    ProjectSend

    IT Discussion
    storage projectsend
    • scottalanmiller @dafyre

      @dafyre said:

      If somebody's IP address shows up in Japan, and they live 5 miles down the road from the office, I will block that IP address until the user calls me saying "Hey, I can't get to the file website." I believe in erring on the side of caution.

      That's very, very bad. That could easily trigger a discrimination lawsuit.

      You are not erring on the side of caution, you are erring on the side of personal control over other people's information. IT should have literally zero say in this. It should be management, legal and customers only. If IT is involved in blocking people from their medical reasons on IT's own opinion that answer is wrong, every time.

      • JaredBusch

        As far as I understand the use @Dashrender is implying, this is tracking employee location not clients. Employees should not be randomly logging in from unexpected locations.

        This has nothing to do with tracking people traveling.

        • scottalanmiller @dafyre

          @dafyre said:

          You know neither of these things. How do you want to react with misleading information that makes you assume one thing but doesn't mean that?

          I can easily answer the second question. Dials phone: "Hey, are you in Japan? No? Okay, that's all I need to know." Hang up ... block IP.

          1. Really? You are going to call anyone and everyone that accesses your systems? You, in IT, are going to start pulling their HIPAA regulated data illegally to do so? This violates HIPAA very clearly. As an IT pro, you don't have a need to see my HIPAA data, which includes my location and phone number. If I get that call, I call a lawyer. This means your systems are bleeding my data and that's very bad.

          (Baylor Hospital in Texas did this, they got in huge trouble for selling data.)

          • Dashrender

            Also, you're looking at this from the side of the patient. Because this is hosted, I don't care about the patient (maybe I should, and perhaps I will in another thread) but this discussion is around employee access, not patient access.

            My normal employees have no need to access this anyplace outside of my city at this point in time. The physicians, on the other hand, are a bit more flexible, and as such, when they are known to be traveling we can choose to ignore the GEO IPs for them; but once they return we can once again lock them down and pay attention to attempted location access in an attempt to thwart inappropriate access.

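The access policy described in the post above (regular staff expected only at known locations, physicians given a time-boxed exception while travelling) can be written down as a small evaluator. This is an added illustration, not ProjectSend code or anything posted in the thread; it assumes the source IP has already been resolved to a country code upstream, and the account names, countries, IPs and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed illustration, not ProjectSend code. Staff are expected only in
# their home country; a travelling physician gets a time-boxed exception.
# Resolving the source IP to a country is assumed to happen upstream.

@dataclass
class GeoPolicy:
    home_countries: set                         # countries this account normally uses
    travel: list = field(default_factory=list)  # (country, first_day, last_day)

@dataclass
class LoginEvent:
    user: str
    ip: str
    country: str                                # already resolved from ip (assumed)
    day: date

# Hypothetical accounts; the physician has an approved two-week trip.
POLICIES = {
    "jsmith": GeoPolicy(home_countries={"US"}),
    "drlee": GeoPolicy(home_countries={"US"},
                       travel=[("JP", date(2015, 11, 1), date(2015, 11, 14))]),
}

def evaluate(event: LoginEvent, policies=POLICIES) -> str:
    """Return 'allow', 'review' or 'deny' for one login.

    'review' flags an out-of-policy location for whoever owns the access
    decision rather than blocking silently; an account with no policy at
    all is denied, so a missing entry never becomes an open door.
    """
    policy = policies.get(event.user)
    if policy is None:
        return "deny"
    if event.country in policy.home_countries:
        return "allow"
    for country, first, last in policy.travel:
        if event.country == country and first <= event.day <= last:
            return "allow"          # inside the approved travel window
    return "review"                 # expired window or unexpected country

def out_of_policy(events, policies=POLICIES):
    """List (user, country) for logins needing review; the raw IP is not kept."""
    return [(e.user, e.country) for e in events if evaluate(e, policies) == "review"]

# Constructed sample: documentation-range IPs, dates around the trip.
SAMPLE_EVENTS = [
    LoginEvent("jsmith", "203.0.113.10", "US", date(2015, 11, 10)),
    LoginEvent("drlee", "198.51.100.7", "JP", date(2015, 11, 10)),
    LoginEvent("drlee", "198.51.100.7", "JP", date(2015, 11, 20)),
    LoginEvent("jsmith", "198.51.100.7", "JP", date(2015, 11, 10)),
    LoginEvent("nobody", "192.0.2.1", "US", date(2015, 11, 10)),
]
```

The third sample event falls after the physician's travel window has expired, so it is flagged for review rather than allowed on the strength of an old exception.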
            • scottalanmiller @JaredBusch

              @JaredBusch said:

              As far as I understand the use @Dashrender is implying, this is tracking employee location not clients. Employees should not be randomly logging in from unexpected locations.

              This has nothing to do with tracking people traveling.

              Employees are one thing. But this product and thread are about getting data to external people, not for internal staff. While you could do that, it's not the design of the product.

              • scottalanmiller @Dashrender

                @Dashrender said:

                Also, you're looking at this from the side of the patient. Because this is hosted, I don't care about the patient (maybe I should, and perhaps I will in another thread) but this discussion is around employee access, not patient access.

                Why would an employee not use secure, internal systems? How did employees come into this picture?

                • JaredBusch @scottalanmiller

                  @scottalanmiller said:

                  @JaredBusch said:

                  As far as I understand the use @Dashrender is implying, this is tracking employee location not clients. Employees should not be randomly logging in from unexpected locations.

                  This has nothing to do with tracking people traveling.

                  Employees are one thing. But this product and thread are about getting data to external people, not for internal staff. While you could do that, it's not the design of the product.

                  Nothing was about anything but employees until someone else, I read it as you, brought up external people.

                  • Dashrender @scottalanmiller

                    @scottalanmiller said:

                    Employees are one thing. But this product and thread are about getting data to external people, not for internal staff. While you could do that, it's not the design of the product.

                    Again @scottalanmiller you're right, this product is for external access. Those accessing it externally are not patients, but other vendors/hospitals/lawyers, etc. who need access to some data that would often be sent via email, but we are looking for other, more secure options.

                    • scottalanmiller @scottalanmiller

                      @scottalanmiller said:

                      Looks like the main goal, though, is for doing external file management to clients rather than ownCloud, which focuses on internal storage.

                      It was the second post. No one brought up that this was wrong...

                      And I did not "bring it up." Here is the logo for what we are discussing...

                      [image: 0_1447167666702_sendproject.png]

                      • scottalanmiller @Dashrender

                        @Dashrender said:

                        @scottalanmiller said:

                        Employees are one thing. But this product and thread are about getting data to external people, not for internal staff. While you could do that, it's not the design of the product.

                        Again @scottalanmiller you're right, this product is for external access. Those accessing it externally are not patients, but other vendors/hospitals/lawyers, etc. who need access to some data that would often be sent via email, but we are looking for other, more secure options.

                        That's what I thought we were discussing.

                        • dafyre @scottalanmiller

                          @scottalanmiller said:

                          That's very, very bad. That could easily trigger a discrimination lawsuit.

                          You are not erring on the side of caution, you are erring on the side of personal control over other people's information. IT should have literally zero say in this. It should be management, legal and customers only. If IT is involved in blocking people from their medical reasons on IT's own opinion that answer is wrong, every time.

                          Then I would be sued out of existence. If a company has hired me to protect their infrastructure, then that is what I will do.

                          Turn that on its flip side for a second. What if it were an IPS system or a firewall that was actively blocking things from a list of countries by default? I didn't set it up that way. Those are the default rules. I'm not the one who said "That's a bad IP address" -- my vendor said that. Then it would be my vendor sued out of existence... Which, if being so easily open to lawsuits was the case, companies that manage Snort, AlienVault, Suricata, et al, would be priced so that only big business and large enterprises can afford to use their products.

                          • scottalanmiller @JaredBusch

                            @JaredBusch said:

                            Nothing was about anything but employees until someone else, I read it as you, brought up external people.

                            I read it as the topic both because the topic is specifically about a product to "share files with clients" and because I pointed this out at the beginning for clarity.

                            • scottalanmiller @dafyre

                              @dafyre said:

                              Then I would be sued out of existence. If a company has hired me to protect their infrastructure, then that is what I will do.

                              You would break the law because you feel that violating HIPAA regulations protects the infrastructure? You would be the one stealing the data here and the one that the infrastructure needs to be protected from, right?

                              • scottalanmiller @dafyre

                                @dafyre said:

                                Turn that on its flip side for a second. What if it were an IPS system or a firewall that was actively blocking things from a list of countries by default? I didn't set it up that way. Those are the default rules. I'm not the one who said "That's a bad IP address" -- my vendor said that. Then it would be my vendor sued out of existence... Which, if being so easily open to lawsuits was the case, companies that manage Snort, AlienVault, Suricata, et al, would be priced so that only big business and large enterprises can afford to use their products.

                                You are mixing concepts. Blocking by default is possibly very foolish and again, never an IT decision, BUT it has NO relationship to tracking people or violating data integrity laws by stealing HIPAA data for personal use (even if you feel that that personal use is to "protect the infrastructure").

                                • coliver @dafyre

                                  @dafyre said:

                                  @scottalanmiller said:

                                  That's very, very bad. That could easily trigger a discrimination lawsuit.

                                  You are not erring on the side of caution, you are erring on the side of personal control over other people's information. IT should have literally zero say in this. It should be management, legal and customers only. If IT is involved in blocking people from their medical reasons on IT's own opinion that answer is wrong, every time.

                                  Then I would be sued out of existence. If a company has hired me to protect their infrastructure, then that is what I will do.

                                  Turn that on its flip side for a second. What if it were an IPS system or a firewall that was actively blocking things from a list of countries by default? I didn't set it up that way. Those are the default rules. I'm not the one who said "That's a bad IP address" -- my vendor said that. Then it would be my vendor sued out of existence... Which, if being so easily open to lawsuits was the case, companies that manage Snort, AlienVault, Suricata, et al, would be priced so that only big business and large enterprises can afford to use their products.

                                  But the difference is you aren't recording IP addresses at the application level that can be linked to records that were downloaded. Most IPS systems won't be able to link IP addresses being blocked with patients or clients/vendors.

                                  • Dashrender @scottalanmiller

                                    @scottalanmiller said:

                                    Why would an employee not use secure, internal systems? How did employees come into this picture?

                                    light bulb

                                    Damn, thanks for bringing this back full circle.
                                    Those that I would be sending information to via this product would be people I know, or at least that are allowed in some capacity to have the HPI in question. For the most part in my case it's going to be local hospitals and lawyers. As such I can assume that most of the time they will be local.
                                    Also, I get to choose how I release this data to you. I can choose to mail it instead of sending it electronically. So, I can demand to know the GEO IP you're going to download from if I want to before deciding if you'll be allowed to download from there or if I will fall back to using snail mail.

                                    Yes that's extreme, but doable.

                                    • scottalanmiller

                                      Instead of thinking about IT, treat this as other security roles:

                                      • Would a security guard at the front desk be allowed to go into private health records and call people at home because he "felt it was good security"?
                                      • Would the receptionist turn down calls from numbers that they personally felt should not be used by the customers?

                                      If not, why is IT different?

                                      • scottalanmiller @coliver

                                        @coliver said:

                                        But the difference is you aren't recording IP addresses at the application level that can be linked to records that were downloaded. Most IPS systems won't be able to link IP addresses being blocked with patients or clients/vendors.

                                        Linked to regulated, personal health data!

                                        • Dashrender @scottalanmiller

                                          @scottalanmiller said:

                                          @Dashrender said:

                                          @scottalanmiller said:

                                          Employees are one thing. But this product and thread are about getting data to external people, not for internal staff. While you could do that, it's not the design of the product.

                                          Again @scottalanmiller you're right, this product is for external access. Those accessing it externally are not patients, but other vendors/hospitals/lawyers, etc. who need access to some data that would often be sent via email, but we are looking for other, more secure options.

                                          That's what I thought we were discussing.

                                          But again, I'm not sending to patients, I'm sending to third parties on behalf of the patient.

                                          And I'd love to see where location data is considered HPI and protected? As well as a phone number.

                                          • scottalanmiller @Dashrender

                                            @Dashrender said:

                                            Those that I would be sending information to via this product would be people I know, or at least that are allowed in some capacity to have the HPI in question. For the most part in my case it's going to be local hospitals and lawyers. As such I can assume that most of the time they will be local.

                                            Can you? Why? How do you know that? How do you determine where the IP is coming from? And WHY WHY WHY would you care?
