The Official Status Thread



  • There's a 30-day trial. It's worth a shot. I like it. It just isn't always worth it, certainly not for everyone.


  • Notification Spam Recipient

    Status:

Was my response accurate? I'm not really well versed in the field of HIPAA regulations, but I would think if they got in so far as to be able to access the network drives (controlled by the DC) having the files encrypted wouldn't really help, right?



  • It's been a while, but IIRC HIPAA doesn't require encryption for data "at-rest" (meaning, sitting on a server but not being transmitted anywhere.)

    It wouldn't be a bad idea to use encryption everywhere, as I'm not sure you're accounting for an attack where the server's HD is physically removed from the server. Full-disk encryption would help there. Sure you have physical protections against that, but, you know, defense-in-depth.


  • Notification Spam Recipient

    @blakeyrat said:

    as I'm not sure you're accounting for an attack where the server's HD is physically removed from the server.

    Yeah, I'm trying to describe this scenario to one-who-doesn't-know.

    At the moment their server is unmanned, and nobody at that office would be able to enter in the encryption passphrase were I to encrypt the disks (requiring me to interrupt my day-job and travel the hour-long commute to get there and boot up the server). I have most of it automated so in the case of an unplanned shutdown it (kinda) recovers (mostly) automatically, but I'm not sure I should introduce the complexity (despite how small it is) to add it to the office setup...



  • How physically secure is it? Password on the door? RFID lock? Anything?

    That would decide it for me.


  • Notification Spam Recipient

    @blakeyrat said:

    Anything?

    Lol nope. It's in the corner of a back office quietly hiding in dark mode. That particular office is typically locked when not in use by the proprietor. The situation has... improved, from what it was before.

It's in a case that looks identical to the rest of the PCs in the office (some prior idiot convinced our dear friend that he needed beefy gaming-quality machines in order to display pictures), so if the thieves actually get into the office they have a 50% chance of snagging his workstation instead of the server (his is more out-in-the-open and much brighter).

    I've been meaning to get it into a better location, but there just aren't too many in this office and I don't have the time/resources to build something up for it. I'm still working on getting time to have a proper second DC to alleviate the unexpected-shutdown issues and provide on-site backup.



  • Status: Wondering why Community Server was the only forum I've ever heard of that was written in a compiled language.



  • Get something like this:

    http://www.navepoint.com/navepoint-15u-wallmount-networking-cabinet-600mm-depth-with-fans.html?gclid=Cj0KEQiArou2BRDcoN_c6NDI3oMBEiQANeix5lcN3Z5bDILPz4vfb1EZgwaH-1tywq3AfZku2xOUB6saAquh8P8HAQ

    Add a quality padlock. (EDIT: actually it looks like most of these models contain their own keys, I'm having trouble finding one with a padlock loop.) Cable it to something in the building that can't be moved (the building itself, preferably.)

    Seriously, you can take care of this problem for less than $300. Do it. Do it now. Expense it on your own corporate account if you have to.



  • @blakeyrat said:

    HIPAA doesn't require encryption for data "at-rest"

It's more that it isn't technically required by the standards. But they do say you need to do it if reasonable, which basically means it is. You could argue that it wasn't reasonable to encrypt, but the costs are so low that it could be hard to win with that.



  • Well sure, but "servers sitting out in the goddamned open" also is certainly against the spirit, if not the text, of HIPAA too. He needs to physically secure that server no matter what else he does, ASAP.

    And, again, it's not like locking server cabinets are expensive. They're not. They're cheap. They're on goddamned Amazon with free shipping. There's no reason not to do it.


  • Notification Spam Recipient

    @blakeyrat said:

    something like this:

    That looks do-able. Right now the location is under a dark-colored desk, so it should fit in style.

    @blakeyrat said:

contain their own keys

    I'm sure if you really wanted to you could swap out the tumbler or whatever it's called. It should be possible to mount it to the wall.

    @blakeyrat said:

your own corporate account

    😆 I'm not official enough to have one of those.

