AppGini - building a webpage/db
- 
 @IRJ said in AppGini - building a webpage/db:
 > @Dashrender said in AppGini - building a webpage/db:
 > > I think you're being over cautious.
 >
 > Nope. Not something I am willing to ruin my career over.

 Nice to be in that position, I guess.
- 
 @Dashrender said in AppGini - building a webpage/db:
 > @IRJ said in AppGini - building a webpage/db:
 > > @Dashrender said in AppGini - building a webpage/db:
 > > > I think you're being over cautious.
 > >
 > > Nope. Not something I am willing to ruin my career over.
 >
 > Nice to be in that position, I guess.

 Are you that afraid to say no?
- 
 @IRJ said in AppGini - building a webpage/db:
 > @Dashrender said in AppGini - building a webpage/db:
 > > @IRJ said in AppGini - building a webpage/db:
 > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > I think you're being over cautious.
 > > >
 > > > Nope. Not something I am willing to ruin my career over.
 > >
 > > Nice to be in that position, I guess.
 >
 > Are you that afraid to say no?

 This should be forked into a thread called "When is it ok to say no to your boss?" We talk about this too much not to have a thread on it.
- 
 @IRJ said in AppGini - building a webpage/db:
 > @Dashrender said in AppGini - building a webpage/db:
 > > @IRJ said in AppGini - building a webpage/db:
 > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > I think you're being over cautious.
 > > >
 > > > Nope. Not something I am willing to ruin my career over.
 > >
 > > Nice to be in that position, I guess.
 >
 > Are you that afraid to say no?

 As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
- 
 @Dashrender said in AppGini - building a webpage/db:
 > @IRJ said in AppGini - building a webpage/db:
 > > @Dashrender said in AppGini - building a webpage/db:
 > > > @IRJ said in AppGini - building a webpage/db:
 > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > I think you're being over cautious.
 > > > >
 > > > > Nope. Not something I am willing to ruin my career over.
 > > >
 > > > Nice to be in that position, I guess.
 > >
 > > Are you that afraid to say no?
 >
 > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.

 You do not understand what everyone is trying to tell you.
 - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 - Excel has code review and is patched super regularly with millions of users.
 - You and your management have a responsibility to first and foremost protect PHI.
 - You will be the scapegoat if anything happens (rightly so).
 - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
 
- 
 @IRJ said in AppGini - building a webpage/db:
 > @Dashrender said in AppGini - building a webpage/db:
 > > @IRJ said in AppGini - building a webpage/db:
 > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > I think you're being over cautious.
 > > > > >
 > > > > > Nope. Not something I am willing to ruin my career over.
 > > > >
 > > > > Nice to be in that position, I guess.
 > > >
 > > > Are you that afraid to say no?
 > >
 > > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
 >
 > You do not understand what everyone is trying to tell you.
 > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > - Excel has code review and is patched super regularly with millions of users.
 > - You and your management have a responsibility to first and foremost protect PHI.
 > - You will be the scapegoat if anything happens (rightly so).
 > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.

 and what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.
- 
 @Dashrender said in AppGini - building a webpage/db:
 > @IRJ said in AppGini - building a webpage/db:
 > > @Dashrender said in AppGini - building a webpage/db:
 > > > @IRJ said in AppGini - building a webpage/db:
 > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > I think you're being over cautious.
 > > > >
 > > > > Nope. Not something I am willing to ruin my career over.
 > > >
 > > > Nice to be in that position, I guess.
 > >
 > > Are you that afraid to say no?
 >
 > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

 There are things you let go, and things where you stand your ground. I have not been in IT for nearly 15 years to have some hobby business owner tell me what to do and me just reply "yes daddy." They are paying a lot of money for my experience and expertise. So they will get my real unfiltered opinions. At the end of the day, I don't get what I always want. However, there are certain things which could be career ending, which I will not do.
- 
 @Dashrender said in AppGini - building a webpage/db:
 > @IRJ said in AppGini - building a webpage/db:
 > > @Dashrender said in AppGini - building a webpage/db:
 > > > @IRJ said in AppGini - building a webpage/db:
 > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > > I think you're being over cautious.
 > > > > > >
 > > > > > > Nope. Not something I am willing to ruin my career over.
 > > > > >
 > > > > > Nice to be in that position, I guess.
 > > > >
 > > > > Are you that afraid to say no?
 > > >
 > > > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
 > >
 > > You do not understand what everyone is trying to tell you.
 > > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > > - Excel has code review and is patched super regularly with millions of users.
 > > - You and your management have a responsibility to first and foremost protect PHI.
 > > - You will be the scapegoat if anything happens (rightly so).
 > > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
 >
 > and what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.

