Everyone Please Respond 13

[shannanl]

I am over the computer department at a hospital. Our server room is the first office that you encounter when you come through the front door. Until today it was my policy to keep the server room door locked. The server room is also our office with a couple of workstations. If someone needed us they would just knock on the door or call, etc. Because we often display patient related information on those screens and just plain old good security I thought that was the best policy. I was told this morning that we must keep the door open if someone is in the office. I am sure that it was because of a nosy employee that wants to know what is going on. This really burns me because we do an outstanding job here and everyone knows it.

What is your opinion on this? At the least we will have to purchase privacy screens for the workstations and those are not cheap. I believe that the boss should have told the person to mind their own business and get back to work. What do you guys think?

Thanks in advance,

Shannan

 

[ALT27]

Shannan,
Any chance you can use this as an excuse to move your people's desks out of the server room ?
Personally I hate working in the server room. Its too cold and noisy. Perhaps you could leverage this for that corner office you've had your eye on. Yeah right !
I'm going to guess that if your hospital is like most I've seen, there are people working with desks in the hallways.
Good Luck,

 

[EdiTek]

We had the same problem at my hospital with the location of the server farm being accessible from a main corridor. We've now installed biometrics ID badge reader for access to the room. We've also installed video cameras in the hallway & inside the server room for additional security.
The we we were able to fix this was to bring the "lack of security" info to the right management people & pull the HHSS/CMS/HIPAA guidelines for security.

 

[iownroot]

Very interesting. How's the IT security awareness efforts at your hospital looking. Maybe you guys could spearhead this effort?

 

[iownroot]

Or at leat get the ball rolling in the right direction.

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+

 

[derajer]

I'm glad to see that I'm not the only person in the world who is being adversely effected by a CFO/Accountant. In my company I am the whole IT dept. The CFO essentially runs the company and he has put his head accountant in charge of the IT dept. (ie yours truly). She doesn't even understand the most basic concepts of IT and yet she takes credit for all of the work I do. Sorry to steal some of your thunder Shannan, but I feel you pain.

 

[shannanl]

Actually the I.T. security at our hospital was very poor before I arrived (not bragging). The users basically left username/passwords in sight of others. They had every kind of software know to man installed on their computers. No anti-spyware measures at all. They had just installed a firewall before I arrived! That is one thing that really confused me. I cleaned all of that up and had the place working well. It was a blindsided punch to be sure! Derajer, if she is willing to take credit then I am not sure but I might try to make her take the fall also, if you know what I mean. Why can't supervisors just recognize a good employee and let them do their job? I was in a supervisory position in the Army for 8 years and I can tell you that some of the crap I see go on would never work in the Army. It was a big shock when I got out. Sometimes I wish I had stayed in.

Shannan

 

[HughSamson]

Not sure about your location specifics, but I assume you would have to have ISO accreditation for your hospital - a great chunk of which is in the IT arena. Given the above, you would almost certainly fail your next ISO accreditation audit - you may be able to leverage off this.
Your situation also doesn't meet ITIL standards - information security, both physical & logical, is covered by this - maybe suggest to your CEO that you undergo an ITIL assesment by an external vendor? This would certainly flag your situation as a major problem...
Here (Australia), OH&S regulations would also cause you some grief, if you are working in the server room - inappropriate noise levels, environmental issues (too hot/cold/hot-spots etc). In any facility I have ever worked in, we have never been permitted to work (full time) in the server room (not that I would have wanted to either!)...
Don't know if the above helps, but it may give you another couple of avenues to explore (especially the ITIL one - this shouldn't cause too many hackles to raise, if you present the idea as being pro-active, and in the best interests of the hospital, esp if you mention the correct buzz words e.g. "best practice", & the like...

 

[shannanl]

Actually we just underwent a ISO audit and we passed it. I.T. is only just barely covered by the audit. He came in and asked what kind of backup scheme we have and that is about it for I.T. I believe he was in the I.T. dept. about 15 minutes. I will look at the other suggestion though.

Thanks,

Shannan

 

[TAiNiUM]

I work in a health care environment also. I realize that HIPAA would definately play a big part in the defense but if I am not mistaken you as the admin would also get some of the blame. Luckily here my server room is locked and I don't work in it. Good luck with your situation and hopefully someone will wake up and smell the coffee..

 

[dkediger]

From the NIST (American National Institue of Standards and Technology):

HIPAA Security Recommended Paractices:

http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf

A nice guide that breaks HIPAA security implementation into functional groupings/tasks.

Facility Access Controls starts on page 58.

