Why would you host it on prem? Cloud Bitwarden has been great, and is affordable.
Posts
-
RE: BitWarden - Self Hosted for many users posted in IT Discussion
-
RE: Random Thread - Anything Goes posted in Water Closet
@popester said in Random Thread - Anything Goes:
The full rebuild is going well, I love the new server naming schema, I named my server Gina.

:thumbs_up:
-
RE: Documenting Firewall Exceptions and Rules posted in IT Discussion
@DustinB3403 said in Documenting Firewall Exceptions and Rules:
I had to add some rules to a CentOS 8 server because some things stopped working that were previously working. (Not sure why this worked before, but it did)
Adding a few rich rules resolved the issue immediately.
None of this makes any sense. It's deny all and permit by exception. Why would you do anything else?
-
RE: Documenting Firewall Exceptions and Rules posted in IT Discussion
What type of firewall rules are you running that are so advanced you need to label them?
-
RE: Securing Web Based Time Clock. posted in IT Discussion
It really sucks to have to lock it down by IP. You might as well not have a cloud service at that point.
I can also think of some valid reasons for employees to clock in or out off-site. Compliance training, travel, etc.
I would put this responsibility on employees and not IT. Using a time clock is just part of working a job.
-
RE: Virtualization when there is only one VM? posted in IT Discussion
@Fredtx said in Virtualization when there is only one VM?:
Although I don't disagree with choosing virtualization over physical install, but what about small Dental or Medical practices who have a local DB where their practice management software resides? I'm guessing clients like that would just require additional training on how to login their hypervisor and into their vm? There's cases where they need to remote software support in their DB for software related issues?
Always virtualize.
I see no reason they need to login to their hypervisor or DB. I could see opening up RDP to allow them to issue reboot or something. I would want them to be familiar with SQL Management Studio at all, though. lol
-
RE: Virtualization when there is only one VM? posted in IT Discussion
@DustinB3403 said in Virtualization when there is only one VM?:
@IRJ said in Virtualization when there is only one VM?:
I mean if you are talking about one server, I would just throw it on the cloud, schedule snapshots, sync file level backups with s3/blob storage and call it a day.
This is true, but it's still virtual. He's asking why would you virtualize just a single server (on premise) if that is all that would be on that host.
The OP is just confusing to me. Why would he want to buy a dedicated server to run one VM?
I am wondering if he is considering running it using desktop hardware which is even worse lol.
-
RE: Virtualization when there is only one VM? posted in IT Discussion
I mean if you are talking about one server, I would just throw it on the cloud, schedule snapshots, sync file level backups with s3/blob storage and call it a day.
-
RE: SEO primer posted in IT Discussion
@pattonb said in SEO primer:
@scottalanmiller Is Matomo, Open Web Analytics, AWStats of any value? I suspect I am asking as to whether tying into the Google World provides any advantage, or will the other software provide me with the data I need. As far as data, I only really need traffic, visits, pages, how long they stay, or pages they view. Basic (in my mind), to see whether traffic is increasing/decreasing, and which pages draw the most interest. The audience is local, services provided don't extend beyond the local area, pop. ~1.4 million
Matomo provides all this. It is what I use.
-
RE: Greenfield HA environment choices posted in IT Discussion
@fuznutz04 said in Greenfield HA environment choices:
Example:
- Windows VMs with software that is not designed for shared databases, shared web hosts, etc.
This is definitely not a modern application. Not one any serious business would consider.
-
RE: HelpDesk Options posted in IT Discussion
@G-I-Jones said in HelpDesk Options:
Okay guys, all my other important shit is done and I have some time to really grind out some learning here. I'm going to try making a VM with one of the options listed on zammad.org for a HelpDesk. This is a prime opportunity to get my feet wet in Linux as it's something we need to get up, but there isn't a terrible rush. Plus, I enjoy coding.
As far as Linux goes, and of the list provided below before I start reading trying to figure out what the hell I'm doing, does anyone have anything helpful to point out about any of the options?
So far I have:
Source: All command line?
CentOS: better at Ubuntu with server stuff, but may lack in end user experience
Debian: tiered releases, lacks the user friendliness of Ubuntu.
Ubuntu: desktops or servers. free and common.
Docker: something about a container that works well inside Ubuntu?
I'm planning on reading more, but I'm just scratching the surface here and don't want to get off on the wrong path here spending hours learning one I won't use. Any tips would be appreciated.
I would run on either CentOS or Ubuntu. Docker containers can be nice, but if you are brand new to Linux you are better off learning how to do things from base OS level first. Especially if you don't consider running other containers on this host.
-
RE: AppGini - building a webpage/db posted in IT Discussion
@scottalanmiller said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
I think you're being over cautious.
Nope. Not something I am willing to ruin my career over.
Nice to be in that position, I guess.
Are you that afraid to say no?
As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.
That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
You do not understand what everyone is trying to tell you.
- Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
- Excel has code review and is patched super regularly with millions of users
- You and your management have a responsibility to first and foremost protect PHI.
- You will be the scapegoat if anything happens (rightly so)
- Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
I don't believe that Excel provides any HIPAA statements, either. And people have the same concerns about it as you do about AppGini.
https://www.excelforum.com/excel-general/1050696-protecting-patient-data-in-excel.html
Funny, they link a SW forum.
That MS has "review" and millions of users are really artefacts, not excuses. MS is actually famous for bad code review and being insecure. Yet I think we all feel confident that using an in house app like Excel, if treated properly, is "good enough" for HIPAA. It goes way above and beyond HIPAA compliance.
AppGini doesn't say it isn't compliant (unless I missed something), they refuse to sign indemnification for something that they aren't responsible for. That's unrelated.
