ProjectSend
-
@scottalanmiller said:
@Dashrender said:
But, tracking IPs to show that an IP that is significantly outside the range of those normally used to access your system while possibly a red herring, is still useful as a stepping stone when looking for inappropriate access.
How could that be useful? Why would you want to track the "Normal Range" for a user? Are you prepared to disclose to all of your customers that you are doing Google-like tracking of them? As a medical facility, I would never want to hold onto that kind of personal information unless a court order made me do it.
You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.
-
@Jason said:
@scottalanmiller said:
@Dashrender said:
But, tracking IPs to show that an IP that is significantly outside the range of those normally used to access your system while possibly a red herring, is still useful as a stepping stone when looking for inappropriate access.
How could that be useful? Why would you want to track the "Normal Range" for a user? Are you prepared to disclose to all of your customers that you are doing Google-like tracking of them? As a medical facility, I would never want to hold onto that kind of personal information unless a court order made me do it.
You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.
Use me as an example. I travel all over the US and around the world. I access from desktops, laptops, cell phones, over VPN connections back to the US, etc. I have no idea how you would ever determine normal for me and attempting to do so would seriously violate my privacy. Only in a way that I implicitly allowed, but it does so all the same. But storing that information and using it to determine patterns about me seems very illegal in a medical context. As any medical in the US is a partial extension of the government (doctors are government agents via certification and not performance workers like normal people in the workforce) this is an extension of the government using my medical needs to track me. I don't like this idea at all. There is no positive use case for it but lots of negatives.
-
@Jason said:
You have to do a lot of tracking to determine what is normal.
And even then, it would constitute opinion.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller does have a good point that Geo IP tracking is becoming more fruitless as IP blocks are being bought and sold in areas of the world they were not originally destined to be used, and GEO IP's aren't being updated as frequently as they could be.
And as normal, every day end users use international VPNs to access media and content as users from all over the world.
And as people travel. If you have my US medical records, would you want to deny them to me when I am traveling or living abroad?
LOL, our current EHR company does ban access to their systems from most middle east and chinese based IPs. So yeah, they do deny you. Is it right? who am I to say?
-
@scottalanmiller said:
@Dashrender said:
Hmm.. I'll have to think on that. Not talking about the law specifically, but why would I want to? To help ensure that only proper access is being used. If there is no reason for someone in Japan to be accessing my systems, yet I see an IP in Japan accessing it, I need to know that.
No, you certainly do not need to know that.
I disagree. If I am the one responsible for that server, I want to know everything that is happening. You may not think I need to know it. And you may be right, but it is my system, and I want to know, it so I will have it logged. Period.
Edit: The above paragraph is assuming log files from a web server that are generated any way, not any extra logging or analitics is being done with the data aside from identifying country of origin.
If somebody's IP address shows up in Japan, and they live 5 miles down the road from the office, I will block that IP address until the user calls me saying "Hey, I can't get to the file website.". I believe in erring on the side of caution.
@scottalanmiller said:
Things you cannot know:
- That the IP is from Japan
- That the person is not supposed to be in Japan
You know neither of these things. How do you want to react with misleading information that makes you assume one thing but doesn't mean that?
I can easily answer the second question. dials phone "Hey, are you in Japan? No? Okay, that's all I need to know. hang up ... block ip
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller does have a good point that Geo IP tracking is becoming more fruitless as IP blocks are being bought and sold in areas of the world they were not originally destined to be used, and GEO IP's aren't being updated as frequently as they could be.
And as normal, every day end users use international VPNs to access media and content as users from all over the world.
And as people travel. If you have my US medical records, would you want to deny them to me when I am traveling or living abroad?
LOL, our current EHR company does ban access to their systems from most middle east and chinese based IPs. So yeah, they do deny you. Is it right? who am I to say?
Aren't you the ONLY one to say? Who is getting to determine that Americans in those countries are banned?
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller does have a good point that Geo IP tracking is becoming more fruitless as IP blocks are being bought and sold in areas of the world they were not originally destined to be used, and GEO IP's aren't being updated as frequently as they could be.
And as normal, every day end users use international VPNs to access media and content as users from all over the world.
And as people travel. If you have my US medical records, would you want to deny them to me when I am traveling or living abroad?
LOL, our current EHR company does ban access to their systems from most middle east and chinese based IPs. So yeah, they do deny you. Is it right? who am I to say?
Aren't you the ONLY one to say? Who is getting to determine that Americans in those countries are banned?
The vendor is, not us.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller does have a good point that Geo IP tracking is becoming more fruitless as IP blocks are being bought and sold in areas of the world they were not originally destined to be used, and GEO IP's aren't being updated as frequently as they could be.
And as normal, every day end users use international VPNs to access media and content as users from all over the world.
And as people travel. If you have my US medical records, would you want to deny them to me when I am traveling or living abroad?
That is solved with a simple phone call, and verification. If it is something that you need to have done in an emergency, they would likely be working on you while they are waiting on your medical records (if it were life threatening, for sure!). Granted, I know nothing of medical protocol outside of the US.
