ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    ProjectSend

    IT Discussion
    storage projectsend
    9
    157
    74.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dafyreD
      dafyre @Dashrender
      last edited by

      @Dashrender said:

      @scottalanmiller said:

      @Dashrender said:

      @dafyre said:

      ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

      You can share multiple folders like this to keep clients / government entities separated.

      That is not good enough for HIPAA.

      Are you sure? What is the HIPAA requirement?

      You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

      @dafyre doesn't mention anything about usernames.

      No, I didn't. I thought we were talking simple file sharing. ownCloud does allow you to share files among users as well though. it can run using its own stand-alone user database or run using LDAP / AD for the User database.

      drewlanderD 1 Reply Last reply Reply Quote 0
      • DashrenderD
        Dashrender
        last edited by

        Of course you're right @scottalanmiller, as long as you can show that a specific password was used to access said files. If you can't, well then you haven't identified the user.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @coliver
          last edited by

          @coliver said:

          @Dashrender said:

          @scottalanmiller said:

          @Dashrender said:

          @dafyre said:

          ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

          You can share multiple folders like this to keep clients / government entities separated.

          That is not good enough for HIPAA.

          Are you sure? What is the HIPAA requirement?

          You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

          @dafyre doesn't mention anything about usernames.

          You could easily setup username per client or whatever. Even send out links to reset/create a password. How does knowing the user's IP address give you info about who the user is? Even a username and password would be iffy in this scenario.

          While tracking IPs isn't specifically required, it's generally used as part of the verification that a user accessing a system is not accessing it from someplace they shouldn't be accessing it. For example, If a user is in Texas, and the IP they are logging in from is from Japan, someone should be looking into why that user's account was used from a Japanese IP.

          Users under the law are able to be held accountable for things accessed with their credentials. I'm sure this is to incentivize the user to maintain control over their account.

          coliverC scottalanmillerS 2 Replies Last reply Reply Quote 0
          • coliverC
            coliver @Dashrender
            last edited by

            @Dashrender said:

            @coliver said:

            @Dashrender said:

            @scottalanmiller said:

            @Dashrender said:

            @dafyre said:

            ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

            You can share multiple folders like this to keep clients / government entities separated.

            That is not good enough for HIPAA.

            Are you sure? What is the HIPAA requirement?

            You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

            @dafyre doesn't mention anything about usernames.

            You could easily setup username per client or whatever. Even send out links to reset/create a password. How does knowing the user's IP address give you info about who the user is? Even a username and password would be iffy in this scenario.

            While tracking IPs isn't specifically required, it's generally used as part of the verification that a user accessing a system is not accessing it from someplace they shouldn't be accessing it. For example, If a user is in Texas, and the IP they are logging in from is from Japan, someone should be looking into why that user's account was used from a Japanese IP.

            Users under the law are able to be held accountable for things accessed with their credentials. I'm sure this is to incentivize the user to maintain control over their account.

            So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

            scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said:

              Of course you're right @scottalanmiller, as long as you can show that a specific password was used to access said files. If you can't, well then you haven't identified the user.

              If there is only one password, then you know for sure. If not, then you are in the same boat as with usernames needing to track which one was used.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said:

                @coliver said:

                @Dashrender said:

                @scottalanmiller said:

                @Dashrender said:

                @dafyre said:

                ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

                You can share multiple folders like this to keep clients / government entities separated.

                That is not good enough for HIPAA.

                Are you sure? What is the HIPAA requirement?

                You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

                @dafyre doesn't mention anything about usernames.

                You could easily setup username per client or whatever. Even send out links to reset/create a password. How does knowing the user's IP address give you info about who the user is? Even a username and password would be iffy in this scenario.

                While tracking IPs isn't specifically required, it's generally used as part of the verification that a user accessing a system is not accessing it from someplace they shouldn't be accessing it. For example, If a user is in Texas, and the IP they are logging in from is from Japan, someone should be looking into why that user's account was used from a Japanese IP.

                Users under the law are able to be held accountable for things accessed with their credentials. I'm sure this is to incentivize the user to maintain control over their account.

                how would IP tracking help that? As we've seen this morning IP geotracking doesn't work and often gets the country wrong (@Carnival-Boy reported as in France rather than the UK, me in Germany rather than the UK, etc.) And even when it works, how do you know where the other person is "supposed to be?"

                There is no reliable IP Geolocation system so using that with HIPAA seems like a bad idea.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @coliver
                  last edited by

                  @coliver said:

                  So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

                  I'd say tracking IPs is bad because there is nothing good that could come from storing that information.

                  drewlanderD 1 Reply Last reply Reply Quote 0
                  • dafyreD
                    dafyre
                    last edited by

                    @scottalanmiller I'd agree with @Dashrender here. If something happens and a user's account is being used from Japan when the live in Texas... that would be information nice to have.

                    scottalanmillerS 1 Reply Last reply Reply Quote 1
                    • DashrenderD
                      Dashrender @coliver
                      last edited by

                      @coliver said:

                      So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

                      Hmm.. I'll have to think on that. Not talking about the law specifically, but why would I want to? To help ensure that only proper access is being used. If there is no reason for someone in Japan to be accessing my systems, yet I see an IP in Japan accessing it, I need to know that.

                      coliverC scottalanmillerS 2 Replies Last reply Reply Quote 0
                      • coliverC
                        coliver @Dashrender
                        last edited by

                        @Dashrender said:

                        @coliver said:

                        So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

                        Hmm.. I'll have to think on that. Not talking about the law specifically, but why would I want to? To help ensure that only proper access is being used. If there is no reason for someone in Japan to be accessing my systems, yet I see an IP in Japan accessing it, I need to know that.

