I am livid. Click here to learn why.
-
The Health Science Center recently installed new IT leadership, and apparently that leadership is dominated by unethical dickheads. IT has been sending out operatives in the colleges to "inventory" computer systems used by faculty and staff. They are doing this after 8 pm so as to avoid getting caught. Legions of us have returned to work to find notes left that tell us our personal computers have been confiscated or have had monitoring software installed on them.
I was hit this week. I just found two iMacs had been "inventoried" overnight. One was removed and one had IT monitoring software installed. This is the email I just sent the IT Director (cc to my Chair, the Dean, and the Speaker of the Faculty Senate):
Dear Mr. Kissee,
I am a faculty member in the Dental School. This week, I was left notes informing me of a visitation by IT minions telling me that one of my research group iMac computers was removed and another had monitoring software installed. Sir, I write this email to inform you that this behavior is inappropriate and in violation of System policy and NIH rules regarding stewardship of research data collected with federal funding. You see, these computers, purchased with NIH grant funds, contain confidential research data for which I am responsible. If IT determines that there are issues such as OS version or network security concerns, the appropriate action is to contact me, as the principal investigator, and I will work with my IT colleagues to ensure compliance of my systems. Needless to say, the removed computer must be returned immediately.
IT personnel letting themselves into our offices and laboratories after hours has been a widespread problem recently, and it is unacceptable. To combat this behavior, I will be installing firmware passwords on all my work group computers so that it will be difficult to impossible for anyone but me, the sole person with administrative access, to manipulate them. If attempts to modify or confiscate my computers continue, I will buy laptops for my research group and store them in a padlocked box in a hidden location at the close of business each day. This should inhibit IT ninja strike teams from future clandestine operations.
TL;DR: do not touch my research equipment.
The Faculty across the entire University is up in arms over this, and the Senate is taking it to the Provost. Not only is this BS in violation of research data retention policies and federal regulations, many of the stolen computers also have student grades and course information and/or protected health information of patients on IRB-approved clinical studies. That means these bozos are in violation of FERPA and HIPAA. They are also breaking OSEH and IBC regulations when they enter research laboratories to take "aging computers". Some of these spaces have elevated biosafety designations.
I hope one of them goes into a lab and gets radioactive material on something and takes it back to the IT department so that the University gets cited and put on probation by the NRC.
Excuse me now. I have to go up to the 5th floor and collect my iMac.
-
New leadership often tries to impose their rule rather than listening and learning first. That was a great letter and I hope your work helps set them straight. Give them hell!
-
@chariotoflove I have never known IT departments to willingly take on extra work. This is weird.
-
@forsweden I suspect their motivation falls under the "I'm the boss and you'll do what I say or get fired" category. It's sometimes easier to be maliciously compliant (I think there's a whole sub-reddit on this) and let the boss get burned than it is to stand up and argue with an asshat.
-
@chariotoflove IT for my organization is only able to install monitoring/security software on windows machines. We just buy macs. If we end up with a windows computer, it gets wiped and linux'd.
Also, I could have sworn you were in Geology, for some reason
-
@qaaaaa said in I am livid. Click here to learn why.:
Also, I could have sworn you were in Geology, for some reason
While all Oppos rock, not all Oppos work with rocks
-
@chariotoflove Seems like someone is trying to make a name for themselves but unfortunately they're not very smart.
-
@forsweden said in I am livid. Click here to learn why.:
@chariotoflove I have never known IT departments to willingly take on extra work. This is weird.
If it allows them to avoid having to interact with human beings down the road, they may be coerced into making the investment.
-
@chariotoflove holy shit that is some borderline if not straight up illegal shit going on there.
-
@bj said in I am livid. Click here to learn why.:
@forsweden I suspect their motivation falls under the "I'm the boss and you'll do what I say or get fired" category. It's sometimes easier to be maliciously compliant (I think there's a whole sub-reddit on this) and let the boss get burned than it is to stand up and argue with an asshat.
This is what my College IT guys are under. Want their salaries and benefits? Do what the uber-boss commands.
-
@chariotoflove Plot twist : I am the provost, and I've been watching you spending all your time on the Hyphen during your hours of duty.
-
@qaaaaa said in I am livid. Click here to learn why.:
@chariotoflove IT for my organization is only able to install monitoring/security software on windows machines. We just buy macs. If we end up with a windows computer, it gets wiped and linux'd.
