I need a technical reality check here.
I am currently under direction to set up some interaction with a service that provides automated appointment reminders by phone. The information I'm to share with these people is HIPAA-protected information.
The setup process has been rocky: first the technician I'm working with didn't seem to understand the difference between FTP and SFTP, then he - after giving me my login information to their SFTP server by phone - did me the courtesy of e-mailing the password to me. Great.
So today I'm getting into their management interface website for the first time. It's IE-only, but whatever. It needs an ActiveX control to display properly. Okay, fine. The ActiveX auto-downloader doesn't work, so the technician directs me to a downloadable EXE that installs the necessary components. My hackles go up, but it's a secure site so I fetch it. I ran the thing and it's unsigned, but again it came from an https site and that's not so uncommon, so I continue.
But the damn thing is trying to change some DLLs and/or OCX files in use by my Practice Management application... something far more critical than this reminder service. And what the hell is a website doing messing with DLL and OCX files, anyway?
When's the last time y'all interacted with a website that requires messing around on the DLL/OCX level of your Windows system?
I do not trust these people. Every IT instinct I have tells me that if I use this service, I am going to end up reading about my own HIPAA data loss in the paper. Am I just being too paranoid, or does it seem like there's really something wrong here?