
    AppGini - building a webpage/db

    • DashrenderD
      Dashrender @IRJ
      last edited by

      @IRJ said in AppGini - building a webpage/db:

      @Dashrender said in AppGini - building a webpage/db:

      @IRJ said in AppGini - building a webpage/db:

      I would say there is never a case where you want to design something in house to store PHI. Unless, of course, you are a software company that is willing to go through things like external code review, pen testing, HIPAA certification, etc. It is just a HUGE risk that could potentially put your upper management in a hot seat (or prison) if there is a breach.

      This is in-house for in-house use only. How is this any worse than storing PHI in Excel?

      🤦

      Well - I still don't make the decisions.

      • DashrenderD
        Dashrender @IRJ
        last edited by

        @IRJ said in AppGini - building a webpage/db:

        @scottalanmiller said in AppGini - building a webpage/db:

        @Dashrender said in AppGini - building a webpage/db:

        @IRJ said in AppGini - building a webpage/db:

        I would say there is never a case where you want to design something in house to store PHI. Unless, of course, you are a software company that is willing to go through things like external code review, pen testing, HIPAA certification, etc. It is just a HUGE risk that could potentially put your upper management in a hot seat (or prison) if there is a breach.

        This is in-house for in-house use only. How is this any worse than storing PHI in Excel?

        Excel has that code review, and depends 100% on Windows OS security.

        Yes

        Interesting - so you don't consider any software that hasn't gone through code review good enough to store PHI or PCI, etc type data?

        • stacksofplatesS
          stacksofplates @Dashrender
          last edited by

          @Dashrender said in AppGini - building a webpage/db:

          @IRJ said in AppGini - building a webpage/db:

          @scottalanmiller said in AppGini - building a webpage/db:

          @Dashrender said in AppGini - building a webpage/db:

          @IRJ said in AppGini - building a webpage/db:

          I would say there is never a case where you want to design something in house to store PHI. Unless, of course, you are a software company that is willing to go through things like external code review, pen testing, HIPAA certification, etc. It is just a HUGE risk that could potentially put your upper management in a hot seat (or prison) if there is a breach.

          This is in-house for in-house use only. How is this any worse than storing PHI in Excel?

          Excel has that code review, and depends 100% on Windows OS security.

          Yes

          Interesting - so you don't consider any software that hasn't gone through code review good enough to store PHI or PCI, etc type data?

          Yup.

          • IRJI
            IRJ @Dashrender
            last edited by IRJ

            @Dashrender said in AppGini - building a webpage/db:

            @IRJ said in AppGini - building a webpage/db:

            @Dashrender said in AppGini - building a webpage/db:

            @IRJ said in AppGini - building a webpage/db:

            I would say there is never a case where you want to design something in house to store PHI. Unless, of course, you are a software company that is willing to go through things like external code review, pen testing, HIPAA certification, etc. It is just a HUGE risk that could potentially put your upper management in a hot seat (or prison) if there is a breach.

            This is in-house for in-house use only. How is this any worse than storing PHI in Excel?

            🤦

            Well - I still don't make the decisions.

            I don't make final decisions either, but that doesn't mean I won't fight doing the wrong thing.

            It's your job to say NO sometimes. Plain and simple. If you don't say NO to something like this you aren't doing your job.

            • DashrenderD
              Dashrender @IRJ
              last edited by

              @IRJ said in AppGini - building a webpage/db:

              @Dashrender said in AppGini - building a webpage/db:

              @IRJ said in AppGini - building a webpage/db:

              @Dashrender said in AppGini - building a webpage/db:

              @IRJ said in AppGini - building a webpage/db:

              I would say there is never a case where you want to design something in house to store PHI. Unless, of course, you are a software company that is willing to go through things like external code review, pen testing, HIPAA certification, etc. It is just a HUGE risk that could potentially put your upper management in a hot seat (or prison) if there is a breach.

              This is in-house for in-house use only. How is this any worse than storing PHI in Excel?

              🤦

              Well - I still don't make the decisions.

