I’m presently a member of a healthcare records team that is sorely understaffed and has an incredibly low bus factor, with only two people with the majority of system knowledge: myself – allocated temporarily, and a consultant – also allocated temporarily. As a result, I’m aware the system must be documented or face clinical risk.
Why it’s being documented
There is an incredible amount of system sprawl, complex processes with very little documentation, and I’ve taken it upon myself to start documenting the internal systems (including IPs, ports and database names, but no usernames, passwords or personally identifiable information) on an internal Wiki which the entire organisation can view (which, if kept behind a username/password, might be lost in the event of either or both of us leaving).
The consultant has reasonably raised that they are not comfortable with the idea of IPs and ports for databases etc. being found in a central location accessible by the entire organisation.
Whilst I acknowledge that could be useful information for an attacker, my counter-argument is that a simple IP and port scan would reveal the same information (if not more), that no usernames or passwords are included on the Wiki, and that if they can get in with an IP/port, then that process wasn’t secure to begin with.
My greater concern, on balance of best interests, is to document the system in a transparent manner such that the organisation is able to train replacements, which otherwise, if left undocumented, could become an unmaintainable mess and cause all sorts of clinical risks and issues.
Is the approach I’m using for the current situation the correct approach security-wise, or is there a better way of handling it?
[It’s worth noting this organisation has no coherent, usable system of documentation of available skills, knowledge etc., with similar situations in other departments, and I’m trying to encourage an organisation-wide adoption of a Wiki to help mitigate this problem.]