threat or over-cautious?

FLATcura

hey,

one of my domains is in a building that has a homeless shelter and one of the workers has just called me and asked me to install .NET on her workstation. when i inquired why she said because her husband had created a program for her to track the clients' medications and information (assuming our current software doesn't or she can't figure it out)

my question is this, i don't know her husband or how good his programming skills are.. should i be worried? perhaps the application has holes in it a mile wide. i already told her i had reservations about doing it but i figured i would ask the opinions of the all powerful internet :) maybe i should request the source code just to be snoopy? maybe that's being a prick...

the workstations are Windows XP on a 2003 domain with a moderately strict GP, but they do have internet access and roughly 10 different users


thanks for your time

-dave
 
At bare minimum I would look at it first. Make sure the current paid-for software doesn't subsume this program's needs - if it does a small training session solves it.

Second, I would be wary of HIPAA issues - misuse of medical information and user information means the hammer comes down on you.

Third, yes you should look into it. If your job is to maintain the software and network for that building then YES!
 
As an outsider to ANY type of medical IT work, this seems like a no-brainer to me. It should NEVER be permitted unless it has been legally cleared. Unless such clearing/vetting/certifying is part of your official duties, DO NOT permit it. PERIOD.

The legal risk isn't worth it in the event that an "accident" happens and something is released.
 
HIPAA privacy rules are VERY strict on patient information and the penalties can be quite harsh. I would never trust confidential client info to any unproven piece of software, though I'd imagine the greatest threat probably wouldn't be the software itself, but the carelessness of the person using it. (e.g. - leaving their workstation unlocked when leaving their desk, sending client info via unencrypted email, copying info onto removable drives, etc...)

BTW, that computer she's using should be encrypted if it's tracking personal info.
 
I'd be very worried with HIPAA; I'd tell her flat out no unless legal OKs it.
 
As an IT technician, our jobs are to minimize a company's liability while increasing productivity. To that end, having a custom written app play with my core data...seems far too risky for my tastes. As others have pointed out, HIPAA alone could be your downfall in this situation. To say nothing of having data in two separate locations now (a logistic nightmare waiting to happen).

I'd of course say HELL NO. Were I pressed, I'd say I need the source code so I could verify the app against HIPAA (stressing that it would take a lot of business hours to complete the eval), and I'd also point out the data being in multiple spots.
 
Second, I would be wary of HIPAA issues - misuse of medical information and user information means the hammer comes down on you.

That would be my first reservation. That alone should be enough for you to deny the request.
 