Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Do I Give IT a Login On Our Dept. Server?

Posted by CmdrTaco on from the would-they-give-one-to-you dept.

jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"

33 of 1,307 comments (clear)

  1. In my corporate environment.... by Anonymous Coward · · Score: 5, Insightful

    .... you'd be breaking network and security policies up the wazoo by plugging your own server into the network, much less having a machine that IT couldn't manage and audit.

    1. Re:In my corporate environment.... by Ferzerp · · Score: 5, Insightful

      I think the real question should be should IT shut down any network port they see your rogue equipment connected to.

      Hint: the answer is yes

    2. Re:In my corporate environment.... by postbigbang · · Score: 5, Informative

      Depending on the poster's country, there may be a lot of regulatory, compliance, legal, and other issues at play here. This appears to be a rogue server as you cite. If I were the head of IT, I'd have it outta-there in a heartbeat and write up whomever deployed it-- on the surface and without other information, this is a problem.

      WIthout more information, it sounds to me like a convenience issue for the department head, but it's a legal nightmare looking for a spot marked X-- that server, for starters.

      --
      ---- Teach Peace. It's Cheaper Than War.
    3. Re:In my corporate environment.... by PFI_Optix · · Score: 5, Informative

      Some questions not answered:

      Did the OP ask the IT department what sort of services they are capable of providing? Hospital IT departments are usually in the habit of trying to provide departments with what they need, as department heads and doctors generally win the battle for "I want ________" when it goes up the chain.

      Did he inform IT of his plans prior to executing it, or just bring in a server and set it up, then start asking for access? If he did the former, they might have worked with him, providing him with rackspace, security, and expert administration so that his workload was limited to application administration. if he did the latter, he's lucky they haven't made an issue out of it and gotten him written up.

      Did he make sure he's not violating any federal regulations regarding patient data security? A rogue server on the network is a MAJOR security threat, no matter how competent the administrator is (or believes himself to be).

      Did he think about the precedent this sets? If every department decides to go running their own servers on their own terms, IT can't support them and the whole hospital steps back about 20 years in how their network functions.

      Did he consider the idea that maybe the service he's setting up for his own department might be useful to scale to the entire hospital at a later date? it sounds like he's found a service he considers worth putting a lot of effort into providing...for just his department. If it's good for radiology, it's likely good for lots of others. But HIS server probably can't accommodate that scale. HIS server isn't centralized. HIS server...well, is his.

      --
      120 characters for a sig? That's bloody useless.
    4. Re:In my corporate environment.... by synthesizerpatel · · Score: 4, Insightful

      A good IT manager would mosey over and have a sit-down to explain the IT policy concerning servers, lay out all the reasons why IT is responsible for them - backups, security scans, keeping antivirus up to date, tracking hardware assets, etc.

      By the end of the conversation, the owner of said rogue device would be thinking 'Wow, I really should hand this over, this guy is much more capable than I am at maintaining a server.. and why would I _want_ to maintain a server anyway?'

      No need for threats or derision for being ignorant. (note: ignorance isn't a bad trait as long as it isn't willful and repeat, it just means you don't know)

    5. Re:In my corporate environment.... by haruchai · · Score: 4, Informative

      I've worked in healthcare - if there's a chance of leaking patient records, then the Information Security officer would have to sign off on any server after a full assessment.

      --
      Pain is merely failure leaving the body
    6. Re:In my corporate environment.... by nschubach · · Score: 4, Insightful

      Give them a user account with no privileges. They can look at the command prompt all day if it makes them happy.

      Besides, it shouldn't kill them to white list your server on one freaking port.

      I certainly hope IT would hire someone smart enough to realize that you gave them no access. In fact, I'd hope they were smart enough to place that machine on it's own VLAN or outside the firewall so that you (the employee) couldn't grab whatever data was available on the internal network and broadcast it on whatever port you were given.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    7. Re:In my corporate environment.... by ZenDragon · · Score: 4, Insightful

      Same here... I work for a bank. Anybody caught setting up a server that was not explicitly sanctioned by IT would be fired on the spot. Period, no questions asked and no quarter. For compliance, all communication in and out must be logged. This is FEDERALLY mandated, and not just IT being nazi's. I worked for a company prevously that provided call center and info management services for a medical provider and we didnt even allow people on the floor with cell phones. Is it abnormal that, as a IT professional, that this post almosts makes me angry?? lol

    8. Re:In my corporate environment.... by Stargoat · · Score: 5, Insightful

      That machine on the network without IT approval is a violation of HIPAA Security Rule. Frankly, the fact that your ISO hasn't written you up means he is too nice of a guy. Yeah, you need to give IT access, and then thank them for not written you up and turning your name over to the BoD.