Also, I could have sworn you were in Geology, for some reason
Teeth, rocks, whatever.
They seem to have procured some monitoring engine software for Macs.
-
@bloody-the-resident-shitposting-saffer said in I am livid. Click here to learn why.:
@chariotoflove Seems like someone is trying to make a name for themselves but unfortunately they're not very smart.
Oh they are making a name...but they are not going to like the names they are earning.
-
@frinesi2 said in I am livid. Click here to learn why.:
@chariotoflove holy shit that is some borderline if not straight up illegal shit going on there.
It is straight up illegal.
-
@darkbrador said in I am livid. Click here to learn why.:
@chariotoflove Plot twist : I am the provost, and I've been watching you spending all your time on the Hyphen during your hours of duty.
My Hyphen use comes under permissible personal incidental use policy.
Didn't think I paid attention to the training videos, did you, Your Majesty?
-
@chariotoflove Teeth are just mouth rocks
-
@qaaaaa or are rocks just Earth teeth?
-
@chariotoflove As a member of the senior IT team in a medical school, I'll bet you they haven't broken any laws (I'd love to see the provision in any of the laws you quoted that says that the school IT team can't secure the hardware and software), that the school IT rules are probably broken by the users with unsupported and unmonitored machines, and that you'll be in compliance after you work with IT.
We deal with individual departments and labs and PhDs and MDs all the time, and they choose simple consumer options instead of enterprise, properly backed up and properly secured options. Then they come to us when their data is lost when their external hard drives die, or when they move data into non-HIPAA approved cloud solutions and have it stolen, when they lose stuff that is supposed to be kept for 7 years based on their grants...
I know this is not what you want to hear, but I hope you can find some common ground with the IT team and figure out why they are doing what they are doing.
That said, doing it without notice, after hours, is really shitty. We still dangle carrots for the worst offenders and tell them what they are missing instead of taking the stick approach that your IT team seems to be taking.
-
@chariotoflove Dentists are not real doctors, anyway ...
-
@darkbrador I need to get a PhD so I can complain when the MedTech School grads start gatekeeping the title "Doctor."
-
@chariotoflove if uhhh this is deemed a HIPAA breach in full, hit up your boy here. It's part of what we do over in my world
-
damn that is real shitty by the IT department, keep us updated as to what happens next
-
@musashi66 so, Chariot is mad enough to post a big rant, and your response is "you're wrong and IT is right and did nothing wrong"
ouch, bud. rough approach.
-
This is an IT department that tried to migrate our data storage to cloud storage servers that were not HIPAA or FERPA compliant two years ago. That cloud solution has since been closed down. The root problem is that our new leadership seems to come from enterprise with no experience in academic computing, and that means little experience with NIH, FERPA, and HIPAA regulations. For IRB clinical studies, for example, patient health information must be maintained in a locked room and container with access granted only to those whose names are listed on the protocol as approved. There is no legal provision for an IT employee to use a skeleton key to remove the data from its designated storage facility to another, possibly not secure, location.
But even if it was legal, it's still the wrong way to do things. It's in violation of all professionalism guidelines specified in System policy. It didn't use to be this way. Our local IT guys used to have more autonomy to work with us. They were my friends. They'd help me with stuff, and I'd buy them beer. If there was a problem, we would work together to fix it, and make sure everything was in compliance. Even last year, the outgoing local IT director would tell his people that they don't install stuff on our research systems; only we do, because we had special scientific packages with specific licensing issues. I know this because I am the department equipment committee chairman. I worked with the server guys to solve these problems.
The problems hit when IT down at the main campus started centralizing administration of everything. They have tried to get us to not talk to our IT guys directly but to put in work orders online. They are actively trying to dismantle constructive working relationships here.
Sure we have non-compliant faculty who have out of date systems or practice unsafe behaviors on the network, and they are always a source of eye-rolls and ulcers for the computing guys. But, they have never been at odds with each other before. That is what's changing.
-
@tysmagic said in I am livid. Click here to learn why.:
@chariotoflove if uhhh this is deemed a HIPAA breach in full, hit up your boy here. It's part of what we do over in my world
Thank you. I'll remember that as this develops. It'll be interesting to see how it all plays out.