the day, both sides will need to abide by whatever decision. To do otherwise would risk firing. If you don't like the decision that comes down ("Yes, IT must be given login access if you have this server"), you can simply tell your clients (the docs and allied health staff you serve) that you can't provide the calendar feature they asked for, and tell them to take it up the chain if they don't like it.
In other words: be the advocate for yourself and your clients, but don't try to be the judge as well, because you're likely to get stomped on by those who are the judges, deserved or not.
You say he doesn't want root access, only an account. Maybe he has an iPhone and is also stymied by the IT department's lack of support for CalDAV.
Play nice with them. Consider yourself lucky they didn't go ape-shit.
Give them a nice minimal account that doesn't have access to anything. That way you can show that your shit is tight. If they start demanding more then start playing hardball.
Bringing in your own resources from home - while a novel idea, creates a lot of headaches. From the Accounting department on down to the IT dept. What is your dept going to do if you leave? What is the refresh cycle on your little "server"? What happens when the PS dies and the box goes down? Who is going to back it up, and rotate the tapes? Who is the security point of contact for HIPAA? Is it within HIPAA scope? Sometimes, especially in the world of retarded litigation -- it is best to ask questions before apologizing...
Given HIPAA standards I'm surprised they are just asking for a user account. An unknown public server at a medical facility is a definite risk, and IT is probably very aware of HIPAA standards. Then again, they probably don't think twice when installing the latest version of whatever commercial software they use that makes outgoing TCP connections for "license compliance".
What you've done would cause any professional IT group to get out the hot tar, feathers, and rail. Or at least come into your office and ask you politely to remove the damn server from their facility. And never do this again. You must have missed all the security briefings, the issues with HIPAA, and whatnot when you were looking at systems. What you've done is to create a 'rogue system'.
Imagine one of your kids sets up a server in your house. You don't understand it, you don't know if it's happily sniffing network traffic to steal passwords so pizza can be ordered using your credit cards, serving up pr0n, or just running minecraft. Would you willy nilly allow the kids to open a port on your firewall without the ability to audit what they're doing ?
Of course not.
Personally I'm amazed that they only asked for an account on your little server. I would have gone over and watched while you removed it from the facility and put it in your car.
Does it sit on an IT managed network? Connected to IT managed switches? Does it use IT managed/owned internet access? Did you get approval from IT to connect a server to their managed network and deploy an unapproved service from them before plugging it into the IT managed network?
I'm willing to bet the answer to all of the above is "no". You should be prepared for the WWE type smackdown. You should also re-read the Acceptable Use Policy for your enterprise/organization and you should very politely offer them whatever access they desire to allow your unauthorized service on their managed network.
My .02.
Several issues here.
1.) You're storing organizational data on a non-organizationally owned IT device. For that reason alone, they should say "no". (What guarantee do they have that you won't take your machine with you when you quit/get fired, and the data with it?)
2.) Your machine is on their network. They are responsible for what happens on that machine. Your machine could potentially be used to escalate placement of an attacker to the rest of their network.
3.) Even if you leave your machine after you quit/get fired, do you really believe that someone left behind will know how to maintain a BSD machine running OpenLDAP? Or that they NEED to maintain the machine?
Be GLAD they aren't asking for the root password. It's their network, it's their neck, and it's fair for them to have access to check up on you every now and then.
(I'd concede some of the above points if your job role was explicitly systems administration, but it doesn't seem to be the case in your description.)
It's pretty dicey to say it's not owned by them. While technically it might belong to you, and you might be able to prove it after an expensive lawsuit, in general it's not a good idea to mix your own stuff with company's stuff. If you bought it for use by the company, being possessive of it will not help you much.
Do you trust your IT group? Did you ask them why they want a login on your box? Do you have any reason not to trust them? Because they do have a reason to not trust you, and that is, lots of employees do weird random things. It makes sense that they want to be able to check stuff out on the box. If it doesn't hurt you, then there's no reason to not allow it. BSD was designed with multi-user security in mind, after all.
If you are able to put a server on the hospital's network and have it working without IT approval (apparently), then I'd say the hospital has a bigger problem.
Never mind the fact that IT is unable or unwilling to support the tools that you and your team need to do their jobs.
They can also not provide it a network port. When the server gets pwned it will be the IT people who get the blame.
Can I plug my packet sniffer box onto your network?
Idiot.
It's a game. Get over it. Give him an account that has zero privileges. And set it up to log whatever he does. 99% chance that he only logs in once and does nothing more than peer around for a minute. 1% chance of interesting :-)
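Several commenters above suggest the same practical answer (a chroot jail, a minimal account with no privileges, logging what the tech does). As an added example that is not part of the thread, here is how that looks as an OpenSSH sshd_config stanza on the BSD box, with the weak "plain account" version shown commented out beside the confined one. The user name "itaudit" and the jail path "/var/jail/itaudit" are placeholders chosen for this example:

```text
# Added example (not from the thread): confining the IT tech's non-root login in sshd_config.
# "itaudit" and "/var/jail/itaudit" are placeholder names for this example.

# Global settings (apply to every login, including the tech's)
LogLevel VERBOSE            # records the key fingerprint used for each login, not just the user name
PasswordAuthentication no   # key-based only; ask the tech for his public key
PermitRootLogin no

# Weak version: a plain extra account. The tech gets a full shell, can read anything
# world-readable (DAViCal config, an LDAP bind password sitting in a 0644 file) and
# can tunnel through this box to the rest of the hospital network.
#   AllowUsers jddorian itaudit

# Confined version: restrict that one account only; the owner's account is untouched.
Match User itaudit
    ChrootDirectory /var/jail/itaudit   # must be owned by root and not group/world writable,
                                        # otherwise sshd refuses the login; populate it with
                                        # /bin/sh and the few tools he should be able to run
    AllowTcpForwarding no               # no pivoting to other hosts through this machine
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY yes                       # an interactive shell inside the jail is fine
    AuthenticationMethods publickey
```

Run `sshd -t` before restarting sshd and keep an existing session open while you test the new login, since a wrong jail ownership or a missing /bin/sh inside the jail locks the account out rather than degrading gracefully. Logging every command he types is outside sshd's scope; the OS's process accounting (accton(8) on the BSDs) covers that, and the account can be removed again once the scan is done.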
is if IT should even allow it on the network.
Why would they even let it in through the firewall? I suggest having your employer repay you for your mini server and then letting IT go to town. It's a huge issue if it's your property in their network/firewall. Speaking from an auditor's POV it's a huge no-no. Make them buy their own and junk it up as they may.
It doesn't matter that you bought the server with your own cash. It's located at your business and being used for a business purpose. It's a business server. Having you A) claim ownership of the machine and B) resist anyone else having access of any sort should make your business very, very nervous about you.
What would you try to do if you quit or were fired? Would you pull the plug and take it home? Would you donate it to them at that time, making sure to give IT the password? What if you are hit by a truck (and your colleagues can't save you)?
You need to do two things:
1) Start talking to IT. It's great that they will let you manage the server and even maintain exclusive root access, but you should develop a transition plan (either to move the service to an existing IT server, or to transition maintenance of your machine to IT in the event you leave).
2) Put in an expense report and be paid for the hardware you bought. That way the ownership of the physical hardware will be clearly established (as theirs) and you won't be sued or arrested when you try to walk out the door with it later.
Yes, it's just scheduling software (for now), but seriously, if you proceed down the path you've chosen, all I see in your future is Terry Childs.
It doesn't hurt to be nice.
would you let a device that you couldn't administer onto a network you were responsible for?
Probably not. It's a reasonable request. Maybe you can trade with said IT guy and see if he's designed any surgical devices he'd like to see get some action :)
For people saying no, under HIPAA, the IT department has to have access and make sure it's secure if it connects to their network.
This sounds stupid ... you understand you need to ask IT for permissions to open up a port, but you don't want to allow them access to your machine. Well, why should they allow you access to their network? The poster doesn't elaborate on why he feels IT shouldn't be able to access the machine -- especially since they accept they don't need root.
If you don't trust them with access to the information, you already have bigger problems in that your IT department can probably access all sorts of private information.
Just because you're head of a clinical division, why do you have any expectation of being able to put un-verified machines onto the hospital network? IT has a responsibility to the hospital as a whole, and not just your department. Certainly not if you're talking about punching holes through the firewall.
At a very minimum, they need to be sure that you're not opening up some great big hole in the overall security. Why should you be allowed to connect a machine to their network without some involvement from them?
People going around insisting on installing machines without oversight and adhering to the rules are generally people you need to be very leery of in any organization -- because they insist the rules don't apply to them, and they try very hard to circumvent policies which are in place for a damned good reason.
I see your choices as waiting until they provide you with a solution, or working with them to allow you to install your own solution. Insisting they open up the firewall and then insist they shouldn't be able to access the machine ... well, that's just rather short sighted.
As an IT manager myself, I'd have to say this is a very reasonable request. Firstly most places wouldn't allow you to run your own server on the network, so I'd say your IT team is being quite generous. The responsibility for the network and its security is the IT department's; should a hacker break in and steal personal records, who would be blamed? In an environment like a hospital which is subject to numerous government IT regulations (at least in the UK and US) having a non-secure system is a massive liability; it would immediately cause an audit to fail.
..."Should I give IT a login account on a server that is not owned or managed by them?"...
You mean not owned and managed by them right now. However, someday down the road, when you are gone, IT will have to manage the damn thing. The company I work for made a mistake many years ago by allowing every user to have Microsoft Access installed on their machines. A lot of power users went wild creating Access databases for their own purposes. Naturally, over time, two things happened: 1) The databases grew in size and complexity. 2) The company began to depend on them and link the information in them to each other. Very quickly, all these databases became IT's responsibility to manage, especially when the pinheads who designed them got promoted to their particular level of incompetence, or left the company. It has been very tedious getting the data away from these god-awful Access databases, and re-designed and normalized into proper SQL Server or DB2 databases.
Yes, IT should have access to your server. They'll have to manage it eventually anyway.
It is about service and support. However, it's also about security and best practices. If some non-IT person is expecting to throw stuff on the network, then it has to be evaluated by the proper people. The only power and control we want is to be able to keep our network safe. It's our butts on the line when someone manages to hack into the network and get to medical data that has privacy laws associated with it. You wouldn't want us throwing medical equipment at you that you haven't had the chance to evaluate.
We find that, by far, the most problems come from systems not managed by US. I don't mean problems of a trivial nature, I mean shit getting virused or hacked. Most non-sysadmin types are not as good at administering systems as they think they are. Now I don't blame them, not only is it complex but they have other things on their plate, but it does happen.
That your IT department is willing to entertain your request tells me they are probably a reasonably good IT department, the kind that works with users to provide what they need, not the "No, you can't have it" kind. In that case, you probably should give them what they want because they are looking to protect you from yourselves.
I know that you probably view yourself as really smart, and indeed you may be really smart, however you may well not be as good at this sort of thing as you think. Also even if you are, you may not give it the attention it needs. You set it up and then turn your attention back to your regular job duties, letting it languish.
Also you might want to work with IT lest you find that they simply say "no". In some environments, that is an option. They can just flat out deny your request to run your own stuff and that is that. If you work with them, maybe they work with you. If you don't maybe they use the nuclear option and just say "You can't have it, sorry."
HIPAA is a very valid reason.
This is the polite first step in absorbing a server into central management. First IT gets an unprivileged account, then they will ask to have a standard scanning tool be installed that requires root access, then a recommendation to move all privileged users to sudo root access and allow IT to do some basic tasks for you, then some process will be added to notify IT when you are making changes to the server and then slowly your authority and access to change your server will be diminished until you are a regular user of an IT server.
I'm not judging centralized IT vs local responsibility, just saying that these are the signposts to watch for as it happens.
If it were my network you would either provide IT with root access, or it would be physically removed from the network permanently.
If you were to do such again and firing you was not an option I would revoke your access to all network resources.
Rogue users in a hospital environment (where privacy regulations have teeth) are not to be tolerated.
My current IT department, in addition to every IT department I've worked with in the last ten years, would be pretty damn pissed that you took it upon yourself to set up your own server and stick it on a network we're responsible for, to the point of our jobs being on the line. So yeah, give them the password. Then explain to the accounting department and purchasing department why you didn't go through the proper channels there, either.
Of course they want "power and control." If you were held responsible and accountable for a system, reasonably or not, then you would want "power and control" over it as well.
"YES" give them limited access. (you can always remove the account after they have done the scan)
Otherwise you're opening yourself to a multimillion $ lawsuit if there is ANY breach of the system due to your server being on the network.
If you let them check it over and then subsequently there's a breach, then it's the hospital's problem.
Look, you just introduced a foreign object onto their network and on top of that want an exception to the firewall. While you may be competent enough to run that server, how do they know that, and why should they take your word for it? You could be introducing a serious security breach in their systems, you could be violating HIPAA regulations that you don't even know about. Think of the other computer lackeys that you have worked with over the years and whether you would blindly trust them? You can't completely verify the security of a system by external scans, let alone compliance with any auditing requirements or other regulations.
Keeping the hospital network secure is IT's responsibility, and the least you can do is let them look at how you have configured your machine. Besides if you have permissions setup correctly then there should be no harm giving them non-privileged login account anyway, right? Stop being so damn possessive about something that isn't even in your legitimate realm of authority.
Meaning that you're from the only kind of IT department in the world that allows any clueless asshole (students) to connect to your network. Meanwhile this guy works at a hospital where stuff like HIPAA means that if IT policies aren't carried out properly, IT people lose their jobs.
(Policies and Procedures)
If your institution has them, you probably should get to know them before plunking down your hard earned money. I worked for a large company years ago where that kind of behavior got people fired, including some corporate execs who insisted on doing the very thing you are doing.
Chances are, if the IT department has any mandate from higher-ups to protect the network there, you're going to have to jump through whatever hoops they require. In that case, just be glad that they're allowing you to use something you bought with your own money rather than telling you to use it as an expensive doorstop. If they screw it up, then go have a long chat with the head of IT and whoever gives them their clout, financially and otherwise.
WSUS / etc won't do much good for a Linux server...
In reading over this, it seems harsh. It is not my intent to be harsh. I get to deal with this type of interaction fairly regularly where I work. I think it is an opportunity to talk openly about some of the struggles IT has with providing responsive, responsible support to our customers.
A couple of observations:
* You're right: The server is not owned or managed by them
* You bought something and put it in place without explicitly consulting IT
* The box is going to travel on a network that ~is~ owned by IT
* There are lots of other nodes on that network that may be affected by yours
* You're asking IT to support something they were unable to plan for
You're not an ordinary Joe if you're installing/connecting all those pieces of the puzzle. However, it's a bit presumptuous to think IT needs to conform to your personal requests without prior knowledge of your intent. As for running it up the chain, you may tread lightly. My current CIO would smack the request down pretty quickly and would probably demand that you remove your unauthorized IT device from ~his~ network.
Looking forward to reading some of the other responses.
...You're a doctor, not a network engineer.
You don't appear to understand why a hospital needs everything to be done by the book. To get to a HoD position you must have been in the business a while, so I can only wonder what other rules you've broken during that time. But it sounds like you just don't understand the basic principles and really shouldn't be working in a place like that. The decent thing would be to leave, now. Before your acts get discovered and before your actions cause serious problems.
So, you know enough to set up BSD and OpenLDAP, but you didn't think to ask your IT dept if they would allow such a service on the network. AND you just bought your own server and used software that may or may not be authorized by said IT Dept?
I totally understand that it's just for your small group, but if it's IT, and not secured against attacks within or without your network, you are liable, rather than the IT dept.
Granted I know it's 'only' for an electronic calendar, but couldn't you have saved some cash and time by finding an online alternative that would work across all phones your group would have? Maybe a web app of some kind?
Dude you probably ALREADY violated several IT policies of the hospital doing this yourself. This is where you should have got with your IT department and asked them what you needed to do to get what you wanted. If that didn't get you far, then you go up the chain.
So what do you do now? Scrap it and take it home.
The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access').
From the point of view of the hospital IT department, they now have a rogue server inside their network from a guy that tried to get around their (possibly misguided) policy of only using approved software on hospital equipment. Then this jackass that went around their policy with unapproved equipment and software is now trying to get IT to do favors for him.
Basically, he needs to count himself lucky that this machine isn't unplugged right now.
jddorian - I'm going to bottom line this for you. It's really quite simple.
The request to have a non-root account on a box plugged into a network managed by IT could not be more reasonable. If you have problems with this request then you have bigger issues my friend than we could possibly deal with here on Slashdot. It might be interesting to know exactly why you are opposed to this request. If you can't live with it then take your box and go home with it.
Sorry dude. IT departments would take it in the ass if that server violated HIPAA laws. You JUST don't DO this now. PERIOD.
This whole Ask Slashdot is bullshit flamebait. Anyone who reads /. knows this request is absurd. Someone that knows enough to install and configure the listed apps knows that requesting a rogue server to have open internet access and no management is NOT going to happen.
I realize different organizations have different rules and operating philosophies, is it accepted practice for employees to set up their own systems in your hospital?
Is this a US hospital? Does HIPAA have anything to say about this practice? Are IT systems audited? Would the IT group be liable for any problems that are found on your system? What if someone cracks your system and uses it as a jumping off point to get patient data? What happens when you leave?
Coming from someone who might be criminally liable for HIPAA compliance issues based on your server, this was pretty damn polite.
I'd suggest you give it to them, and ask if they have any securing suggestions for you.
Let me get this straight... you've set up your own personal server inside a hospital network. I will assume that there's no monitoring in place, no regular update schedule...
And when it gets pwned and turns into a botnet node with access to all internal network servers, it will end up being ITs job to clean it up.
Rather than being offended, you should be thankful that they're even humoring you. A properly run IT department would move that server of yours into the nearest body of water (to maximize cooling performance...) using a catapult.
What hospital is this? I want to make sure my confidential medical records don't end up in a place that permits such an egregious security breach.
I would insist on the same if I were in that person's shoes. The network is managed by IT, and they need to know exactly what is running on it. It would be negligence to allow an unmonitored/uncontrolled server inside of the firewall. Also, anything related to IT stands a strong chance of being inherited by IT in the future. Someone sets up a system, and then they leave and IT is left to reverse-engineer the whole thing because they weren't involved.
Would this totalitarian attitude actually prevent someone from plugging in a sniffer, or would it just keep people from getting their work done?
Godaddy is a scam and a ripoff.
Knock it off - use Google Calendar like everyone else who is doing an end-run around the IT department.
This keeps a separation of responsibilities.
Do you really want to be the one fired for causing a HIPAA failure/fault/fine?
What do they want it for?
Privacy is terrorism.
Meanwhile this guy works at a hospital where stuff like HIPAA means that if IT policies aren't carried out properly, IT people lose their jobs.
And/or get big fines and/or go to jail.
The truth is that all men having power ought to be mistrusted. James Madison
Please read the BOFH where the IT guy plugs the PC's network connection into an AC wall outlet. Problem solved! There are no illegal devices on the net.
This sure is far more efficient than using a thumbtack and a cork bulletin board.
If you want something to run on the corporate network, and ESPECIALLY if you want a firewall hole opened up, you sure as hell better be giving me access to your server. And I better be able to have full admin rights, even if I'm not going to do anything to it. This is an ABSOLUTE requirement; there are no exceptions here. You would be lucky to get permission to even plug a network cable into this since you didn't go to the IT department about this before you ever started. IT is for the IT people for a damn good reason. Things you haven't taken into account: security (ok, I'll give it that you have thought about this some), HIPAA, Sarbanes-Oxley, several other legal liabilities that fall back upon the IT dept if something gets hacked on that box. All of these have to be taken into account.
Use Google calendar. Whether they use an iPhone or not they can access it and you won't need to worry about Hospital Policy.
There's even a swafty little article discussing iPhone usage in tandem right here:
http://news.softpedia.com/news/How-To-Use-iPhone-With-Google-039-s-Products-59231.shtml
For all the people posting about what you can or can't do in their own particular corporate environ, who cares? My environment allows us all to bring in our laptops and anything else we want and hook it up to the network inside the firewall without anybody poking their nose in our business. Who cares? You and I don't work at his hospital, and mayhaps the people he works with aren't allowed to go ape shit over something like this.
As for all this blather about handing over an account that has virtually no rights, that'd be pointless. IT would need admin access just the same as they would on any other box. I'd be more inclined to say that the guy who said he didn't need but basic login access either
a) didn't know how to do his job right
or
b) intends to root your box anyways
I can tell you after working 14 years in IT, that if ANYBODY did this they would find their network ports blocked and a notice from an executive on their desk in the morning. ESPECIALLY in the medical field with, as others mentioned, HIPAA compliance issues. If you really want to make enemies in IT then keep pushing it. Otherwise make a case to the director with your requirements and do it the right way.
For even setting that machine up on a hospital network. Do you even know what HIPAA is?
CAn'T CompreHend SARcaSm?
While I'm not familiar with DAViCal, when your admin opens up that port he/she opens up a vulnerability in their (and your) network. Scanning for viruses alone helps protect this to some degree, but what if patches aren't applied in a timely manner? What if there's a hidden trojan in the application and your admin has a few tricks up their sleeves for determining this? Does the setup leave you potentially vulnerable? An admin having admin access has only themselves to blame if/when something malicious does happen when it could have been prevented.
Here's the deal - if a hacker gets a hold of any kind of access to that machine via DAViCal, that leaves your whole network vulnerable. If people are syncing their phones - then their phones as well. By introducing this machine *and* this software to the network, you've made the whole network vulnerable.
As others have stated - simply allowing this 'rogue' machine on the network is unusual - and in any corporate environment is dangerous to allow.
Your admin is doing what's responsible - by trying to secure your system, he/she is trying to protect the rest of the network.
Personally, in your position, I'd be handing off all of your machine's networking integration and securitization to your admin; this requires full access to the machine. It is, after all, their job, right?
Just because you and your department want a certain feature/service doesn't mean that you should have free rein in implementing and installing non-approved services in the hospital's infrastructure. You have to ask yourself why IT can't (or won't) provide this service to the community as a whole. More often than not it is a matter of money, time, risk, knowledge, business need and/or a combination of these and other factors. The IT department is there to deliver a bunch of services that ensure that the hospital's mission and objectives are achieved. Often, these objectives conflict with what individual users, or user groups, want. God, I wish my company would allow us to connect our devices (Androids, iPhones) directly into the Exchange server, allow us to have some sort of internal social media, wikis, etc. But we don't. And we don't because the company has chosen not to. Myopic? Yes. Justified? Absolutely. It is the company's business and assets they're protecting. So the short answer is yes. They're allowing you to play in their network? You need to give them access. What you need to do is go up to both IT and Hospital management and convince them that what you want to do is not only good for your group, but for the company as a whole. Hey, maybe you'll end up changing the way the company delivers services to your user community.
the future is but past forgotten
IT are Dogs! They are a bureaucracy that exist only to make real useful systems less effective. Throw them a pig ear and tell them you'll call them when the Exchange calendar is down again!
There are so many reasons why you should be happy they didn't simply confiscate it. They're responsible for making sure all computer hardware is following regulations; for example, all electronic equipment that plugs into the local power system needs to pass an inspection to make sure it won't cause a problem with any medical equipment (like shorting out circuits). Also, the hospital needs to be able to ensure HIPAA laws aren't being violated with patient data making its way straight out of the network into the wild open, as well as making sure your "little server" can't be a point for a security breach from the outside world with an open port.
I'm sure in your mind "YOUR" server has no problems but other people's asses are on the line for it.
I don't have time to make a sig
You aren't their only customer. If your box has high network demands, they'll get complaints from everyone else who's affected. Sometimes the Service and Support isn't about you.
If there's 100Gbit/sec, how many do they allocate to your server? And how many do they allocate to your phone? And how many to your payroll server? And your mail server? And your printer? And, and, and, and, and.
The roadblocks are put in place to keep one group (with the loudest executive) from monopolizing a resource that needs to be shared by all.
All they want is a login and not even root access AND they allow you to run your own server? Wow.
I would give them an account and also ask them why they want it. Perhaps they just were thinking to put something like that up themselves.
Or they want it so they can verify where the problem is if somebody complains that it doesn't work and you are on a holiday.
So ask them why they need it. That way you could either deny it or give them MORE access, depending on their answer and not on guessing. If security is an issue, don't run anything over their network.
Don't fight for your country, if your country does not fight for you.
Just use Google Apps; iPhones, Androids and web browsers can all connect just fine. It doesn't sound like you are putting up sensitive data that can't be used in the cloud for security reasons.
I have to agree with Gorkman. If I can't see what your box does from A to Z, then I am not going to put my neck on the block for the possible HIPAA violation, let alone trying to track a bug caused by incorrect configuration, extra services such as DNS, etc. This doesn't even take the yearly security audit into account, where I have to explain what your box does. 'I don't know' doesn't go very far with them.
V for Vendetta: People should not be afraid of their governments. Governments should be afraid of their people.
Exactly. Unless you're willing to take full responsibility for any damages incurred on the organization as a result of your potentially insecure server providing a crack in the network (which could most likely be huge damages), you're out of your mind to suggest that IT shouldn't be allowed to manage the server. If it's so important to you, host it on an external network like you would host any other independently operated service.
As a person interviewing for an IT position at a large U.S. university, I'm thrilled to hear that the hassle of maintaining sane network policies won't be part of the job.
Hahahaha you must work in marketing. Ask Vanna if you can buy a clue.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
I work in the managed IT services space, and honestly given this is a health organization and HIPAA applies, I think they're being rather nice. If you're able to build a box, connect it to the hospital network, and get a port opened to the outside world where you are potentially storing PHI (face it, you're going to end up with at least a peppering of health information in even just the subject entries, let alone the details for the calendar)... that's pretty lax on their part. Does the hospital outsource their IT support? If yes, I'd jump on the opportunity to move forward with "just providing a login", because if this works its way up the chain you'll no doubt be taking that machine home with you soon :)
If the hospital manages their own IT, your chances are better since there's probably less worry of finger pointing in the event of a breach.
See what happens.
You're the one that's out of line here. Even if you do know what you're doing in setting this up and getting it to work, you're intruding on IT's job. Would you be OK with it if out of the blue IT decided to setup their own X-Ray machine or MRI? Even if they told you that they "took all the necessary precautions"?
At the base level, this is not about your ability to run a server, competently or otherwise. It's about IT being responsible for the IT infrastructure. They don't know how competent you are, they don't know whether you'll keep it patched or up and running properly, but they know they'll damn sure get the blame if you do not. If your IT shop is incompetent or inflexible, this is an issue to "send up the chain", but don't expect to be treated with respect if you go rogue.
Quit trying to do IT's job for them. If you want a server for an iPhone-compatible calendar tool, the IT department should be the ones building and administrating the server.
I'm surprised they didn't disable the network port as soon as you told them you had an unauthorized server on the network.
Scrap your server and if IT isn't willing to deploy their own managed server that provides the services you need, take that request up the chain. This is the only right way to handle your situation.
Besides HIPAA, there are also various ISO regulations on any computer networks involved in medical devices, testing & the like. You'd have some major explaining to do when your ISO auditor can't get into one of the servers on your network.
You're doing work for the hospital on the system; therefore they need access to it.
Not only that, but there are all sorts of legal requirements around any data on the damn thing. Technically, your calendar, which includes appointment data and scheduling for when you worked on which patient's stuff probably falls under the domain of medical records....
There's a reason that bureaucracy isn't real compatible with you throwing up a server for whatever: there are legal requirements that make it so every little thing needs to have enterprise grade bs and management behind it. At least on paper anyway.
Not only that, but once you've used it for that, who's going to sanitize the data off it when you're done with it? I'm surprised the IT guys didn't show up with crowbars demanding admin accounts, followed shortly by dismantling the thing.
That said, I'm sure it's a sweet iPhone calendar thingy or whatever.
If you brought your own server into my network, you would be taking that right back home with you. That is an absolute no, no with me.
I don't even allow people to bring their own monitors, memory or speakers. (I'm not so strict on mice and keyboards though)
Asset management can be an issue, especially when people leave/get terminated and they have brought their own hardware/software. If you need/want something, get it approved and we will buy it. Don't bring your own.
My employment (aka my source of money) is put at risk when someone else plugs a server into my network that might open up the entire network to intrusion. Your reckless behavior can impact my ability to make money. This has nothing to do with God complexes and everything to do with making sure IT doesn't take the fall for incompetency elsewhere.
Wow. I couldn't write that last sentence with a straight face. We take the fall for other people's incompetencies all the time.
120 characters for a sig? That's bloody useless.
Why is a Division Head fooling with computer hardware like this? Isn't that what IT is there for? That's why you are paid several times more than them...
In the hospital where I used to work this guy, head of a division or not, would be reprimanded (if not worse) for trying to pull this stunt.
If you want to take something up the chain, it's a request for a CalDAV server. Not a "hack" to allow your own little pet project to jeopardize security. I assume you want others to use this system as well? Who will train them? Who will maintain the service after you leave? Who will fix this server when you're on leave? Who will be held responsible when your server gets hacked? Did you actually think any of this through?
At the large company I worked for, hooking up personal computers to the network was a terminable offense. So no, you don't give them a login - you don't set this up at all.
The chief reason appeared to be fear of viruses and hackers, but there are many, many more. The hacker front can be a bit obscure: What if your CEO read the article about RSA getting hacked by an Excel file with an embedded Flash object, and the CIO assures the board that all computers will have Flash removed and tasks IT with identifying and removing Flash everywhere? How are they going to look having to explain 'well, we got everything, except for the personal computers that we don't have access to'?
Let's say people start relying on the service you are providing with a personal computer under your desk. What if it goes down? Helpdesk will get called, and need to know what to tell the caller so they don't appear incompetent, and need to be able to address the problem. What if IT is required to certify that all of their computers have X patch applied as part of a compliance audit for certification? What if a corporate policy goes out that no computer can run unencrypted ftp regardless of port # they run it on? What if your company is obligated to ensure that terminated employees can't log in to servers? What if a lawsuit is served and your company is required to provide copies of all records pertaining to meetings with client xyz, and your calendar server has meeting info on it but your IT department doesn't even know it exists? None of these things are unreasonable, but none of them can be done easily if you're allowed to set up whatever box you want doing whatever.
Sure, it makes your job harder if you have to go through official channels to get the things you need to get your job done. But your company needs to be able to get their job done too, and a bunch of random whatever-somebody-set-up-under-their-desk systems makes that really hard.
is competition good, or is duplication of effort bad?
As several other posters have pointed out, in my work environment, your server would have been confiscated already. I doubt that you would have been able to purchase such a thing here at all. And any complaints about being unable to get the services you desired, or how it was a 'simple' task, or any other excuse would have been met with silence.
And you would have been on the carpet with at least three senior VPs, along with your own VP explaining how they permitted the attempt. Just the attempt.
Around here, you would have had to install it all on a desktop PC you snagged for some other purpose. It would have lasted a few hours until someone from network services came around with a cart and bolt cutters to snip off the cable lock. And a security guard.
Now, if it were MY network, and I were either the great high Administrator or director, I would have demanded immediate root access or disconnection, per pre-existing policy. It's kinda like paying for the insurance on my car, but having no say in who drives it. I'd like to at least know that whoever crashed it was permitted to drive, and no, I would not let the local meth heads take it for a spin to Mexico. Either your IT department is in charge or they are not. And no, you can't have your own Internet gateway, even if you promise to never ever interconnect it. Do you not know what HIPAA is all about?
deleting the extra space after periods so i can stay relevant, yeah.
For the same reasons you cannot knowingly allow an unmitigated security risk, you also cannot "cut them out of any form of network access" because doing so might negatively impact provision of medical care to a patient.
-fb Everything not expressly forbidden is now mandatory.
You are inside their firewall so it's their responsibility.
"If any question why we died, Tell them because our fathers lied."
You have an IT department for a reason...use it. If someone tried pulling this kind of crap at one of the sites I manage (and people have tried), you'd be packing the hardware in the trunk of your car and taking it home with you. It's in your best interest, as well as your peers' and clients', to follow whatever policies are in place. Maybe if you tried collaborating with your IT department you could have made this whole thing easier on yourself. More than likely there would have been someone willing to take your requirements and run with it to get your desired service up and running while making it compliant with whatever policies are in place.
Insanity: doing the same thing over and over again and expecting different results.
OK, if the point is to get work done, then jddorian (the original submitter) should meet with the IT department and explain to them what he needs and how he went about setting it up. That at least puts the onus on the IT department for providing the requested service or explaining why they can't do it.
The attitude of "default no" at least keeps organizations from making serious mistakes. IT drug deals and one offs are a recipe for disaster since issues such as security and support are usually ignored, until something goes terribly wrong that is.
In the land of the blind, the one-eyed man is usually crucified.
First of all, as has already been said, you may be violating a ton of policies as well as HIPAA by putting that machine on the network.
In most instances, IT has control of every piece of equipment that connects to the wire, even if they don't officially support the software or hardware. However, I know of plenty of exceptions to this rule. There are times when it is desirable to exclude IT from having access to a piece of equipment or server for a variety of reasons. Said equipment is generally supported by either a local department resource or an outside vendor directly. These arrangements are pretty much always in writing though. If you want to keep your server outside of IT control, you'll no doubt need to work that out with them.
Since it's a single function server paid for out of the OP's OWN pocket, it belongs somewhere else than on the institution's network.
He should put it under his desk at home on his own cable modem, and use dyndns or some such.
If it's just work schedules and contains no HIPAA data, it can be anywhere.
Why set up your own machine, you can buy this service for dirt cheap.
On the other hand, if it truly only runs schedules, what's the problem with forking over an account for IT? The fact that there is resistance to doing so suggests there may be some internal gossip board or other motive for keeping everyone else out.
Sig Battery depleted. Reverting to safe mode.
While you're at it, why don't you have a new entrance built for only your use. Don't consult the maintenance department or anything, though.
1. install VMware Server, configure a barebones virtual machine
2. configure local ssh to listen to an alternate port number.
3. configure port forwarding on your local machine to direct port 22 to the virtual machine.
4. give them access to the VM
Best of both worlds.
They think you've given them access, and you have...just not to the machine they think they're accessing.
If you decide to give them an account on the actual machine, configure an external location to backup your logfiles, even remote logging. When they attempt to do something bad on your machine (and they will) you'll have the proof you need to make someone regret their actions.
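If you do ship the logs off the box as the comment above suggests, the useful follow-up is to actually read them: this added example (not from the thread or any poster) parses BSD-style sshd, su and sudo syslog lines from the remote copy and summarises what each delegated account did, flagging any attempt to escalate from the non-root login. The account names, host name and every log line below are constructed for illustration.

```python
"""Audit a delegated (non-root) login from an off-box copy of the BSD auth log.

Added example, not code from the thread. Assumes BSD-style syslog lines from
sshd, su and sudo; run it against the remote copy of the log, not the copy
on the server the audited account can reach. All sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines (FreeBSD/OpenBSD su and sshd formats, stock sudo format).
SAMPLE_LOG = """\
Mar  3 09:12:01 caldav sshd[1234]: Accepted publickey for it-audit from 10.0.5.17 port 51234 ssh2
Mar  3 09:12:40 caldav su: BAD SU it-audit to root on /dev/pts/0
Mar  3 09:12:55 caldav su: it-audit to root on /dev/pts/0
Mar  3 09:13:02 caldav sudo:  it-audit : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/it-audit ; USER=root ; COMMAND=/bin/sh
Mar  3 10:01:15 caldav sshd[1300]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar  3 10:04:30 caldav sshd[1398]: Failed password for jddorian from 10.0.5.2 port 50001 ssh2
Mar  3 10:05:00 caldav sshd[1400]: Accepted password for jddorian from 10.0.5.2 port 50002 ssh2
""".splitlines()

SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed (\w+) for (?:invalid user )?(\S+) from (\S+)")
SU_BAD = re.compile(r" su: BAD SU (\S+) to (\S+) on ")
SU_OK = re.compile(r" su: (\S+) to (\S+) on ")
SUDO_DENIED = re.compile(r" sudo: +(\S+) : user NOT in sudoers.*COMMAND=(.+)$")


@dataclass
class AccountActivity:
    """What one watched account did, as seen in the log."""
    logins: list = field(default_factory=list)            # (auth method, source address)
    failed_logins: int = 0
    escalation_attempts: list = field(default_factory=list)  # human-readable descriptions


def audit(lines, watched):
    """Return {account: AccountActivity} covering only the accounts in `watched`.

    Order of checks matters: the 'BAD SU' pattern is tried before the plain su
    pattern so a failed su is not misread as a success.
    """
    report = {name: AccountActivity() for name in watched}
    for line in lines:
        m = SSH_ACCEPT.search(line)
        if m and m.group(2) in report:
            report[m.group(2)].logins.append((m.group(1), m.group(3)))
            continue
        m = SSH_FAIL.search(line)
        if m and m.group(2) in report:
            report[m.group(2)].failed_logins += 1
            continue
        m = SU_BAD.search(line)
        if m and m.group(1) in report:
            report[m.group(1)].escalation_attempts.append(f"failed su to {m.group(2)}")
            continue
        m = SU_OK.search(line)
        if m and m.group(1) in report:
            report[m.group(1)].escalation_attempts.append(f"successful su to {m.group(2)}")
            continue
        m = SUDO_DENIED.search(line)
        if m and m.group(1) in report:
            report[m.group(1)].escalation_attempts.append(f"sudo denied: {m.group(2).strip()}")
    return report


def violations(report):
    """Accounts that tried to go beyond the plain login they were granted."""
    return sorted(name for name, act in report.items() if act.escalation_attempts)


if __name__ == "__main__":
    rep = audit(SAMPLE_LOG, {"it-audit", "jddorian"})
    for name, act in sorted(rep.items()):
        print(f"{name}: {len(act.logins)} login(s), {act.failed_logins} failed")
        for attempt in act.escalation_attempts:
            print(f"  ! {attempt}")
    print("accounts needing follow-up:", violations(rep))
```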
"Lame" - Galaxar
Academic IT departments are very different beasts. The bureaucracy to get things done can be much more complicated, the resources much scarcer, and the variety of tasks that people need to do/think they should have a right to do/assert that IT is born to do is vastly greater.
The more the IT people lock things down in an academic environment, the more rogue operations there are. If they go after the rogue operations, then the bureaucracy increases as the rogues fight to take the power away from centralized IT.
On the other side, if I want something done on an academic network, dealing with support in an IT department built to have work-study students explain to incompetent professors how to bring back a menu bar in Outlook (or Thunderbird, or whatever Macintoshes use, and, of course, professors will insist on the choice of which one) can be a nuisance. It'll waste a half-hour of my time (more in the phone queue), and a half-hour of their time. On the other hand, if I screw up the MAC cloning on the rogue device I'm jacking in, or if I put it into an unauthorized drop, the competent person calls me, and we can sort the issue out. Nobody wastes any time. Of course, they'll also call me if I run an IRC client, and tell me that my PC is botted.
So, yeah, if they want a login on the box, good for them. They won't have the interest or money in administrating it. Naturally, they could be just collecting the data they need to bring a complaint.
Or a BSD server, like in the OP...
Actio personalis moritur cum persona. (Dead men don't sue)
That explains a lot. Guess what, Head of the Division: just because you are smart, and well trained in YOUR field, does not make you a computer or network expert. As the head of a division at an academic hospital, you have a responsibility to not only follow HIPAA (or your country's equivalent) requirements yourself, but to set an example for the medical professionals training at your facility.
Do you simply not understand that plugging unauthorized and unaudited equipment into a hospital's network is not only a very bad idea, but against the law in most places? As the head of a division, you should understand that.
The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law. No one expects you to be a network expert, that is your hobby, not your profession.
In short, stop being a condescending ass and let the professionals do their job. If I knew an untrained "division head" was setting up unauthorized networking equipment, I would avoid that hospital like the plague, as I don't want hacked equipment broadcasting my medical history to the world, understand?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
This is why you should need a licence to own and operate computer equipment :-) If someone attached their own kit to my network I'd shutdown the interface on the switch. To suggest that *they* shouldn't have access is a joke - it is *their* network... Give them root access and be thankful you haven't been fired!
My wife is a practitioner at a large hospital. What upper management says goes - and what IT says goes for the network, hardware, and software. Much of the software and other infrastructure is slow, cumbersome, and IT is about as responsive as the DMV.
They wouldn't allow what the OP did and they wouldn't do anything about iPhone calendar software. She'd be SOL.
The OP would have a much better chance having the hospital get them some sort of PDA/smartphone that's compatible with their infrastructure and paying the associated monthly bills.
Keep the iPhone for personal use.
Plug it in at home, problem solved.
However: Why buy a server at all? Get a hosted VM image somewhere, throw the software on there, and just have everyone in the department use it. Putting a machine on the IT department's network is what's causing the issue (legitimately for them, annoyingly for you); remove that part of the equation, and the problem is largely solved (the only issue left would be whether keeping the schedule outside is a privacy or policy violation).
We are agents of the free
Is it really that hard to load into your smartphone a few weeks schedule occasionally? Even if everyone in the department is a techie, there is no need to try and get fancy. Sometimes the old fashioned really is better.
If you were talking a department of 100+, I can see some benefit. For a dozen freaking people though, you're just creating needless drama.
More than that, who says you are a qualified systems admin? You say "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented)." And I take it that you installed BSD and OpenLDAP. My question is... so what? Who is to say what you really know? You are operating in a hospital. You have medical records. The IT staff there MUST make sure ALL systems there comply with HIPAA and industry security standards.
Hey, the IT guy watches Grey's Anatomy. Can he perform medical tests in your hospital? No? So what makes you think you are comparable to IT? They respect your job; how about you respect theirs.
I'm sorry, but there is no way in hell I would let you on such a network without root. Not an account, but root. And if I were a patient, I would be screaming bloody hell if I found out non-IT staff got to run their own servers on the hospital network. The fact that they let you run at all is mind boggling to me. Probably because they can't fire a department head or you have tenure or something similar.
But you are on the most sensitive type of network and balking at the most basic request. "Should I give IT a login account on a server that is not owned or managed by them?"
Should they allow you host a server on a network that is not owned or managed by you? Honestly, if you did this all without first passing it by my IT department, I'd do my best to have you fired. Don't wanna give access to your precious box... geez, you really think THAT is the big deal in all this. Unbelievable, foolish, and arrogant to say the least!
I8-D
You want to use their Network infrastructure you play by their rules - simple. If you don't like their rules, unplug your box from their network.
Google Calendar
you are what you is -- FZ
IMO you really don't want to fight them on this, especially since they're not asking for root access. Even if you kick it up the chain of command and get a ruling in your favor (which is by no means a foregone conclusion), making enemies in the IT department is simply bad office politics.
If you cooperate with them on the little things, you increase your odds of being able to fly under the radar on the stuff that actually matters.
Where I work, the IT infrastructure is very MS-centric. We're a satellite R&D office, with no dedicated IT staff; the corporate IT people are 1000 miles away. I help the IT folks with the day-to-day stuff at our site (making sure the Windows server gets backed up, installing software, troubleshooting Outlook problems, etc.), and in return they leave the software group (which comprises about 20% of the people in this office) alone to manage our own Linux-based server and desktops. Everybody wins. (Well, other than the part about me having to troubleshoot other people's Outlook problems... but I digress!)
Assuming a network scan from your IT people means that the machine is secure and not infected says that you haven't quite got a full handle on security.
Yes, you bought your own machine with your own money. Did you ask IT before doing this? Do they support iPhones as devices on the network? If not, why are you connecting them to it?
The real solution is not to randomly go and install your own project without asking, it's to engage with IT first, and ask why they don't support particular devices and services. If there's a great hospital need that can be filled by this, then get a project started, with a bit of budget, and get the IT bods trained. Get the service installed such that when it (inevitably) goes bang, someone will be around shortly to get it fixed.
I'm wondering, as head of a clinical department, how much your time is worth, compared to your IT guys? If it's several times the cost (most likely) then you've just cost the hospital a shed load of money. You now have to support it (more money), and odds on, you'd not be as good as an IT specialist at doing so. So, several times the cost for a less reliable service.
When you're doing your clinical job, will you take the calls when it falls over (or will you even take the night calls when it fails for the staff on over night that use it)?
There are so many things wrong with just slapping a machine on the network, it's not even funny (I work in a hospital, in the IT side, and attaching a computer to the network that's not been vetted and supported by IT is a disciplinary offence; you could easily put a hole in the network security that puts patient confidentiality at risk). If your IT guy wanted to play by the book, the recommendation would be to shut the box down as a rogue, and get you to engage with IT properly. Do a risk analysis, and a security vetting on it to make sure it's not going to do anything nasty. Make sure it's supportable and the skills are in house to make sure that when it goes bang, someone whose job it is to fix that will be there while you're concentrating on fixing patients (which IT really can't do, but they really are pretty handy at fixing computers that break).
No, it won't be ready tomorrow. Or in a few weeks.. But as long as you put your money into it to make sure it's supportable, then all is good.
Have a good think, and imagine what would happen if all the departments decided to run their own little projects without engaging IT. What would happen with the standard fail rates of hardware and software, and the user support needed. What would happen to costs and department efficiencies?
The account on there is really such a trivial thing in the wrongness here that it's barely worth mentioning amongst the much bigger wrongs going on.
All IT want is to help you do your job more efficiently and provide you with what you need, balanced with what's safe for the hospital and the patients, and what can be safely resourced. If you use the IT department properly, everything gets slowly better. If you don't, you fragment the systems, and end up without support and with lots of expensive wasted time.
How did you even get your server on the network? I don't work in a hospital, just a run-of-the-mill business, but you wouldn't even get a rogue server on our corporate network without IT's permission first. If you found a way to get it on the network, then we'd track it down and confiscate it with management approval (management doesn't like to hear "HIPAA violation") and you might be facing sanctions for violating IT policy.
You wouldn't get that permission to host this server unless the server was sitting in our datacenter running our build of Windows or Linux, configured with our patch management system along with reviews of the configuration and especially any custom code. And yes, we'd have the root password and you would not. If you could guarantee that no HIPAA covered data would live on the server, you might get to have the server in your own DMZ, but IT would still need the root password so we can check it out or shut if down if it does anything suspicious (like become part of a botnet)
HIPAA certification is a long expensive process, and allowing self-managed departmental servers on the internal network is not HIPAA compliant. People think that IT just makes arbitrary rules that make it hard to get real work done, but often those seemingly arbitrary rules are due to the seemingly arbitrary regulations that we have to follow.
I don't think staffing calendars are HIPAA protected data (as long as no patient data is revealed like "Tuesday - Dr Joe performs Joe Doe's sex change operation"), so why not just rent an Amazon EC2 instance and host it outside of the hospital network entirely? Though the IT department may still not allow it unless they have a way to audit the hosted data to ensure it doesn't fall under HIPAA protections.
(A) you can buy your own hardware and take it to work and use it, but (B) it's their network and they can demand access to it to ensure it's secure.
But really, if they didn't need root access, it's going to make security checking approximately impossible to do confidently, so they're already demonstrating some ineptitude. Beware. It's quite possible the IT person you are working with is a "knows just enough to be dangerous" and they outsource the heavy lifting and he's just the eyes and hands on site for simple stuff. In which case stick a sucker in his mouth and be thankful you don't have to deal with hassle.
I've been known to take my own stuff to work - heck, I've always had my own laptop, and so far nobody's challenged me to get their hands on it. But then I generally know at least as much as they do, or more, so they leave me alone. Once they told me they needed to replace my computer with a "company machine" and asked for a written quote for replacement of everything in my laptop bag. I assume they got severe sticker shock, (I don't pack light) as they haven't brought it up since. First place I took my laptop to it was the only machine in the building that could work on the server's scsi drives, and the PHB didn't want me to bring it in until the day I had to and then he left me alone. (and refused to pay for one of their own)
If they were pushing me on the issue, and only wanted a shell on my machine and not root, I'd call that a fair compromise actually. (At least I'd be fairly confident they wouldn't do any damage.) No way I would give them root. If they want root they can supply their own machine. But I do accept that, if I denied them root, it would be totally fair for them to deny me a mapped port. Or just plain forbid me from connecting to the LAN, period. I've seen companies and schools that are that way, the switches only routing traffic from approved MACs. Flash drives too. Had a manager in the past that forbade personal flash drives on premises. But he was an ex bank manager so that wasn't too surprising.
Really you've already opened a can of worms by not just bringing in your own machine, but turning it into a server, a business-reliant machine. If I take my laptop home, stuff doesn't stop working. I'd say you've gone too far and should make a presentation to the PHBs to replace your kit with some of their own. Tell them you brought it in to demonstrate NEED and that the test is done and the results are in, and you are now going to take your gear home and they need to decide whether or not to buy their own stuff. If they can't see the improvement by the numbers now, take your box home and that will make the numbers fall again. If they still don't see a justification, either it's not worth it (is it? be serious and answer that) If it's worth it and they don't see that, time to move.
I work for the Department of Redundancy Department.
So, this rouge server, does it make people blush, or what?
All kidding aside, I agree, it's their network, their rules - and besides, let them have the headaches/ability to fix it if some hardware dies on a weekend. That's a win/win scenario.
Of course you're going to get lambasted for bringing in your own resources. What you did was both cool and questionable, and I can see how you might want to bounce the idea off of a bunch of geeks.
I'm going to ask you an alternate question - can you set up a Google calendar for this? I know, I know - you went to a bunch of effort to roll your own, but if the department isn't too large, and you don't worry about giving everyone write access to the calendar (they're adults, right?), then a "community" style calendar might work without the need to get IT involved. I use it for two or three small organizations along with my family calendar, and it works seamlessly with the iPhone, iPad, (it better work with Android), and any box that has port 80 access without a block on Google apps.
Go grab a cold beer now - it'll help put out all the flames ;-)
Is it just my observation, or are there way too many stupid people in the world?
Have you met any IT people? The ones I know are not much more than computer literate. They know just enough to pass their MCSE cert. The last one I met didn't know the difference between a router and a switch with vlans....he thought they did the same thing! Before that, I spent a few hours explaining to an MCSE newhire what ping and traceroute did! I'm not saying that all MCSEs are that bad, but I haven't ever met one that was any good.
So, I got out of IT....associating with those guys will give you a bad name, and everyone will hate you.
This guy is trying to run open source software, his IT department is - no doubt - filled with Windows weenies.
I recently needed a server with internet access and had to configure the server myself....the IT department here doesn't "speak linux". They recently asked me if I was doing my own backups! The first thing I did was create offsite backups because I don't trust their ability to keep this VM running!
"Lame" - Galaxar
"The Hospital IT department doesn't offer... so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal."
Wow. Why not just push all the buttons on management to get the 'real' IT folks to support a calendaring package from this century, or at least a scheduled sync with a Google calendar that your devices can sync to?
What you just did was add a whole mess of unaccountable, unmaintainable, indispensable, and covert technology to the mix. If I was a manager in I.T., I would likely cut some of your department's support over something like this, and start inviting you to more meetings so there are no further 'misunderstandings'.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
Having been round the block, I understand the issue from all sides.
I understand your wish for a service of some kind. But I don't think it's your job to provision or supply it, and above all else, primarily, it's not your network, or system. As such, nominally you don't have a starting position other than to take forward your request for the services you might like in the first instance. And the fact they don't provision something may not be a lack of service, it may be legal or compliance based.
I also understand that sometimes in research and scientific areas, there is in some organisations some leeway applied. But in all cases, IT really has to be involved, and you have to end all the ideas that this is your service, on your network. It's not. It is a service on their network, through their firewall, and all the threats and vectors land on their plate and not yours.
It's sometimes tedious because in the real world you get a full spectrum of IT, from very bad to very good, and often beyond your control or influence. There is another side of course. IT really only exists to provide services and tools to people, and sometimes that's lost in the mix. It gets lost in the storm that is lack of money, compliance, legal garbage, and budgets, problems, support, and so on.
We're all equal
Yes, you should give IT a login and make him a member of the wheel group so that you don't have to give out your root password. However, I'm surprised that the IT department hasn't thrown off some alarms regarding a rogue server on their network. If I were in your position, I would work with IT and allow them to secure your system and bring it up to their SOPs and R&Rs regarding equipment on their network. You really should have consulted with the IT department before spending your own money and time when they could have just as easily taken care of this for you.
However, what's done is done. Of course, this falls under what a mentor of mine used to tell me: It's better to ask for forgiveness than it is to ask for permission.
Good luck!
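One way to act on the wheel-group suggestion above while keeping to least privilege, as an added example that is not from this thread, from the submitter's setup, or from the DAViCal project: on a FreeBSD host with sudo installed from ports, create the account and add it to wheel (`pw useradd itaudit -m -G wheel -s /bin/sh`), then, rather than the stock `%wheel ALL=(ALL:ALL) ALL` rule, grant only the commands IT needs for patching and inspection and record the sessions. Wheel membership by itself only lets the user `su`, which still needs the root password, so sudo is what actually avoids sharing it. The account name `itaudit`, the drop-in file path and the command list are assumptions chosen for the example.

```sudoers
# /usr/local/etc/sudoers.d/itaudit  (assumed path; FreeBSD sudo from ports)
# Added example, not part of the thread or the DAViCal project.

# Record keystrokes and output of every sudo session for this account;
# replay later with: sudoreplay -l user=itaudit
Defaults:itaudit log_input, log_output
Defaults:itaudit logfile=/var/log/sudo-itaudit.log

# What "support and patch the box" needs, and nothing more
Cmnd_Alias PATCHING = /usr/sbin/freebsd-update fetch install, \
                      /usr/sbin/pkg update, \
                      /usr/sbin/pkg upgrade
Cmnd_Alias INSPECT  = /usr/bin/sockstat, \
                      /usr/sbin/service -e, \
                      /usr/bin/tail /var/log/*

# itaudit may run the listed commands as root with their own password;
# no shell, no editor, no unrestricted root
itaudit ALL=(root) PATCHING, INSPECT
```

Validate the file with `visudo -c -f /usr/local/etc/sudoers.d/itaudit` before relying on it; a syntax error in a drop-in can lock everyone out of sudo. The I/O log gives the department head an answer to "what did IT do on my machine?" and gives IT the audit trail the hospital's compliance people will ask for.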
For when that HIPAA audit occurs, or when something fails (while you are on vacation, etc) and no one ends up being on call for a weekend.
WSUS / etc won't do much good for a Linux server...
He did say "and other tools", and that's exactly the point - if they can't do patch management for your particular flavor of Linux, they can't easily ensure that it is up to date with security patches.
Very quickly, all these databases became IT's responsibility to manage, especially when the pinheads who designed them got promoted to their particular level of incompetence, or left the company.
This inevitably happens because IT organizations refuse to comprehend or work under the concept that they are not the reason for the existence of the business, but instead exist to help the business make money.
I'm one of those "pinheads". My VPs give me requirements to accomplish some task, gather some data, and build some reports in order to support the operation of the business. Such a task requires some kind of database to hold the data and some kind of reporting application to build the reports. So I go to IT and ask, spend weeks building BRDs and cases and they come back with the ridiculous response that it will take 2 years to build and cost half a million dollars.
I'm not allowed to hire any new employees to do this work manually and this is far from the only task I have to do each week, so what do I do? I spend a couple evenings and weekends hacking together a solution that "works".
Now I try to use the best practices I can, with normalized tables, primary keys, with the data all in SQL and linked to Access, etc. But I'm no expert. But why can't the IT organization come up with "quick solutions"? Are there no people in IT who know more than me who could make something "as good" as the POS I cobbled together in a week or two?
Well, the answer is that there apparently aren't. So pinheads like me, who have to get a job done "now" so the business can do what it does (making and selling widgets) do what we have to get the job done so we can sell widgets and earn the money that justifies our existence as a business (and pays for the IT budget and salaries).
I also know this makes a mess for the IT department when they have to inherit the POS I made. But just imagine how much easier things would be for the IT folks if they would provide people to help with these quick solutions so that they are designed reasonably well and are easier to support. Considering how much time and effort they have to spend on the back-end of it, dealing with crappy databases and data, it would probably actually require less time and effort if they availed themselves at the front-end when the business needed a quick solution.
If a pinhead like me can come up with a solution in a couple weeks (less time than all the project scoping meetings) that's still holding up pretty well after 5 years, then it's clearly not rocket-science. Why can't an IT person or two, who actually do this for a living, do the same or better?
Ah, the old IT conundrum: If I ask IT to do it, it'll take several months and tens of thousands of dollars in budget to implement. If I hack it together myself, it'll take a few hours, and a $1000 investment in hardware. But then comes maintenance, and repair, and so forth and so on.
In the end, you're going to need to hand over control of the system to IT, whether that means having them build a new box for you that does the same as the one you built, or handing them over root control of the system you built, if they're familiar with the components of the BSD/LDAP/CalDAV beast you've hacked together. Basically what you've built for them is a Proof of Concept system, or a Prototype, which they'll need to take over eventually, because you're not going to be in the business long term of supporting this tool.
Awesome. I had the same question the other day and looked it up.
He might be gone sooner than he thinks. He broadcast enough information to be identified, and he has publicly pointed out that his institution doesn't have policies in place that affect HIPAA compliance issues. Maybe the hospital is private and the OP is a doctor who has a large personal investment that funds the hospital (or some other situation that puts him into the "can't be fired" category). I hope so, for his sake.
-fb Everything not expressly forbidden is now mandatory.
IT is a service. I know, he probably should have tried putting in a formal request first, but the feeling I get is that would have been a waste of time. That he went ahead and did this shows initiative on his part, or possibly frustration with the (lack of) support from IT.
I've been on both sides, and I can understand his frustration. As the quote by Plato goes, being ruled by lesser men is a punishment. Maybe the IT people where he works are competent, and he should try to get to know them better, get on their good side, etc. But if he needs something, and the IT department isn't providing it, it's not his fault. Could be the IT department is underfunded or apathetic. I wouldn't want to give someone who's apathetic access to a machine I rely on. OTOH, the guys who run the network *need* to know WTH is going on it.
Nathan's blog
The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law.
Now who's the doctor here?
I think your instincts are on spot here; not allowing IT to have a login seems like it might help protect your intellectual property. You put together a great solution where your department had a real need that wasn't being filled. You have invested in tangible assets here, too. The IT department has a very valid claim also; they really need a login for anything they may need to support or integrate. Compliance in hospitals is also a huge factor, as you know. The good news: You are on the brink of the solution! My recommendation, for what it's worth: Step 1. Go way up the chain, to the Chief Compliance Officer, or whoever has authority in compliance, as well as the ability to make decisions to purchase software licenses, hardware etc. Request a meeting to show him your prototype. Step 2. Bring the prototype and demonstrate it. Step 3. Then ask for what it is worth to you ($1000? $20,000? you decide). That number is to allow them to license your solution and to cover hardware costs. Offer the hospital a trial period of 30 days. Tell him about a dozen or so are excited about the trial period. If your team will put that in a cheerful looking petition, even better. During the trial period, you will implement both the old system and your new solution. This will take a tiny little time more to perform the same tasks as before, but your solution will work, hopefully be implemented and save a lot of time and improve efficiency in the long run. Tell him you have spoken to IT briefly about security and feasibility and they seem willing to work with you. Tell him the IT department will need a login and request permission from the Chief Compliance Officer to provide the IT department a login. Step 4. Let the IT department know you have received permission from Compliance to provide a login and give them one. Step 5. Whether or not your hospital implements your solution, I would recommend contacting several other hospitals' Chief Compliance Officers and making the same offer.
Step 6. Cash your hard earned check. I believe in you!
That said, he shouldn't be hooking up hardware to the network, especially in a hospital.
Better to have this as an "external example/proof of concept" that his management can use to demonstrate "this problem isn't that hard" and "the solution shouldn't cost $5mil".
is why your IT guy is only asking for limited access. He should get fired straight up for that.
Even if you are not in the US and HIPAA does not apply, I am guessing your patients would not like this setup. At least not the ones who understood networks.
As a person doing IT at one of the larger Universities in the US, the answer is most assuredly NO!
There is no valid reason what-so-ever that a 'tech' managing the FW needs an account on your machine.
It's pretty obvious that "person doing IT at one of the larger Universities" is not the same as "member of the IT staff at one of the larger Universities". Let me guess - you're an undergrad student, or maybe a grad student, and you are the go-to computing guy for the lab you work in.
#DeleteChrome
I'm surprised at all the tech people here who are so far behind the tech curve. Being able to use a computer is no longer a specialty. It is expected of any worker to be able to use and maintain a computer for job specific tasks. While I have met some admins that were very restrictive of their networks, they usually did so out of fear and ignorance. They didn't want anything they didn't issue because they didn't know what might happen. Most professionals realize that a computer not issued by them is not the bogeyman.
These little POS solutions suddenly become the most critical production apps without anyone telling IT. This means you have to buy clustering, SAN storage and all other expensive and overpriced crap.
Or suddenly a restore of data is needed and it's IT's fault that it wasn't magically backed up.
A few years ago we started doing database snapshots because our SQL replication was kind of whacky at the time. It was simply for people to do simple data lookup. Next thing we hear someone tried to use the snapshot copy for an executive demonstration to a client for new software right at the time that the snapshot was scheduled to go down for a refresh of data.
And Access is the worst of the crap I have to deal with. It's notorious for locking millions of rows of data to update one or two rows. And some people leave for the night with a linked table open, causing blocking that screws up the nightly maintenance.
I can understand why an IT department would have a problem with a user bringing in their own server. Some rare places do allow employees to provide their own equipment but probably not a hospital with HIPAA and all.
;-) Either way, you better hope your IT guy doesn't read Slashdot. Good luck on that!
BUT!
Why did it ever get to the point where he felt the need to bring in his own server? IT infrastructure exists to help people get their jobs done. IT departments exist to support that. Corporate IT culture these days is absurd! Remember, unless the business is a server farm it isn't the IT dept that produces wealth for the company. It's the workers. If something simple like installing an LDAP server helps the workers be productive then the IT department should be doing so long before it gets to a point that a user has to take it upon himself to fill the need. This was a failure of the IT department before the user even bought the box. Buying one's own server is a pretty extreme step, a real need must have existed.
I've worked for a large corporation with a lock it all down corporate IT culture. Daily I had to deal with irate customers with simple problems that were totally the company's fault and should have been fixable by a few simple clicks but IT had crippled our tools. Try telling a customer you have to send a ticket up to a higher level of support so they can get their email when the last 10 people they talked to said the same. Now I work in a place where often I am the one calling for better security. I can understand both sides.
Meanwhile... to the author. I'd probably give him the login. You are probably really lucky he is nice enough to let you have your server, let alone not get you in trouble. I only hesitate because not asking for root seems really weird to me. What is the IT guy really wanting to do with it that he doesn't need root? I'd be watching that account to make sure it doesn't become his personal MP3, Divx or P0rn store.
If you really are feeling rebellious about this then you could always give IT their own personal jailroot.
I mentioned to him, if the plane went down, the company would probably be dead within a week. He just laughed it off.
And... and... c'mon why the cliff hanger? Tell us already... did the plane go down or not?
Questions raise, answers kill. Raise questions to stay alive.
I'd disconnect the server, let him watch me securely destroy any and all writeable media found in the machine and only then could he put it in his car.
And that's on a good day, because if he raises so much as an eyebrow the whole server gets destroyed while he is escorted out of the building by security.
What a nutcase.
Why even bother setting up a server with the numerous excellent online calendars? A little company called Google comes to mind. Many schools have already moved their users over to google apps for education.
Do you know anything about HIPAA? You can't just plug random systems into a hospital IT network. Despite what many people think, the HIPAA "Security Rule" covers all systems on the network, NOT simply ones that contain patient data.
If the system is on the network, IT is responsible for ensuring it is compliant with HIPAA, including auditing and storage of all security events on it.
As others have likely pointed out, this server, not owned by the company, is connected to the business network! As this is a medical business, there are likely countless government regulations with regard to information security. There may be reasons outside of IT's control for not being able to provide your operating group with a calendar server. Among them is resource restrictions/limitations, support requirements and, of course, "x group has calendar! I want calendar too!" which leads to more problems of resources and support.
Turn that server off now, take it home and run it there. If your ISP blocks ports, then buy business class service.
Hilarious. This story has polarized Slashdot into the "I actually work in IT in a systems administration capacity" camp and the "I tinker with computers as a hobby" camp. The tinkerers are actually taking offense that the "so called experts" won't immediately recognize their superior genius. The experts, for their part, seem used to this crap. Here's the deal, tinkerers: we will respect your mad skillz only after you have demonstrated them several times and jumped through all the proper hoops. Until then, you are just like any other Little User. No insult intended, but this is our job, and our butts on the line, not yours.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Un-frigging believable.
I wish there were hints as to which hospital this was. OP really needs to be led out by security *today* with his box of belongings -- after it's been carefully searched and any recording media erased and confiscated. The server needs to be confiscated and picked over by competent professionals to make sure it hasn't been doing god-knows-what on their network. (And the bill for this sent to OP, deducted from his last check.)
The tech that opened the port -- or was considering it -- doesn't really have a clue what kind of trouble he's tacitly authorizing. HIPAA violations are some serious shit, up to $1.5 million a year. Even if we weren't talking about a hospital: any reasonable management of an organization with IP or trade secrets would be having a fit about this.
Get off my lawn.
There's no way I'd open a port on a firewall from the public interface to the inside interface. That completely defeats the purpose of having a DMZ. You set something up in the DMZ to proxy the requests.
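What "set something up in the DMZ to proxy the requests" looks like for a CalDAV service like the one in the submission, as an added example that is not from this thread or from the DAViCal project: a reverse proxy in the DMZ terminates TLS on 8443 and forwards only DAViCal's CalDAV path to the internal host, so the firewall rule points at a managed DMZ box rather than at a departmental server on the inside. The hostname, certificate paths, internal address and log path are placeholders chosen for the example; the `/caldav.php/` path is DAViCal's CalDAV endpoint.

```nginx
# DMZ reverse proxy for the departmental CalDAV server.
# Added example; hostname, addresses and paths are placeholders.
server {
    listen 8443 ssl;
    server_name caldav.example.org;            # placeholder

    ssl_certificate     /etc/ssl/certs/caldav.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/caldav.key;  # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Clients that probe the well-known URI get sent to the DAV root
    location = /.well-known/caldav {
        return 301 /caldav.php/;
    }

    # Only DAViCal's CalDAV endpoint is forwarded inside; everything else
    # stops here, so an inside bug in some other URL is not reachable
    location /caldav.php/ {
        proxy_pass https://10.0.5.20:8443/caldav.php/;   # internal host, placeholder
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 2m;   # calendar objects are small; cap uploads
    }

    location / {
        return 404;
    }

    # The proxy's log is IT's record of who talked to the service, kept on
    # a box IT manages even if the department runs the backend
    access_log /var/log/nginx/caldav-access.log;
}
```

The inside firewall then only needs to allow the proxy's address to reach the internal host on 8443, and the proxy's access log lives on IT-managed hardware, which answers part of the auditing concern raised elsewhere in the thread without anyone needing an account on the department's box.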
It's still a hospital. It still needs to abide by whatever laws & rules that apply to hospitals.
Shame on the powers-that-be in the "academic environments" that eschew laws & policies that protect patients.
Your server would be rather useless.
It wouldn't be functional on my network, you may be able to plug it into a port, but you wouldn't move any data through those wires.
I'd know about it the instant you plugged it in, the switch port would throw you into NULL land, and that would be that, followed by someone showing up at that port promptly to ask wtf you thought you were doing.
It's unlikely, being that managing the network isn't your job, that you are fully aware of all the requirements and conditions that apply to data in your hospital. It's unlikely that you are as well versed at managing the server as they are.
Without rambling on about all the other reasons why you shouldn't be running your own server, to put it bluntly, the fact that you asked on slashdot is proof enough that you shouldn't be running a server in that environment. Of course, to follow up, the fact that they simply want a login/admin access is a good indication that your IT department is substandard as well.
Nothing talks on my networks that I don't have complete control over. It's my job to make sure things are done right, and that includes preventing people like yourself from having any possible way to break company and legal requirements, by which I'm sure you are bound as a hospital. My job is to make sure everyone else can do what they need to do and make sure no one else screws it up for them. Letting someone who isn't part of my management domain have control over something that isn't separated into its own private unreachable network isn't going to happen ... opening a firewall port? I don't think so. That's just begging for problems.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I think the central problem here is that neither the department director nor the IT manager "knows how many regulatory issues" are violated, because there's either not a written policy or the policy isn't being communicated to the people who need to follow / enforce it. That alone is enough to be out of compliance.
-fb Everything not expressly forbidden is now mandatory.
Inside the hospital? Comply with IT rules. In fact, turn the whole thing over to them to manage. You're getting off easy only having to provide a non-root account. (By inside the hospital, I mean on the property or connected to the Intranet).
Outside the hospital? Then you are basically providing a service to your staff in much the same way that Google, Facebook, Twitter, etc. do. If department policy doesn't prohibit employees from using such services, then you are doing nothing different. If calendaring is not a function provided as a part of the work flow your IT people manage under published organization policy, use what you want. The fact that you are using paper tends to suggest that this is not an IT responsibility if by paper you mean scribbling things on your own desk calendar or day timer.
Have gnu, will travel.
Why even bother setting up a server with all the excellent online calendar applications? For instance, many schools use Google apps for education or MS Live.
That aside, going rogue, not talking to IT, and making a custom solution just for your one area, is one of the things that makes working in IT so frustrating at times. Among the many, many problems that implementing your own solution can create, just think about one: what happens if you change jobs? I can personally attest to getting calls from random new department heads saying "Joe Smith (former department head) set up system xyz to do abc for us and now he's gone, I expect IT to now support system xyz".
This scenario is especially prevalent in academia. Academic freedom is important, but all too often it spills over into areas that it really doesn't belong.
Why even bother doing that when you could get a FREE Google Apps account that has up to 50 (used to be 100) users? Then you get great calendaring, anywhere. On iOS, Mac, PC, Android, etc.
Seems sorta like inventing the wheel again. plus what are you going to do if it crashes or the IT bozos mess it up?
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
First of all, to the OP, I am sorry you are having so much difficulty with your internal IT group that you (felt you) had to spend your own money. That's always no fun.
Secondly, why didn't you just use Google calendar? Free, works with iCal, etc. It sounded like you just need a shift calendar for the doctors, not something that would need HIPAA protection. Also, what calendar system is your IT department using that won't work with the iOS devices? I can't think of one off the top of my head that doesn't work with iOS anymore. Exchange works with the web services turned on at the server, so if that's it then you're dealing with an inflexible IT department and I'm sorry.
Finally, if the above two options aren't possible, hosting a secure calendar offsite (insert the name of web hosting company here) for less than $120 a year is also quite possible.
If the poster were part of my network, I'd have calmly sent one of my techs to his office, found the machine, turned it off, unplugged it, unhooked it, taken it to my office where it would stay. ...plug an unauthorized, unaudited, uncontrolled server in my network... the nerve, the arrogance...
YOU should not be placing a non company owned system in their network; the fact that they only want a login is letting you off easy. If it was my network I'd be turning the uplink to your network off until corporate security is able to go ensure the machine is removed. If it's just for schedules and benign information that's not medical info, HOST IT EXTERNALLY. As a network admin it's incredibly irritating when people think bringing their crap from home and plugging it in is an acceptable idea. It's not. Working in medical, I assume the information stored throughout the network is sensitive, and the IT people are the ones who are responsible for ensuring it stays safe; allowing your crap on the network introduces an unknown which they would have to be responsible for. "I'm happy to allow any scan, to ensure it has no security issues" - there is no rudimentary scan that they can do to ensure there is nothing malicious hidden on the machine; it's a tedious audit-like process that no IT staff wants to do. They have approved software/images etc for a reason, so they don't have to spend hundreds of man hours inspecting every good idea an employee implemented.
In the United States, the hospital as a whole is legally responsible for maintaining the privacy of all patient records. You are asking to open a port that has a very high probability of transmitting patient records (for example patient names, appointment schedule time and exam type) to hand-held devices that are taken off hospital premises and frequently lost, stolen or casually discarded when upgraded. iPhones do not have passwords or encryption turned on by default. Calendars are frequently shared between multiple calendar services like Google and Yahoo.
I think it is completely inappropriate for you to provide this service outside of the enterprise environment in the first place. I believe that your IT group is being excessively lenient allowing you to do it at all.
Any more red meat like this in the submission queue?
the no
I've worked in university IT, and call BS on the story too.
On the other hand, weird things happen and university departments can be woefully disorganized. We had a security group that learned, to their total surprise, that our engineering college had a functional nuclear reactor. It was a small reactor for creating medical isotopes, but after 9/11 they had to work out new security policies to deal with this nuclear reactor on campus that apparently very few people outside of one small department even knew about. They wanted to shut it down but it turns out that it is the only source for certain medicines within transportation range of a bunch of hospitals, so it got a permit for being essential to national security, and now the streets around the building have crossing gates and doghouses with 24 hr guards.
-fb Everything not expressly forbidden is now mandatory.
The OP is a troll.
The user ID "jddorian" is a fictional character on the US TV program Scrubs.
No head of department at any hospital or university I have been associated with would have had the time in their career to be more than passingly conversant on computer IT issues, forget know about ports. Heads of departments get to those positions only because they do nothing else with their lives.
A head of department would know better than to set up something themselves. They wouldn't also have the time to do something like that. They would be familiar with the idea that the hospital IT infrastructure is far more highly managed than normal corporate IT structures.
And, unless this is a seriously podunk hospital, they likely already run Microsoft Exchange for email, and so have electronic calendars.
Troll. It's a troll.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
I strongly suspect that there is a documented set of rules that is supposed to be followed for all servers/workstations on the network. You probably violated those rules the moment you put your server on the network. In some companies this would be grounds for termination. It sounds harsh, but this is one classic method for accidentally compromising security on the internal network. If there is a procedure for setting up a server, ask IT, they can probably get you the information you need.
If IT opened a port for you in the firewall and some malicious hacker used that port to hack into your server, they would then have access to everything that server had access to. After this happens, the IT department would have to explain why they allowed that port to be opened to a server they knew nothing about. If you were the person in IT who allowed that to happen without asking any questions, how would you explain your thought processes to senior management? You may think that your server is perfectly secure, but it's not. Nobody knows what security holes they have until they are later published. This is why IT needs to know what is on all of the servers so that when there is a published security weakness, they will know which servers are affected. When management asks if they are vulnerable, they will not be able to give an honest answer when there are servers they do not have access to.
If it is considered a security violation to install unapproved servers on the network, do you really want to go over IT's head so that you can publicize that you are violating security? Worse yet, you are trying to take it a step further by having that server accessible from outside the firewall?
There is a real need for the solution he developed, and management is probably already struggling to find that solution. I know a few hospital administrators in our city looking for a solution exactly like that. Several of the obstacles management would encounter in implementation, he has already overcome. And he is just the kind of guy who would know what and how to implement. He has so much going for him here, technical knowledge, an academic hospital environment, willing staff. I bet this really works well. So no, in response to your question, no I do not think he should sell IT services, he should give the IT department a login and let them handle the IT. But he could and maybe SHOULD sell a product he developed on his own time. I expect anyone with his level of intelligence knew enough to not develop this while on the clock, or using sensitive data.
The impression I get from the OP is that there isn't a clear policy, and that the IT manager is making ad-hoc policy. There's a compliance problem before the server and the firewall enter into it, because of the absence of a policy. How can they represent to a federal auditor that they are following their policy (and in an audit you have to be *specific*) if they have no policy?
-fb Everything not expressly forbidden is now mandatory.
..or have them set up a similar service.
Less headache for you.
Would you let one of your IT bods wander into your operating theatre and start assisting during an operation? Thought not.
"Do you like being employed?" is a valid question for the poster. I would be shocked if any reputable corporation allowed employees to connect their own devices to the corporate network.
If you don't want IT to have access to a machine on their network, perhaps you should find another network.
I think the question is academic. Should you give the IT department access to a server that they should disconnect from the network?
It just doesn't matter.
Besides, do the "envisaged" server and apps (CalDAV, BSD, and OpenLDAP) comply with HIPAA or any other rules/laws/IT policies at this hospital? Are the iPhones' device security policies persistent? What else aren't you telling the IT people?
First I'd stalk you on all systems in the hospital that I had available to me. I would start fucking with the traffic on your little LDAP server that could be used to cache/query/steal LDAP passwords. I'd refuse to support you as your little calendar mysteriously functions part time. I'd let you start dick swinging and "go up the line".
When you've gone about as far "up the line" as you can go, I'd report you to the medical review board for anything nasty I found about your behaviour at the hospital. Even if you were completely clean, I would serve hospital administration and medical review boards with notice of your recent HIPAA violation. I would possibly call the police and tell them you'd deployed a server which was quite possibly being used to harvest credentials for nefarious activity.
Then I would find your little POS bsd/ldap liveinstall server, unplug the shit out of it, pour kerosene on the thing and burn it in front of your car as you were escorted out the building. Long story short - I hope your server dies in a fire and you lose your license to practice.
In a hospital environment? All they want is an interactive login? I would say it's pretty hot that they didn't come to your door with torches and pitchforks. You do sound like you know what you're doing, but that's how people come to IT and say, "Don't worry about it, I know what I'm doing." I myself work internal IT at a technology company. "IP Engineers" for our production network saw no problem in plugging in "a hub" to our corporate network. They actually had plugged in a home router. They managed to loop the network, flood it with rogue DHCP traffic and open up an unencrypted wireless network. This from people that are paid (a lot more than me) to run a customer-facing network. Long story short, it's IT's job to trust no one because most of the time, they're right.
4.) The next time some other department head wants something else that IT doesn't provide, someone gets the bright idea that, "Hey, we've got a BSD server running in the office here, why don't you just hang it off that?" Next thing you know, you've got a flatbed scanner plugged into the back and a file server that supports fourteen user accounts, some of whom are interns, and the server is still connected to the open Internet.
Breakfast served all day!
The snarky part of me wants to suggest that the author attempt to go over the IT guy's head and take it up with management so that he gets the kick in/up his ass that he deserves. The article author is wielding an overdeveloped sense of pride like an amphetamine hyped scalpel. He clearly assumes that his knowledge and intelligence rival that of the silly IT staff that don't understand his needs yet doesn't understand enough of the basic principles of IT that he is offended when IT asks him for admin privileges to the machine that he connected to the network.
If you think you have a bright idea for IT, bring the idea through the proper channels...
Evolution: love it or leave it
The fact that your IT department will allow non-sanctioned servers in their environment and on their network means you've already won a very big battle. Don't get greedy: if you escalate up the chain you won't be in a better spot, because somebody higher in the IT chain will put their foot down for territorial reasons and you'll end up selling your server on eBay. At that point you'll also find the advocate who was willing to open the port for credentials will be forbidden to do anything for you.
Also, I'm not clear on how you expect somebody to evaluate your server's security without being able to log in... If this was my network I'd shut off whatever network port this device was plugged into, and ban its MAC address from all my switches until I either had a login I could use for auditing, or until you gave up.
Who did what now?
I get your point, but there is one important difference: it's not illegal to 'practice IT' without a license; there's no licensing regime for IT.
As a medical organization, your IT director has to make a legal certification that all systems within the organization are HIPAA compliant. If they do so and you set up a rogue server and someone places patient medical information on it and it becomes compromised, your IT director could go to jail. Or possibly you; you'd need to consult a lawyer to find out.
I work in a computer science group in a hospital. We constantly have run-ins like this with the IT group and we would deal with an issue like this by saying a straight-out no. We manage our own servers; if IT screw them up then our systems are up the creek and we get shouted at. It is worth pointing out that we try to keep as upfront as possible with IT about ongoing projects that will directly influence their infrastructure, i.e. firewall etc.
Putting the server out there makes YOU entirely responsible for it, and removes any connection with IT or the hospital. So if someone decides to sue for disclosing Sally's appointment at a cancer ward, they will sue you, and not the hospital. This is also helpful from the IT dept. perspective because by making it external, they will use their web scanners to look at the traffic in-bound and outbound, virus scan it, etc...
Mind you, IT will likely still have their shorts in a knot because you bypassed them and got an external service, which is likely not HIPAA certified, etc... but they would have a harder time and a lot less leverage.
It is running a calendar application not storing sensitive patient information.
I've seen plenty of sensitive things in calendars. For example, all the freaking time there are teleconference passcodes in meeting invites I get. For (ostensibly) sensitive teleconferences. You can't know what's going to be stored there. What keeps a physician from using it for more than just "on call" calendaring? "12:25 AM: Visit Mr. Smith and give him a referral for AIDS counseling".
Here in the IT department, we are amused every time some genius 1) Assumes IT can't provide something without bothering to ask, 2) slaps together part of a solution, 3) discovers they need IT's help in some critical way, 4) is appalled when IT thinks they have the right to do their jobs, and 5) never, under any circumstances, manages to realize what's wrong with their sloppy little 2nd grade crafts project of an IT service. You work for a hospital, you say???
Taken from wiki. This is a breach on at least 3 HIPAA technical safeguards.
Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
Covered entities must also authenticate entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be.
Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.
Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
If so, there is someone in the IT department who has to swear under penalty of perjury that the entire network, and every device connected to it, is PCI compliant. And he's on the hook for any mistakes he allows. And he cannot possibly know your server is PCI compliant if he has no access to it. You are literally expecting him to break the law, and putting your employer at risk for considerable liability (if they say they're PCI compliant, and there's a breach, and it turns out they're not - and the presence of your server on the network that the IT people can't access at all is, itself, non-compliance). In fact, if they're non-compliant, they are liable without limit for all costs related to the investigation, and all damages resulting from the breach. And the average breach adds up to six figures in costs. This can put a company out of business.
Were you employed at the company I work for (and I run the IT department), you probably wouldn't be any more. If I were feeling generous, you might be given exactly one chance to remove the server until such time as I, personally, could verify that it is compliant (and the requirements are pretty strict if it's visible to the internet, as they should be). If you made much of a stink about it, you'd be at risk of criminal prosecution. If any actual damage resulted, I would certainly push for criminal charges.
It's not your network. It is the property of the company, and they have designated someone else to be in charge of it.
The only reason you want it inside their network is because of LDAP and you want to log in with the same credentials. Unfortunately that's a challenge with their IT trying to be compliant with federal regulations.
Your choices are:
1) Drop LDAP, host this yourself somewhere, let the users create their own passwords.
2) Talk IT into buying and supporting your server. Just take the hands-off approach.
3) Have IT firewall your machine to only allow LDAP (port 389) connectivity inside their network and only outgoing/receiving on that port you requested. Hopefully that's all the access you'll want to get it to work.
4) Give IT an admin login. If you don't trust them, then back up your setup and also run a backup on your calendar program. Worst case is that IT ruins your system/setup and you just restore. It's probably some tiny app that writes to MySQL or SQLite or whatever.
Honestly for a small scheduling app like that, LDAP is nice but totally unnecessary. IT is supposed to help people do their jobs, not hinder it. Bring it up in a staff meeting or some such, go through the proper channels and make them support you.
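Option 3 in the list above, as an added example that is not part of this comment or the original post: a host-based pf ruleset for the OP's BSD box that admits only CalDAV on 8443 and SSH from an IT management subnet (for the audit login), and lets out only LDAP to the hospital directory plus DNS/NTP. The interface name, the LDAP server address and the management subnet are assumptions, not values from the thread.

```pf
# Host-based pf ruleset for the DAViCal box (constructed example, not from the thread).
# Assumptions: external interface em0, hospital LDAP server 10.0.0.5,
# IT management subnet 10.0.1.0/24 (all placeholders).
ext_if   = "em0"
ldap_srv = "10.0.0.5"
it_mgmt  = "10.0.1.0/24"

set skip on lo0
set block-policy drop

# Default deny in both directions; every permitted flow is listed explicitly below,
# and blocked packets are logged so IT can see what the box is trying to do.
block log all

# Inbound: CalDAV over TLS on the port IT was asked to open, and SSH only from
# IT's management subnet, so the audit account is not reachable from the
# rest of the hospital network or from the Internet.
pass in on $ext_if proto tcp to ($ext_if) port 8443
pass in on $ext_if proto tcp from $it_mgmt to ($ext_if) port 22

# Outbound: LDAP/LDAPS to the directory server only, plus DNS and NTP.
# Nothing else leaves the box, which limits what a compromise could reach.
pass out on $ext_if proto tcp to $ldap_srv port { 389, 636 }
pass out on $ext_if proto { tcp, udp } to any port { 53, 123 }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and keep the SSH rule scoped to the management subnet so the login IT asked for cannot be reached from anywhere else.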
Why not run the server externally - co-location, or some other hosting service - and then IT won't be involved at all?
Was going to suggest this, but I would try asking the appropriate people before doing this.
Gorkman
IT should have shut down the network port and had security escort you from the building long ago. HIPAA, Corporate Policy, Common Sense, you've ignored a bunch of regulations.
Testing 1,2,3,4, Testing
Who gets mad when IT doesn't jump at his request.. Just maybe your IT department has other priorities? I see it on a daily basis... For whatever reason some people think the IT department is just playing solitaire waiting for their phone call. Just like you, we have priorities dictated to us from management. Follow the proper process and put a request in for a new calendaring application. If you have a sound business case, then it will get approved, prioritized, etc.. For all they know, your app is only used by you and your buddy to schedule poker nights.
Who is going to support this application? You? Or are you going to expect IT to do it? Who's going to support it while you're on vacation/sick? Who's going to maintain the server, apply security patch updates, upgrading, backup and recovery, etc.? Is the server in a proper location or is it under your desk? Does the cleaning lady unplug it so she can vacuum? (Seen this one happen, don't laugh..)
You know, setting up and configuring an application, especially if there are no customizations, is the easy part. The expensive part, which no one talks about, is the lights-on maintenance. It's funny how everyone thinks they are an IT expert because they have a computer at home. I wonder what would happen if I spent an evening reading a Teach Yourself Radiology in 24 Hours book and took a stroll over to that department.
"Thanks to the remote control I have the attention span of a gerbil."
Is there an Android equivalent of DAViCal?
In the words of Donald Trump: "You're Fired!" My ass would be out of a job even before I asked IT for a port to be opened. Especially at a hospital; didn't you take HIPAA training? I had to do that when I volunteered at the info desk.
It's nonsense like this that makes Slashdot less relevant every day. Whether or not the incident in the story is real, it's so blindly obvious and stupid that it ought not to have warranted consideration for posting. And yet, here it is, and brought to us by CmdrTaco, Mr. Slashdot himself. Between the product-placement ads & book reviews, the old news dredged up from digg, reddit, and fark, and "ask slashdot" ridiculousness like this, what are the editors doing with their time that they aren't filtering out this crap any better?
Rather, he said he needed IT to open a connection through the firewall, implying to me that this server is on the other side of the firewall; aka not on the network.
No, that would make no sense whatsoever. If you claim that you need a port opened, you clearly have something inside the network that listens on that port.
A confusion exaggerated by the Department of Health and Human Services when they named their mascot the HIPAA HIPPO
http://www.google.com/images?q=hipaa+hippo
Circa 1996 the health care provider I worked for was penalized on an audit for using the incorrect acronym. The judgment: "you are not taking the implementation serious".
As most others here are, I'm somewhat stunned that your IT staff would allow a user managed server inside the firewall, even with them having a login. If they actually do open the port, I'd seriously question their competence. But the solution here is relatively simple - return the server you bought and go pay for a year of cheap calendar hosting somewhere. Or better yet, just tell everyone in your department to set up a free Gmail account and use that for calendaring. I find it kind of hard to believe that IT doesn't have any iPhone-compatible calendaring software. Most organizations are using Exchange, Notes, or Google Apps, all of which are compatible with iPhones.
For the same reasons you cannot knowingly allow an unmitigated security risk, you also cannot "cut them out of any form of network access" because doing so might negatively impact provision of medical care to a patient.
Horse-hockey. They can have another staff member retrieve the info for them.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
If your IT department is so understaffed they can't provide basic support for a service they set up, you have a funding problem that doesn't originate in your IT department. You don't fix the funding problem by inviting multi-million dollar lawsuits. And yes, I realize that your hypothetical involves a bad solution with a high cost, but maybe that's the route they have to go because they don't have the manpower to implement a good solution?
If your IT department works like you've described, the smart money is on the problem coming from someplace above them, even if you see a significant number of poor sysadmins at the bottom. They are probably there because somebody didn't want to spend the money on a more qualified candidate.
You should escalate. Go over his head so you can show the bosses what an arrogant idiot you are; how you are willing to risk the hospitals money and reputation so that you and your team can conveniently get your calendar on your iPhone.
While you do that, I recommend you polish up your resume. You'll need it.
"Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup."
The short: Give them an account. For a hospital IT department they're unusually permissive about this. If you're giving them an account with suitably circumscribed permissions, there's zero harm they can do to the machine. Likely the most they'd need to do is shut it down in the event that there's some sort of information leak via the system.
The long: Your IT department requires access to the machine because they need to be able to show HIPAA compliance. This is federal law in the US and breaking it can lead to expensive fines, civil lawsuits, and if severe enough, could do SERIOUS damage to the hospital's ability to continue functioning.
As I mentioned, your IT department is being unusually permissive about this. Prepare for them to want to dissect the setup vigorously as part of their risk management and get ready for additional demands to be placed on you as the price for them allowing this system onto the network. Again, they're not being dicks just to be dicks about it. They're doing this because it's part of their job, and keeps the hospital from getting sued and fined into oblivion.
Grant them an account. And ask them what sort of permissions they need on the box. It may be that they want to add the system to their backup routine, or as a node being watched by the network monitoring system. It could be as simple as needing to be able to cleanly shut the machine down (rather than breaking into your office and pulling the plug) if there is an issue where sensitive data is being released by the system. Go out of your way to be accommodating and IT should, barring issues beyond your control, respond in kind.
Chas - The one, the only.
THANK GOD!!!
Given the possibility of needing to comply with healthcare regulations you might as well give him a limited login (it is HIS network, not yours, dept. head or not), but they should be able to configure it in the DMZ or some other fashion so as to isolate it from confidential information as well as to keep it from affecting anything if it gets compromised.
...... blah blah blah ....
The real can of worms is that YOU brought it into the building, so if it blows up (so to speak) it's your fault. I'm surprised the IT guy even is allowing this, period, login or not. I can hear it now...
You attached WHAT to my network and want to do WHAT with WHAT? Why, I never, this flies in the face of
Flappinbooger isn't my real name
In an academic environment, e.g. somewhere where people do tech research, I wouldn't expect that every electronic thing hooked up needs to be run by IT. That's a very inflexible solution, that might work if network security and stability is valued higher than innovation and experimentation, e.g. if you're in a production environment, and not doing research... You can't do research if you're not allowed to act on your own initiative...
(In fact I wouldn't want to work anywhere I'm not required to act on my own initiative).
I don't futz with the IT guys' systems. They have their process, I have my home network if I want to tinker. Amusingly enough though, they caught wind of my IT background and had my office located across from their cube-pod. So they can keep an eye on "the guy who thinks he knows computers." Ironically, many of the systems here are so old that I do know how they work inside and out, even after 7 years out of the business... but, I've got my home network if I want to tinker. :D
Obviously he meant "Threat Level Rouge", the one above "Condition Fuchsia" and second only to "Alerte Noire"
Sure, Give IT the access they want to the server. Then after things calm down after 2 weeks or so disable that account. IT has bigger fish to fry.
A 1 year application process is insane of course, but if any of our teachers would do what you did without our permission, they would be in deep deep doo doo and probably get fired.
The network, the infrastructure, all of it is our responsibility and if it fails, our heads will roll and rightfully so, but not if others had their hands in our cookiejar.
We do our best to keep everything running as smoothly and efficiently as possible and we work our asses off to do it.
Then again, I guess you didn't ever work with us and I can't judge on the places you've been.
This is the sig that says NI (again)
If it exists on a network where the information passes, it falls under HIPAA for providers. HIPAA is a general PITA and I only have to deal with it as a third party. That said, I think that the issue between IT and users is normally that users that cause problems typically are competent at getting things done, but don't necessarily understand the full impact of their actions. (For example, the server mentioned by the OP is a very real and very legitimate threat and leaves the organization open to multi-million dollar lawsuits if something goes wrong.)
IT isn't just in the business of making things happen, but also making sure that things keep working... all the time. A corporate network is a lot different from a home network. If you screw up and take your router offline for a bit, it doesn't matter. If the same thing happens in the corporate world, it rapidly can start adding up to more than the tech makes in a year if not in his life time. This tends to make a very cautious culture which seems to be slow or disinterested to users. The best way to get what you need is to make a strong argument for what benefit it gives and why you need it and keep pestering periodically to make sure it doesn't fall to a back burner. This is something we have to do even within IT. I've been working for about a month and a half to get an instant messaging server up (I'm a developer but farming out to the infrastructure side of the house on this one.), but when it is done, it will be done right and will be supportable going forward.
In the end, trying to do an end run around IT is generally a huge risk for everyone. If you really need something and think you could do it yourself, talk to IT about it before hand so they know what is going on and can raise any objections or concerns you might not know about. Having the open communication will really help and the fact you are willing to approach it yourself will help show the level of need you have.
AJ Henderson
Well, all these IT problems come from IT always saying "no" to the "business users" or coming up with ridiculous proposals for a solution.
Believe me, the "business users" aren't just sitting out there trying to come up with ways to make IT work harder. They're trying to run a business and make money. When IT consistently says "no" or comes back with ridiculous proposals, the business users have no choice but to go find some other way to do it; and that usually means hacking something together with the limited tools and knowledge available... typically Excel with some VBA and/or Access. They don't have a choice... they have to get the job done because it's how the company makes money. And eventually you get tired of all the countless hours of bureaucratic meetings trying to get IT involved and you just give up.
In a recent example, we have a relatively simple problem... there are 3 simple Excel sheets that have some 100 elements of data that need to be handled each month and put into a database to hold the history. Then an Excel file needs to be generated based on that history. We've been in countless hours of scoping meetings, with a consultant writing the BRDs and Business Cases over the last 4 months. All the while, the business users are handling this process by hand in Excel (how accurate and error-free do you think they are that way?). Finally a solution was proposed... they can do it in 6 months and will charge the business $200k.
Really? For that money, we could just hire a new analyst and just have them keep doing this by hand. But that's not allowed by HR. So I'll be hacking this together over the next couple of weekends. And then IT will get to support it when I won't. They better hope I do it well. I'll do the best I can, but like I always say, "I'm not a database person".
Now wouldn't it have been better to not have all those hours and hours of meetings and just have a database person and a report-writing person sit down with me and spend a week building this "lightweight" application in a way that IT will prefer to support?
We're not talking enterprise-class software that has to have 24x7 availability with multiple redundancy. We just want a database to hold a trivial amount of data, import data from a standard format each month, and generate a standard report. If I can hack together over a weekend or two a solution that works, how is it that nobody in IT (who should know how to do this) can spend even quadruple that time and deliver something that works but is also built in a way IT would like to support?
It's inevitable that the business users will need lightweight applications. And as you know, it's inevitable that IT will have to end up supporting it. Wouldn't it make more sense to get out ahead of it then, and offer lightweight solutions in a reasonable manner, and not force the business users to hack their own crap together?
What most people here don't get is that academia is very different from business. I have no experience with academic hospitals, but if it's primarily a research hospital, I wouldn't be surprised if it's similar to most places in academia. I'm currently a PhD student, and neither my current university nor my previous one had any restrictions on servers so long as you didn't generate too much traffic. Most departments (in fact, most large groups) in universities have their own IT person who runs their own servers, and the main IT department is only responsible for managing campus-wide services (i.e. non-departmental services). Hardware owned by each department is subject to the policies of that department - some will enforce much more control than others. But I've never seen the situation where you couldn't bring in your own laptop and use it to work.
Again, this may or may not apply to academic hospitals, but the notion of a port being closed in a university is absurd.
Every businessman should be a programmer and sysadmin.
Exactly.
Attention, all you "professionals" who advocate the tar and feathers: Both you and the "luser" are equally wrong in this scenario. If you dread rogue servers, you'd better be prepared to ask why the users are setting them up and how you're not meeting their needs rather than crushing their initiative. The dept. head in this example is the type you should actually talk to to find out how you can (mirabile dictu!) make your services better.
No, this doesn't excuse the user. But have some fucking sense, people. This fire-the-bastard attitude (seen in several posts here) is exactly the kind of thing that makes people think outsourcing I.T. is a good idea.
Given your desire to have a calendar server to arrange call schedules and the difficulty with the hospital IT and/or Federal regulations, just move the server. Get a fixed IP at home and set up the server in your basement. Give all your colleagues appropriate logins. Neither IT nor the Feds will care.
Problem solved.
duke out
Hugely successful troll is hugely successful.
The health privacy act or HIPAA (http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html) is very clear about this. This is untrusted HW running on a network dealing with medical records and other private data. There may indeed be h*ll to pay.
I'm actually surprised you managed to get the device networked without IT involvement. Network best-practice requires the network to not admit untrusted hardware so that an infiltrator can't find a quiet spot and hack the servers from within the "trusted" private network.
They should explain to you the responsibilities which come along with running 'your' machine on the network and ask you if you are willing to do the necessary patches and updates all along!
If they are Stasi-like, they send security to confiscate your hardware and might put you before the disciplinary commission.
-
In my workplace IT is Stasi-like (US-gov influenced).
You need to host this server externally (i.e. from home, on your own domain name, using something like dyndns). You've got no business having personal equipment inside the corporate firewall.
Really, this thread is 'over in 1', as I totally agree with the initial comment. Ad-hoc servers on the net: you're lucky they don't give it and you the boot.
I'd have a personalized plate on my car, but "toxic bachelor" won't fit into 7 letters.
Pretty fluffy clouds...
It sounds like it does not have to be physically located in the hospital, just for scheduling. Get a home static IP address and run it, or host it somewhere. This avoids hospital IT, HIPAA and it sounds like the OP is willing to pay a little for the convenience.
Well, it's too bad you didn't share the clinic and/or hospital, because I'd be emailing a HIPAA violation instead of this comment. You do understand that IT allows you to surf the web during all that downtime you probably have. You don't bite the hand that feeds you. /facepalm
You have good intentions and you want to work more efficiently, but the execution was bad. You should have involved the IT staff and gotten them on board, because then you wouldn't be at risk of possibly losing your job.
My advice is, take your initiative to another workplace that will appreciate it, with infrastructure in place that suits your working desires. Docs are cheap and they would rather pocket the money for a server than allow you and your co-workers to be productive. They will also go as far as telling the accountant to not fund the 401k with employer contributions because they'd rather have a bonus for that quarter and the funds can be done later (which was a lie but... whatever).
Sometimes, the answer is to just destroy it all.
They are worried about their information escaping, and their network being compromised. If you put the server somewhere else (or use a google calendar or similar), you would not need the network security hole, and you can access it from anywhere (iPhone, hospital computer, etc.) You just have to make sure no proprietary or confidential information ends up in that calendar.
if the plane went down, the company would probably be dead within a week.
This is a real concern especially for smaller companies. At my company we don't do anything particularly noble, just fun (high-end residential audio/video integration), but whenever a number of us go to a convention or training, boss-man insists that we travel separately (1-2 per flight). It seemed a little self-important considering the field we're in, but if we lost half of our engineering or installation or management staff to a plane crash or similar, that would be extremely tough to recover from.
Nope, never been bounced out of anywhere. And by offsite, I mean not on the local machine, and not within the server farms geographic location - but still within the secured private network of the organization.
as for being "windows weenies" our SA covers us if we need deep help...
Is that supposed to make it ok to be a windows weenie?
I haven't called tech for support since before Y2K, but since I spent a number of years taking level 3 support escalations, I don't hold it against anyone for calling tech support. Some people are just incapable.
"Lame" - Galaxar
No, you don't need to give IT a password on your server. That is, as long as you don't plug it into IT's network.
If someone were to do that where I work, well ... nothing would happen because you'd be put on the guest network VLAN. But if you could, and did, it would be very poorly looked upon.
I see a lot of responses here from people who seem to have very narrow experience in system administration. Allow me to offer a slightly broader perspective.
It depends.
We don't know the administrative or security policies of this hospital. We don't know its regulatory environment or even what country it's in. We know that it's an "academic hospital", and those of us with experience in academic computing environments know that these tend to be very open both philosophically and in practice.
So, it depends. If there is an established practice of allowing groups within the organization to manage their own facilities, then it's completely appropriate to have done so here. And it's completely inappropriate for staff in the IT department to request access to those facilities, especially after the fact. It's either strictly not their business, or only their business within a mutually agreed SLA. As a senior system administrator, I'd regard that as an attempt by staff to undermine security within the organization. Unfortunately we often deal with junior staff who don't know any better but think they do. That's why I think it's appropriate to take up this issue at a more senior level.
Maybe you'll get your knuckles rapped when you do. It depends on whether there is an established policy that defines how such facilities are to be managed, and whether this particular facility is being managed in line with that policy. On the other hand, if there is no policy, then it's the CIO whose knuckles should be rapped.
One thing I can say for sure is that these scenarios come up all the time. Senior IT people have to anticipate this in formulating policy, and they have to build their networks and train their staff toward the goal of making the organization productive and secure. That's why we all get paycheques. It means obvious things like ensuring that patient treatment and administrative facilities are on their own subnets, behind their own firewalls, with DHCP administered very tightly and switch ports locked down. It may mean the same for individual research labs and other groups, depending on their legitimate needs and budgets. It means having a service catalogue. It means having SLAs. That way, if someone comes along and plugs in a laptop or whatever, it's not the end of the world.
Parity: What to do when the weekend comes.
Maybe he could convince them to put the server on a firewalled DMZ. Isolate it from the rest of the network as if malicious; enable the port that he needs. I don't see any reason a compromise couldn't be worked out.
Hospital security, though, must not be compromised. He's already made one critical mistake. He's unknowingly poked IT in the eye by bringing in outside computer hardware. That's a big no-no anywhere data security is important (and can lead to big lawsuits).
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
It's just a server at work. It's not your bank account.
Go out of your way to let IT do their jobs as easily as possible.
Give them the account and even go to lunch with them later that week.
IT being your friends is the smart way to go.
Cheers!
I'm replying here because this is the first post I found mentioning the name of the OP. This story screams "TROLL TROLL TROLL!" to me. The alleged original poster, Dr. John Michael Dorian, is a fictional character from a TV series.
I can see another side to all of this. You tell the IT guys that you need a calendar that the iPhone can connect to. They don't comply. Your choices are to not have one or do it yourself. I have chosen do-it-yourself a lot. I guess what I am saying is that maybe if IT were more receptive / accommodating to requests from their users, then they would have less of a problem with people bringing in their own servers.
How many millions of pages does your website have? Mine is pushing 135 million (unique) pages.
Reading the About Us page, is an explanation that the site is an experiment to monitor search engine response to large numbers of pages.
Upon the next rewrite, the pagecount will be around 500 million pages. The reaction from Google should be interesting when presented with 135 million 301 redirects, and 370 million new pages.
So, a doctor dies and goes to heaven. He's waiting in line at the Pearly Gates, but he figures, "I'm a doctor, I shouldn't have to wait in line like normal people." He goes up to ask St. Peter, who tells him everyone has to wait their turn. Then he sees another doctor walk right up to the Pearly Gates, wave to St. Peter, and walk right in. "Hey, how come THAT doctor got to cut in front," he asks. "Oh," says St. Peter, "That's not a doctor. That's God. He just likes to play doctor sometimes."
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Seriously... My first thought - what the hell were you thinking?
You bought a server with your own money. Plugged it into the hospital's network. And you think that's going to be OK?
Does anybody else know how to run the thing? If you get hit by a bus tomorrow, what're they going to do with the machine?
You bought it with your money. If you get fired tomorrow, are you planning on taking it with you? Is it legally documented anywhere that you or the hospital own this thing? Is its value being tracked like every other asset in the hospital? If the auditors show up while you're out of the office, and ask what that box is and how much it cost and which department owns it, can anybody answer them?
Is the thing safe for use in a hospital environment? Every single piece of equipment in my server room (I work in a hospital) has a little tag on it indicating the last time it was tested to make sure it is safe to plug in to an electrical outlet. We don't do the testing ourselves - another company comes in once a year or so and audits absolutely everything in the building that plugs in to an electrical outlet.
Is the thing going to pass HIPAA regulations? You said it's a calendar server... Any chance you'll be putting any PHI on there? What safeguards are in place to make sure that any PHI on there will be protected? Or what kind of safeguards are in place to make sure PHI doesn't show up on there?
And you find it worrying that IT wants to know what you're planning on using port 8443 for? 8443 isn't a standard port number. I've seen it used for a number of different things - not all of which I'd want running on a random box on my network. And it doesn't sound like you asked for any kind of clearance ahead of time... Do you even know if they run public-facing servers on the same network you've got the thing plugged in to? Do you know if they've got a DMZ somewhere that this thing should be plugged in to? Do you know if they're already using 8443 for something? Do you know if they've got a public IP address available for your use? Hell, were you even given a private static IP to use, or did you just grab something that didn't respond to ping?
And you're thinking it's unreasonable for IT to have a login on the machine?
If the thing starts misbehaving in the middle of the night, are they supposed to page you in to fix the issue? If some segment of the network develops issues and they need to move your machine elsewhere, are they supposed to call you in to do it? If it becomes compromised and starts spitting out garbage, do they call you to clean it up? Are you going to become an honorary member of the IT department, solely tasked with maintaining this single machine? And are you going to personally train a replacement when you leave the company? Or when you go on vacation? Or when you get sick?
"Work is the curse of the drinking classes." -Oscar Wilde
It's not that employee schedules are necessarily protected under HIPPA (more on that in a minute). It's that the entire network is protected under HIPPA in that data breaches would violate HIPPA whether it's IT's fault or not. Since they're on the hook for any data breaches that happen as a result of technology (rather than a malicious doctor printing off his patient's records and mailing them to newspapers, for instance) they have a very good incentive to make sure that they know everything about everything on that network. If you start plugging in a server, even if it's only to schedule employees, you're expecting IT to take your word for it that employee scheduling is all that will ever be on that server, and also that your server is properly protected from attack, and *also* that you aren't giving logins/passwords to people who might decide to see how far they can get cracking the network.
And that doesn't even address the problem that employee schedules can indeed be HIPPA issues, depending on the format of the scheduling. If it's "Dr. Jones, 9-9 Monday" that's one thing. But if it's "Dr. Jones, Smith Hysterectomy, 3pm Tuesday" then now you have confidential patient data on your employee schedule, and so IT needs to make sure that only people who need to know that are seeing it.
"I disagree with you" does not equal "flamebait."
If this touches the network that the servers containing HIPAA (not HIPPA) data are on, then that is where the HIPAA violation may occur.
Do you Gentoo!?
Who actually let this topic get to the front page? Dude, stick the server in your basement and be done with it...
-----
petes-brain - it's in his basement
I work in a similar environment, and I understand both the user of technology and the IT sides of things.
What it basically boils down to is this.
I want to use technology A, I contact IT and ask if it is possible, they say sure, anything is possible, but it will cost you X dollars. At which point jaw hits floor. Looking outside of the IT structure I see I can have it built for Y dollars, which is a mere fraction of X.
Though I understand on the IT side of things as well. Who is going to maintain A, particularly after you up and leave and it is not a critical system? Not to mention all their security policies they must adhere to etc...
Anyway, for this particular example I would say no, IT shouldn't have a login to your private server; however, you also shouldn't have access to their network. If you want to develop external to the system, then it should be external to the system; don't expect to be able to connect to it.
But consider the unexpected. The machine in question is behind the primary firewall and can expose the rest of the network to risk.
What if your box is not patched properly and catches a worm? The IT department probably receives memos and straight away that morning runs a script to login to all machines on the network and execute some check for versions of something, followed by a request to you to patch it up. With no login, they can't do this.
What if your box is the weak point of the network and becomes a haven for some hacker? With a login the IT department can check to see if there are attacks on that server. In essence, remember that the IT department is called "IT services". With the login they provide babysitting services for your server. Evidently you weren't able to get resources paid for by your organization to make this happen, but since you have provided the hardware, and they're willing to service it for free, might as well. This will leave more time for your actual job, which is... I missed that, but somehow related to actually serving patients. So, that's good. Personally I would provide them with both root and a standard login, with the expectation that they will safeguard this info appropriately. At any rate, this entire situation seems to me to stem from a lack of communication, and poor communication skills. IT folks are known for this. Give them a break. Their usual human interaction is limited to phrases such as:
What should have happened is your IT guy (or girl?) says "Oh. Servers on our network need regular security audits. Could you set up a login for us to facilitate that? It will take X days and then we can open the ports you need."
Sales skills are required in every human interaction in which you wish to get your way without question. Simply provide some information, a benefit, then request what you need, and if possible follow up with more information involving a benefit.
I would hope that the owner of this indie office server can submit receipts and get the server paid for and ownership transferred in the future, after all the red tape gets dealt with.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
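The post above describes IT logging in to each machine with an ordinary account to check patch state and look for trouble. As an added example (my own, not any poster's script), here is the kind of unprivileged check such a login makes possible: it lists what the host is listening on and compares that against the ports the owner declared to IT, here assumed to be ssh and 8443 for DAViCal. The sample listener lines are constructed; on a live FreeBSD or Linux host the `--live` mode reads them from `sockstat` or `ss`, neither of which needs root.

```shell
#!/bin/sh
# Unprivileged listener audit (assumed example, not any poster's script).
# Compares what a host is listening on against the ports its owner declared
# to IT; everything here runs as an ordinary user, no root required.

# Ports the server owner declared (constructed: ssh for admin, 8443 for DAViCal).
ALLOWED_PORTS="${ALLOWED_PORTS:-22 8443}"

# Succeed if port $1 is in ALLOWED_PORTS.
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read "proto local_address" lines on stdin (one listener per line, e.g.
# "tcp4 *:8443"). Listeners bound to loopback are skipped: they are not
# reachable from the network, so the LDAP daemon behind DAViCal would not
# count if it only binds 127.0.0.1. Each undeclared listener is printed as
# "UNDECLARED proto address", and the final line is the count of them.
audit_listeners() {
    undeclared=0
    while read -r proto local; do
        [ -z "$proto" ] && continue
        case "$local" in
            127.*|\[::1\]*|::1:*|localhost:*) continue ;;
        esac
        port=${local##*:}
        if ! port_allowed "$port"; then
            echo "UNDECLARED $proto $local"
            undeclared=$((undeclared + 1))
        fi
    done
    echo "$undeclared"
}

# Produce the "proto local_address" lines from the live host:
# sockstat on FreeBSD, ss on Linux. Both work without root.
live_listeners() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -46l | awk 'NR > 1 { print $5, $6 }'
    elif command -v ss >/dev/null 2>&1; then
        ss -ltnH | awk '{ print "tcp", $4 }'
    fi
}

# Run against the live host when invoked with --live; exit non-zero when any
# undeclared listener is found so the check can feed a cron job or a monitor.
if [ "${1:-}" = "--live" ]; then
    report=$(live_listeners | audit_listeners)
    printf '%s\n' "$report"
    [ "$(printf '%s\n' "$report" | tail -n 1)" = "0" ]
fi
```

Fed the constructed lines `tcp4 *:8443`, `tcp4 *:22`, `tcp4 127.0.0.1:389` and `tcp6 *:5900`, the audit reports only the `5900` listener and a count of 1; the loopback LDAP port is ignored and the declared ports pass. The point for the thread is that this is exactly the sort of thing a non-root account is enough for.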
As a retired IT manager with a duty to provide a secure network, I would not require an account on your system.
As soon as I discovered your action, I would call for your immediate dismissal, get security to escort you from the site (sans box) and then I would assign a tech to wipe your drives with extreme prejudice before shipping it to you at your cost.
This may seem harsh, but I have seen the cost of similar acts in real life, and users need to be aware of the penalties.
Incidentally, I would charge my time and that of the tech to your line manager, and include the cost of a thorough security audit of all systems in their department. Hopefully all involved would emerge sadder but wiser.
nec sorte nec fato
I am head of an IT department at an academic hospital. My fellow faculty (a dozen or so) want to switch from caffeine to amphetamines (night and weekend on-call schedule). Most have a hypodermic or similar, so I envisaged an ephedra lacing. The Hospital Doctor doesn't offer any ephedra-laced amphetamines, so I bought (with my cash) a chemistry set, combined methamphetamines and ephedra for kick, and buffered it with saline. After I tested it out on a neighbor's cat, I emailed the doctor to ask to allow extra hypodermics for this dosing. The doctor (after asking what the sodium hydroxide was for) said he would allow the dosage after I provide him with a record of clinical trials. I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any local trial, to ensure it has no major issues, but I'd rather not let anyone else have the secret formula. What do the readers of Slashdot think? Should I give the doctor the clinical trials of a formula that is not owned or managed by him?
So go ahead, inject caffeine into your veins all you want.
You can have it fast, accurate, or pretty. Pick any 2.
Cmdr, please stop taking the trolls out for a walk in the park. Admittedly, the trolls do enjoy it, and there seems to be a lot of public interaction, but really, it's a bit of a nuisance. Please, the next time they ask, just say no....
jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented).
I don't watch "Scrubs", but Wikipedia says that J.D. Dorian is a "residency director" on the show's teaching hospital.
I don't let random employees set up machines on the network and then allow outside access to them. I would want root access and a full rundown on what you were running on the system and who would have access.
They are being completely reasonable by requesting a non-root account.
Setup a dummy computer that does nothing. Put in all sorts of interesting looking things.
Then let him have access to it.
"I've worked at 4 colleges, and the IT departments were invariably mouth breathing morons at all of them."
Why do you blame the IT department then, instead of the real culprit, which is the HR department?
Once you plug a server into someone else's network, it's their server. IT has all kinds of accountability for anything plugged into their network. You plug your server into their network without their knowledge or consent, and you are basically operating a black box that they cannot control or audit for compliance.
So....I vote YES...give IT whatever they ask for.
If a simple non-root account is all they're asking for, consider yourself lucky that they are still granting you the privilege of operating a server on their network.
If your IT department was anything like ours, they'd shut down the port your rogue server is on as soon as it was detected. Then you would make the dejected call to your helpdesk demanding that the port be re-enabled. The helpdesk would log the call, and most likely refer it to their manager. IT would probably then refer the matter to your manager for disciplinary action.
Just... stop! IT departments hate users like this who think they are above established policies simply because they know more about computers than the average bear. Chances are that they will be less likely to accommodate future requests after this incident.
"Ask not what your country can do for you." --John F. Kennedy
It isn't an approved machine on the corporate network. IT not only has the right, but the duty to have it shut down immediately.
You wanna run your calendar from off site? That's fine. But inside the corporate network?
Naughty user. Bad user. Stop. Stop.
I'm of two minds on this one.
On one hand, my experience with corporate IT has been very poor. Usually, they're the ones preventing you from having the tools you need to do your job, or making poor use of resources, or sneaking in and doing something to break a previously working situation. One good example: my department is responsible for maintaining a number of industrial PCs and servers, and not only are we blocked from the Microsoft download site (so we have to download patches on our own time at home), but there have been times in the past where IT has sneaked in and made changes to working machines that make them non-working machines. These machines control and monitor life-or-death situations, so we're working on getting IT off our machines and out of our systems.
On the other hand, It *is* their network right up to your server. You have to understand that their mandate is to operate and protect that network.
It's been a long time.
iPhone compatible calendar tool
Your hospital must be big enough to have Active Directory and Exchange. Exchange is iPhone compatible! If your IT refuses to set up Exchange for iPhone, tell your boss to hire a new CIO. This is not how your IT department should be working. P.S. I am the head of IT of RadOnc; I feel your pain.
Your eloquent response didn't answer the question. Would this prevent someone from running a packet sniffer?
Godaddy is a scam and a ripoff.
1. register MyDepartmentOnCall.com (don't name the hospital for various reasons)
2. sign up for google apps
3. set everyone up with accounts on there
4. pray no one puts patient info there, and only "I'm working/I'm not working/I'm on call" info, because you'll be the one sued.
Did Slashdot take up trolling?
Lots of hate-ons from the sys-admin crowd here, probably understandable though. Why don't you try a scheduling company like DocRoster, or use Google Calendar? Google Calendar works seamlessly with Android smartphones and is the favoured tool for scheduling classes for students at my university.
Just kidding.
Seriously, the only real answer is to get that server out of the building and far away from the network and set up a calendar server correctly with monitoring and backups.
Actually, the real problem is corporate attitudes spilling over into academia. Maybe an insurance company or a sprocket manufacturer can lock down its network to run only the handful of services that an obedient little cubicle-dweller needs - but part of the point of academia is to experiment and investigate, so that system is really not fit for purpose.
That's why there must be a separate R&D/lab/whatchamacallit network (usually several, so things like DHCP can be set up as needed). Experimentation and investigation has no place in any office network (at least once all users aren't within shouting distance of each other). A regular company/office network is indeed not fit for the purpose of research and development work, for very obvious reasons.
Heya jddorian, A lot of slashdotters have jumped straight onto the defensive bandwagon, and given that most of us are IT professionals it's understandable. I'm suspecting that if you have to go to the effort of building your own servers, there’s a distinct lack of IT support from your IT support. I've seen both sides of these types of arguments; I hope you can resolve it! There's no harm in asking IT and Networking why they want access to the machine. Good Luck!
Right on! Mordac, the Preventer of Information Services (not "the goat with a thousand young", more like "the ass with a thousand cracks"), seems to have posted along with all of his/its clones in this thread. If they won't do what is requested, they must be bypassed or fired. They don't seem to understand that they aren't meant to have any power to delay or prevent use of computers and networks for whatever the real producers say they want to do. Advise, fine. Try to get broad support for more integrated solutions, fine. But if they don't provide requested services immediately, if they carve out fiefdoms and try to throw their weight around, pretending to be "administrators" and "owners", they need to be replaced. Their value lies somewhere between janitor and mechanic; they should not put on airs.
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery?" - Patrick Henry
Study the OWASP top-ten & you might get an inkling *why* IT would want this. It's to plug into automated scanning tools that, among other things, try documented hacks for privilege escalation. The best way to accomplish that is to start with a normal user account.
I have about 25 years as a sysadmin, and a manager of sysadmin departments. Sometimes my department was corporate admin, and sometimes I was hired as a local admin for a development group within the organization.
What I've observed, from both sides, actually, is that if corporate admin does not meet the needs of its users, little IT departments will (not may, will) spring up all over the company. Many of them will be manned by wannabees who don't know what they're doing and/or don't understand security issues. The trivial example is the department that's tired of requesting that the corporate wifi gets extended into their building, and puts up their own unsecured wifi in order to get their work done. Yes, they had a point. No, they shouldn't have done that.
Some departments will hire a professional and start loading a wiring closet up with servers.
The way to prevent this is not to forbid it. Life finds a way. Instead, take the hint and try to understand what they're trying to do and why, and how this incorporates into the existing infrastructure. Sometimes the answer really is "no", but you will be able to articulate why, and offer alternatives.
If you insist on battling your users over control of your infrastructure, you will lose, because there are more of them than you.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
The original poster could be a troll, or they could be someone trying to get advice without revealing who they are. In some academic environments, IT is stretched very thin and it lacks authority to enforce what should be standard operating procedure. If someone wants something done, they refer to their local, unofficial IT staff and jury-rig it.
Eventually IT inherits the kludge and has to figure out how to make it work. If IT is lucky, it comes before a disaster occurs. If IT is unlucky, it happens because of a disaster.
I am the CIO/CTO of a major medical organization. Had you plugged that server in on my network without authorization from IT, without a security audit performed, and without any compliance auditing performed - you'd be looking for a new job. That being said, I completely understand the desire for tinkering and providing a good solution to your colleagues and peers. But, to do that without consulting the IT department is very inconsiderate. They are working their asses off to make sure that everything is working as it should, while managing user complaints, hardware failures, asset tracking, data retention policies, and a myriad of other odds and ends. By plugging in that server, you've just undermined everything that they are doing. You're putting an untested application onto a network that you're not familiar with and hoping it doesn't break anything - without any consideration of the port mapping schema, or IP addressing schema that is in place. The next time you're feeling technically savvy, my recommendation would be to consult your IT department beforehand. At the very least, you should be severely reprimanded for your actions. You are jeopardizing the reliability and security of hospital systems with your little project.
If this were my dept I'd block the port, initiate an audit of all your machines, and have already reported this to my superiors.
Before you even get into liability or fines just the mandated actions that have to be taken after a HIPAA breach can cost your institute a small fortune.
You might not have personal health information on that machine but what happens if somebody compromises it and uses it to launch attacks on the internal network against machines that do ?
I'm amazed your IT dept even allowed your new machine on the network (our switches won't even talk to a system before it goes through IT).
Actually I'm guessing they do have a policy and either you don't know it or are ignoring it.
If you're the head of the dept you owe it to your institute to make sure this is done right - else you deserve to be fired.
Is your system HIPAA compliant? If it's not vetted for HIPAA compliance, then you potentially place the hospital as a whole at legal risk.
It's been my experience that Hospital IT are guys who want to empower the end user who have legitimate reasons, but can be constrained by their own budgets to give "cutting edge" technology to the end user. However, it's always easier to catch flies with honey than vinegar. I would tend to agree that you need to be pretty transparent to the IT group. They certainly can help you do what you want, and perhaps even make what you're doing more efficient and maybe even more broadly available.
If you have patient information on the schedules, or potentially could have patient names or other details, you really need IT to help you be HIPAA compliant.
(And, if you're not in the US, then whatever version of HIPAA compliance your country has in place.) :-)
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
No, in a properly run network you don't have random open ports to plug in to. If there isn't a device currently plugged in that is authorized, the port is OFF. Leaving open hardware ports "laying around" is a huge risk.
Now, that doesn't mean that you couldn't cheat and try putting a switch of your own on that one live port in your cube, but there are solutions to prevent that from being effective too.
---- Booth was a patriot ----
Hi, I work as a doctor in the NHS in the UK and over here we can't do what you propose. The main problem here would be connecting your server to the NHS network. I know of a senior consultant (the equivalent of the US attending physician) who was disciplined for connecting his own computer to the NHS network. Another problem would be that IT would not be able to control your iPhones or whatever remotely, so if you lose one with confidential data, they would not be able to delete the data remotely. In my hospital we wanted email/calendar/dictation on the go, we asked the nice IT people and they set this up with Blackberries. This works well. The way we organised this was through the hospital's IT/IG group. When something does not work, when the dictation client needs to be reinstalled, when we don't know what we are doing we ask them and they do know and are very helpful. We look after the patients, they look after the computers. They back up everything. Say your hospital agreed to let you have your little server. Would you be doing the backups and help people get their data back when something goes wrong? Are you going to give your colleagues your mobile number so they can ring you whenever they have a problem? Would this interfere with whatever it is that you normally do at work? Don't bother. It is going to be a major headache even if your hospital agrees to let you do this. Regards
OP, you sound somewhat security conscious so I would ask you the question: Would you let the IT guy plug a small server into your home network? Would you let the IT guy plug the server into your home network if he gives you a regular user account on the machine? Would you let the IT guy plug the server into your home network if he gives you a root account on the machine? If you are actually security conscious I assume that you would answer no to all 3 questions. A better solution would be: why not plug your little server into your home network and punch open the hole in your own firewall. You would have full control, and would never have to give the IT guy an account. In the meantime you can keep pushing them to set up the service on an official hospital machine.
hmm... I dunno... "Mrs. Rebecca Smith's Posterior right upper quadrant XRay to look for evidence of : 2PM" being sent through the internet via the IT department's network seems like it could happen in such a situation. If IT does not know about it... especially in Healthcare where we are highly trained and smart, then we have a huge problem.
Is encryption used? Who has rights to build the schedule? Is there data validation being used to block certain information that looks like PHI? Who is handling security patching to prevent this server from infecting the rest of the network? Who deals with the support calls when the physician can't open his calendar? (IT actually tried to help because we like to provide a good customer experience in health care).... I am sure if I thought about it more I could provide you with 50 more reasons it is stupid to expect this rogue server to be allowed in a health care situation.
Even better way to get something done... go to the IT department, say, I want a project to build X feature for my Doctors. How much will it cost?
IT returns with the best quote, you take that to your budget committee and ask for the funds... they give you the funds, you go back to IT and say, Here is the money... I need it by the end of the fiscal year so I don't lose the money...
IT project manager talks to you and starts spending your money... a few months later you have feature X.
Seriously.... if you have the budget and worked with IT while securing the funds for the project so it gets on their calendar... the project will be on the front burner.
Consider it to be a CYA type thing. It is a computer. It is on the network. While you may have set it up, IT ultimately has to answer for things that are on the network. If your machine ends up being a security hole, they will get the blame at first because some part of the network was hacked. If they can't sign in to your machine to verify that everything is up to date, they can only assume that your machine is the cause and they can't fix it.
Note that the lab servers are probably locked down so they won't do much damage if they are hacked. They may even be managed by IT, even if the content comes from the labs.
of course it did, wouldn't be a good horror story otherwise.
Remind yourself: You may be technical but you don't work in IT. Your job responsibility is not IT.
This scenario is especially prevalent in academia. Academic freedom is important, but all too often it spills over into areas that it really doesn't belong.
Actually, the real problem is corporate attitudes spilling over into academia. Maybe an insurance company or a sprocket manufacturer can lock down its network to run only the handful of services that an obedient little cubicle-dweller needs - but part of the point of academia is to experiment and investigate, so that system is really not fit for purpose.
Like I said in my post, Academic Freedom is important, but it too often spills over into areas that it doesn't belong. Some health care administrator installing a server is one of those areas. Operations wouldn't let the academic dentistry department experiment with the building wiring, nor would the security officers allow the nursing academy to experiment with investigating crimes and detaining people.
That aside, despite the many problems that arise when people homebrew solutions, the one that is immediately obvious is support. What happens when that academic leaves, his co-workers are now dependent on his custom system. Is it now IT's responsibility to support it? The ideal solution in the Academic world is a flexible, cooperative, intelligent IT department, and an academic staff that has clear direction on how to approach IT, start a project, and develop a solution together.
I'm sure that there are some IT departments out there that aren't flexible, or understaffed and unable to meet the needs of every academic they serve, but over time, dealing with everyone's custom solutions really becomes a support nightmare, further hurting IT's chances of providing good services.
You'll note that I didn't stress security concerns. A properly designed network should greatly minimize the chances that any rogue device could cause damage. What custom solutions do more often, is create support issues, often are less valuable solutions than if they had consulted with IT experts, and in general, are an inefficient use of employee time.
Working 10 years so far in IT healthcare and I can say this, every time there is any hint of possible data being compromised whether it be incoming or outgoing (this isn't even touching on HIPAA and the incredible pain in the ass it is) the hospital IT department ultimately has to answer to the CEO why server X is on the network and why is it doing XYZ. I can tell you that in every facility I have worked in as soon as this came to light the switch port would be shut down and there would be a nice little team from IT in the dept asking a lot of questions as to why there is a piece of equipment on the network that the hospital didn't purchase. My advice, take your server home and go through IT channels for your scheduling.
The world called out for a hero and all it got was me...
What makes you think that will stop them from trying ... then reimaging the server when it doesn't respond?
So you want to hang out in a city of a million ungoverned men? I hope your Uzi-wielding and ultimate fighting skills are up to snuff, not to mention your ability to gather a protective gang around you through a combination of intimidation and loot-sharing.
Where are we going and why are we in a handbasket?
"these little POS solutions suddenly become the most critical production apps without anyone telling IT" .. You mean, other than the time when the manager asked IT if they could create a solution from scratch, and instead got an excuse designed to make the manager want to give up on the solution that is urgently needed.
They DID ask IT.
IT said: it's too hard.
The number of aggressive, obscenity laced postings from supposedly "professional" IT practitioners exemplifies the deep problems in that field today.
Over the last 30 or so years, I've had the privilege of working with many truly talented and effective IT people.
The best of them, like the best people in all fields, were modest, flexible and had a keen understanding of how they could best contribute to the wider enterprise.
Over the past decade, or so, I've seen a cultural change in IT. There are still a lot of awesome people in the field, and I respect the profession highly.
But I've noticed an upswing in practitioners who seem to be poorly skilled and highly aggressive (perhaps to compensate for any self perceived inferiority).
Strangely, these people are often not promoted and so they are increasingly in the front line of IT.
So when a person talks to IT, they often are confronted by appallingly poor skills and overblown aggression. Over time, this taints all IT people.
Have you wondered why supposedly smart people do "end runs" around IT? Have you ever experienced people diverting funds that should go to IT into other groups? Do you complain that people never come and talk to IT about their projects anymore?
Conversely, do you find yourself simply saying NO to people rather than trying to solve their problem? Do you find yourself getting angry when people challenge your "authority"? Do you regard IT processes as superior to your organization's goals?
I'm going to play Devil's Advocate and go against the IT-sympathizing majority and say that it depends. I can see it being entirely possible that inside a place like a hospital, in a department that is as high tech as the OP is claiming, that a Department Head may be in charge of organizing the set up and maintenance of medical equipment that is outside of IT's direct (or at least day to day) control. A territorial Department Head, especially a knowledgeable one, may want to keep IT's involvement as minimal as possible, if only to avoid red tape.
I work as the head of IT for a library which, admittedly, is not nearly as regulated as a hospital, but we've had some similar issues. The library system we are a member of will, for a fee, manage our network, we choose to run our network and servers internally. Every once in a while, we'll make a change to our internal network, such as a superscope addition, and they'll scream bloody murder, and say we can't do that, that they need access to everything to keep it all from blowing up or something. Without telling us why. So, without knowing the full scope of IT's role at the hospital, I can potentially see a situation where the Department Head may not be completely unjustified in asking why IT wants access.
Except, you forget, this is a doctor we are dealing with. He'll skip the "ask forgiveness" part and skip right to the "I make more money than you" or "peel out of the parking lot in his BMW" step.
They didn't buy it, they don't maintain it, they don't use it. Let them scan it and check everything over, but don't give them login credentials.
Unfortunately it's just another IT department with a God complex.
I think not. If you want to put something on my network, I need to approve it *before* you connect it to my LAN. We get root/Administrator/whatever and you get user access to the application only -- certainly not console access. If you don't want us to have access, then don't put it on our network. That's not a god complex -- We're *responsible* when something goes wrong, not you. We're expected to make it go when it breaks, not you. When bad things happen it's our fault, not yours. As such, users *will* keep their greasy little paws off of *my* servers. Period.
If the OP's IT staff has a problem (e.g., they're morons or provide crappy service to their customers) then they should fix the problem, not start their own IT infrastructure.
The IT folks at the OP's site should implement NAC. That'd fix his wagon but good.
No device (mobile devices and laptops on my guest wireless network don't count) gets on my network without the explicit knowledge and approval of IT *first*. That's how it's supposed to be. Not because we like to annoy users, but because if we know about it, we can (gasp!) monitor and support it. We can also make sure it's not going to interfere with other network traffic or cause problems for other applications.
I've seen way too many rogue implementations over the years and, for the most part, they were far more problematic than any systems we knew about. Invariably it was IT's fault of course. "So what if I didn't tell you that we hired consultants to install this Sun cluster and a half-dozen workstations eight months ago. Those consultants were costing way too much money so I fired them. But now it's broken! Fix it! How should I know what the root password is? You're IT! Figure it out!"
I'm sure the above paragraph will sound painfully familiar to many.
No, no, you're not thinking; you're just being logical. --Niels Bohr
I've been where you are now, and I've been the other side of it.
The problem is that IT have a bunch of standards that they have to obey. Those standards are there for good reasons, and ultimately stop the company infrastructure from degenerating into a mess.
What you've (and the OP has) done is circumvent all those standards and create a mess. I know it works now, and it 'gets the job done'. But in 3-5 years you'll leave, and it'll stop working, and your VPs will ask/demand/scream at IT to come fix them, and some poor bastard will have to unpick all your work and migrate it to a stable state on stable platforms that actually allow it to work properly. That effort is going to cost a lot more than the 2 years and half a million dollars that it would take to do it properly from the start.
Basically, what your VPs have asked you to do will take 2 years and half a million dollars to do, at the cheapest. They either pay that now, or pay much more later fixing the mess you've just created.
You think you're doing good and helping the company make money. Trust me, you're not. Stop now and go back to the VPs and tell them IT stopped you from fulfilling their request and they need to go through IT to get it done.
Remember the Maker's Triangle: Quick, Cheap, Good...Pick 2. Ultimately, someone has to take your Quick & Cheap and make it Good, and that will be Slow and Expensive.
Business/App ideas are like arseholes: everyone's got one, they're mostly shit, but very rarely they contain a diamond
There is another variation of this problem that's worth mentioning that involves hosted services. Individuals in the company may be tempted to create unauthorized individual accounts on cloud services and put company information there. Like the OP could have created a bunch of calendar accounts for his coworkers on some popular service. This has the potential to be even messier than the rogue in-house server case as the data is likely already non-compliant by being on some other organization's servers.
Another more minor issue is if the company decides to use such a service and create logins linked to the domain name. In that case there may be account clashes whereby the users must jump through some hoops to access their rogue account as well as the official one since they may use the same email account to access both services.
Your eloquent response didn't answer the question. Would this prevent someone from running a packet sniffer?
That depends. On my network, unless your MAC address is configured to access the production network, you get kicked to the guest network with all the access to the Internet you like -- but no access to my production network. As such, you could absolutely connect a sniffer and, if it suited you, you could capture all the broadcast and multicast traffic you wanted *on the guest network*.
However, the network policies where I work aren't nearly as paranoid as I'd like them to be. If I had my druthers, any unapproved device plugged in to the network would get no access at all, in which case a sniffer would be completely useless.
Then again, if (and it seems that it is at OP's place of business) you're not using some form of NAC, then yes you could plug a sniffer into the production network. However, in a switched network (assuming the switch port in question isn't trunked), all you would see is broadcast and multicast traffic, plus any unicast traffic directed at you.
N.B., this applies only to a sniffer such as Wireshark. Using other tools in conjunction with the sniffer, coupled with knowledge of the network you're hacking could net you much, much more.
No, no, you're not thinking; you're just being logical. --Niels Bohr
Yes it went down. Luckily for us his grave was directly over a network cable so he could post it.
Well, I might have a way, but it only works on a semi-spherical planet in a vacuum.
I work in the IT department for a level 1 trauma hospital and can say unequivocally you are completely off base with this one. There are rules we all must follow, but apparently you have trouble following the rules set forth by your IT department - which are there for specific reasons. Your "cowboy" approach could cause irreversible and catastrophic damage to all of IT and thereby potentially cause personal injury - or death - to patients. You should be ashamed of yourself.
If the IT person wants access to the system, it's to make sure that nothing is going to cause any harm to the network or infrastructure. Man up and give him access.
But why can't the IT organization come up with "quick solutions"? Are there no people in IT who know more than me who could make something "as good" as the POS I cobbled together in a week or two?
Because you asked the IT staff for a solution that everyone in the business can use. So they were trying to make one that would be able to handle the load, and the stress, and the security requirements.
YOU, on the other hand, cobbled together a piece-of-shit implementation that will cause nothing but headaches over time, will crash when it hits the Windows filesize limitations, and that can't be used by anyone but you.
I also know this makes a mess for the IT department when they have to inherit the POS I made. But just imagine how much easier things would be for the IT folks if they would provide people to help with these quick solutions so that they are designed reasonably well and are easier to support. Considering how much time and effort they have to spend on the back-end of it, dealing with crappy databases and data, it would probably actually require less time and effort if they availed themselves at the front-end when the business needed a quick solution.
See above, you fucking incompetent nitwit. They offered you the solution that would WORK FOR THE ENTIRE COMPANY. You wanted everything now and for zero cost.
Fast, Cheap, or Correct. Pick ONE.
You've failed.
I used to sell outsourced IT. When we ran into an inflexible IT department that would not support new stuff (which at the time were PDAs and old-school Blackberries), it was almost a guaranteed sale. Why? When people hate something, they are willing to commit ritual suicide to get rid of it. Companies with IT departments that constantly veto business plans, treat users with contempt and basically are hated by everyone will give up a great deal of control to get rid of pain.
The way you beat outsourcers is to destroy their value proposition which is: "same thing you got, cheaper" or "same thing you got, without the pain in the ass"
Here's how you beat it: understand business reality and deliver a net positive. That's the part where revenues are down, and the company has to shrink/adapt/change/deal with new challenges. When a board is seeing IT as an outsource play, it means one of two things: either they can get the same thing, or they are sick of IT standing in the way. In either case, it means IT IS TIME FOR A SURVIVAL DEPENDENT CHANGE IN HOW IT DOES BUSINESS.
BTW - when you start seeing lots of SAAS invading your company... you are being outsourced.
-- $G
I once worked for a boss who promoted a policy that this was forbidden unless she was one of the travelers. I thought it was funny. Sadly, she was serious.
MAC addresses are configurable.
My point is, you have to be careful who you hire and then give them the resources to get their work done. In corporate IT, users are the customers, not the adversaries.
Godaddy is a scam and a ripoff.
See above, you fucking incompetent nitwit. They offered you the solution that would WORK FOR THE ENTIRE COMPANY. You wanted everything now and for zero cost.
Actually, we have about 500 users using the application in 30 countries, and the application is actually quite stable. In five years, we've only had a couple hours of unplanned downtime, and half of that was a Citrix server problem (out of my control). Most of our planned downtime has typically been for upgrading servers (moving from SQL2000 to SQL2008 servers, or from a single Citrix box to a farm of Citrix servers for the application) and happens on holidays.
When I started, we supported this process for 8 countries and it took over 3 weeks every month to do (we were doing it by hand, in multiply-linked excel sheets, checking things in and out of an "e-room"). Now we support 30 countries and complete the process in 5 business days (with about 10 times the amount of data and detail). We have daily backups and have never lost a piece of data that couldn't be restored within a day.
Every year or so, we keep going back to IT asking them to propose a replacement solution. We're not even asking them to "take over" what I've done, but to come up with their own way of solving the problem with whatever tools they want to use (Teradata/Cognos, in-house job?). After about 40 hours of meetings, they come back and say they can't do it (for any price). And unlike the first effort with them, we now have a working prototype that actually captures all the business requirements and business rules. We're now in a position to more clearly explain exactly what we need and they still can't or won't do it.
So, it exists and is doing its job, or doing it by hand waiting for a solution that will never come. Pick one.
Note, I'm not struggling with the entire IT organization. The people in IT who provide servers: SQL servers, shared-drives, and Citrix platforms, etc. are fantastic. I ask for what I need and they work with me to clarify what's actually needed then cheerfully provide it. I couldn't keep this going without them.
I have 2 words for you... HIPAA and DMZ
The fact that you felt you needed to create this server in the first place means that you and your IT department are not working together. If there is a need for something from the clinical side whether that is scheduling or medical records then your IT department should be working with you to get what you need. If you don't have that kind of relation with your IT department then you need to build it. If it's your fear that's the problem then you need to suck it up and deal with what IT's policy is. If your IT group is being difficult and not working with the clinical side then you need to help find ways to create a better IT group.
Don't forget that the IT department is a service group; if they are not servicing your needs then they aren't doing their jobs. As distasteful as that might be to admins like myself that's the truth. That doesn't, however, give you the right to mistreat them, just a reminder that they are there to facilitate the organization as a whole.
Cutting off the IT group is no solution, just the same as the IT group cutting out the clinical side is no solution. Work together and if you feel strongly enough about IT then step up and become a liaison between the IT group and clinicians.
C. Particle
Yes, HIPAA applies heavily... but there's the other question: does IT have any *Nix expertise, or are they all Windows (and maybe Mac)? If no *Nix, then the issue is that they have no idea of what to look for, and will a) want to misapply Windows criteria to a *Nix system, and b) want to take it over and make it M$.
mark
Yes, you should give IT a login on your rogue server. A root login. And you should beg their pardon for setting up a server on their network without their permission. How are they supposed to run their network and keep it secure with people like you popping up servers in every nook and cranny? (Rest assured you're not the only one.)
Stop with the anarchy. If I were running IT there, I'd give you 3 minutes to turn that box over to the people who run boxes like that for a living or get your whole department removed from the network.
You have to look at the reasons why IT Fiefdoms develop.
On the one hand it's because information is power, so it's no wonder every department head wants their own info server and databases.
On the other hand it may be because "Official IT" is too slow-moving and conservative. Ever had the meeting with Dr. No? Incredibly frustrating.
So what if IT services had a few 007 types (special agents) whose job was to "GET THINGS DONE AS WANTED, FAST" for the departmental stakeholders, while the special agents themselves were totally expert at and immersed in the safe practices of IT. I'm not talking about fixes of broken things here. I'm talking about rapid (but security compliant) implementation of new small info systems that departments need.
I'm talking agile.
Now wouldn't that be refreshing.
Where are we going and why are we in a handbasket?
I also know this makes a mess for the IT department when they have to inherit the POS I made. But just imagine how much easier things would be for the IT folks if they would provide people to help with these quick solutions so that they are designed reasonably well and are easier to support. ...
Actually, we have about 500 users using the application in 30 countries, and the application is actually quite stable. In five years, we've only had a couple hours of unplanned downtime, and half of that was a Citrix server problem (out of my control). Most of our planned downtime has typically been for upgrading servers (moving from SQL2000 to SQL2008 servers, or from a single Citrix box to a farm of Citrix servers for the application) and happens on holidays. ...
Note, I'm not struggling with the entire IT organization. The people in IT who provide servers: SQL servers, shared-drives, and Citrix platforms, etc. are fantastic. I ask for what I need and they work with me to clarify what's actually needed then cheerfully provide it. I couldn't keep this going without them.
Something you are saying here does not compute.
Seems you're getting a TON of support from IT with servers, from what should be a server-side application. Especially since you admit it already ties in to their existing databases.
Seems also, your little app requires a significant amount of money (in either parts or time monitoring) to support it.
Seems also, you admit that you gave incomplete design specs in your initial proposal and may still be doing so each time you propose it.
Seems also, we are still missing information from you. You say it's not the "entire IT organization." What are you doing, submitting this to the rejected Indian monkeys running your frontend helpdesk whose primary job is to handle people who are having "trouble" opening their email?
Have you submitted this to the head of IT? Or to the head of the server support desk? Or if not, where HAVE you been submitting it to?
I don't think it's IT's fault you are having this trouble. I think you're either holding information back from them deliberately, or you're so bad at communication that they can't make heads or tails of your proposals, or you're talking to the wrong damn people who are already under-budgeted and overloaded with crap from every OTHER person at your company that operates in this fashion.
MAC addresses are configurable. My point is, you have to be careful who you hire and then give them the resources to get their work done. In corporate IT, users are the customers, not the adversaries.
Yes, I am aware that MAC addresses are configurable. In fact, I use LAA (Locally Administered Addresses) for a number of purposes. Most of my users wouldn't know a MAC address if it came up and bit them.
Then again, I don't (at least not right now) work for a technology vendor. I have done so in the past and it adds additional dimensions to the IT management environment. In those circumstances, technical people will be given wide latitude to manage and implement on their own workstations and on development/engineering networks. I've been on both sides of that and, as a rule, that arrangement works well. On a production network however, I stand by my original statement: "Users *will* keep their greasy little paws off of *my* servers."
It is very important to hire trustworthy people. However, even scrupulously honest and reasonable people can do non-optimal things because they don't understand the implications of their actions. Anyone (other than appropriate IT staff) installing a sniffer has moved out of the realm of "non-optimal" to "potentially criminal."
I work for a large law firm and lawyers are notorious for thinking they know better than everyone else. At the same time, they need to generate billable hours, which limits their interest in running IT for themselves. That certainly doesn't stop them from making "helpful" suggestions. The solution here, just like any professional services environment, is for IT to get the bullshit out of the billable resource's way to give them more time to do their job -- generating revenue.
If you wanted to make a point about end-users being customers, then you should have said so in the first place. That is, of course, quite correct. I treat my customers with respect and do everything I can to exceed their expectations. Most of the time, I succeed. However, that has to be a two way street. Sometimes users do stupid things (as do IT people). I've had users forwarding confidential emails to personal email accounts, abusing the network and all manner of dumb stuff. The appropriate way to handle this is to discuss the issue calmly with said customer, gather their requirements and determine an appropriate solution.
That said, when a user tries to do an end run around IT, it's usually because they're doing something they know is inappropriate, have a huge ego, and/or aren't getting the appropriate support from IT. None of these are good reasons for circumventing the IT process, for all the reasons detailed by me and other folks on this thread.
My language was colorful and certainly doesn't reflect how I would address my customers. However, you (and the OP for that matter) aren't my customers. The ire expressed by many on this thread is understandable, mostly because the few bad apples who go outside the IT process are the first ones to blame IT for the failure of the rogue implementation that the user spent significant time trying to hide from IT.
All in all, a well-managed environment and a responsive IT staff can head off these issues 95-99% of the time.
No, no, you're not thinking; you're just being logical. --Niels Bohr
You come off as a bit of an asshole (Indians are people, not monkeys), but I'll answer your questions anyway.
So at my company (a Fortune 500), if you want/need things like shared drives, generic email accounts, a Citrix platform for an application, or a SQL Server database, you submit a request and it gets made. I think of this as the "operational infrastructure" of our IT organization.
Now, it's up to you, as the user, to build that database, populate it with tables, views, stored procedures, etc. They won't help you with that. Just like if you ask for a shared drive, they won't make the files that you want to store in it - that's up to you. However, they do handle day-to-day backups of that database and will do restores as needed. And yes, there are costs for these services - and our department is billed for those. I never said we wanted anything for free.
We also have another part of our IT organization who take care of the data and reporting part of the business ("Business Intelligence", I suppose). They manage all the various systems that capture data out of our transactional systems (e.g. SAP) and make reports based on that data. This is the part of the organization that should be providing a tool or system that does what our "home-built" system does.
So this application is essentially a "balanced scorecard" tool. In a nutshell, it's standalone (not attached to other databases) and allows for data to be keyed in or loaded via Excel and produces PowerPoint decks and Excel reports. There are also some trivial administrative forms that allow for things like users checking boxes to indicate the data from their country is ready for reporting. The key requirement is that it has to be flexible. If the primary VP for this reporting wants to see a new report or changes to existing reports, we need to be able to turn that around in a week or two, not several months. The other key challenge is that it has to handle data that isn't provisioned through the certified data paths. Some data that needs to be reported simply does not exist in any current systems and is the result of offline analysis, or it may be in systems that are otherwise not connected (not even all the "sanctioned" systems interoperate). We have to report based on that data, so it gets loaded via a manual process of some kind. And there's no way to avoid that.
We've engaged several times with the BI team (the appropriate part of the IT organization for this kind of proposal... and yes the VP of IT is aware of the situation) to see how they can try to support our needs. Again, I'm not asking them to take over the application we've built, but instead come up with their own proposal based on approved systems and tools.
Each time, we provide a detailed list of requirements (must haves, really should haves, and like-to-haves) along with use cases, example reports, lists of source systems for data, etc., with lots and lots of meetings to clarify what we're asking for. And then we ask them to propose an "approved" solution (approved meaning one they will support and manage). And that's where it hangs up.
But here's the challenge. From my end, regardless of the tools and methods available, I'm required to collect data from global systems and from 30 countries and then prepare decks of reports (up to 20 pages each) for each of those, usually by the 10th of the month. I can do that manually with linked Excel sheets, VBA macros, and checking files in and out of e-rooms (like SharePoint)... and if that was the only way to do it, I'd still be expected to do it (though I don't think it would be possible to do now, with all we have to do). On top of all that, we have to provide ad-hoc analysis based on our data, because management may want to explore specific details of potential problems.
Now, I've seen the threads here about how bad it is for businesses to "store" data in Excel sheets and I agree. A database is the right place to store data. So we asked for a database and "report building" solution. We were told it couldn't be done (or could only be done for an impossible amount of money and in a very long time), so we did it ourselves... because we had to, or we'd have to do it all by hand.
So, what would you do (aside from quitting)?
I am part of the IT staff in a hospital. Once I needed an MR scan urgently, but the machine is always occupied and so I had to wait 3 weeks to get an appointment. I decided to buy an MR by myself and took pictures of myself and some other patients of the hospital, but after comparing the pictures with ones from Google Images to find suitable medication, the hospital staff said I am not qualified to prescribe medication.... Should I ignore them and order meds online?!?! My fellow Slashdotter, this (satirical) story is only to convince you that by setting up a server by yourself, you will end up in a big pile of poo-poo if something goes wrong. Especially in health care, where data is highly sensitive, NOBODY should be able to bypass security policies.... and this is what you do by setting up your own server (without putting it into the DMZ and ignoring other security principles as well). If I were working in your IT dept., I would sure find a suitable LART which could be applied, so give your dept. root access, and I am sure they'll find a way to get rid of your server.
You come off as a bit of an asshole (Indians are people, not monkeys), but I'll answer your questions anyway.
I refer to the morons who get my order wrong consistently at the drive-thru as monkeys, too. As in, "trained monkeys could do this job and probably are." ...
We've engaged several times with the BI team (the appropriate part of the IT organization for this kind of proposal... and yes the VP of IT is aware of the situation) to see how they can try to support our needs. Again, I'm not asking them to take over the application we've built, but instead come up with their own proposal based on approved systems and tools.
Each time, we provide a detailed list of requirements (must haves, really should haves, and like-to-haves) along with use cases, example reports, lists of source systems for data, etc., with lots and lots of meetings to clarify what we're asking for. And then we ask them to propose an "approved" solution (approved meaning one they will support and manage). And that's where it hangs up.
If I am reading your previous statements correctly (and I am pretty sure I am), what actually happened is that BI responded to your request with a proposal of a certain scope - probably including the cost of hiring someone to maintain it and purchasing hardware on which it would run. Their quote may even have included a quote cost from OI for server purchases, personnel that OI wants, etc.
Then, you told them it would take too long and be too costly, and you opted to use your own salaried hours from your own department to create an alternate front-end (which you then tied into the existing database setup available from the other side of IT) that consists of a semi-rogue install. Is that somewhere near the neighborhood of an accurate guess? For that matter, what sort of cost comparison have you made between the server-maintenance costs from OI and hours used on maintenance by your own group for your own solution, as opposed to what you were quoted by BI?
But here's the challenge. From my end, regardless of the tools and methods available, I'm required to collect data from global systems and from 30 countries and then prepare decks of reports (up to 20 pages each) for each of those, usually by the 10th of the month. I can do that manually with linked Excel sheets, VBA macros, and checking files in and out of e-rooms (like SharePoint)... and if that was the only way to do it, I'd still be expected to do it (though I don't think it would be possible to do now, with all we have to do). On top of all that, we have to provide ad-hoc analysis based on our data, because management may want to explore specific details of potential problems.
(paste from earlier in same) So this application is essentially a "balanced scorecard" tool. In a nutshell, it's standalone (not attached to other databases) and allows for data to be keyed in or loaded via Excel and produces PowerPoint decks and Excel reports. There are also some trivial administrative forms that allow for things like users checking boxes to indicate the data from their country is ready for reporting. The key requirement is that it has to be flexible. If the primary VP for this reporting wants to see a new report or changes to existing reports, we need to be able to turn that around in a week or two, not several months. The other key challenge is that it has to handle data that isn't provisioned through the certified data paths. Some data that needs to be reported simply does not exist in any current systems and is the result of offline analysis, or it may be in systems that are otherwise not connected (not even all the "sanctioned" systems interoperate). We have to report based on that data, so it gets loaded via a manual process of some kind. And there's no way to avoid that.
If your proposals are as accurate as you claim (and I'm getting a better idea of what you are looking at here), it sounds like the problem is still that you aren't talking to them in
As others surely have mentioned already, the IT department shouldn't have asked for a login account on your private computer.
They should have told you to take your privately owned computer off the hospital network.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
It's probably also AGAINST THE LAW. Christ. Submitter is an unmitigated moron. People are going to jail for HIPAA violations and you want to dump any old crap on the hospital network for a CALENDAR? Just use an external web-based thing, ya moron. Try Google Apps.
Did you read your comment before posting?
Do you really think that using Google Apps to maintain appointments (which might be medically related, such as "do 'x' surgery on patient 'y'") is acceptable under HIPAA?
You must be one of those people who use their personal laptop on the company LAN and use GMail for 'saving' company documents...