      --
      Hoist Number One and Number Six.
    9. Re:In my corporate environment.... by Moryath · · Score: 4, Insightful

      Welcome to HIPAA requirements.

      You're precisely right. There is a REASON that there are policies - in this case, federal law that can turn into massive, multi-million-dollar lawsuits.

      I always am amused when someone kludges something together behind IT's back because "it's easier" than actually following protocol to get a function. If you need a function, we'll work with you to get it done, provided we can legally do so. If we can't do it, we will tell you why.

      Going around behind IT's back is asking for trouble. Worse than that, it ensures that IT looks at you askance from that point forward. There are users we work with and have no problem with, and then there are the assholes who do something behind our backs and cause trouble when we have to chase down their mistakes. Guess who gets first priority on the list of new feature/function requests?

    10. Re:In my corporate environment.... by Moryath · · Score: 4, Informative

      Highly irregular that the first thing IT heard about it would be an 'open this port on a firewall request'; which is basically taboo for anything storing security sensitive info anyways -- proper security design is a major factor, including requirements such as server administrators at arms length from devs of the application and from auditors/security team.

      Actually, that's usually how this crap happens.
      "I want project X set up yesterday so me and my fellow tenured people can do it immediately." - IT response, "Give us some time to look into it and ensure we can come up with a solution that meets regulations.

      A week later: "IT is too slow. I want it yesterday. I'll just go kludge something together (or have my incompetent Indian grad student do it) and plug it into the network."

      Happens all the time, especially when you have douchenozzles with tenure running around. IT can only "see" the device once it's plugged into the network jack, and even then if they're monitoring a ton of machines, they won't know it from an iPhone or Blackberry or iPad until it either (a) pops up as unscannable, (b) they get the "open a port for my kludge project" request, or (c) it attempts to send some data packet that triggers an alarm.

  2. I dunno by EvanED · · Score: 5, Insightful

    But instead of asking "should I give IT a login account on a server that is not owned or managed by them?" perhaps you should ask "should I give IT a login account on a server that is on their network?"

    It becomes a lot less clear in that formulation, huh?

    1. Re:I dunno by Vlado · · Score: 5, Interesting

      I heard such stories about hospitals over and over again.

      Essentially what it boils down to is that hospital IT departments have almost no chance of establishing good environments, because every doctor that has 5 seconds of free time feels like they have both the authority and obligation to directly interfere with how IT does things.

      Situations can vary from either the I've-been-working-for-50-years-without-a-computer-and-I'm-not-gonna-learn-how-to-use-one-now to what we have here where someone know how to make things better by themselves and simply bypasses the whole system with an application that is not supported or endorsed by the IT. And for sure does not integrate with other data-flow activities that are going on in the hospital.

      In the end IT guys run for cover anytime when some local "god" decides that their way is best and things will run how they seem fit, because they just bought a new iPhone and want to have EVERYTHING interact with it. Screw the company-issued smartphones!

      I'm aware that there might be bureaucratic red tape involved in getting things done. But if you go outside of system in the end you just make sure that nothing works for anyone instead of having a list of services that are stable and continue growing at a steady pace, based on a good input from everyone.

      In any case, at the end of the day, why does a service like that even need to be hosted from within a hospital? Plug the server in at home and you avoid any problems if the calendar in iPhone is such a big deal for you. /Disclaimer: iPhone is just an example here. Enter your preferred/hated brand instead

    2. Re:I dunno by drakaan · · Score: 5, Insightful

      Actually, you're giving IT access to a server for a service that they were not required to provide, and probably would have to a lot of asking for.

      Seriously, people...a hospital stores confidential, privileged data about patients and medical conditions that is supposed to have certain safeguards applied to it in order to protect that confidentiality.

      As has been repeated here already (and will be plenty more), placing an piece of personal network equipment on a medical network is bad enough. Asking for no oversight, giving your good word that everything will be OK, and requesting a port in the firewall be opened up to the public internet is lunacy.

      Even if you're well-intentioned, capable, and reasonable about what you're asking for, this isn't a home server and family pictures you're providing access to.

