
Everyone Please Respond

Status
Not open for further replies.

shannanl

IS-IT--Management
Apr 24, 2003
US
I am over the computer department at a hospital. Our server room is the first office that you encounter when you come through the front door. Until today it was my policy to keep the server room door locked. The server room is also our office, with a couple of workstations. If someone needed us they would just knock on the door or call, etc. Because we often display patient-related information on those screens, and just for plain old good security, I thought that was the best policy. I was told this morning that we must keep the door open if someone is in the office. I am sure that it was because of a nosy employee that wants to know what is going on. This really burns me because we do an outstanding job here and everyone knows it.

What is your opinion on this? At the least we will have to purchase privacy screens for the workstations and those are not cheap. I believe that the boss should have told the person to mind their own business and get back to work. What do you guys think?

Thanks in advance,

Shannan
 
Up until this decision, we always locked the door. Even if we were in the server room, the door stayed locked. There is a lockbox in the hospital with a master key in case of an emergency, fire, etc. The rack with all the switches, etc. is about 1 foot from the door. I have had small children come straight into the room to the rack wanting to play with all the pretty colored cables. We also end up being a reception desk because people are always coming in the front door and going straight to our office to ask directions. We also have patient information displayed on our monitors that are just inside the door. That is a violation of HIPAA privacy rules if there ever was one. It's sad, but maybe a disaster or a HIPAA complaint against the hospital is what it will take to wake them up.

Thanks,

Shannan
 
You may want to look at building codes for your area, as to requirements for doors, etc.
Having the doors locked sounds bad. It is surely a fire safety violation to have personnel inside a locked room. The doors would have to open from the inside without the use of locking/unlocking devices, I'd suspect. Push-bar releases might not be needed.
The air conditioning needs might be a source of leverage, if you can show a risk of downtime or other problems due to lack of temperature control. (Can you quantify it?)
How about a door with a security-glass window?
You mentioned privacy screens for the computers; may as well just put them on order...
Let us know how it plays out.
 
The door from the outside should be locked, with a handle on the inside that can be opened by just bumping it with any part of your body, like a hip. If a server gets wasted by someone either with a grudge or just playing around, how will you know what meds are being given? The servers I've maintained have ALWAYS been locked up.

Glen A. Johnson
If you're from the Illinois or Florida area, check out Tek-Tips in Chicago IL
To get the best answers to your questions, check out faq950-5848
Tickety-boo all.
 
Personally, I could see it if a fire code stated doors must remain open (usually they state they must be closed) or if the CFO walked in on inappropriate use of PCs or something. I agree with others. Between HIPAA standards, public access to private data, controlled environment, health & safety, etc.... Come to think of it, I believe there is even a "Homeland Security: critical infrastructure information - protected from public disclosure" law that may apply. (I could be reaching on that one.) Either way, there are more factors working for you than against you in this situation.

If they must know if someone is in your server room, perhaps one of those cheesy little slider signs that shows IN / OUT would do the trick.

Best of luck with it.
 
The fire codes here state that if the door is closed and people are behind it, a door handle that is easily opened must be used. No locks; it must be one of those lever types or push-bar types that allow easy exit. We have one of those on now. The CFO did not walk in on inappropriate use of the PCs. The door was locked and he could not walk in. It basically all comes down to the fact that he is a nosy old bas#*&%# and he appears to have much more pull than he should. The CEO just blindly goes along with him no matter what. I tried to point out the cons of leaving the door open. It seems that HIPAA, common sense, security, etc. mean nothing here. Well, at least it is 2nd behind what the CFO wants. Maybe a HIPAA violation and a hefty fine will wake them up?

Shannan
 
The room needs to be secured to physically protect the computing assets in the room. Ask for the funds to make it a fire-exit-only door. If the door is not secure, the risk exposure in dollars and cents can lead to management decision sense.

A) Physical theft of hard drives with PHI counts as a HIPAA fine area.

10,000 patient records on a stolen hard drive.
$100,000 fine per patient in an accidental HIPAA release.
Odds of theft 3/1000 people.

10,000 * $100,000 * 3/1000 = $3,000,000 Risk Exposure.

Thus, if replacing the door cost $3,000.
The measure would save the hospital an average of
$2,997,000 to get you a better door.

Surely a CFO can appreciate that kind of savings!

.......................................
Don Turnblade Arctific Inc
MS, MCSE, CISSP 602.881.3348
Essential Information Security.........
 

Sounds like the CFO guy's loopy, as must be the rest of the organization to allow someone to guide operations so far from their area of expertise. I expect that this is the same mentality that allowed a server room to be located in a high traffic area.

I would look for another job. Until you can find one, you can give that CFO jerk a hard time because I can't imagine anyone with a lick of sense in this area backing him up.
 
Compuveg, you summed it up. The people making these decisions have no sense. We are looking at a partnership/buy out so I may stick around and see what happens with that.

Thanks,

Shannan
 
Well, with the privacy act there should be no reason why the door cannot remain locked, unless it is for fire safety. Why not use card access? If the person has card access they can come in; if not, they can't. Furthermore, the protection of personal information should be held to the utmost security levels and, as stated in the previous thread, I'm sure the legal department of your hospital would agree.
 