              I don't make final decisions either, but that doesn't mean I will fight doing the wrong thing.

              It's your job to say NO sometimes. Plain and simple. If you don't say NO to something like this you aren't doing your job.

              Interesting - I'm seriously believing that my EHR company doesn't have code review, other than internal review - is that good enough?

              So basically, you're saying I'm stuck - I'm forced to hire someone to custom write me a system, and then hire someone to review that software before I can actually use something.

              • IRJI
                IRJ @Dashrender
                last edited by

                @Dashrender said in AppGini - building a webpage/db:

                @IRJ said in AppGini - building a webpage/db:

                @Dashrender said in AppGini - building a webpage/db:

                @IRJ said in AppGini - building a webpage/db:

                @Dashrender said in AppGini - building a webpage/db:

                @IRJ said in AppGini - building a webpage/db:

                I would say there is never a case where you want to design something in house to store PHI. Unless, of course, you are a software company that is willing to go through things like external code review, pen testing, HIPAA certification, etc. It is just a HUGE risk that could potentially put your upper management in a hot seat (or prison) if there is a breach.

                This is in-house for in-house use only. How is this any worse than storing PHI in Excel?

                🤦

                Well - I still don't make the decisions.

                I don't make final decisions either, but that doesn't mean I will fight doing the wrong thing.

                It's your job to say NO sometimes. Plain and simple. If you don't say NO to something like this you aren't doing your job.

                Interesting - I'm seriously believing that my EHR company doesn't have code review, other than internal review - is that good enough?

                They certainly do more than that if you are using Athena Health. They are HITRUST certified.

                https://www.athenahealth.com/hitrust

                • IRJI
                  IRJ @Dashrender
                  last edited by

                  @Dashrender said in AppGini - building a webpage/db:

                  So basically, you're saying I'm stuck - I'm forced to hire someone to custom write me a system, and then hire someone to review that software before I can actually use something.

                  If dealing with PHI, then 100% yes you are not just able to design your shit on a whim.

                  • DashrenderD
                    Dashrender
                    last edited by

                    @IRJ said in AppGini - building a webpage/db:

                    If dealing with PHI, then 100% yes you are not just able to design your shit on a whim.

                    Why do you trust Excel but not this app? You trust MS?

                    Is it possible they put backdoors, etc into shit - yeah, but it's generating PHP which can all be audited, so I don't fear this like you do.
                    I can also lock the server down to prevent it from talking to the internet.
                    AppGini is a self-hosted solution, not a cloud solution.

                    I think you're being over cautious.

                    • IRJI
                      IRJ @Dashrender
                      last edited by

                      @Dashrender said in AppGini - building a webpage/db:

                      I think you're being over cautious.

                      Nope. Not something I am willing to ruin my career over.

                      • DashrenderD
                        Dashrender @IRJ
                        last edited by

                        @IRJ said in AppGini - building a webpage/db:

                        @Dashrender said in AppGini - building a webpage/db:

                        I think you're being over cautious.

                        Nope. Not something I am willing to ruin my career over.

                        Nice to be in that position, I guess.

                        • IRJI
                          IRJ @Dashrender
                          last edited by

                          @Dashrender said in AppGini - building a webpage/db:

                          @IRJ said in AppGini - building a webpage/db:

                          @Dashrender said in AppGini - building a webpage/db:

                          I think you're being over cautious.

                          Nope. Not something I am willing to ruin my career over.

                          Nice to be in that position, I guess.

                          Are you that afraid to say no?

                          • IRJI
                            IRJ @IRJ
                            last edited by

                            @IRJ said in AppGini - building a webpage/db:

                            @Dashrender said in AppGini - building a webpage/db:

                            @IRJ said in AppGini - building a webpage/db:

                            @Dashrender said in AppGini - building a webpage/db:

                            I think you're being over cautious.

                            Nope. Not something I am willing to ruin my career over.

                            Nice to be in that position, I guess.

                            Are you that afraid to say no?

                            This should be forked into a thread called "When is it ok to say no to your boss?"

                            We talk about this too much, not to have a thread on it.