      The most disturbing thing to me about this story and question is that someone in the IT department was willing to open the port and allow the machine to stay connected without having root access, intimate knowledge of all installed versions of software and packages, and without relocating the server to an access-controlled datacenter. If I'm the head of IT, first I unplug and remove the box, then I talk to legal to see what needs to be done (audits, interviews, scans, etc), and then I reprimand the person in IT who said it could be done.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
  3. Obvious question from their perspective by tomalpha · · Score: 5, Insightful

    Why does a server that is not owned or managed by the IT department exist inside the firewall?

    In my workplace that's a sacking offence.

    1. Re:Obvious question from their perspective by shentino · · Score: 4, Insightful

      Also, this is a hospital.

      Wouldn't this also be a HIPAA violation?

    2. Re:Obvious question from their perspective by MaerD · · Score: 5, Insightful

      Indeed. Be happy they haven't fired you for violating acceptable use and/or purchasing policies. Don't expect to take this server with you when you leave, either.

      IT not supporting the application is one thing, YOU buying unknown, unsupportable hardware, plugging it into their network and then being arrogant enough to decide they shouldn't even have a log in? You seem to be running a bit short on common sense here.

      Also, this is not a random user requesting access, it is your information technology people who A) should know what they are doing and B) are on the hook for what happens on the network security-wise.

      --
      I put on my robe and wizard hat..
    3. Re:Obvious question from their perspective by Attila+Dimedici · · Score: 4, Insightful

      And when the government regulators ask the IT Department how they know that private health information isn't being disseminated over this server, their answer would be...?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    4. Re:Obvious question from their perspective by Lumpy · · Score: 5, Insightful

      "He's a doctor, a faculty member (professor), and a division head (administration/management). I promise you he's not a moron."

      I have met professors with multiple PHD's that are in fact morons.
      I have a Sister in Law with 3 Masters degrees that cant keep a car on it's tires, she has flipped 6 cars in 4 years.

      Education does not eliminate you from the moron pool.

      --
      Do not look at laser with remaining good eye.
  4. Doing it wrong by dzr0001 · · Score: 5, Insightful

    You shouldn't be deploying rogue hardware that is not company owned at any place of business let alone a hospital. Have you even considered the compliance ramifications?

  5. Wait, what? by 0100010001010011 · · Score: 5, Insightful

    You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?

    You may not think that IT owns or manages your server, but they do own or manage the network. Imagine if some guy from IT came down to you and wanted to start looking through radiology records. I'm sure you'd ask him if it was ok to look over his shoulder every now and again before you gave him full access.

  6. Their business, their rules. by rotide · · Score: 4, Insightful

    You are operating a server, behind the firewall, on their infrastructure, in their facility. You, (un)fortunately, don't make the rules. What you're doing sounds great and the lengths you've gone to make it happen are commendable. But I can't imagine any decent business being run while allowing any employee to run any server they want behind their firewalls without at least some oversight. You're going to have to follow their rules, sorry.

  7. RTFP (Read the Foolish Policies) by cbelt3 · · Score: 5, Interesting

    What you've done would cause any professional IT group to get out the hot tar, feathers, and rail. Or at least come into your office and ask you politely to remove the damn server from their facility. And never do this again. You must have missed all the security briefings, the issues with HIPPA, and whatnot when you were looking at systems. What you've done is to create a 'rogue system'.

    Imagine one of your kids sets up a server in your house. You don't understand it, you don't know if it's happily sniffing network traffic to steal passwords so pizza can be ordered using your credit cards, serving up pr0n, or just running minecraft. Would you willy nilly allow the kids to open a port on your firewall without the ability to audit what they're doing ?

    Of course not.

    Personally I'm amazed that they only asked for an account on your little server. I would have gone over and watched while you removed it from the facility and put in in your car.

    1. Re:RTFP (Read the Foolish Policies) by Anonymous Coward · · Score: 4, Funny

      If my parents need a port to be opened, they have to come down to the basement and ask me.

  8. Re:Fuck no by h4rr4r · · Score: 4, Insightful

    They can also not provide it a network port. When the server gets pwned it will be IT people blame.

  9. Re:Tell them to reimburse you by h4rr4r · · Score: 4, Insightful

    Sounds great. He can have access to the network switch port and the firewall opened up as soon as that transaction is complete. The Hospital IT should have switched off the network port the second they heard of this machine. Well really the network ports should just not all be on to begin with.