Okay, after reading through that... What is the contract person doing?!?! The server, as stated before, is the nerve center. If that is breached, everything is down. Not only should you have a physical barrier against unauthorized persons, but you should also have the documents not only password-protected, but encrypted as well. It just makes sense to me. I have been working as the head technician for a major computer repair company, and after my years of service, that's, by far, the worst and most idiotic thing I have ever seen. I'm sure most people can agree with me on that.
 
I agree with you, kitsunemeio. Not only is it a joke that the CFO is the major player behind this; the most unbelievable thing is that they went along with him.

Shannan
 
May I play devil's advocate here?

"I have had small children come straight in the room to the rack wanting to play with all the pretty colored cables. We also end up being a reception desk because people are always coming in the front door and going straight to our office to ask directions."

This sounds a lot like excuses made by the typical "I don't like human interaction" IT guy from RandomCorp.

I think a good compromise is this - Face your monitor away from the door, and lock your machine when you are away. Keep the door unlocked when you are in there. With the door closed (but unlocked), you will likely not be bothered by the public, and your co-workers will be able to reach you without a heads-up phone call.

I do believe that your CFO is probably a joke, though... sounds like he doesn't have a lot to do, so he's just making random changes to make it seem as though he's accomplishing something. I hate when they do that.

I'm not jumping on you in particular, Shannan; I really do understand your situation - I'm just pointing out what your argument might sound like to the people you are complaining to.

Mary Beth
 
Mary,

I appreciate the input. I would be fine with closing the door, but that is not even an option. I must leave it open if someone is in the room. I guess what gripes me the most is that someone who is completely ignorant about computers is making this judgement call.

Thanks,

Shannan
 
lol, perhaps wait until he moves on to another hospital, then thumb your nose at him and go back to the old way?

Mary Beth
 
Well, it may be coming sooner rather than later. We are looking at being bought by a much larger hospital, and their financial people have been in and out. The other day I was told, while in a meeting with some of them, that the way we do our finances had to be changed. The guy that was here doing some of the audits was amazed at some of the stuff this guy does. So, maybe before long....

Shannan
 
Have you gotten a reply regarding your letter mentioning HIPAA? Perhaps you can suggest they bring in an independent auditor if it is only the CFO who is the squeaky wheel.

A locked server is something everyone should know. Perhaps you can go ahead and order those privacy screens. But also, put in an order for one of 2 things: either a secure heavy-duty lockable rack w/ a steel (non-glass) door, or have a portion of the room boxed in w/ walls and a locking door. Either way your servers are secure, and your CFO will have to say "Hmm, I can spend between $3,000 and $5,000 to make the appropriate adjustments to secure the data, or they can lock the door for free."

If he's any CFO worth his salt he'll go w/ the free idea and stop being a busybody.

 

I'm just surprised that a facility that needs security as badly as a hospital doesn't already have a 'swipe' system in place for getting into secure areas. This would most logically include the server room. Even if a swipe system isn't in place, they could install a punch-code type deadbolt which would only allow in people who knew the code.

Does the pharmacy have to keep their door open for anyone on the street who wants some morphine or duh-lot-ed? (Pardon my spelling, I'm not sure how it is spelled; I just know I've heard news stories about junkies holding up pharmacies for the stuff. The most entertaining was where the gunman forced the poor pharmacist to shoot him up between the toes at gunpoint. While he was passed out from the experience the cops came in and locked him up.)

Back to the subject though: from the thread it sounds like the guy isn't only stupid, but also doing some things wrong on the books, potentially taking care of your problem if everything he's doing comes to the surface.

Regardless of what trouble this guy has or has not gotten himself into, physical security for a server room is required for real security. Otherwise, don't even bother with a door.

If I were the system admin for that server room, I would write a memo that clearly disclaims any responsibility for the integrity of those systems until the physical security issues are properly resolved.
 
Oh, I did. I wrote a lengthy memo explaining the risks and my assessment of the situation and asked that the CEO sign it and give me a copy. She refused to sign it, but I do have several witnesses that know I gave it to her. I also reported possible HIPAA violations to the HIPAA security officer in a memo.

Shannan
 
I work in the education sector, so I don't have to deal with HIPAA, but in our environment we have a split door to our office that remains locked (you have to reach over to enter) so we can serve our users. Our main server room until recently had an electronic key access that was required to access it. The key access went berserk, so we removed it. Even then, the door remains closed at all times, for both physical access and physical security (AC). We take physical security very seriously and have signs posted all around our office and server room that only Authorized Personnel are allowed. This alone gives us the muscle to require that our doors stay locked and closed (except our office, of course). I think you were right in reporting it to the HIPAA officer. No CFO should ever control the IT department in any capacity, in my opinion. Their job is accounting; by involving them in management, that can cloud their judgement when it comes to doing both jobs. The accountant should be independent of the company as far as interaction goes. This can create a conflict of interest. Of course, this is all IMO, so take it for what it is worth.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Micheal,

I appreciate the info and agree with you.

Shannan
 