                            • DashrenderD
                              Dashrender @IRJ
                              last edited by

                              @IRJ said in AppGini - building a webpage/db:

                              @Dashrender said in AppGini - building a webpage/db:

                              @IRJ said in AppGini - building a webpage/db:

                              @Dashrender said in AppGini - building a webpage/db:

                              I think you're being over cautious.

                              Nope. Not something I am willing to ruin my career over.

                              Nice to be in that position, I guess.

                              Are you that afraid to say no?

                              As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

                              That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.

                              • IRJI
                                IRJ @Dashrender
                                last edited by

                                @Dashrender said in AppGini - building a webpage/db:

                                @IRJ said in AppGini - building a webpage/db:

                                @Dashrender said in AppGini - building a webpage/db:

                                @IRJ said in AppGini - building a webpage/db:

                                @Dashrender said in AppGini - building a webpage/db:

                                I think you're being over cautious.

                                Nope. Not something I am willing to ruin my career over.

                                Nice to be in that position, I guess.

                                Are you that afraid to say no?

                                As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

                                That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.

                                You do not understand what everyone is trying to tell you.

                                1. Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
                                2. Excel has code review and is patched super regularly with millions of users.
                                3. You and your management have a responsibility to first and foremost protect PHI.
                                4. You will be the scapegoat if anything happens (rightly so).
                                5. Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
                                • DashrenderD
                                  Dashrender @IRJ
                                  last edited by

                                  @IRJ said in AppGini - building a webpage/db:

                                  @Dashrender said in AppGini - building a webpage/db:

                                  @IRJ said in AppGini - building a webpage/db:

                                  @Dashrender said in AppGini - building a webpage/db:

                                  @IRJ said in AppGini - building a webpage/db:

                                  @Dashrender said in AppGini - building a webpage/db:

                                  I think you're being over cautious.

                                  Nope. Not something I am willing to ruin my career over.

                                  Nice to be in that position, I guess.

                                  Are you that afraid to say no?

                                  As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

                                  That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.

                                  You do not understand what everyone is trying to tell you.

                                  1. Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
                                  2. Excel has code review and is patched super regularly with millions of users.
                                  3. You and your management have a responsibility to first and foremost protect PHI.
                                  4. You will be the scapegoat if anything happens (rightly so).
                                  5. Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.

                                  And what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.

                                  • IRJI
                                    IRJ @Dashrender
                                    last edited by

                                    @Dashrender said in AppGini - building a webpage/db:

                                    @IRJ said in AppGini - building a webpage/db:

                                    @Dashrender said in AppGini - building a webpage/db:

                                    @IRJ said in AppGini - building a webpage/db:

                                    @Dashrender said in AppGini - building a webpage/db:

                                    I think you're being over cautious.

                                    Nope. Not something I am willing to ruin my career over.

                                    Nice to be in that position, I guess.

                                    Are you that afraid to say no?

                                    As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

                                    There are things you let go, and things where you stand your ground. I have not been in IT for nearly 15 years to have some hobby business owner tell me what to do and me just reply "yes daddy."

                                    They are paying a lot of money for my experience and expertise. So they will get my real unfiltered opinions. At the end of the day, I don't get what I always want. However, there are certain things which could be career ending, which I will not do.

                                    • IRJI
                                      IRJ @Dashrender
                                      last edited by

                                      @Dashrender said in AppGini - building a webpage/db:

                                      @IRJ said in AppGini - building a webpage/db:

                                      @Dashrender said in AppGini - building a webpage/db:

                                      @IRJ said in AppGini - building a webpage/db:

                                      @Dashrender said in AppGini - building a webpage/db:

                                      @IRJ said in AppGini - building a webpage/db:

                                      @Dashrender said in AppGini - building a webpage/db:

                                      I think you're being over cautious.

                                      Nope. Not something I am willing to ruin my career over.

                                      Nice to be in that position, I guess.

                                      Are you that afraid to say no?

                                      As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

                                      That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.

                                      You do not understand what everyone is trying to tell you.

