Everyone Please Respond 13

[shannanl]

I am over the computer department at a hospital. Our server room is the first office that you encounter when you come through the front door. Until today it was my policy to keep the server room door locked. The server room is also our office with a couple of workstations. If someone needed us they would just knock on the door or call, etc. Because we often display patient related information on those screens and just plain old good security I thought that was the best policy. I was told this morning that we must keep the door open if someone is in the office. I am sure that it was because of a nosy employee that wants to know what is going on. This really burns me because we do an outstanding job here and everyone knows it.

What is your opinion on this? At the least we will have to purchase privacy screens for the workstations and those are not cheap. I believe that the boss should have told the person to mind their own business and get back to work. What do you guys think?

Thanks in advance,

Shannan

 

[rtichnor]

I wonder if you could use "HIPPA" comliance as a way to keep the doors closed.

 

[schtuffseeker]

Being in the health care/information field, I'm sure HIPAA would govern keeping this information secured.

 

[EBGreen]

What was their reasoning for the door being required to be left open?

[red]"... isn't sanity really just a one trick pony anyway?! I mean, all you get is one trick, rational thinking, but when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick[/red]

 

[flapeyre]

Where I work, the security folks just implemented a policy that your password-protected screen saver must kick in after 10 minutes of inactivity. I guess too many folks have been looking at other peoples' screens, when it was none of their beeswax.

Ask why your doors have to be open, and until you get an answer, password-protect your screensavers in there.

If you are in a hospital, then they surely have a legal department of some kind? Perhaps they could guide you regarding HIPAA.

Me transmitte sursum, Caledoni!

 

[shannanl]

HIPAA Electronic Security is the security of electronic information. Because the server room is where all this information is stored, I think it is good practice to keep it secured.

They did not give a good reason. Its the CFO that is driving all of this. He thinks that we should be accessible to the employees. That was his reason. A server room SHOULD NOT be accessible to employees. The funny thing is that we have other departments that keep their door shut and they were not mentioned. The CEO just told me that we were doing a great job. She said that she had not had any complaints or problems at all. I told her that we were taking it personally and she said not to. I told her that they were singling out a department and applying a policy to that department and that is not right. She said she is going to go back and talk to him.

Shannan

 

[shannanl]

Actually we do password protect with screensavers that come on after 5 minutes.

Thanks,

Shannan

 

[eyec]

HIPPA compliance would have a hiccup over such a policy!

IT server rooms should be controlled access for authorized personnel only. this is the nerve center of the hospital's IT resources and private information depository. ANDthe most likely place for someone with less than honorable intentions to stick a keylogger or virus!

have your legal dept inform your CEO & CFO they are in deep dooo dooo if they are audited.

 

[shannanl]

Thank you guys for your posts. I appreciate the feedback very much.

Shannan

 

[johnherman]

I think you have a good case just with the door being the first one encountered by an entering stranger.

From my days as a Security Officer in the military, there are four major pieces to Operational Security:

Physical Security - i.e. restricted access to those who need it only.

Information Security - HIPPA, Privacy Acts, logins, etc.

Communications Security - using secure communications, secure file transfers, etc.

Electronics Security - defense against wiretapping, listening devices, etc.


It would seem that your open door is a breach of physical and information security.



-------------------------
The reasonable man adapts himself to the world. The unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. - George Bernard Shaw

 

[shannanl]

John,

I was also in the military and although I was not a security officer, I am aware of the principles. I was told yesterday to "humor" the CEO and leave the door open. I typed up a statement and signed it and gave it to her stating that I felt that it was not good security and it was a potential HIPAA violation waiting to happen. It is amazing to me that all of this started from a CFO who is actually a contract employee. He has about 8 hospitals that he travels around to. A contract accountant is now setting our security policy. This is one of the more stupid moves that I have encountered in my 36 years on this Earth!

Thanks,

Shannan

 

[netmanrick]

You have done the "CYA" bit so that's alerted management to your concerns.
I would put some type of physical intrusion detection/monitor on the doorway.
Better yet,get a door that is split(upper half and lower half).that way you can keep the lower half secured against physical intrusion.
I guess my main concern is what is a CFO meddling in IT security ?

Rick Harris
SC Dept of Motor Vehicles
Network Operations

 

[shannanl]

Rick,

I appreciate your input. I feel the same way. You should let the people that you hire do their job. If they don't know how, train them. If they are trained and don't do it, counsel them. If they still don't do the job, get rid of them. To the best of my knowledge, I am doing an excellent job. My reviews are always top notch and the employees here speak very highly of the job we do. I am very disappointed in the CEO. She should back us in this.

Thanks,

Shannan

 

[oisnds]

Light reading (maybe a few ideas), just don't tell anyone I sent you. .

 

[oisnds]

Forgot the link !!!

http://www.theregister.co.uk/odds/bofh/

 

[shannanl]

Thanks, I will check it out.

Shannan

 

[tyant]

It is important to have your enviorment controlled. A server room can generate alot of heat and for that reason alone, the room needs to be kept at the right temp. I presume that there is air conditioning in that room and with the door open, you can no longer condition the air.

 

[shannanl]

Yes tyant. And the funny thing is that we just spent about $2000.00 to install a small unit on the roof so that this room could be controlled. That was about 3 months ago. With the door open, it is useless.

Thanks,

Shannan

 

[EarlAllen]

I've been programming and managing computers 43 years. In the sixty's we learned to hide and protect our data processing equipment from the nosey and sometimes angry employees and customers. One of the most critical resources in a company is its computers.

If a disgruntled employee or patient destroyed your server, how much havoc would it cause the hospital?

Who will physically protect your server from a disgruntled employee or patient with a knife or gun? Are they paying you enough to put your life and limbs on the line?

 

[Spirit]

In the UK its just plain common sense: Health and Safety. If I am in the server room I keep the door unlocked because if I fall over / knock myself out etc. I want someone to be able to get in and help me.

But when no one is in the server room the door is LOCKED. Security. Also due to the Privacy Laws in the UK you could argue that it is a legal requirement to lock the door to safe gaurd the housing of personal data.

Iain