    I believe I'm technically a freelance technical consultant on the books.

    @locallunatic said:

if reasonable

    It was hard enough to train the users to log on to the domain (though they're all using the same account :facepalm:), I'm not sure I'm up to the task of teaching them how to log on to a freshly-restarted server to enter in the encryption key so that their services start up.

    Sure, I can reasonably encrypt the disks, but who's going to be there to unlock them?
    Is a day's worth of surgeries and operations unable to be performed due to system lockdown worth it? I don't know, I'm not legal and don't have the time to investigate that.

    @blakeyrat said:

He needs to physically secure that server no matter what else he does, ASAP.

    Yeah, this isn't my job, otherwise I would have been right on it.

    I suppose the office is just lucky there aren't more crooks in that area of the suburbs. Despite how easy it would be to get access, it doesn't appear that anyone's even tried (like, literally, the target room is across the hall from Post-Op, though the hallway is recorded on camera).

    At the very least, I'm sure they can handle a simple equipment lock and screw it to the desk until we get something better...



  • HIPAA requires your company to have a compliance officer, and a way of anonymously (or not, your choice) passing them hints. So via the Rules Of HIPAA, you should have a direct line to someone whose ass is in the fire if he doesn't get the servers secured ASAP.

    I do know that much about HIPAA because it's in the yearly training (which, BTW, is also required). Details on how exactly servers are to be configured are not.



  • @Tsaukpaetra said:

    I'm not sure I'm up to the task of teaching them how to log on to a freshly-restarted server to enter in the encryption key so that their services start up.

    It is really easy to motivate them to learn "Not doing this is a HIPAA violation". Or if they do want to argue it tell them to talk to their lawyer and that you think the protection is super basic.


  • Notification Spam Recipient

    @blakeyrat said:

HIPAA requires your company to have a compliance officer, and a way of anonymously (or not, your choice) passing them hints. So via the Rules Of HIPAA, you should have a direct line to someone whose ass is in the fire if he doesn't get the servers secured ASAP.

    Hmmm... Yeah, I don't think they have anyone like that (to my knowledge). If there is, they've certainly not been in contact with myself, as I remain the sole person who knows the :wtf: that is going on with their (non-medical) stuff. Even if some of those :wtf:s were bodged by me due to emergency and time crunch and gotta-get-back-and-running-last-week situations (which, thankfully, have drastically reduced in frequency for a while).

    @locallunatic said:

It is really easy to motivate them to learn

    Oh sure, I can convince them to learn. Getting them to actually learn is a different story. You'd be surprised how often I get calls where the only thing wrong is that someone turned off the monitor.

    At least they know that rebooting is one of the first things I'll ask them if they talk about "just this one computer can't connect" so I'm confident when guiding them through basic troubleshooting that they won't be distracted by whatever random stuff they decided to do before experiencing the problem.



  • I'm going to sound like an asshole, but so be it: HIPAA also generally assumes (and guarantees, if you follow it closely) your company has its shit together.

    For example, the rules on encrypting data and physically securing servers don't take into account shitty software that crashes every few hours and requires manual intervention to be rebooted or the network sometimes drops a bunch of packets and it all gets disconnected. The HIPAA rules about having a compliance officer don't take into account that the officer is too lazy to provide training, he never checks his compliance email inbox, etc.

    The better a company complies with HIPAA, generally speaking, the more they have their shit together as well.

    Have you ever hung out with a web search optimization expert? You realize that 99% of their advice is basically just, "dude, your website does not have its shit together. Get its shit together." There's nothing MAGICAL about getting more Google ranking; Google just looks for the common-sense "your shit is together" types of things. (You know, are there broken links? Is there a EULA/Legal Statement? Are pages accepting user data encrypted? Basic shit-together stuff.) HIPAA's a little bit like that. Except the Federal Government will give you company-ending fines if you fuck it up.

    You don't need to be a HUGE company or a SUCCESSFUL company to implement HIPAA, you just need to be a company that has its shit together.