                                      1. Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
                                      2. Excel has code review and is patched super regularly with millions of users.
                                      3. You and your management have a responsibility to first and foremost protect PHI.
                                      4. You will be the scapegoat if anything happens (rightly so).
                                      5. Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.

                                      And what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.

                                      Dude, their own website says it isn't HIPAA compliant...

                                      • scottalanmillerS
                                        scottalanmiller @IRJ
                                        last edited by

                                        @IRJ said in AppGini - building a webpage/db:

                                        @Dashrender said in AppGini - building a webpage/db:

                                        @IRJ said in AppGini - building a webpage/db:

                                        @Dashrender said in AppGini - building a webpage/db:

                                        @IRJ said in AppGini - building a webpage/db:

                                        @Dashrender said in AppGini - building a webpage/db:

                                        I think you're being over cautious.

                                        Nope. Not something I am willing to ruin my career over.

                                        Nice to be in that position, I guess.

                                        Are you that afraid to say no?

                                        As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

                                        That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.

                                        You do not understand what everyone is trying to tell you.

                                        1. Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
                                        2. Excel has code review and is patched super regularly with millions of users.
                                        3. You and your management have a responsibility to first and foremost protect PHI.
                                        4. You will be the scapegoat if anything happens (rightly so).
                                        5. Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.

                                        I don't believe that Excel provides any HIPAA statements, either. And people have the same concerns about it as you do about AppGini.

                                        https://www.excelforum.com/excel-general/1050696-protecting-patient-data-in-excel.html

                                        Funny, they link a SW forum.

                                        That MS has "review" and millions of users are really artefacts, not excuses. MS is actually famous for bad code review and being insecure. Yet I think we all feel confident that using an in house app like Excel, if treated properly, is "good enough" for HIPAA. It goes way above and beyond HIPAA compliance.

                                        AppGini doesn't say it isn't compliant (unless I missed something), they refuse to sign indemnification for something that they aren't responsible for. That's unrelated.

                                        You are assuming that Excel having "code review" and lots of users protects you. But it doesn't. And you are assuming that AppGini isn't patched or reviewed.

                                        If you believe you have to be HIPAA certified end to end, that's impossible. No org in the world has that. At the end of the day, the final in house implementations in every shop, including medical research centers, come down to their IT following proper practices. Always. This level of solution can't be HIPAA certified because the end users are part of the equation.

                                        I think you'd find if we treated Excel with the scrutiny that we are applying to AppGini, it'd be ruled out as an option instantly. As would Windows. But HIPAA doesn't work that way.

                                        • scottalanmillerS
                                          scottalanmiller @IRJ
                                          last edited by

                                          @IRJ said in AppGini - building a webpage/db:

                                          @Dashrender said in AppGini - building a webpage/db:

                                          @IRJ said in AppGini - building a webpage/db:

                                          @Dashrender said in AppGini - building a webpage/db:

                                          @IRJ said in AppGini - building a webpage/db:

                                          @Dashrender said in AppGini - building a webpage/db:

                                          @IRJ said in AppGini - building a webpage/db:

                                          @Dashrender said in AppGini - building a webpage/db:

                                          I think you're being over cautious.

                                          Nope. Not something I am willing to ruin my career over.

                                          Nice to be in that position, I guess.

                                          Are you that afraid to say no?

                                          As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.

                                          That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.

                                          You do not understand what everyone is trying to tell you.

                                          1. Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
                                          2. Excel has code review and is patched super regularly with millions of users.
                                          3. You and your management have a responsibility to first and foremost protect PHI.
                                          4. You will be the scapegoat if anything happens (rightly so).
                                          5. Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.

                                          And what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.

                                          Dude, their own website says it isn't HIPAA compliant...

                                          Where does it say that? HIPAA compliance and not signing a BA are unrelated. You don't get a BA for every piece of in house software that you use. Imagine all the software that would have to be involved, and all the companies that would never, ever consider signing a BA for things that they have no control over, like in this case or Excel's.

                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

                                            A BA applies to service vendors. Not software vendors or tools.