  10. Head of the division, you say? by spun · · Score: 5, Insightful

    That explains a lot. Guess what, Head of the Division: just because you are smart, and well trained in YOUR field, does not make you a computer or network expert. As the head of a division at an academic hospital, you have a responsibility to not only follow HIPPA (or your country's equivalent) requirements yourself, but to set an example for the medical professionals training at your facility.

    Do you simply not understand that plugging unauthorized and unaudited equipment into a hospital's network is not only a very bad idea, but against the law in most places? As the head of a division, you should understand that.

    The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law. No one expects you to be a network expert, that is your hobby, not your profession.

    In short, stop being a condescending ass and let the professionals do their job. If I knew an untrained "division head' was setting up unauthorized networking equipment, I would avoid that hospital like the plague, as I don't want hacked equipment broadcasting my medical history to the world, understand?

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Head of the division, you say? by spun · · Score: 5, Insightful

      Doing our jobs and complying with Federal regulations does not make us dickwads, it makes us professionals.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  11. So, if the IT guys watch Grey's Anatomy??? by Kamiza+Ikioi · · Score: 5, Informative

    More than that, who says you are a qualified systems admin? You say "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented)." And I take it that you installed BSD and OpenLDAP. My question is... so what? Who is to say what you really know? You are operating in a hospital. You have medical records. The IT staff there MUST make sure ALL systems there comply with HIPPA and industry security standards.

    Hey, the IT guy watches Grey's Anatomy. Can he perform medical tests in your hospital? No? So what makes you think you are comparable to IT? They respect your job, how about you respect their's.

    I'm sorry, but there is no way in hell I would let you on such a network without root. Not an account, but root. And if I were a patient, I would be screaming bloody hell if I found out non-IT staff got to run their own servers on the hospital network. The fact that they let you run at all is mind boggling to me. Probably because they can't fire a department head or you have tenure or something similar.

    But you are on the most sensitive type of network and balking at the most basic request. "Should I give IT a login account on a server that is not owned or managed by them?""

    Should they allow you host a server on a network that is not owned or managed by you? Honestly, if you did this all without first passing it by my IT department, I'd do my best to have you fired. Don't wanna give access to your precious box... geez, you really think THAT is the big deal in all this. Unbelievable, foolish, and arrogant to say the least!

    --
    I8-D
  12. Medical advice by ElMiguel · · Score: 5, Funny

    The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law.

    Now who's the doctor here?

  13. Sysadmins VS Lusers, lets get ready to rumble! by spun · · Score: 5, Insightful

    Hilarious. This story has polarized Slashdot into the "I actually work in IT in a systems administration capacity" camp and the "I tinker with computers as a hobby" camp. The tinkerers are actually taking offense that the "so called experts" won't immediately recognize their superior genius. The experts, for their part, seem used to this crap. Here's the deal, tinkerers: we will respect your mad skillz only after you have demonstrated them several times and jumped through all the proper hoops. Until then, you are just like any other Little User. No insult intended, but this is our job, and our butts on the line, not yours.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Sysadmins VS Lusers, lets get ready to rumble! by Capt.+Skinny · · Score: 4, Insightful

      Hilarious. This story has polarized Slashdot into the "I work in IT as a sysadmin and managing tech is my job" camp and the "I don't work in IT and need tech to do my job" camp. The sysadmins are actually taking offense that the non-IT folks won't immediately recognize their superior policies and procedures. The non-IT folks, for their part, seem used to this crap. Here's the deal, IT: we will respect your mad skillz only after you have demonstrated that that your hoops are justifiable and not unduly burdensome. Until then, you are just like the PHBs. No insult intended, but this is our job, and our butts on the line, not yours.

      There, fixed that for you. At the risk of being modded "-1 Disagree" to oblivion.

  14. Troll. by pz · · Score: 4, Informative

    The OP is a troll.

    The user ID "jddorian" is a fictional character on the US TV program Scrubs.

    No head of department at any hospital or university I have been associated with would have had the time in their career to be more than passingly conversant on computer IT issues, forget know about ports. Heads of departments get to those positions only because they do nothing else with their lives.

    A head of department would know better than to set up something themselves. They wouldn't also have the time to do something like that. They would be familiar with the idea that the hospital IT infrastructure is far more highly managed than normal corporate IT structures.

    And, unless this is a seriously podunk hospital, they likely already run Microsoft Exchange for email, and so have electronic calenders.

    Troll. It's a troll.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.