  • Notification Spam Recipient

    @blakeyrat said:

    has its shit together.

Yeah, it's definitely not together. For a sample nugget for enlightenment on the situation, before I got involved the server shared its C: drive to Everyone with full permissions (because, apparently, one of the business software packages requires that all clients have full direct access to the installation directory on the server, located at the root of C: (and it must be C:)). This was also partly because all of the client computers were running Home editions of Windows, so of course they weren't using their shiny (at the time) Windows 2003 Server for anything at all.

Now at least I'm slowly getting things locked down and (somewhat) secured, but a lot of things are still balancing on marbles (for instance: if the server goes down, DNS goes with it, so no internet for those on the internal network, but at least the Guest Wifi will work ;) ).


  • Winner of the 2016 Presidential Election

Status: Despite having spent the last 5 hours on my tax returns, I'm quite happy. The US of A owes me a lot of money.



  • Then you gave the government an interest free loan, congratulations.


  • BINNED

    @Lorne_Kates said:

    {sigh} Why cannot people just

    move to a warmer climate and leave 🍁 to the polar bears? If temp. falls below a certain threshold it is a sign that nature is asking you to :fu: off.

    🚎


  • FoxDev

    Status: Found Discotime in Visual Studio:


  • 🚽 Regular

    @FrostCat said:

    One answer came close, pointing out that glass recycles easier/better than plastic.

UV damage is also a major shortcoming for optical plastics in outside applications. Within a decade there will be visible damage even with stabilised plastics.

    Polycarbonate also likes to spall giving it a frosted look. Plastics are just a bad choice for the job a window is supposed to do.

    Edit: 502 NOT OK, do your damn job forum software.


  • Notification Spam Recipient

STATUS Didn't get as much data as I would like. I think I've flushed out the bugs and can run again tonight. I do have enough to start looking at coverage though. A dark art but interesting nonetheless.



  • STATUS:

    After bugging me incessantly during my 4 day weekend, the client deserves some snark.



  • Status: Car loan is now officially paid off!


  • FoxDev

    Off to the cupcake thread with you! ;)


  • BINNED

    @mott555 said:

    Status: Car loan is now officially paid off!

    Famous last words before parking it in a tree

    Edit: 500 Internal Server Error

    If it's internal why are you telling me?


  • FoxDev

    @Luhmann said:

    If it's internal why are you telling me?

    Because it wants you to feel loved ;)



  • @Luhmann said:

    @mott555 said:
    Status: Car loan is now officially paid off!

    Famous last words before parking it in a tree

    Edit: 500 Internal Server Error

    If it's internal why are you telling me?

    TBH I think the tree would come out worse.


  • BINNED

    @mott555 said:

    TBH I think the tree would come out worse.

    That's why you end up with a fine for damaging a tree around here.


  • Notification Spam Recipient

    STATUS I was coughing so hard that my headphones fell off and now I have to press my right mouse button harder for it to work :(


  • Discourse touched me in a no-no place

    Status: Been in a meeting about our Data Management Architecture Plan (result: it'd be nice if we had one, but we have someone whose job it is to convene a committee to look into who will be doing the fact-finding required to make the plan). It was interesting to hear just how many different research groups around this place have data problems that are essentially similar to ours: how do we collect data accurately and ensure it remains meaningful and useful for a decade?

    Also, why do Operations insist on never talking to users? Seriously, that's going to end up with them in deep shit, as the users ultimately control how much money they get…



  • @DogsB said:

    I was coughing so hard that my headphones fell off

    OK

    @DogsB said:

    now I have to press my right mouse button harder for it to work :(

    For the mouse to work? How are those two connected? Or if it is for your headphones to work, how the fuck does pressing harder on the mouse button make it work?



  • @locallunatic said:

    For the mouse to work? How are those two connected?

    *sighs* Do you not know that all things are fundamentally interconnected?

    Filed under: In order to make this post it was necessary to purchase a fridge, I will invoice 💽🐎 for the expense.


