Fine - IT is reasonably concerned that a vulnerability in my setup is a hole into the network.
Patient information is on other networks and machines, and above my pay-grade to make sure it is compliant with policies and security is kept up to date.
I would just like to point out:
1. There are more low-hanging fruit for security holes, such as all the unpatched Windows XP machines at the nurses stations.
2. How is giving the IT tech a non-root account onto my OpenBSD machine going to work - is he really going to know how to probe it from the command line? If he wants to control (shutdown) my machine - wouldn't he need root or sudo?
(Truth be told - my suspicion was that he just wants to learn how I did it, so he can implement it for other depts and look the hero)
Lastly - your point about when I leave - please leave that to some other post/question - its off-point.
If I left, my colleagues would know better than to expect IT to take over the server of Dr "Dorian".
Okay - original poster here.
To clear up some issues:
1. I assure you - I'm not a troll - though the name is obviously fake. Real honest question.
2. Having servers on the network is not unprecedented. It is a medical school. Several labs have UNIX (even old Solaris machines) in their lab, that they have websites on. A simple email request to IT allowed port 80 and 443 to be unblocked.
3. HIPAA - very important. But no patient information will be on this machine. Only "May 7-8: on-call Dr X"
4. I'm perplexed by the paradox of half the people being up in arms about HIPAA, but many posters simply advocating Google calendars. Make up your mind - it could be super-sensitive but we should let it be on the cloud?
Slashdot Mirror
Fine - IT is reasonably concerned that a vulnerability in my setup is a hole into the network. Patient information is on other networks and machines, and above my pay-grade to make sure it is compliant with policies and security is kept up to date. I would just like to point out: 1. There are more low-hanging fruit for security holes, such as all the unpatched Windows XP machines at the nurses stations. 2. How is giving the IT tech a non-root account onto my OpenBSD machine going to work - is he really going to know how to probe it from the command line? If he wants to control (shutdown) my machine - wouldn't he need root or sudo? (Truth be told - my suspicion was that he just wants to learn how I did it, so he can implement it for other depts and look the hero) Lastly - your point about when I leave - please leave that to some other post/question - its off-point. If I left, my colleagues would know better than to expect IT to take over the server of Dr "Dorian".
Okay - original poster here. To clear up some issues: 1. I assure you - I'm not a troll - though the name is obviously fake. Real honest question. 2. Having servers on the network is not unprecedented. It is a medical school. Several labs have UNIX (even old Solaris machines) in their lab, that they have websites on. A simple email request to IT allowed port 80 and 443 to be unblocked. 3. HIPAA - very important. But no patient information will be on this machine. Only "May 7-8: on-call Dr X" 4. I'm perplexed by the paradox of half the people being up in arms about HIPAA, but many posters simply advocating Google calendars. Make up your mind - it could be super-sensitive but we should let it be on the cloud?