Reliable, Trustworthy Reporting, Capturing The Heartbeat Of Our Community

Password protector?

Password access, decommissioned drives cause concern for district health board

Following the North Central District Health Department board of health's Sept. 9 meeting, in O'Neill, one thing is clear: who controls employee's computer passwords.

What remains unknown is if the department has a signed service contract with Norfolk-based Precision IT for technology services and what those duties entail, in addition to why health district computers are decommissioned when data is housed on a server and not individual computers.

The answers may just be embedded deep within a computer hard drive that no one is currently able to access.

Cherry County Commissioner James Ward, who serves on the NCDHD board, asked executive director Roger Wiese what the district's relationship is with the IT company.

Wiese said he does not know if the health department has a contract or agreement.

"It's probably just more of an agreement that we hire them to do our services," Wiese said.

Who sets up or changes passwords on each employee's computer?

According to Wiese, NCDHD computer passwords "follow a code" and have "for about the past four years."

"Passwords are usually established," Wiese paused. "Usually, I pick the password. IT implements the password so that those permissions follow the employee, so they can go to any desktop and those permissions follow them to what they can access on the server," the director said.

"So, you have their usernames and passwords?" Ward pressed.

Board of health chairman Kelly Kalkowski, of Lynch, interjected, "They get to, hopefully, pick their own password after you give the original one."

No, according to Wiese.

"We try to mitigate 'fizzing' and other options that can happen into the office. What happens if an employee picks their own password? What has happened, they may associate with anything personal, so if any of their personal accounts are hacked, it could lead into the office as well. It's not uncommon for businesses to do that," Wiese asserted.

Kyle Kellum, chief executive officer of Cherry County Hospital and member of the NCDHD board, said he has never heard of another business using this type of system, suggesting Wiese and IT employees could set parameters. He provided an example of using a pet dog's name, followed by four numbers and three other characters.

"I guess we could, but we set the parameters in advance," Wiese said.

Can the director track which employees log into a computer?

"It can be tracked, but is it tracked? It isn't necessarily tracked," Wiese said.

When asked a second time, by Ward, if employee logins are tracked, Wiese responded, "I suppose IT can, to a certain extent."

Ward asked if a Precision IT technician has ever tracked logins.

"Can you ask them to do that? I suppose you can. Can they track how many applications have been opened by that person during a period of eight hours in a workday? I suppose they can. Do I ask them to do that on a daily basis? No," Wiese said.

Other concerns about IT services and department practices were also discussed.

Ward referenced an email "floating around that said a computer was removed."

Wiese said an order to decommission the computer was discussed in January and February and put in place in March. He said parts weren't available before for three systems that were more than five years old. He said computers are decommissioned every three to five years.

Later in the meeting, Wiese told board of health members, "We either take a computer out of service if nobody is using it or decommission it after three to five years."

When a system is decommissioned, Precision IT takes the machine, destroys the hard drive and then destroys the computer, according to Wiese.

Ward asked Wiese if the three computers were related to "incidents discussed in executive session," on Sept. 9.

According to the director, one computer was involved and then he replied, "It wasn't related to that, it was already scheduled to be taken out. The other two just happened."

"I really question whether we should be destroying computers that are department property. Those are health department property. They were never 'surplused,'" Ward said.

"Data is capped," said Celine Mlady, a Knox County board representative. "The data is still on the server."

Dean Smith, representing Antelope County, said he contacted Precision IT to find out if any computers had been picked up from the O'Neill office and was told technicians have been told to only talk to the executive director or "executive committee."

"I've never talked to them," Kalkowski said.

Mlady admitted she spoke with company representatives.

"The tech felt harassed," Mlady said.

Smith reiterated all he asked was if a computer had been picked up.

"I didn't feel we wanted every board member calling," Mlady said.

Ward asked why the tech reached out to Mlady.

"I've known him (Tim Udell) for 20 years," she said.

"What's your relationship with Tim Udell?" Smith asked.

"Precision IT," she responded.

Wiese noted Udell has performed IT work for the department for "many years."

Ward questioned why the company was told to only speak with executive committee members or the director.

Mlady responded, at the time, she thought the executive committee had "a little authority."

"Now I know we don't. I just don't want everybody calling. Precision IT did not want to get a bunch of phone calls," she said.

"That's Precision IT's problem," Ward retorted.

Susan Taylor, a former office manager for NCDHD asked, if prior to decommissioning a computer, all work is saved on the computer or if it's saved directly to the server. She said policy is to keep work for seven years.

According to Wiese, shortcuts are on the desktops.

"One employee's desktop was just recently transitioned and decommissioned out. What had happened, there were shortcuts plus a few documents they had open that they were working on that normally get saved on the server. Everything was saved, cut and then put on the new desktop," Wiese said.

Kellum asked if Wiese could log in to his computer, go to another computer and log in, and have full remote access to everything on his desktop.

"I don't have anything saved on my desktop," Wiese said. "I don't have shortcuts either because I'm not good at that."

Taylor said while she was employed by the district, she had to switch desktops on "a few occasions."

"I had to have IT send all my documentation from my previous desktop to my new desktop because I did not have access to those items," Taylor said.

Wiese said all department documents are to be saved on the server.

"It (the computer) is made to be a vehicle to go to the server," he said.

"If they're just a vehicle and there's nothing saved on those computers, there's nothing to destroy on those hard drives. What are we doing?" Ward asked.

Wiese said, "It's just a practice. We've been destroying the hard drive for 20 years. It's got Microsoft stuff on it..."

Ward interjected, "You destroy the hard drive to get rid of the information on it. That's the only way, to physically destroy it. You can chop it up and still recover data off it. Are we destroying the hard drive, if there's nothing on it, then why are we going to that point?"

Wiese said he believed, to be HIPPA-compliant, hard drives need to be wiped or destroyed.

"If they (IT) can look at that info, then we have a potential problem. We have a whole can of worms there," Ward said. "I'm to the point, Precision is not representing us. They're not providing good information. They're not providing current policies and practices. These are things IT guys should be bringing up to us ... I don't feel like we're getting best-practice advice or we're getting industry standards we should be getting."

Kalkowski asked if NCDHD received a certificate of destruction, "so we know it's been destroyed properly."

"No," Wiese responded.

Brown County Commissioner Dennis Bauer suggested the board of health issue a Request for Proposals for IT services.

Most board members expressed agreement.

Wiese was instructed to include RFP discussion on the board's September meeting agenda.

 

Reader Comments(0)

 
 
Rendered 11/02/2024 20:26