this post was submitted on 16 Jan 2024
97 points (93.7% liked)

Technology
[–] 0110010001100010@lemmy.world 60 points 10 months ago* (last edited 10 months ago) (2 children)

In before some company pops up to "centrally manage" all this data that 90% of the hospitals start using then said company gets hacked. There is exactly zero chance this gets stored securely and a minuscule chance it gets stored locally.

[–] BearOfaTime@lemm.ee 8 points 10 months ago

It probably is already a contracted service, and not installed and managed by local IT.

Partly because no one has the IT resources to do it all to start with; secondly, it's probably how it's sold (vendors love getting their foot in with installations, then having a years-long contract for maintenance). Third, it's a typical business move to offset risk by contracting a service: since they're paying someone else to install and manage the system, if something goes sideways the vendor eats it.

It's also financially useful: the business doesn't own the hardware or anything, so the cost of the contract comes out of your profit column, reducing tax liability, whereas with ownership it's part of your assets. Bean counters really like contracted services.

Source: worked in enterprise IT for some time; this is SOP for these kinds of systems.

Also, this is a crock of shit, because we know it will get messed with.

The only orgs I'd have any faith in to make such systems would be the data or physical security orgs within companies. Their whole reason for being is to reduce risk to the company. For example, to even get an SQL script from/to a vendor, we create an SFTP box specifically for that purpose/vendor. But setting up the dropbox requires multiple levels of approval, from different internal orgs, with all of us attached to the risks.

Then the password is provided through a checkout system, with a limited lifespan (depending on the dropbox), which is tracked, along with accesses to the box, and what's transferred and to where. Every few months everyone has to re-approve the box (you're really re-approving permitting a known risk).
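The per-vendor dropbox controls this comment describes (sign-off from several internal orgs before the box can be used, a password handed out through a checkout with a limited lifespan, every login and transfer tracked, and periodic re-approval of the known risk) as an added Python model. This is illustrative code written for this thread, not from the commenter or from any real SFTP or checkout product; the approving org names, the 90-day re-approval period, the 4-hour password lifespan and the vendor and file names are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy (not from the comment): which internal orgs must sign off on a
# dropbox, and how old a sign-off may be before everyone has to re-approve it.
REQUIRED_APPROVERS = frozenset({"security", "infrastructure", "data_owner"})
REAPPROVAL_PERIOD = timedelta(days=90)


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str
    detail: str = ""


@dataclass
class VendorDropbox:
    """One SFTP dropbox created for a single vendor and a single purpose."""
    vendor: str
    purpose: str
    approvals: dict[str, tuple[str, datetime]] = field(default_factory=dict)  # org -> (approver, when)
    audit: list[AuditEvent] = field(default_factory=list)
    # Only a salted PBKDF2 hash of the checked-out password is retained, plus its expiry.
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _password_hash: bytes | None = None
    _password_expires: datetime | None = None

    def _log(self, when: datetime, actor: str, action: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(when, actor, action, detail))

    def approve(self, org: str, approver: str, now: datetime) -> None:
        if org not in REQUIRED_APPROVERS:
            raise ValueError(f"{org} is not one of the approving orgs")
        self.approvals[org] = (approver, now)   # re-approving refreshes the timestamp
        self._log(now, approver, "approve", org)

    def is_approved(self, now: datetime) -> bool:
        # Every required org must have signed off within the re-approval period.
        return all(
            org in self.approvals and now - self.approvals[org][1] <= REAPPROVAL_PERIOD
            for org in REQUIRED_APPROVERS
        )

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def checkout_password(self, requester: str, now: datetime, ttl: timedelta) -> str:
        """Issue a fresh password that stops working after `ttl`; refused unless approved."""
        if not self.is_approved(now):
            self._log(now, requester, "checkout_denied", "box not currently approved")
            raise PermissionError("dropbox is not currently approved")
        password = secrets.token_urlsafe(24)
        self._password_hash = self._hash(password)
        self._password_expires = now + ttl
        self._log(now, requester, "checkout", f"expires {self._password_expires.isoformat()}")
        return password

    def authenticate(self, who: str, password: str, now: datetime) -> bool:
        ok = (
            self._password_hash is not None
            and self._password_expires is not None
            and now < self._password_expires
            and hmac.compare_digest(self._hash(password), self._password_hash)
        )
        self._log(now, who, "login_ok" if ok else "login_failed")
        return ok

    def record_transfer(self, who: str, filename: str, direction: str, dest: str, now: datetime) -> None:
        self._log(now, who, f"transfer_{direction}", f"{filename} -> {dest}")


def demo_lifecycle() -> dict:
    """Walk one box through approval, checkout, expiry and re-approval (constructed data)."""
    t0 = datetime(2024, 1, 16, 9, 0, tzinfo=timezone.utc)
    box = VendorDropbox(vendor="acme-emr", purpose="schema migration script")
    box.approve("security", "alice", t0)
    box.approve("infrastructure", "bob", t0)
    try:                                   # two of three sign-offs is not enough
        box.checkout_password("carol", t0, timedelta(hours=4))
        early = True
    except PermissionError:
        early = False
    box.approve("data_owner", "dave", t0)
    pw = box.checkout_password("carol", t0, timedelta(hours=4))
    t1 = t0 + timedelta(hours=1)
    ok_in_window = box.authenticate("vendor-acme", pw, t1)
    box.record_transfer("vendor-acme", "migration.sql", "in", "/dropbox/acme-emr/", t1)
    ok_after_ttl = box.authenticate("vendor-acme", pw, t0 + timedelta(hours=5))
    wrong_pw = box.authenticate("vendor-acme", "not-the-password", t1)
    later = t0 + REAPPROVAL_PERIOD + timedelta(days=1)
    lapsed = box.is_approved(later)        # 91 days on, the approvals have expired
    for org, approver in (("security", "alice"), ("infrastructure", "bob"), ("data_owner", "dave")):
        box.approve(org, approver, later)  # everyone re-accepts the known risk
    box.checkout_password("carol", later, timedelta(hours=4))
    return {
        "checkout_before_full_approval": early,
        "login_within_ttl": ok_in_window,
        "login_after_ttl": ok_after_ttl,
        "login_wrong_password": wrong_pw,
        "approved_after_90_days": lapsed,
        "audit_entries": len(box.audit),
    }
```

The audit list is the part worth copying: every approval, denied or granted checkout, login attempt and transfer lands in it with a timestamp and actor, which is what lets the box be reviewed when the approvals come up for renewal.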