You are assuming that Excel having "code review" and lots of users protects you. But it doesn't. And you are assuming that AppGini isn't patched or reviewed.
If you believe you have to be HIPAA certified end to end, that's impossible. No org in the world has that, at the end of the day, the final in house implementations in every shop, including medical research centers, comes down to their IT following proper practices. Always. This level of solution can't be HIPAA certified because the end users are part of the equation.
I think you'd find if we treated Excel with the scrutiny that we are applying to AppGini, it'd be ruled out as an option instantly. As would Windows. But HIPAA doesn't work that way.
Office 365 (Which includes Excel) is HIPAA compliant. I think @Dashrender is already using Office 365?
So on one side you have a very large company that has the best office suite in existence. Their office suite is well trusted and used by 90% of companies and releases common, well documented updates. Then on the other side you have some company with a few employees that is known by nobody outside of IT (even most in IT have never heard of it).
If you have ever done risk management the answer is quite clear on where the company takes a higher level of risk. Not only to actual infrastructure, but in dealing with auditors, courts, and government (which are not IT). Those people will not understand the decision, and honestly those are the ones you should be worried about.
Likelihood is that dash's company will stay under radar and it won't be an issue. That's small IT thinking. If you were ever to pull this stunt in a larger company, you have to not only show this type of stuff to auditors on a regular basis, but your large customers may audit you as well.
Everyone is going to ask "WTF is AppGini? and do you have PHI in it." "What are your reasons for doing this?" "Show us a detailed diagram of how it works?"
-
RE: AppGini - building a webpage/db posted in IT Discussion
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
I think you're being over cautious.
Nope. Not something I am willing to ruin my career over.
Nice to be in that position, I guess.
Are you that afraid to say no?
As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.
That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
You do not understand what everyone is trying to tell you.
- Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
- Excel has code review and is patched super regularly with millions of users
- You and your management have a responsibility to first and foremost protect PHI.
- You will be the scapegoat if anything happens (rightly so)
- Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
and what are you using to claim it's not compliant? This is why I disagree with you. HIPAA compliance is actually pretty easy, all things considered.
Dude, their own website says it isn't HIPAA compliant...
-
RE: AppGini - building a webpage/db posted in IT Discussion
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
I think you're being over cautious.
Nope. Not something I am willing to ruin my career over.
Nice to be in that position, I guess.
Are you that afraid to say no?
As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.
There are things you let go, and things where you stand ground. I have not been in IT for nearly 15 years to have some hobby business owner tell me what to do and me just reply "yes daddy."
They are paying a lot of money for my experience and expertise. So they will get my real unfiltered opinions. At the end of the day, I don't get what I always want. However, there are certain things which could be career ending, which I will not do.
-
RE: AppGini - building a webpage/db posted in IT Discussion
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
I think you're being over cautious.
Nope. Not something I am willing to ruin my career over.
Nice to be in that position, I guess.
Are you that afraid to say no?
As Scott says - IT's job is to enable the business. If they make decisions against our recommendations, that's really on them.
That said - I disagree with you. I do believe you're being over cautious. Our use of Excel with formulas, etc break your rules because those formulas are "design your shit on a whim" add-ons to a product that we are not going to pay someone to review before we use them. Hell, users create them all the time and IT has no clue they even exist.
You do not understand what everyone is trying to tell you.
- Nobody is saying Excel is a great solution, just a better one than using some random in house app with no review.
- Excel has code review and is patched super regularly with millions of users
- You and your management have a responsibility to first and foremost protect PHI.
- You will be the scapegoat if anything happens (rightly so)
- Whatever you think is safe or isn't safe is irrelevant. It's about being HIPAA compliant, which this solution is not.
-
RE: AppGini - building a webpage/db posted in IT Discussion
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
I think you're being over cautious.
Nope. Not something I am willing to ruin my career over.
Nice to be in that position, I guess.
Are you that afraid to say no?
This should be forked into a thread called "When is it ok to say no to your boss?"
We talk about this too much, not to have a thread on it.
-
RE: AppGini - building a webpage/db posted in IT Discussion
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
I think you're being over cautious.
Nope. Not something I am willing to ruin my career over.
Nice to be in that position, I guess.
Are you that afraid to say no?
-
RE: AppGini - building a webpage/db posted in IT Discussion
@Dashrender said in AppGini - building a webpage/db:
I think you're being over cautious.
Nope. Not something I am willing to ruin my career over.
-
RE: AppGini - building a webpage/db posted in IT Discussion
@Dashrender said in AppGini - building a webpage/db:
So basically, you're saying I'm stuck - I'm forced to hire someone to custom write me a system, and then hire someone to review that software before I can actually use something.
If dealing with PHI, then 100% yes you are not just able to design your shit on a whim.
-
RE: AppGini - building a webpage/db posted in IT Discussion
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
@Dashrender said in AppGini - building a webpage/db:
@IRJ said in AppGini - building a webpage/db:
I would say there is never a case where you want to design something in house to store PHI. Unless, of course, you are a software company that is willing to go through things like external code review, pen testing, HIPAA certification, etc. It is just a HUGE risk that could potentially put your upper management in a hot seat (or prison) if there is a breach.
This is in-house for in-house use only. How is this any worse than storing PHI in Excel?

Well - I still don't make the decisions.
I don't make final decisions either, but that doesn't mean I will fight doing the wrong thing.
It's your job to say NO sometimes. Plain and simple. If you don't say NO to something like this you aren't doing your job.
Interesting - I'm seriously believing that my EHR company doesn't have code review, other than internal review - is that good enough?
They certainly do more than that if you are using Athena Health. They are HITRUST certified.