  • Notification Spam Recipient

    This post is deleted!


  • OK. Including the fact that the headphones hit the mouse would have made this much clearer. I guessed that was what had happened, but wanted to avoid another annoying "I can't tell what is implied here therefore telepathy required" rant from the rat.


  • Notification Spam Recipient

    @locallunatic said:

OK. Including the fact that the headphones hit the mouse would have made this much clearer. I guessed that was what had happened, but wanted to avoid another annoying "I can't tell what is implied here therefore telepathy required" rant from the rat.

    I have deleted that post in the hope of making this happen.



  • well belgium you too


  • Discourse touched me in a no-no place

    @Cursorkeys said:

    UV damage is also a major shortcoming for optical plastics in outside applications.

    As Blakey alluded to, a number of people made that exact point, which this guy seems to have steadfastly ignored.


  • Discourse touched me in a no-no place

    @Luhmann said:

    That's why you end up with a fine for damaging a tree around here.

    Not if nobody else sees.



  • but... does it make a sound?


  • Discourse touched me in a no-no place

    @Jarry said:

    but... does it make a sound?

    Of course--"you" were there! How else would you have hit it?



  • and what if a self driving car hits it?


  • Discourse touched me in a no-no place

    @Jarry said:

    and what if a self driving car hits it?

    Does the car have a microphone?


  • 🚽 Regular

    Status: Boss and coworker are investigating a way of removing something with a vacuum and are performing experiments with a plunger.

    The best bit is the office divider is hiding most of the action, I can just see two red-faced people vigorously doing something at groin height.

    "Just pull harder, don't worry about breaking it!"
    "Don't get yourself in the eye"

    :giggity:



  • don't know.

    the presence of a microphone causes the sound to exist?


  • Garbage Person

    We have forms for our healthcare customers to sign that say "You have asked to transmit unencrypted PHI data to us. This is a violation of HIPAA. By signing this you acknowledge that this is against regulations and agree to hold WTFCorp blameless in the event of any breach and to cover any costs incurred by WtfCorp including fines, damages, legal costs, etc."

Every. Single. Fucking. One of them has signed it.



  • @locallunatic said:

but wanted to avoid another annoying "I can't tell what is implied here therefore telepathy required" rant from the rat.

    Are you joking?

    That post was hilarious.

    It reminded me of that MST3K line in Red Zone Cuba, where the guy says, "she went blind when her husband was killed in the war" and the 'bots were all like, "whaaa?"


  • Discourse touched me in a no-no place

    @Jarry said:

    don't know.

    the presence of a microphone causes the sound to exist?

No, it's analogous to an ear.


  • Notification Spam Recipient

The more I hear about that series the more I want to watch it, but none of my subscriptions have it. :( It's the same with the original Twilight Zone (which is the best fucking series ever). It would be cheaper for me to buy the DVD set and rip it than buy it episode by episode from Amazon. There is something really fucked about that.



  • @DogsB said:

    The more I hear about that series the more I want to watch it but none of my subscriptions have it.

    Most of it is on YouTube. When they're taken down off YouTube it's not because the MST3K guys took it down, but the company that owned the original film copyright did.

    http://mst3konline.blogspot.com/ <- Out of date with many broken links, but you can search the episode titles.

    This is generally seen as ok, since the end credits of the show had "keep circulating the tapes" on it for basically its entire run.

There's actually an "official" MST3K Digital Archive Project, which only archives episodes not otherwise available through commercial means. (a.k.a. the ones they haven't put on DVD.) I think they make them available via BitTorrent. Right now their website says, and I quote: "Session initialisation failed".

    Anyway, all I'd ask is if you enjoy it, buy something from the guys. Either a DVD set, or some of the episodes from RiffTrax, whatever. Just buy something.

    BTW, Netflix has all of the Twilight Zone except the hour-long episodes. (Which generally speaking weren't as good anyway. The kind of stories they ran don't require a full hour to tell, and heck, some run out of steam before their half-hour is up.)

