If I were you I would document your conversation with him. Save the email. Might need an "I told you so" or perhaps an "I told him so". For CYA. Also, based on information from your profile, he might find the HIPAA rules pertinent: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
STANDARD § 164.312(a)(1) Access Control
The Security Rule defines access in § 164.304 as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.
Even personnel who do need admin privileges should use a non-privileged account whenever possible, and the privileged account whenever necessary.
Thank you d09h! I really appreciate it. This is exactly what I needed.
Happy to help s-bolyard. With such a cavalier attitude toward security, you may find that your boss has issues on other fronts. You wouldn't want to be the next ransomware victim. Maybe you can get a security assessment done somehow to show where work is needed.