 Dude, their own website says it isn't HIPAA compliant...
- 
 @IRJ said in AppGini - building a webpage/db:
 > @Dashrender said in AppGini - building a webpage/db:
 > > @IRJ said in AppGini - building a webpage/db:
 > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > I think you're being over cautious.
 > > > > >
 > > > > > Nope. Not something I am willing to ruin my career over.
 > > > >
 > > > > Nice to be in that position, I guess.
 > > >
 > > > Are you that afraid to say no?
 > >
 > > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
 >
 > You do not understand what everyone is trying to tell you.
 > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > - Excel has code review and is patched super regularly with millions of users.
 > - You and your management have a responsibility to first and foremost protect PHI.
 > - You will be the scapegoat if anything happens (rightly so).
 > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.

 I don't believe that Excel provides any HIPAA statements, either. And people have the same concerns about it as you do about AppGini.
 https://www.excelforum.com/excel-general/1050696-protecting-patient-data-in-excel.html
 Funny, they link a SW forum. That MS has "review" and millions of users are really artefacts, not excuses. MS is actually famous for bad code review and being insecure. Yet I think we all feel confident that using an in house app like Excel, if treated properly, is "good enough" for HIPAA. It goes way above and beyond HIPAA compliance. AppGini doesn't say it isn't compliant (unless I missed something); they refuse to sign indemnification for something that they aren't responsible for. That's unrelated. You are assuming that Excel having "code review" and lots of users protects you. But it doesn't. And you are assuming that AppGini isn't patched or reviewed. If you believe you have to be HIPAA certified end to end, that's impossible. No org in the world has that; at the end of the day, the final in house implementations in every shop, including medical research centers, come down to their IT following proper practices. Always. This level of solution can't be HIPAA certified because the end users are part of the equation. I think you'd find if we treated Excel with the scrutiny that we are applying to AppGini, it'd be ruled out as an option instantly. As would Windows. But HIPAA doesn't work that way.
- 
 @IRJ said in AppGini - building a webpage/db:
 > @Dashrender said in AppGini - building a webpage/db:
 > > @IRJ said in AppGini - building a webpage/db:
 > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > > > I think you're being over cautious.
 > > > > > > >
 > > > > > > > Nope. Not something I am willing to ruin my career over.
 > > > > > >
 > > > > > > Nice to be in that position, I guess.
 > > > > >
 > > > > > Are you that afraid to say no?
 > > > >
 > > > > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
 > > >
 > > > You do not understand what everyone is trying to tell you.
 > > > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > > > - Excel has code review and is patched super regularly with millions of users.
 > > > - You and your management have a responsibility to first and foremost protect PHI.
 > > > - You will be the scapegoat if anything happens (rightly so).
 > > > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
 > >
 > > and what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.
 >
 > Dude, their own website says it isn't HIPAA compliant...

 Where does it say that? HIPAA compliance and not signing a BA are unrelated. You don't get a BA for every piece of in house software that you use. Imagine all the software that would have to be involved, and all the companies that would never, ever consider signing a BA for things that they have no control over, like in this case or Excel's.
- 
 A BA applies to service vendors. Not software vendors or tools.
- 
 @IRJ said in AppGini - building a webpage/db:
 > @Dashrender said in AppGini - building a webpage/db:
 > > @IRJ said in AppGini - building a webpage/db:
 > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > > > I think you're being over cautious.
 > > > > > > >
 > > > > > > > Nope. Not something I am willing to ruin my career over.
 > > > > > >
 > > > > > > Nice to be in that position, I guess.
 > > > > >
 > > > > > Are you that afraid to say no?
 > > > >
 > > > > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
 > > >
 > > > You do not understand what everyone is trying to tell you.
 > > > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > > > - Excel has code review and is patched super regularly with millions of users.
 > > > - You and your management have a responsibility to first and foremost protect PHI.
 > > > - You will be the scapegoat if anything happens (rightly so).
 > > > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
 > >
 > > and what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.
 >
 > Dude, their own website says it isn't HIPAA compliant...

