How do I prevent change in access to my computer with a new server?
January 22, 2008 1:30 PM

My computer at work is being changed to a new server - I'm concerned about tracking of information and lack of access.

I work in a private clinic and we just moved to Electronic Medical Records, which requires enhanced security, etc. All the doctors log in through an A4 application to the server when we need to access the EMR program. Otherwise, we all have separate, private passwords and our desktop files are not accessible by anyone else.

Right now, I have a login to a standard Windows XP Pro screen for my computer and I log in under my name and my own password. With this new server, they will be changing my login screen so I would have to do a Ctrl-alt-delete and use a given password (which I won't be authorized to change).

Of concern is my privacy - patient notes (not part of new Electronic Medical Record), private files that no one has access to, and tracking my internet usage, etc.

Is there any way to circumvent this system before the IT guy comes and makes this change? If so, what can I do now to preserve the standard login screen, desktop and ability to change passwords to my own computer?

Anonymous because this is work-related, so any questions can be sent to:

posted by anonymous to Computers & Internet (8 answers total)
I would strongly recommend against attempting to trick the IT guys. Not an insult, merely a statement of fact, you don't seem technically savvy enough to safely avoid them detecting what you're doing, and it would almost certainly get you fired if you were caught. In fact, I'd wager IT would view your attempt to circumvent as worse than any websurfing you're actually doing at work that you're ashamed of. Never mind the legal liability you're asking to take on by deliberately trying to avoid the legal HIPAA requirements for security.
Bad idea.
If you really want a private computer, you need to buy one of your own.
posted by nomisxid at 1:49 PM on January 22, 2008

I'm guessing here that the computer at work belongs to your employer? If it is not your computer it is their computer and you should not expect any privacy rights. My best suggestion would be to pull all your personal stuff off now and cease doing anything that you do not want nor could not defend to your employer.
posted by malter51 at 1:50 PM on January 22, 2008

Of concern is my privacy - patient notes (not part of new Electronic Medical Record), private files that no one has access to, and tracking my internet usage, etc.

The odds are good that you are being naive in thinking "no one has access to" these things.

Anyone with physical access to the computer, now or in the past, or anyone who has ever been trusted to install software (including all the way back to whoever installed the OS) has already got everything they need. They have no use or need for your password.

"Patient notes" sounds like a clinic-wide issue, so on that one challenge the plan. "How will the confidentiality of patient notes be maintained?" is a good, honest question.

On the rest... you're asking for security of a system that you do not control. Impossible.

Maybe we are misunderstanding the situation, but it sounds like you are asking "How can I hide my personal things on someone else's business computer?"
posted by rokusan at 2:13 PM on January 22, 2008

Before IT gets there, clean any personal stuff off the pc. Zip it up and mail it to yourself, or whatever. Things that you do to circumvent the iron fist of IT may inadvertently allow others into your pc. I'm in IT, and someone created a local account with a weak password, and ran Remote Desktop. Next thing, hackers from other lands are merrily using the machine to send gobs of spam and malware. Circumventing IT on a pc that is intended to be secured & private may be a violation of policy, resulting in getting fired.

Instead, call IT, explain that you feel crappy about not even being able to choose your password, are worried about your privacy, and have a dialog.
posted by theora55 at 2:17 PM on January 22, 2008

I could be wrong, but with the lack of using Ctrl+Alt+Del in the past, it sounds like you were on a workgroup model and are now migrating to a domain model. The entire purpose of being part of a domain is centralized everything and they can maintain your computer from afar. It also makes IT's job helluva lot easier.
About the only way around this is to create a local account and as theora55 mentions. Or load on there a copy of Linux. Bad news when IT finds out.

Of concern is my privacy - patient notes (not part of new Electronic Medical Record), private files that no one has access to, and tracking my internet usage, etc.

What rokusan said. Regarding personal information on XP (such as stuff you save to My Documents), an administrator can access the files regardless unless you password protect your files.
As an IT admin, I would not allow any computers on the network I cannot have access to. That doesn't necessarily mean logging in under your username (I don't keep track of user passwords anyways), but at least as an administrator account.

Regarding Internet usage, I doubt they're recording it directly from your PC but rather through the server and/or firewall. About the only way around that is a proxy. Another bad idea if the IT people find out.

Really, just about every option will purposely circumvent protocols set up by IT and can lead to bad results.
posted by jmd82 at 2:47 PM on January 22, 2008

I second that you're moving from a workgroup model to an Active Directory one. I think you should really address this concern with your IT department, as it might very well be a better situation than you're envisioning.

When you move a PC into an AD environment that's properly set up and managed, it protects your privacy even more with the use of GPOs (Group Policy Objects) to ensure that your PC is running healthy.

In a workgroup environment, even though you may think that passwords secure the machine, you're probably not taking into account the scope of privileges other users could have on that PC once logged in (even as a Power User).

I would write an e-mail to their helpdesk or department contacts, simply stating your concern and inquiring how the new system could help address them. I think you'll be surprised how helpful the change could be (if it is a well run IT department it should be ok).

As for your passwords, inquire if you could change the supplied one the same day of distribution (this can then be done by pressing ctrl-alt-delete while logged in and selecting "change password" to make it something only you will know). After that, there may be a password policy that could have restrictions (again, this is with security in mind).

The only caveat is that your IT department's network administrator (Domain Admin) will have full rights to any PC connected to the servers. It's very likely however that the only concern is making sure the network is healthy. Regardless of being in a workgroup or domain, you should not assume that one is more "private" than the other. It's very easy to watch network activity on a subnet...or even log into a machine remotely if there is a local admin account. Think of this as being more in your best interests, rather than as a bad change.
posted by samsara at 3:19 PM on January 22, 2008

As "samsara" states... (assuming your IT dept is competent).. moving to a domain-model security is actually better (more secure) than a workgroup model.

Although it sounds like your management is being a little anal (not allowing you to change your own password is IMHO kind of lame).. but they might have company-wide reasons to be implementing those policies.

There are 2 ways you could get around it.

1.) do your own thing.. attempting to subvert the security. Not a wise idea. IT and/or management will find out at some point and then you look like the bad guy.

2.) Explain your needs to management/IT ... if you have an actual legitimate case for special configuration on your computer's files, then I would hope they would accommodate your needs.

In all the businesses I've contracted to do domain-switchovers.. there were always lots of people upset about the change and fearful of the new security changes. If your IT dept is worth its salt - it would have prepared a live video training or some sort of printout/email explaining WHY the changes are being made and WHY it's a positive thing (assuming it is).
posted by jmnugent at 4:58 PM on January 22, 2008

We just did this where I work. The whole point of this kind of change is to better manage and keep track of what's on the machines. I would imagine that a medical records office absolutely must be able to control all documents and correspondence and the like being created and distributed on their machines, for liability reasons. Being part of a domain also allows for a much easier and secure system for sharing information, which would also be very beneficial in this case.

In any case, as people have said above, it's not your computer, and you shouldn't expect any amount of privacy when using it. Your IT department has been tasked to make sure that the sensitive information stored on the network is secure, and it will take whatever measures needed to do that, including locking down and tracking usage. Depending on how IT goes about this, you might still be able to log in to your old account off the domain, but probably not.

I would suggest that you just assume that from now on you are being watched.
posted by tjvis at 11:10 AM on January 23, 2008