BTW, as I would assume your hospital is a HIPAA Covered Entity, then there would be defined/named a HIPAA Security Official. This person is ultimately repsonsible for HIPAA implementations. They aren't personally liable to the degree that SOX holds CEO/CFO's repsonsible, but none the less, HIPAA does force an org to put a name to the butt on the line.

There should also have been documented HIPAA training covering security of PHI. What did the training outline security measures should be?

 

[NickFerrar]

I'd just get a cheap push-button entry lock installed, the non-electronic versions are dirt cheap. Swipe card systems are nice but expensive especially if just covering one room. For health and safety reasons I'd want authorized people outside to easily be able to get inside.

Ideally of course you wouldn't be located in the server room, not sure how many servers you have but I can only stand about 15 minutes in our server room due to the noise and cold

Never worked in a hospital environment myself but why would you have patient data regularly displayed on screens? I'd hope that would be a violation of some code, IT people should have no more right to view confidential information, I'm assuming it is at least closely audited...

 

[ghjkl]

Hi Shannon,

My guess is Fire safety for the employees, being able to get out in a timely manner. Put the servers in another secure room or partition part of your office and lock that part.

Fred!

 

[nightrdr]

Just my 2 cents, but it seems the CFO needs to be reminded about LAWS requiring protection of privacy information (ie medical records). Just let one person find out their STD results were viewed by an unauthorized person and the CFO (or hospital lawyers) may change his mind.

Document your concerns and CF your supervisor NOTE: Sometimes the squeaking wheel gets grease, and somtimes it gets replaced.

 

[CobolKid]

Sometimes the squeaking wheel gets grease, and sometimes it gets replaced.

That should read,

The squeaking wheel GETS replaced!

During years past, as an employee, I've seen this happen multiple times:
A department head documents a potentially devastating problem. When the problem finally occurs, the department head is sacked. Why? Since the department head put it in writing, that person intended it to happen. Thus he or she becomes the "fall guy" for the real culprit, as he or she must of been the cause!

One must be careful in such a situation.

Question. I see references to the Chief Financial Officer, How about the Chief Executive Officer? You may face an angry CFO for doing so, but let me tell you, as CEO (and the majority stockholder) of my firm, I'd kick my CFO's butt all the way to H*LL if he ever ignored such a situation, Additionally, I’d be very, very angry over the fact that an employee in a critical position did not immediately inform me that this was occurring!

If this type of situation ever went to the point that I had to authorize a payment of a large fine or penalty, a whole lot of heads would roll, and quite possibly min too, as I doubt I could financially survive a such a hit!

FYI: My firm is an “Access Device Issuer,” we processes hypercritical data and issues access devices, including medical insurance I.D. cards for several “major” insurers; we face this exact concern daily!

Steve

 

[shannanl]

Steve,

I feel that I have made every effort short of quitting to show the CEO how serious this problem is. I even typed up a statement explaining to her that in my professional opinion this was a security issue that needed correcting immediately. I outlined the problems and what needed to be done to fix them. I even quoted parts of the HIPAA reg where we were in violation. I asked the CEO to sign it so I would have a record that I informed her of the problem and solutions. She refused to sign it. I also filed a possible HIPAA violation with our HIPAA officer and documented this well. I suspect that there may be some heads roll soon. It appears that our facility has been using HIPAA grant money to pay bills, electricity, phone, etc. at the direction of the CEO. That is fraud, period. The fat lady has not made it to the stage yet! Stay tuned.

Shannan

 

[compuveg]

Interesting developments, indeed. I didn't know there were HIPAA grants to help folks stay compliant, and misuse of those funds is an interesting turn in this thread.

Speaking of this thread yet, have we set any records yet?

 

[shannanl]

It has been a long thread

Shannan

 

[dgagne316]

Well, let me add to trying to break the thread-length record.

I suggest finding out who really wants the door left open, then post something "really interesting" about that person (e.g. a pic, a story, etc.) to appear on all the PC's monitors. Then see how long afterward the word comes down to lock, seal, and barracade the door. -dg

Denny G

http://www.placer.ca.gov/admin/infotech.htm

 

[tomed]

ALT27 had it right. You shouldn't be sitting in the server room. You should have a seperate office and the server room should be locked at ALL times. That is what I would push for if possible.

Our Network Admin had his office in the server room here until just recently. Our company was purchased by a larger company and their IT Dept had a fit that he was in there with the door open every day. We also had the Safety Coordinator complaining about the situation because it was so loud in the room.

 

[iownroot]

Quite frankly, If I were you I'd be looking for another job in a hurry. Misuse of any federal grant is very serious and often ends up in some sentencing for some people. If you think it's nasty now, you probably wouldn't want to be around to "hear the fat lady".

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+