VPNs and HR
Posted by GreenEggPage@reddit | talesfromtechsupport | 105 comments
I run a small IT service company. Before I burnt out and drastically scaled back my customer base, I had a very large medical practice as a customer - multiple sites, multiple doctors, multiple lack of communications...
One Saturday, I get a call from one of the newer doctors who is having issues connecting via the VPN. Generally, it's because they have forgotten their password since they only use the VPN once in a blue moon. As I'm logging in to do the reset we're making idle chatter. I'm about to tell him his new password when he drops this little nugget of information, "yeah, I'm down in
Me - "wait - you're no longer with
Dr - "no, I work for
Me - "well, that's a different issue then. I can't allow you access to their system. I'm locking your account and disabling all access. Have a nice day, doc."
And then on Monday I had a conversation with HR about why they needed to let me know when personnel depart the company, because they almost had a HIPAA violation on their hands.
hennell@reddit
I deleted a load of old accounts that left over a year ago. Then undeleted some because the account was being used as some sort of critical information holding system.
My efforts at pushing a proper off boarding process are resisted as not important.
Thankfully I'm not in healthcare
RatherGoodDog@reddit
Hey that sounds familiar. Our head of finance left 2 years ago, and her account is still active. Why? Because instead of organising things in the shared finance directory and central email inbox, she did most of her work on her individual email account and local drive.
Because she was sufficiently senior and answered only to the CEO, nobody was looking over her shoulder to tell her she had shit IT practice. Now we're stuck with a virtual employee account that cannot be terminated because it's linked to so many third party services like payroll, payment processors, tax reporting logins and so on.
Ich_mag_Kartoffeln@reddit
I'm sure they'd have changed her password. Probably to "password".
Troneous@reddit
If it was changed then it would now be "password2".
commentsrnice2@reddit
Or "Password" or hopefully "Password2!"
DarkRitual_88@reddit
Password2!!!!!!!!
NotYetReadyToRetire@reddit
I quit worrying about security at one past job because the CEO and COO wouldn't let me do anything - not even expire passwords. My bet is that I could still get in 10 years after I left; the CEO's password was his first name, and I spent untold hours reimaging the COO's laptop because he wouldn't stay off random gambling sites and was always getting viruses.
OrthosDeli@reddit
Ah yes, the eternal and invisible web of "we've had [intern] signing into [former employee A's] account so they can use [former employee B's] files! Turn it back on!"
Saint_Dogbert@reddit
No.
Submit an access request and the Intern can access ex-Bs files on a share setup for that purpose.
ThunderDwn@reddit
We had that happen. Developers deploying business critical systems that we sold to customers with their own credentials.
Of course, every time one left - or changed their password - Systems X, Y and Z would crash down in a heap and it'd take two days for someone to remember where the config file which held the credentials was located and change it to match.
I, of course, was refused permission to force them to use service accounts which were configured with least-privilege access levels.
I got tired of dropping everything to fix their fuckups and simply pointed whoever was complaining at the developer or manglement.
Fo0ker@reddit
I'm in "healthcare adjacent" shall we say.
I'm also the first cybersecurity hire since the company was started.
Sooo much work, soo much sec oriented culture to build from scratch, soo many things to fix.
And getting product owners to give us two hours of their time to switch their product from the account of the employee who quit 7 years ago to a dedicated account for the software is worse than pulling blood from a stone tooth.
alf666@reddit
At what point do you start deactivating accounts and force them to come to you to implement a proper fix?
Basically, start invoking the scream test deliberately and with full knowledge that someone will scream, because they need to be made to scream in order to allow you to do your job.
MikeSchwab63@reddit
Password change required time. Say they change the password, then quit that day. When it expires, they're no longer on the time keeping / payroll system.
SCPaddlePirate@reddit
Offboarding is a HUGE issue where I worked. Full timers had end dates, which was fine. But temporary/contractors were a different story. HR didn't let IT know, so we made the call to set a specific date every year and all non-full timers expired on that date. It was a pain, but if HR would communicate, it wouldn't be necessary. Grrrrr…
quetzalcoatlus1453@reddit
The scream test is perfectly cromulent.
VernapatorCur@reddit
So many Directors of IT I've known were fans of the Scream Test. Don't know what it's for? Shut it down and see who screams.
Jonathan_the_Nerd@reddit
Sometimes it's appropriate.
"This server is still running Microsoft Bob. It needs to be upgraded or retired. Who owns it?"
Crickets
"Is the server still in use?"
Crickets
"Okay, since no one uses it, we're going to decommission it on. Any objections?"
Crickets
"Thank you for confirming that you don't read your email."
VernapatorCur@reddit
The place I'm at is in that phase right now. We have a server that no one knows what it's for, and we're getting ready to shut it down and see which department freaks out.
SoundsProfessional@reddit
I was at a company that had a lead tech/sysadmin who "left for other opportunities." Afterward, when trying to clean up his workstation, it was discovered he had multiple desktop PCs under his desk running for one-off purposes. It was a series of Scream Tests. "Oh, apparently that one ran the clocks." "Business Office shared drive is offline. Did someone shut down another of [lead's] computers?"
Fun times
FireLucid@reddit
An old version of windows had an online lookup tool to check what program opened unrecognised file extensions. That ran under some devs desk when Windows went live and there was scrambling when it got turned off one day.
warlock415@reddit
"I read my email, I didn't know that THAT app needed THAT server."
castlerobber@reddit
IBM has just deprecated their Merlin project for the IBM i, and is replacing it with Project Bob.
All I could think of while reading the article was Microsoft Bob.
CZC_39@reddit
Can confirm. I'm no IT Director, but if I'm asking about the use of a particular server and no one on the IT team knows, then I shut it down and wait. No one screams, then we're golden: one less device to harden.
warlock415@reddit
I hate the "scream test". As I said to a previous boss who suggested turning off all the servers and then only turning on the important ones:
"Hey, so I found a weird box outside your house, I just unplugged it and you didn't scream so I got rid of it.
In six months when you're yelling 'Where the fuck is my air conditioning??', hey, not my problem, it passed the scream test in December..."
WildMartin429@reddit
We had something similar set up, and the temp workers who had contracts renewed would always call in because their accounts would be locked in preparation for deletion/offboarding. When they told us their contract was renewed for another year, we'd be like: that's great, you need to talk to your management and have them fill out the appropriate paperwork so that we can turn everything back on, and if they don't do it in the next 90 days your account will be deleted.
Tathas@reddit
My company just nukes accounts at the drop of a hat. Oh you weren't actually termed? Too bad. Here's a new account with a new sid, go request access to everything again. They even do that when someone converts from contractor to full time employee.
jkarovskaya@reddit
Our infra group had to explain in detail to new techs why we disabled AD accounts instead of deleting them for most of the contractors, temps, & seasonals
Deleting an account required a serious process, especially for VIPs, because of discovery, legal, etc.
LaundryMan2008@reddit
Happy cake day!
lincolnjkc@reddit
I have a client who has just started scheduling me to fly in every 2 months for a day, primarily so I can swipe my badge and no one gets the idea of deactivating my badge or killing remote access (apparently 90 days is the magic "if their badge hasn't been tapped they just don't need any access at all" date...)
warlock415@reddit
Why are they flying you and not just your badge?
lincolnjkc@reddit
Mostly security policy re: sharing badges or passwords/codes.
WildMartin429@reddit
Worked at a place that did similar at one point and it was freaking annoying. My email address was firstname.lastname at companyname when I first started as a temp worker. Then I got hired on as staff with what was apparently an internal temp company that was "company name LLC" instead of "company name Inc" so that they could avoid certain labor laws and whatnot, and they nuked my account and made me lose all my email and gave me a new account with firstname.lastname11 at companyname.com. Then I got hired on to the actual company at some point and they did it again but with 22, and then I got transferred to a different division that was semi separate and they did it a third time and gave me 33 on my email. It was a very frustrating experience.
Bemteb@reddit
I was on the other side of that once: Working as a contractor for a company, contract got renewed, suddenly lost all access. When asked I was told that IT blocked my accounts because no one told them that the contract got extended. Took them three whole days to unblock it. Next renewal, I asked multiple times if they informed IT; and got still blocked.
But that is nothing compared to another contractor at the same company. For him, IT deleted his accounts. Thus, all his tickets, comments, every document he ever created or participated in was suddenly under "unknown". That account had lots of other stuff though, so no way to identify what he worked on. After IT said they couldn't roll it back, he said fuck that and left the company.
bhechinger@reddit
Offboarding at the university hospital I worked at was such a train wreck. We had 3 sources of employee information (doctors were a different system than regular employees, etc) that fed into our identity management system. We had to constantly harass all three groups because none of them ever sent offboarding to us.
flaser_@reddit
My experience with HR has been that they're incapable of any business function other than fucking with and fucking over employees.
chattytrout@reddit
But rarely fucking employees, because that'd be sexual harassment.
Kuddel_Daddeldu@reddit
When I was in charge of that, all user accounts had end dates. For new permanent employees it was the end of the probation period, for contractors the contract end date. For permanent employees it was every six months. I sent a list to HR two weeks before expiry and extended the end date on their feedback. It happened from time to time that someone could not log on because of that, but a quick call to HR or their manager quickly resolved that one way or the other.
samdiatmh@reddit
Typically that happens at the "December 31" or something equally as inconvenient too
I remember a story where that happened, and was just expected to carry on - so that "oh it's now Jan 1 and we all no longer have access because we're technically unemployed now" was a FUN conversation with the boss when he's pressing us all on this "urgent" task
kg44000spklz@reddit
I understand… and I also understand that "one one" is an all hands on deck day in healthcare tech. Ay dios mío.
DiodeInc@reddit
You're not employed, so no. You don't work for free.
cornponious@reddit
Is it normal for a medical practice to outsource its IT, insomuch as the IT service is even doing account unlocks in AD? This seems like a huge security risk.
GreenEggPage@reddit (OP)
Most of my business was medical and dental practices. I'm pretty sure that even the local hospitals have outsourced IT. Most of your practices aren't big enough to be able to employ a full-time IT guy. The biggest one I had took about 40 hours per month unless there was a big project.
cornponious@reddit
How in the world could a medical practice, with as much money that is made in medicine, not be able to afford one full time IT guy?
GreenEggPage@reddit (OP)
1 doctor, 3 dental hygienists, 1 front desk/office manager. They only need 5-10 hours of work done per month. It doesn't make sense to pay someone a full time salary for that. If they don't outsource, then they end up with the most tech literate employee trying to do all the IT - and you know how bad that becomes.
Bigger offices still can't justify a full-time salary for an IT guy. And if they can justify for 1 guy, he's never getting any vacation, sick time, or weekends. Servers down and the IT guy has the flu? Too bad - he's wearing a mask and getting it back up. So they can't justify a secondary person.
It all boils down to what does the IT guy do for the company? He doesn't generate revenue. He definitely costs money. All he does is sit around all day waiting on work to do. And when doctors talk, they find out that they're spending $50-100k per year on an IT guy while their buddy has hired an MSP for $25k. It's a no-brainer.
nowildstuff_192@reddit
Just today I asked HR why in the name of all that is good and holy don't they loop me into their offboarding process.
The context was that I figured out that an employee had been fired a month ago, and I only guessed because I had just gotten a request to set up a new user package with the same privileges, and I knew there weren't any empty seats in that office.
dustojnikhummer@reddit
And what was their answer? "We didn't think it was important"?
nowildstuff_192@reddit
More like, "you're IT, can't you automate it?"
No, no I can't. They manage manpower using a web-based service I don't have access to, and evidently doesn't have email notification abilities I could leverage.
dustojnikhummer@reddit
"We can't and we won't, we don't want the responsibility"
dog2k@reddit
At my last place IT took away card and key assignment from Facilities when an audit revealed they couldn't account for 100 master keys (all offices and classrooms minus admin\finance\hr) and 40-ish grand-master keys (all access). They couldn't even account for who had been assigned these keys.
It cost $15,000 for a crew of locksmiths to come in over the weekend and rekey every damn door in the building.
Arokthis@reddit
That must have been fuuuun.
How many doors and how many in the crew? 15k for a semi-emergency sounds rather low.
dog2k@reddit
We had a certified locksmith on staff (working as an hvac guy) who called in an outside company and 4 or 5 Facilities guys (who got a 20 minute training session) to rekey 2-300 doors. We eventually switched to card access with physical keys only for areas where this was impossible\impractical.
Ich_mag_Kartoffeln@reddit
One place I worked NOBODY had a super-dooper access-all-areas master key. Good security.
But nearly everyone who had a key (of any description) had access to the "secure key cupboard" where the super-dooper access-all-areas master key was kept. Said cupboard was not in a high traffic office where somebody might see you, and ask what you were doing -- it was in the store room, next to the cupboard of stationery.
LupercaniusAB@reddit
Ah, "security through obscurity" in the physical world! Brilliant!
Ich_mag_Kartoffeln@reddit
More, "security through hoping that nobody would do the wrong thing".
It might have been a defence against an outsider, but everybody who worked there knew where it was. And key security (don't let anybody borrow your keys) was pretty lax too.
LupercaniusAB@reddit
Ich mag Kartoffeln auch!
RatherGoodDog@reddit
Wait, you guys account for your keys?
My building has physical keys, lots of them. We don't know how many we have, we don't know who has (had) them, we don't even know which doors they all open.
Let's give it to the dumbest office admin in the building to sort out. So far, we have a spreadsheet last updated in 2023. Most of the employees on there are no longer employees.
Flimsy_Category4211@reddit
I used to be in HR and left for IT because of how much HR sucks
-VWNate@reddit
Wow;
All these stories from the folks who worked IT. I was an employee for 32 years and when I mentioned I was going to retire in a month they cut all my access and deleted my E-Mail account, so I basically had nothing to do my last month.
Good to know some cared, I didn't understand how it all worked until reading these replies.
-Nate
kapeman_@reddit
This is the perfect use case for AD integration. Let someone else handle all the account deletion.
dragzo0o0@reddit
Ideally, tied to their People Application. The amount of crap I've seen out there by IT depts trying to script ways around HR fuckups..
arslearsle@reddit
Healthcare and HR… always the same shitshow
Joe_Peanut@reddit
Had something similar happen. Working at a large org. Big boss comes into my office fuming to yell at me why I hadn't terminated an user's account. I told him nobody had informed me that the user had left. Turns out the user, who was located in a different country by the way, had been fired months prior, and was suing the organization, yet still had access to our systems and email lists. I showed the boss the search of my email box and the tech support ticketing system search for the user's name, and no mention that he had left or requests to terminate the account. Boss still blamed me.
SCPaddlePirate@reddit
Our date was October 1. It's a university and the bosses decided the middle of a semester was the best time. We do have a notification system in place so users whose expiration dates are at 30, 14, 7, 3, 2 and 1 days out get an email about it. If they let us know, we verify with HR that they can be extended and they get another year. It is so much unnecessary work because HR doesn't want to take the time to notify IT and the IT boss doesn't want to take the time to get the team to integrate the HR end date into the IT user mgmt system. It's a crock of sh!t. The reason is that sometimes users are given extra time to wrap up things after their official last date and an automated system wouldn't work for that. Total BS. They have been told MANY times about the security risks and how users no longer employed shouldn't be allowed to retain access. But they always make exceptions, to the point where I always say it was an "exceptional" university.
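The two policies described in this thread (every account carries an end date, reminders go out at fixed intervals before it, the account is disabled rather than deleted at expiry, and only an HR-confirmed extension moves the date) can be modelled in a few dozen lines. This is an added example, not code any poster or their employer runs; the accounts and the HR feed are constructed, and in a real directory the "disable" step would map to whatever your identity system does for that.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Reminder schedule quoted in the thread: days before expiry at which the user is emailed.
REMINDER_DAYS = (30, 14, 7, 3, 2, 1)


@dataclass
class Account:
    username: str
    end_date: date               # every account carries an end date, no exceptions
    enabled: bool = True
    reminders_sent: set = field(default_factory=set)


def plan_day(accounts, today, hr_extensions):
    """One daily run of the policy.

    hr_extensions: {username: new end date} that HR (or the manager) confirmed today.
    Returns (reminders, disabled, extended): reminders is a list of (username, tier),
    the other two are lists of usernames. Accounts are updated in place.
    """
    reminders, disabled, extended = [], [], []
    for acct in accounts:
        # 1. A confirmed extension moves the end date and re-enables the account;
        #    the reminder history is reset so the new cycle starts clean.
        new_end = hr_extensions.get(acct.username)
        if new_end is not None and new_end > acct.end_date:
            acct.end_date = new_end
            acct.enabled = True
            acct.reminders_sent.clear()
            extended.append(acct.username)

        days_left = (acct.end_date - today).days

        # 2. Past the end date: disable, never delete. The object, its SID and its
        #    ownership of files, tickets and mail survive for discovery or a re-hire.
        if days_left <= 0:
            if acct.enabled:
                acct.enabled = False
                disabled.append(acct.username)
            continue

        # 3. Reminder tiers. Pick the tightest tier that still covers days_left so a
        #    run that was skipped for a few days catches up with one email, not five.
        due = [d for d in REMINDER_DAYS if d >= days_left]
        if due:
            tier = min(due)
            if tier not in acct.reminders_sent:
                acct.reminders_sent.update(due)
                reminders.append((acct.username, tier))
    return reminders, disabled, extended


def hr_review_list(accounts, today_iso, lookahead=14):
    """The list sent to HR ahead of time: accounts expiring within `lookahead` days."""
    today = date.fromisoformat(today_iso)
    due = [a for a in accounts if 0 <= (a.end_date - today).days <= lookahead]
    return [(a.username, a.end_date.isoformat()) for a in sorted(due, key=lambda a: a.end_date)]


def simulate(accounts, start_iso, ndays, hr_feed):
    """Run plan_day once per day for `ndays` days starting at `start_iso`.

    hr_feed: {ISO day: {username: ISO new end date}}, the extensions HR confirmed
    on that day. Returns a log of (day, event, username, detail) tuples.
    """
    log = []
    day = date.fromisoformat(start_iso)
    for _ in range(ndays):
        ext = {u: date.fromisoformat(e) for u, e in hr_feed.get(day.isoformat(), {}).items()}
        reminders, disabled, extended = plan_day(accounts, day, ext)
        iso = day.isoformat()
        log += [(iso, "remind", u, tier) for u, tier in reminders]
        log += [(iso, "disable", u, None) for u in disabled]
        log += [(iso, "extend", u, None) for u in extended]
        day += timedelta(days=1)
    return log


def sample_accounts():
    """Constructed records for the demo; not from any real directory."""
    return [
        Account("contractor.a", date(2024, 6, 1)),    # contract ends today
        Account("temp.b", date(2024, 6, 10)),         # temp, nine days left
        Account("staff.c", date(2024, 12, 31)),       # permanent staff, six-month date
    ]
```

Running `simulate(sample_accounts(), "2024-06-01", 12, {"2024-06-05": {"temp.b": "2025-06-10"}})` shows the contractor disabled on day one, two reminders for the temp, and then the extension stopping the countdown.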
JeffTheNth@reddit
it'll change the day they get burned by someone leaving. When it becomes their headache - or hits the pocketbook - suddenly it'll become an emergency to fix... and of course, it'll then become YOUR emergency. Might I suggest sending an email about it and include the department heads? Then when it happens, you can say "why wasn't it fixed when I brought it up here?" and you can show it shouldn't be rushed.....
SCPaddlePirate@reddit
HR and the head of IT have been informed numerous times. And not just by some internal IT folks but also by an external cybersecurity audit firm. They are fully aware and there is plenty of evidence if there was ever a question about it. Also, I recently retired from there so itâs not my problem anymore. I just feel bad for those who would get stuck with it as they are good, hard workers. Just stuck in a bad environment.
Saint_Dogbert@reddit
Please tell me it's a public university, and thus open records law would apply.
RotationSurgeon@reddit
I feel your pain. I just did my biannual HIPAA training last week… 500+ slides later, I can say: "that would have been expensive."
GreenEggPage@reddit (OP)
HIPAA is one reason I burned out. So glad that I don't have to deal with it any more!
Rainthistle@reddit
As an HR person, I'm a little aghast. They what now? Literally the first thing we do when someone leaves is to lock down their access with our IT guys. Glad you caught it!
anomalous_cowherd@reddit
I worked in IT for a global megacorp for a long time. HR never let us know when people were joining or when they left. I'm glad you do it better!
jdog7249@reddit
I am a teacher but I help with some technology stuff occasionally and enjoy the stories here.
I am no longer affiliated with the district I did my student teaching in. Despite that I still have full access to all the district systems I did when I was student teaching. I am still listed on their district website as a student teacher. Still get the all staff emails from that building. Could log in and change grades and attendance for any student currently in my cooperating teacher's classes.
Only reason I know this is because I was chatting with someone about how disorganized the district tech department was and checked to see if I could still log in.
This could easily be a major FERPA violation. Instead I am just going to sit back and see how long it takes for them to deactivate my account. I won't abuse it (beyond the occasional use of the free canva pro they provide staff).
no_regerts_bob@reddit
This type of thing is more often due to a disorganized HR department. IT can't take action on things it doesn't know about
jdog7249@reddit
HR was actually quite organized from my limited interaction with the district. They properly communicated with the building secretaries and admin staff so they all knew I was starting. They told IT when I was starting. IT then set up my email address and account but then didn't communicate it to me at all. Other student teachers in the district were informed by IT about their account but I wasn't.
HR properly told everyone when my last day was. The secretaries and admin knew. HR said IT was informed. IT just didn't deactivate my account.
Everything involving technology at that district was so disorganized and chaotic that I fully believe the failure here was IT.
no_regerts_bob@reddit
Ok. My experience after 3 decades in IT across many industries is that HR often fails to notify IT when staff is terminated. Or hired for that matter.
faithfulheresy@reddit
Just a warning: even logging in "just to check" is technically unauthorised access and could get you into a world of hurt. I would never recommend that anyone attempts it.
BerkeleyFarmGirl@reddit
You're one of the good ones!
I have absolutely seen similar in my last two jobs.
VernapatorCur@reddit
Nice thing about HR where I'm working now is they're quick to notify us when a termination is coming up. Usually an hour before the meeting, but on one occasion a full week out (I prefer the shorter notice)
Jezbod@reddit
I've found out people have left the organisation when I realise their laptop has not been on the network for a while, as in months.
HR have said nothing.
deeseearr@reddit
That suggests that there are still some people who have left the organization, but still have their laptops on the network.
Jezbod@reddit
Yes and no, they have left, but the laptops have been inactive for some time. That's what draws my attention to them.
Ranger7381@reddit
I walked out (quit) at a job a few years back. Later that evening, out of curiosity, wondering if a certain task had gotten done (force of habit), I tried to log into a third party site. My account was already locked out.
samdiatmh@reddit
depends on the person who does it tbf
I'm half-in-charge of my org's one (as the not-IT-but-they-treat-me-like-it)
with people in the immediate team, they're locked out when I next sign in after their last day,
with people I don't have interactions with (field agents), they can be gone for about a month and I haven't heard about it - I usually have to pester payroll (which I'm not the biggest fan of) to ask "yo, has anyone left recently?"
CriticalMine7886@reddit
Never feel bad locking out the account of someone you know - you are protecting them from the accusation of wrongdoing. You can hand on heart say your friend could not have been accessing company data because their account was disabled.
It's not just the company your actions protect.
deeseearr@reddit
Exactly. I make a point of following contractors around when they have to enter server rooms or anywhere else that they could possibly be accused of causing trouble. It's not that I don't trust them, it's that I want to be able to say "No, they couldn't have possibly done that" when something does go wrong and the powers that be are looking for someone to blame.
Mx_Reese@reddit
HR not informing it when somebody is terminated is unfortunately a pretty common cause for data breaches.
KnightRyder@reddit
We have a system that all HR has to do is term them in their ADP system, then it gets synced over to our active directory. Boom, nothin to do but cleanup when we get free time.
Ahindre@reddit
Is that a HIPAA violation or just theft?
Mx_Reese@reddit
What exactly do you think HIPAA is for if not preventing the unauthorized access of protected patient medical information?
GreenEggPage@reddit (OP)
A HIPAA violation can occur without theft. If I am doing my IT job and notice that you had an appointment at the doctor, it would be a HIPAA violation for me to look at your records (unless the problem specifically required that for troubleshooting/remediation) or for me to even mention to you or anyone else that I knew this information.
Ahindre@reddit
My understanding is that HIPAA is about providers and how they share information. Someone connecting to a network and accessing health records that they shouldn't have access to (in this case because they're not employed there any more) sounds more like straight theft of data to me, but I don't know and that's why I posed it as a question.
deeseearr@reddit
As I understand it the HIPAA violation would be with the organization which provided the data without authorization. Since the person requesting it is also bound by the same rules there may be a separate violation on their part, but every time I try to read the full regulations my brain hurts and sometimes I summon demons from the netherworld by mistake.
Godlesspants@reddit
"Consistent with the Privacy Rule's "minimum necessary" standard limiting uses and disclosures of PHI,^(42) the Security Rule requires a regulated entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate for the user or recipient's role." This would be the portion that would cover needing to deactivate their account.
underground_avenue@reddit
Those aren't exclusive
CaptainPunisher@reddit
No, but the question said "HIPAA violation or JUST theft". I would say that it's an "exclusive OR" here. Generally speaking, though, yes, it could be both.
MoneyTreeFiddy@reddit
It's just premature. He would have access to them when the customer sends them, presumably for a patient still currently under his care. Controls stopped him from getting them via unauthorized access.
SilentRavenUK@reddit
I recently trained our HR person on how to disable or update user accounts whenever someone leaves the company or transfers to a different location. Honestly, she caught on really fast; she's pretty sharp and didn't need much guidance. It's nice working with someone who actually pays attention and learns quickly.
Gnatlet2point0@reddit
I feel you. I work as the scheduler for our tech support team (worked my way up from being the front-line tech support to this semi-almost-management position) and I literally can't tell you how many times I've made schedules and then gotten yelled at because I scheduled a person who had been fired the week before. IT WOULD HELP IF YOU TOLD ME THAT STAFFING HAD CHANGED!!!
Every time I complain about not being told I get a ton of apologies (sincere ones)... and then it happens again, because I love my company but oh my god do we have corporate-wide ADHD...
RogueThneed@reddit
You need to find the actual specific person who handles the info. Not management. Not their supervisor. The actual person. There's a process somewhere that's breaking but mgmt doesn't know it.
snommisnats@reddit
That person was fired last week.
Fake_Cakeday@reddit
No it was last Christmas.
It's been running automagically by putting the terminated person's name and email into a new row in an excel sheet on the network share.
The network share is a "proxy" link to another fired coworker's OneDrive that has given share access to everyone.
RatherGoodDog@reddit
Kill me now.
coyote_of_the_month@reddit
You just know if the practice got sued, they'd try to blame you for it, too.
Harry_Smutter@reddit
Ours is automated via our EIS via HR. It used to be manual and we'd find out sometimes months later that an employee is no longer with us.
Filosifee@reddit
Wow that's wild. Not surprising, but still wild
NotYourNanny@reddit
I trained our HR person on how to disable (or update) certain accounts when someone leaves (or changes location). But we have a pretty smart HR person.