-
@dafyre said:
If somebody's IP address shows up in Japan, and they live 5 miles down the road from the office, I will block that IP address until the user calls me saying "Hey, I can't get to the file website.". I believe in erring on the side of caution.
That's very, very bad. That could easily trigger a discrimination lawsuit.
You are not erring on the side of cautious, you are erring on the side of personal control over other people's information. IT should have literally zero say in this. It should be management, legal and customers only. If IT is involved in blocking people from their medical reasons on IT's own opinion that answer is wrong, every time.
-
As far as I understand the use @Dashrender is implying, this is tracking employee location not clients. Employees should not be randomly logging in from unexpected locations.
This has nothing to do with tracking people traveling.
-
@dafyre said:
You know neither of these things. How do you want to react with misleading information that makes you assume one thing but doesn't mean that?
I can easily answer the second question. dials phone "Hey, are you in Japan? No? Okay, that's all I need to know. hang up ... block ip
- Really? You are going to call anyone and everyone that accesses your systems? You, in IT, are going to start pulling their HIPAA regulated data illegally to do so? This violates HIPAA very clearly. As an IT pro, you don't have a need to see my HIPAA data, which includes my location and phone number. If I get that call, I call a lawyer. This means your systems are bleeding my data and that's very bad.
(Baylor Hospital in Texas did this, they got in huge trouble for selling data.)
-
Also, you're looking at this from the side of the patient. Because this is hosted, I don't care about the patient (maybe I should, and perhaps I will in another thread) but this discussion is around employee access, not patient access.
My normal employees have no need to access this anyplace outside of my city at this point in time. The Physicians on the other hand are a bit more flexible and as such when they are known to be traveling we can choose to ignore the GEO IPs for them, but once they return we can once again lock them down and pay attention to attempted location access in an attempt to thwart inappropriate access.
-
@JaredBusch said:
As far as I understand the use @Dashrender is implying, this is tracking employee location not clients. Employees should not be randomly logging in from unexpected locations.
This has nothing to do with tracking people traveling.
Employees are one thing. But this product and thread are about getting data to external people not for internal staff. While you could do that, it's not the design of the product.
-
@Dashrender said:
Also, you're looking at this from the side of the patient. Because this is hosted, I don't care about the patient (maybe I should, and perhaps I will in another thread) but this discussion is around employee access, not patient access.
Why would an employee not use secure, internal systems? How did employees come into this picture?
-
@scottalanmiller said:
@JaredBusch said:
As far as I understand the use @Dashrender is implying, this is tracking employee location not clients. Employees should not be randomly logging in from unexpected locations.
This has nothing to do with tracking people traveling.
Employees are one thing. But this product and thread are about getting data to external people not for internal staff. While you could do that, it's not the design of the product.
Nothing was about anything but employees until someone else, I read it as you, brought up external people.
-
@scottalanmiller said:
Employees are one thing. But this product and thread are about getting data to external people not for internal staff. While you could do that, it's not the design of the product.
Again @scottalanmiller you're right, this product is for external access. Those accessing it externally are not patients, but other vendors/hospitals/lawyers, etc who need access to some data that would often be sent via email, but we are looking for other, more secure options.
-
@scottalanmiller said:
Looks like the main goal, though, is for doing external file management to clients rather than owncloud that focuses on internal storage.
It was the second post. No one brought up that this was wrong....
And I did not "bring it up." Here is the logo for what we are discussing...
-
@Dashrender said:
@scottalanmiller said:
Employees are one thing. But this product and thread are about getting data to external people not for internal staff. While you could do that, it's not the design of the product.
Again @scottalanmiller you're right, this product is for external access. Those accessing it externally are not patients, but other vendors/hospitals/lawyers, etc who need access to some data that would often be sent via email, but we are looking for other, more secure options.
That's what I thought we were discussing.
-
@scottalanmiller said:
That's very, very bad. That could easily trigger a discrimination lawsuit.
You are not erring on the side of cautious, you are erring on the side of personal control over other people's information. IT should have literally zero say in this. It should be management, legal and customers only. If IT is involved in blocking people from their medical reasons on IT's own opinion that answer is wrong, every time.
Then I would be sued out of existence. If a company has hired me to protect their infrastructure, then that is what I will do.
Turn that on its flip side for a second. What if it were an IPS system or a firewall that was actively blocking things from a list of countries by default. I didn't set it up that way. Those are the default rules. I'm not the one who said "That's a bad IP address" -- My vendor said that. Then it would be my vendor sued out of existence... Which if being so easily open to lawsuits was the case, companies that manage Snort, Alienvault, Suricata, et al, would be priced so that only Big business and large enterprises can afford to use their products.
-
@JaredBusch said:
Nothing was about anything but employees until someone else, I read it as you, brought up external people.
I read it as the topic both because the topic is specifically about a product to "share files with clients" and because I pointed this out at the beginning for clarity.