 No, that was Airtable that says they aren't.
- 
 @scottalanmiller said in AppGini - building a webpage/db:
 > @IRJ said in AppGini - building a webpage/db:
 > > @Dashrender said in AppGini - building a webpage/db:
 > > > @IRJ said in AppGini - building a webpage/db:
 > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > > > > I think you're being over cautious.
 > > > > > > > >
 > > > > > > > > Nope. Not something I am willing to ruin my career over.
 > > > > > > >
 > > > > > > > Nice to be in that position, I guess.
 > > > > > >
 > > > > > > Are you that afraid to say no?
 > > > > >
 > > > > > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
 > > > >
 > > > > You do not understand what everyone is trying to tell you.
 > > > > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > > > > - Excel has code review and is patched super regularly with millions of users.
 > > > > - You and your management have a responsibility to first and foremost protect PHI.
 > > > > - You will be the scapegoat if anything happens (rightly so).
 > > > > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
 > > >
 > > > and what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.
 > >
 > > Dude, their own website says it isn't HIPAA compliant...
 >
 > Where does it say that? HIPAA compliance and not signing a BA are unrelated. You don't get a BA for every piece of in house software that you use. Imagine all the software that would have to be involved, and all the companies that would never, ever consider signing a BA for things that they have no control over, like in this case or Excel's.

 Again - my copying of the "won't sign a BA" is from AirTable, not AppGini. AppGini can be either locally hosted or cloud hosted - it's up to you. That is not the case with AirTable.
- 
 @IRJ said in AppGini - building a webpage/db:
 > If dealing with PHI, then 100% yes you are not just able to design your shit on a whim.

 This statement is the basis for my pushback.

 @IRJ said in AppGini - building a webpage/db:
 > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > - Excel has code review and is patched super regularly with millions of users.
 > - You and your management have a responsibility to first and foremost protect PHI.
 > - You will be the scapegoat if anything happens (rightly so).
 > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.

 - uh ok
 - There is nothing in HIPAA that says you have to have code review; there is mention of patching, but I'd have to look up the specifics.
 - we can protect the data within reason with firewall rules, user logons, etc.
 - no one can protect themselves from this - if management is going to blame you, they are going to blame you
 - You're right, my opinion doesn't matter, see above.
 
- 
 @scottalanmiller said in AppGini - building a webpage/db:
 > @IRJ said in AppGini - building a webpage/db:
 > > @Dashrender said in AppGini - building a webpage/db:
 > > > @IRJ said in AppGini - building a webpage/db:
 > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > @IRJ said in AppGini - building a webpage/db:
 > > > > > > @Dashrender said in AppGini - building a webpage/db:
 > > > > > > > I think you're being over cautious.
 > > > > > >
 > > > > > > Nope. Not something I am willing to ruin my career over.
 > > > > >
 > > > > > Nice to be in that position, I guess.
 > > > >
 > > > > Are you that afraid to say no?
 > > >
 > > > As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them. That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc. breaks your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
 > >
 > > You do not understand what everyone is trying to tell you.
 > > - Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
 > > - Excel has code review and is patched super regularly with millions of users.
 > > - You and your management have a responsibility to first and foremost protect PHI.
 > > - You will be the scapegoat if anything happens (rightly so).
 > > - Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
 >
 > I don't believe that Excel provides any HIPAA statements, either. And people have the same concerns about it as you do about AppGini. https://www.excelforum.com/excel-general/1050696-protecting-patient-data-in-excel.html Funny, they link a SW forum. That MS has "review" and millions of users are really artefacts, not excuses. MS is actually famous for bad code review and being insecure. Yet I think we all feel confident that using an in house app like Excel, if treated properly, is "good enough" for HIPAA. It goes way above and beyond HIPAA compliance. AppGini doesn't say it isn't compliant (unless I missed something); they refuse to sign indemnification for something that they aren't responsible for. That's unrelated. You are assuming that Excel having "code review" and lots of users protects you. But it doesn't. And you are assuming that AppGini isn't patched or reviewed. If you believe you have to be HIPAA certified end to end, that's impossible. No org in the world has that; at the end of the day, the final in house implementations in every shop, including medical research centers, come down to their IT following proper practices. Always. This level of solution can't be HIPAA certified because the end users are part of the equation. I think you'd find if we treated Excel with the scrutiny that we are applying to AppGini, it'd be ruled out as an option instantly. As would Windows. But HIPAA doesn't work that way.

 Office 365 (which includes Excel) is HIPAA compliant. I think @Dashrender is already using Office 365? So on one side you have a very large company that has the best office suite in existence. Their office suite is well trusted and used by 90% of companies and releases common, well documented updates. Then on the other side you have some company with a few employees that is known by nobody outside of IT (even most in IT have never heard of it).

 If you have ever done risk management the answer is quite clear on where the company takes a higher level of risk. Not only to actual infrastructure, but in dealing with auditors, courts, and government (which are not IT). Those people will not understand the decision, and honestly those are the ones you should be worried about. Likelihood is that Dash's company will stay under the radar and it won't be an issue. That's small IT thinking. If you were ever to pull this stunt in a larger company, you would have to not only show this type of stuff to auditors on a regular basis, but your large customers may audit you as well. Everyone is going to ask "WTF is AppGini, and do you have PHI in it?" "What are your reasons for doing this?" "Show us a detailed diagram of how it works."
- 
 > - There is nothing in HIPAA that says you have to have code review; there is mention of patching, but I'd have to look up the specifics.

