
Comment Re:In my corporate environment.... (Score 1) 1307

Fine - IT is reasonably concerned that a vulnerability in my setup is a hole into the network. Patient information is on other networks and machines, and above my pay-grade to make sure it is compliant with policies and security is kept up to date. I would just like to point out:

1. There are more low-hanging fruit for security holes, such as all the unpatched Windows XP machines at the nurses' stations.
2. How is giving the IT tech a non-root account onto my OpenBSD machine going to work - is he really going to know how to probe it from the command line? If he wants to control (shut down) my machine - wouldn't he need root or sudo? (Truth be told - my suspicion was that he just wants to learn how I did it, so he can implement it for other depts and look the hero.)

Lastly - your point about when I leave - please leave that to some other post/question - it's off-point. If I left, my colleagues would know better than to expect IT to take over the server of Dr "Dorian".

Comment Re:In my corporate environment.... (Score 2) 1307

Okay - original poster here. To clear up some issues:

1. I assure you - I'm not a troll - though the name is obviously fake. Real honest question.
2. Having servers on the network is not unprecedented. It is a medical school. Several labs have UNIX (even old Solaris machines) in their lab, that they have websites on. A simple email request to IT allowed ports 80 and 443 to be unblocked.
3. HIPAA - very important. But no patient information will be on this machine. Only "May 7-8: on-call Dr X".
4. I'm perplexed by the paradox of half the people being up in arms about HIPAA, but many posters simply advocating Google calendars. Make up your mind - it could be super-sensitive but we should let it be on the cloud?

Submission + - Do I give IT a login on our Dept server? (slashdot.org) 7

jddorian writes: I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (dozen or so) want to switch from paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT dept doesn't offer any iPhone compatible calendar tool, so I bought (my cash) a tiny server, installed a BSD, OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though "I don't need root access"). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?