                        At that point you would want to look into a intrusion detection system rather then doing it at the application level.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @dafyre
                          last edited by

                          @dafyre said:

                          @scottalanmiller I'd agree with @Dashrender here. If something happens and a user's account is being used from Japan when the live in Texas... that would be information nice to have.

                          To whom would you supply that info? And what would you say "Our database that isn't accurate says you should be here but are using an IP address here?"

                          Remember they do NOT know that you should be in Texas nor do they know that the IP address is Japan. Those are both presumptions based on information a medical facility would not have.

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by scottalanmiller

                            @Dashrender said:

                            Hmm.. I'll have to think on that. Not talking about the law specifically, but why would I want to? To help ensure that only proper access is being used. If there is no reason for someone in Japan to be accessing my systems, yet I see an IP in Japan accessing it, I need to know that.

                            No, you certainly do not need to know that.

                            dafyreD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender
                              last edited by

                              @scottalanmiller does have a good point that Geo IP tracking is becoming more fruitless as IP blocks are being bought and sold in areas of the world they were not originally destined to be used, and GEO IP's aren't being updated as frequently as they could be.

                              But, tracking IPs to show that an IP that is significantly outside the range of those normally used to access your system while possibly a red herring, is still useful as a stepping stone when looking for inappropriate access.

                              coliverC scottalanmillerS 3 Replies Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller
                                last edited by

                                Things you cannot know:

                                • That the IP is from Japan
                                • That the person is not supposed to be in Japan

                                You know neither of these things. How do you want to react with misleading information that makes you assume one thing but doesn't mean that?

                                drewlanderD 1 Reply Last reply Reply Quote 0
                                • coliverC
                                  coliver @Dashrender
                                  last edited by coliver

                                  @Dashrender said:

                                  @scottalanmiller does have a good point that Geo IP tracking is becoming more fruitless as IP blocks are being bought and sold in areas of the world they were not originally destined to be used, and GEO IP's aren't being updated as frequently as they could be.

                                  But, tracking IPs to show that an IP that is significantly outside the range of those normally used to access your system while possibly a red herring, is still useful as a stepping stone when looking for inappropriate access.

                                  This goes beyond the scope of an application like ProjectSend though. This would be more along the line of an IDS.

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said:

                                    @scottalanmiller does have a good point that Geo IP tracking is becoming more fruitless as IP blocks are being bought and sold in areas of the world they were not originally destined to be used, and GEO IP's aren't being updated as frequently as they could be.

                                    And as normal, every day end users use international VPNs to access media and content as users from all over the world.

                                    And as people travel. If you have my US medical records, would you want to deny them to me when I am traveling or living abroad?

                                    DashrenderD dafyreD 2 Replies Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      But, tracking IPs to show that an IP that is significantly outside the range of those normally used to access your system while possibly a red herring, is still useful as a stepping stone when looking for inappropriate access.

                                      How could that be useful? Why would you want to track the "Normal Range" for a user? Are you prepared to disclose to all of your customers that you are doing Google-like tracking of them? As a medical facility, I would never want to hold onto that kind of personal information unless a court order made me do it.

                                      J 1 Reply Last reply Reply Quote 1
                                      • J
                                        Jason Banned @scottalanmiller
                                        last edited by

                                        @scottalanmiller said:

                                        @Dashrender said:

                                        But, tracking IPs to show that an IP that is significantly outside the range of those normally used to access your system while possibly a red herring, is still useful as a stepping stone when looking for inappropriate access.

                                        How could that be useful? Why would you want to track the "Normal Range" for a user? Are you prepared to disclose to all of your customers that you are doing Google-like tracking of them? As a medical facility, I would never want to hold onto that kind of personal information unless a court order made me do it.

                                        You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.

                                        scottalanmillerS drewlanderD 3 Replies Last reply Reply Quote 2
                                        • scottalanmillerS
                                          scottalanmiller @Jason
                                          last edited by

                                          @Jason said:

                                          @scottalanmiller said:

                                          @Dashrender said:

                                          But, tracking IPs to show that an IP that is significantly outside the range of those normally used to access your system while possibly a red herring, is still useful as a stepping stone when looking for inappropriate access.

                                          How could that be useful? Why would you want to track the "Normal Range" for a user? Are you prepared to disclose to all of your customers that you are doing Google-like tracking of them? As a medical facility, I would never want to hold onto that kind of personal information unless a court order made me do it.

                                          You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.

                                          Use me as an example. I travel all over the US and around the world. I access from desktops, laptops, cell phones, over VPN connections back to the US, etc. I have no idea how you would ever determine normal for me and attempting to do so would seriously violate my privacy. Only in a way that I implicitly allowed, but it does so all the same. But storing that information and using it to determine patterns about me seems very illegal in a medical context. As any medical in the US is a partial extension of the government (doctors are government agents via certification and not performance workers like normal people in the workforce) this is an extension of the government using my medical needs to track me. I don't like this idea at all. There is no positive use case for it but lots of negatives.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Jason
                                            last edited by

                                            @Jason said:

                                            You have to do a lot of tracking to determine what is normal.

                                            And even then, it would constitute opinion.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 7
                                            • 8
                                            • 2 / 8
                                            • First post
                                              Last post