 That's not the point. Code reviews catch the things that are required. The app needs unique user identification, automatic logoff, possibly encryption at rest if the OS isn't going to handle it, emergency access to PHI, auditing to track access, etc. Unless the tool has that pre-built into it you're going to have to create all of that at the minimum. You have some of that through Excel because you can audit, from audit records in the OS, who accessed files when, and authentication is done at the OS level. What you don't have in it is a tool to attempt to make non-developers into people who can make web apps.
- 
 @stacksofplates said in AppGini - building a webpage/db:
 > > - There is nothing in HIPAA that says you have to have code review; there is mention of patching, but I'd have to look up the specifics.
 >
 > That's not the point. Code reviews catch the things that are required. The app needs unique user identification, automatic logoff, possibly encryption at rest if the OS isn't going to handle it, emergency access to PHI, auditing to track access, etc. Unless the tool has that pre-built into it you're going to have to create all of that at the minimum. You have some of that through Excel because you can audit, from audit records in the OS, who accessed files when, and authentication is done at the OS level. What you don't have in it is a tool to attempt to make non-developers into people who can make web apps.

 I think part of this is assuming that Excel will be used in one way (locally, not talking to a database) and that AppGini will be used to make something used another way (public, published to multiple users) when both work both ways. My point is that in all cases, IT is responsible for understanding the app, how it is deployed, and managing how it is used. Is it fair to assume that AppGini is intended to be used in a specific way? It's a decent assumption, but far from a given. However, if it can be used that way, then chances are Excel was either used similarly or not able to meet the need. I'm pretty sure that when Excel talks to a database, by default, you have the largest possible issue with no auditing or controls unless, again, you build those in yourself. All of the things mentioned as requirements are missing by default in Excel.
- 
 @IRJ said in AppGini - building a webpage/db:
 > Office 365 (which includes Excel) is HIPAA compliant. I think @Dashrender is already using Office 365?

 Office 365 is a licensing model; HIPAA compliance doesn't really mean anything in that context. The way that you subscribe to software isn't applicable for compliance.
 https://www.hipaajournal.com/microsoft-office-365-hipaa-compliant/
 If you read that, it's clear that HIPAA Journal has to be extremely careful how they state that something is HIPAA compliant here. They point out that it is the hosting portion of O365 alone that is covered by the agreement with MS, not the software. For the software to be "HIPAA compliant", like any software, is up to the end user. Software makers can't make software be HIPAA compliant as compliance demands end to end compliance, not just one piece. So this seems to agree with previous assessments that Office is not HIPAA compliant, not because it doesn't meet requirements, but because software isn't an applicable component to the discussion.
- 
 @IRJ said in AppGini - building a webpage/db:
 > Office 365 (which includes Excel) is HIPAA compliant. I think @Dashrender is already using Office 365?
 > https://www.microsoft.com/en-us/microsoft-365/blog/wp-content/uploads/sites/2/2019/04/HIPAA-Compliance-Microsoft-Office-365-and-Microsoft-Teams.pdf

 Actually that link only says that if you buy lots of additional tools, and do certain steps, then in using O365 you can still be compliant. That's extremely different from saying that it is compliant. It's clear that choosing O365 doesn't preclude you from compliance. But that is both as far as they go, and as far as any vendor of this nature could possibly go.
- 
 @IRJ said in AppGini - building a webpage/db:
 > So on one side you have a very large company that has the best office suite in existence. Their office suite is well trusted and used by 90% of companies and releases common, well documented updates. Then on the other side you have some company with a few employees that is known by nobody outside of IT (even most in IT have never heard of it).

 This is really FUD. That MS Office is the best is arguable and not agreed upon. That it is famously insecure and often a risk is well known. Its security is famously a joke and is a primary gateway for malware. That it is well known and used nearly everywhere is an absolutely terrible security position to take. Ignoring its realities or track record just because the vendor is enormous is really dangerous. By that logic, most of the most insecure software on the market would be considered secure. In nearly every market position, the most insecure, risky, foolish products are the ones best known - because of end users and consumers. In some industries, you even get malware as a top known product, ransomware in one case that I know. I think it is a dangerous position to take to assume that HIPAA will simply overlook your requirements because a product is from a well known vendor, or that they will punish you if you use a small vendor. In fact, that would be a crime for them to do so. I can't imagine trying to argue in front of a judge that you shouldn't be accountable simply because "everyone else seems to be doing it."