Is Win2k + SP3 HIPAA Compliant?
Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?
Waiting for clear definition (Score:5, Informative)
This is one of those standards that has yet to be clearly defined.
Re:What a waste of time (Score:3, Informative)
Additional thoughts:
Use a firewall to block all traffic into and out of your network, and make the machines inside use proxy servers (for http) and relays (for smtp) to access the internet. In other words, disallow all traffic that is not explicitly permitted. Log what goes through the proxies and relays, and log attempts at initiation of direct outgoing traffic.
Easy solution really... (Score:4, Informative)
Instead you have a server running SUS, aka Software Update Services [microsoft.com]. It solves the problem of Microsoft accessing your workstations as you deploy the fixes from a central server of your choosing. This is what Microsoft recommends us to use; I spoke a few weeks ago with the Product Manager for the Finnish division and he recommended this.
"How to defang Win2k SP3's auto updating" (Score:4, Informative)
Basically it teaches how to deactivate this backdoor M$ is installing in every win2k box.
Now, the original submitter could really consider an alternative.
If you don't like free (as in freedom) open source tools, why not a Solaris box with Oracle to keep the data? Or an AIX with DB2? Or PostgreSQL?
Do you REALLY need win2k????
MS Windows EULA not HIPAA compliant (Score:1, Informative)
Anyone care to argue/agree?
Re:Waiting for clear definition (Score:5, Informative)
Here's a couple of Linux Medical Sites (Score:5, Informative)
http://www.euspirit.org/ [euspirit.org]
A few thoughts (Score:3, Informative)
- Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one).
- Ideally, the server with your HIPAA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPAA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., ones outside your LAN/WAN), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPAA guidelines provide for this sort of thing, though.
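The egress posture the two comments above describe (block everything by default, let only the HTTP proxy and SMTP relay reach out, log attempts at direct outbound connections, keep workstations and the records server off the outside world) can be checked against the firewall's own logs. The script below is an added example, not code from either commenter: the one-line log format, the 10.0.0.0/8 internal network, and the proxy (10.0.0.5) and relay (10.0.0.6) addresses are constructed assumptions. It classifies each flow and separates two things a defender cares about: direct outbound attempts the firewall blocked (the default-deny rule working, and worth alerting on) and direct outbound flows the firewall accepted (a gap in the rule set).

```python
"""Egress-policy audit over constructed firewall log lines.

Added example, not from the original thread. Log format, addresses and
the allowed-egress table are assumptions made for this demonstration.
"""
import ipaddress
from collections import Counter

# Constructed topology: one internal network, and exactly two hosts that are
# permitted to initiate outbound connections, each on a fixed set of ports.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EGRESS_ALLOWED = {
    "10.0.0.5": {80, 443},  # hypothetical HTTP proxy
    "10.0.0.6": {25},       # hypothetical SMTP relay
}

# Constructed firewall log: "<time> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2002-08-20T10:00:01 10.0.1.20 10.0.0.5 3128 ACCEPT
2002-08-20T10:00:02 10.0.0.5 198.51.100.10 80 ACCEPT
2002-08-20T10:00:03 10.0.1.21 198.51.100.10 80 DENY
2002-08-20T10:00:04 10.0.1.21 198.51.100.10 443 DENY
2002-08-20T10:00:05 10.0.0.6 203.0.113.25 25 ACCEPT
2002-08-20T10:00:06 10.0.1.30 203.0.113.25 25 DENY
2002-08-20T10:00:07 10.0.1.40 198.51.100.20 80 ACCEPT
2002-08-20T10:00:08 192.0.2.9 10.0.1.20 135 DENY
"""


def parse_line(line):
    """Split one log line into typed fields."""
    time, src, dst, dport, action = line.split()
    return {
        "time": time,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "action": action,
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(entry):
    """Label a flow relative to the default-deny egress policy."""
    src_in, dst_in = is_internal(entry["src"]), is_internal(entry["dst"])
    if src_in and dst_in:
        return "internal"          # workstation -> proxy/relay, never leaves
    if not src_in:
        return "inbound"           # outside -> inside; handled by the inbound policy
    allowed = EGRESS_ALLOWED.get(str(entry["src"]))
    if allowed is not None and entry["dport"] in allowed:
        return "proxied-egress"    # the sanctioned path out
    if entry["action"] == "ACCEPT":
        return "policy-gap"        # direct outbound got through: rule set is not default-deny
    return "blocked-direct"        # default-deny worked; log and alert on the source host


def audit(log_text):
    """Return per-class counts and the list of flows that need attention."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        kind = classify(entry)
        counts[kind] += 1
        if kind in ("policy-gap", "blocked-direct"):
            findings.append((kind, str(entry["src"]), str(entry["dst"]), entry["dport"]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:15s} {n}")
    for kind, src, dst, dport in findings:
        print(f"{kind}: {src} -> {dst}:{dport}")
```

A "policy-gap" result means a host other than the proxy or relay (or the proxy itself on an unexpected port) was allowed out, which is the first thing to fix; "blocked-direct" results are the expected noise from workstations trying to go straight to the internet, and a run of them from one host is what the logging advice in the comment is meant to surface.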
Re:Morons, Idiots, and Fools...Oh My! (Score:3, Informative)
If so, I guess I would be a bit slower to call other people "morons & idiots". Because the fundamental problem is in the EULA, not in the service packs or download mechanism. One could take all the steps you have described and (potentially) still be in violation of the privacy statutes, since by agreeing to the EULA you have agreed to allow Microsoft access to your systems under circumstances controlled only by Microsoft.
sPh
Check Out MSHUG.ORG or HL7 (Score:5, Informative)
They strictly adhere to all governmental regulations for healthcare records including EDI and storing of sensitive medical records.
The medical industry is a huge economic buyer in the hardware and software industry and MS based vendors have always been in strict compliance with government standards.
1. Check to see if your software is HL7 (health care 7). HL7 is a protocol for formatting, transmitting and receiving data in a healthcare environment.
2. Ask your vendor how they store the medical records; is it HL7 compliant? I think you guys have a homegrown product? IF your product is home grown it doesn't apply to the governmental standard for handling medical data, the EULA is the least of your worries.
3. IF the product is home grown. Cover your ass.
MSHUG is Microsoft centric but a good start for you.
I did medical software for ten years and dealt with all these issues long ago. Your vendor should be able to point you in the right direction. BUT IF YOUR SOFTWARE CAME FROM A VAR, DON'T ASK HIM, CALL THE ACTUAL HOME COMPANY! The developers will give you more of a straight answer than the VAR.
PUTO
Re:Easy solution really... (Score:5, Informative)
Q. Does SUS support Service Packs?
A. No, it is not possible to use SUS to deploy Service Packs.
Re:Here's a couple of Linux Medical Sites (Score:3, Informative)
Re:MS Windows EULA not HIPAA compliant (Score:4, Informative)
It doesn't matter if Windows systems are a monopoly, and everyone has them. They will find everyone they audit to be out of compliance. Auditors are looking for a score; they don't give a shit about your ability to do business.
BTW: This EULA also is not FDA Part 11 compliant either. Locked down systems would need to be revalidated after any and all autoupdates.
Re:Morons, Idiots, and Fools...Oh My! (Score:3, Informative)
That said, I'm almost certain that Win2k, with or without a service pack, will be HIPAA compliant since many, many medical and scientific organizations use it for their main operating system, and coordinating an upgrade to something else in the next 7 months would be near impossible. We really don't have much of a choice in what OS to use, though, since if all the programs we need are only available in Win32 versions, that's what we'll use.
Get More Than Just a Lawyer (Score:5, Informative)
It sounds like you have multiple areas to look at -- your data storage, your data transmission (you aren't just creating those medical records from thin air, are you?), your partner companies, and how you handle the Patient Identifying Health Information on the desktop. Not to mention that your company should have been preparing for this for QUITE some time now.
First, you'll need to make sure that your data storage, transmission and handling (includes handing paper copies around), and desktop security are all compliant. Next you'll find that you are also responsible for making sure that any business partner companies are compliant. This task basically means getting your partner companies to sign "HIPAA Business Partner Agreement" contracts that means the partner company states that they are contractually obligated to handle any patient data of yours in a means that is also HIPAA compliant.
Finally, and most important of all, you'll need to be able to document all of the above, in a form that the government inspectors can easily use to check your compliance. Yay.
Get yer HIPAA-lovin' lawyers on the stick as fast as you can, and file for any extensions that may apply. You will need a complete inventory of any and all computing infrastructure (servers, workstations, network, and software) that touches identifying patient medical data. You will need to have this inventory so your CIO, lawyers, computer security experts and your HIPAA remediation consultants can check the compliance of everything on the list. Anything failing compliance, you'll need to fix or replace.
One last thing: you are also responsible for making sure that the source of your medical data is asking permission to use that medical data, and is asking that permission in a way that is compliant.
I hope this provides you with a decent starting point. Good luck, you have a hard task ahead of you.
The Actual EULA Reproduced Here (Score:2, Informative)
Well, fight FUD with facts I say, so I downloaded SP3 and here's the actual supplemental EULA. Note bulleted point #3...it does not begin with the same "If you choose..." qualifier as point #2. I'll leave it to the legal scholars and armchair lawyers to talmudically wrangle over what sort of privacy violation is inherent in allowing "OS product" version checking and update installation. I know nothing about HIPAA.
And as for the "Severability" clause the parent post refers to...Not there. So, I've never been clear, do I get Dollars or Donuts for winning the bet?
Long-ass EULA follows:
SUPPLEMENTAL END USER LICENSE AGREEMENT FOR MICROSOFT SOFTWARE

IMPORTANT: READ CAREFULLY - These Microsoft Corporation ("Microsoft") operating system components, including any "online" or electronic documentation ("OS Components") are subject to the terms and conditions of the agreement under which you have licensed the applicable Microsoft operating system product described below (each an "End User License Agreement" or "EULA") and the terms and conditions of this Supplemental EULA.

BY INSTALLING, COPYING OR OTHERWISE USING THE OS COMPONENTS, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THE APPLICABLE OS PRODUCT EULA AND THIS SUPPLEMENTAL EULA. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, DO NOT INSTALL, COPY OR USE THE OS COMPONENTS.

NOTE: IF YOU DO NOT HAVE A VALID EULA FOR MICROSOFT WINDOWS 2000 PROFESSIONAL, WINDOWS 2000 SERVER, WINDOWS 2000 ADVANCED SERVER, OR WINDOWS 2000 DATACENTER SERVER (each an "OS Product"), YOU ARE NOT AUTHORIZED TO INSTALL, COPY OR OTHERWISE USE THE OS COMPONENTS AND YOU HAVE NO RIGHTS UNDER THIS SUPPLEMENTAL EULA.

Capitalized terms used in this Supplemental EULA and not otherwise defined herein shall have the meanings assigned to them in the applicable OS Product EULA.

General. The OS Components are provided to you by Microsoft to update, supplement, or replace existing functionality of the applicable OS Product. Microsoft grants you a license to use the OS Components under the same terms and conditions of the OS Product EULA for the applicable OS Product (which are hereby incorporated by reference except as otherwise set forth below) and the terms and conditions set forth in this Supplemental EULA, provided that you comply with all such terms and conditions. To the extent that any terms in this Supplemental EULA conflict with terms in the applicable OS Product EULA, the terms of this Supplemental EULA control solely with respect to the OS Components.

Additional Rights and Limitations.

* With respect to the OS Components only, if the licensor of the applicable OS Product was an entity other than Microsoft, then for the purposes of this Supplemental EULA Microsoft will be the licensor with respect to such OS Components in lieu of the "Manufacturer" or other entity and support, if any, for such OS Components shall not be provided by Manufacturer. With respect to the existing functionality contained in the applicable OS Product which is not updated, supplemented, or replaced by the OS Components, the EULA for the OS Product shall remain in full force and effect as to that OS Product.

* If you choose to utilize the update features within the OS Product or OS Components, it is necessary to use certain computer system, hardware, and software information to implement the features. By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.

* The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

* If you have multiple validly licensed copies of the applicable OS Product(s), you may reproduce, install and use one copy of the OS Components as part of such applicable OS Product(s) on all of your computers running validly licensed copies of the OS Product(s) provided that you use such additional copies of the OS Components in accordance with the terms and conditions above. Microsoft, its subsidiaries and/or suppliers retain all right, title and interest in and to the OS Components. All rights not expressly granted are reserved by Microsoft, its subsidiaries and/or suppliers.

IF THE APPLICABLE OS PRODUCT WAS LICENSED TO YOU BY MICROSOFT OR ANY OF ITS WHOLLY OWNED SUBSIDIARIES, THE LIMITED WARRANTY (IF ANY) INCLUDED IN THE APPLICABLE OS PRODUCT EULA APPLIES TO THE OS COMPONENTS PROVIDED THE OS COMPONENTS HAVE BEEN LICENSED BY YOU WITHIN THE TERM OF THE LIMITED WARRANTY IN THE APPLICABLE OS PRODUCT EULA. HOWEVER, THIS SUPPLEMENTAL EULA DOES NOT EXTEND THE TIME PERIOD FOR WHICH THE LIMITED WARRANTY IS PROVIDED.

IF THE APPLICABLE OS PRODUCT WAS LICENSED TO YOU BY AN ENTITY OTHER THAN MICROSOFT OR ANY OF ITS WHOLLY OWNED SUBSIDIARIES, MICROSOFT DISCLAIMS ALL WARRANTIES WITH RESPECT TO THE OS COMPONENTS AS FOLLOWS:

DISCLAIMER OF WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS PROVIDE TO YOU THE OS COMPONENTS, AND ANY (IF ANY) SUPPORT SERVICES RELATED TO THE OS COMPONENTS ("SUPPORT SERVICES") AS IS AND WITH ALL FAULTS; AND MICROSOFT AND ITS SUPPLIERS HEREBY DISCLAIM WITH RESPECT TO THE OS COMPONENTS AND SUPPORT SERVICES ALL WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) WARRANTIES OR CONDITIONS OF OR RELATED TO: TITLE, NON-INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, LACK OF VIRUSES, ACCURACY OR COMPLETENESS OF RESPONSES, RESULTS, LACK OF NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT, QUIET ENJOYMENT, QUIET POSSESSION, AND CORRESPONDENCE TO DESCRIPTION. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE OS COMPONENTS AND ANY SUPPORT SERVICES REMAINS WITH YOU.

EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR: LOSS OF PROFITS, LOSS OF CONFIDENTIAL OR OTHER INFORMATION, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY DUTY (INCLUDING OF GOOD FAITH OR OF REASONABLE CARE), NEGLIGENCE, AND ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE OS COMPONENTS OR THE SUPPORT SERVICES, OR THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS SUPPLEMENTAL EULA, EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

LIMITATION OF LIABILITY AND REMEDIES. NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED ABOVE AND ALL DIRECT OR GENERAL DAMAGES), THE ENTIRE LIABILITY OF MICROSOFT AND ANY OF ITS SUPPLIERS UNDER ANY PROVISION OF THIS SUPPLEMENTAL EULA AND YOUR EXCLUSIVE REMEDY FOR ALL OF THE FOREGOING SHALL BE LIMITED TO THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR THE OS COMPONENTS OR U.S.$5.00. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.
Re:"How to defang Win2k SP3's auto updating" (Score:3, Informative)
Re:Easy solution really... (Score:4, Informative)
A. No, it is not possible to use SUS to deploy Service Packs.
Yes, but that's not the point of SUS; if you wish to deploy a service pack to a Windows 2000 domain, you push it out via an Active Directory published package.
On a side note, I have realized a lot of people here don't realize the amount of control an administrator has with Active Directory. I suggest some of you read up on that.
The sound of your bubble bursting. (Score:1, Informative)
Read the next paragraph that ISN'T concerned with auto-updates.
The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
Again, this is a separate line item.
It is not concerned with Auto-update.
It is not concerned with Auto-update.
It is not concerned with Auto-update.
ya dig it? I knew ya could!
Re:What a waste of time (Score:3, Informative)
Although MS engineers are not really well-known for implementing clever and working solutions, I fear that they might have come up with a similar or even more advanced technique of establishing a "stealth" connection.
A corporate firewall/packet filter with some sort of IDS enabled and all MS IPs blocked _might_ work if used in conjunction with an application firewall on each individual machine. On the other hand it might trade in too much flexibility for security. If the individual machine depends on http availability you're pretty much lost. You can piggyback/tunnel basically anything through that. Disabling IE and using Netscape might put a hold to that.
But there ain't no verification of that unless someone can produce the w2k sources... And if someone does MS will have a patch ready and automatically deployed in RECORD time...
Attorney's Take (Score:4, Informative)
Reasonable Assurances... The writer who states that the covered entity need only take reasonable precautions. What is or is not reasonable depends on too many factors. I happen to think that if you disable the feature, that action seems pretty reasonable. I, for one, am not worried about the EULA. I'm more worried about things like password protection, access to the file room and the like.
Illegal Contracts... As someone else correctly states, contracts that are contrary to law cannot be enforced (at least the illegal provision).
Covered entities... Chris, who wrote the original message, may not need to worry about HIPAA. HIPAA covers mostly medical providers and insurance companies. It also covers self-insured companies and the like, but I don't think it covers loan applications. Of course, Chris could be a business associate of a covered entity.
Business associates... A covered entity must obtain satisfactory assurances from its business associates (accountants, lawyers, billing companies) that the health information is protected. As someone correctly notes, that requires an agreement known as a business associate agreement/contract.
As a side note, I've begun to draft an article about what HIPAA requires... the language in the law actually asks the covered entity to make sure that they have "satisfactory assurances" that the business associate safeguards personal health information ("PHI", although some call it "individually identifiable health information").
The *FURTHER* legal requirements (Score:3, Informative)
From the mouth of Microsoft:
Replacement, Modification and Upgrade of the Software: Microsoft reserves the right to replace, modify or upgrade the SOFTWARE at any time by offering you a replacement or modified version of the SOFTWARE or such upgrade and to charge for such replacement, modification or upgrade. Any such replacement or modified software code or upgrade to the SOFTWARE offered to you by Microsoft shall be considered part of the SOFTWARE and subject to the terms of this EULA (unless this EULA is superceded by a further EULA accompanying such replacement or modified version of or upgrade to the SOFTWARE). In the event that Microsoft offers a replacement or modified version of or any upgrade to the SOFTWARE, (a) your continued use of the SOFTWARE is conditioned on your acceptance of such replacement or modified version of or upgrade to the SOFTWARE and any accompanying superceding EULA and (b) in the case of the replacement or modified SOFTWARE, your use of all prior versions of the SOFTWARE is terminated.
Re:Easy solution really... (Score:3, Informative)
Yes, but that's not the point of SUS; if you wish to deploy a service pack to a Windows 2000 domain, you push it out via an Active Directory published package.
Yeah, you're supposed to use AD to install all the great hotfix MSI's that Microsoft provides.
What? You mean they don't actually provide .msi format hotfixes? So, essentially, if I want to actually USE the feature the way they're advertising it, I need to repackage the hotfix or manually create a .zap [microsoft.com] file to make it work?
I guess there's no real rush. I mean, hey, how much can security possibly matter?
Active Directory, was Re:Easy solution really... (Score:2, Informative)
Yes, but do you know at what price?
AD on W2K has been known to be unable to scale gracefully on very large networks. And NO fix for that issue EVER is going to be issued - you'll have to "upgrade" to
Then of course various reliability problems and quirks, etc.
NDS is much more reliable, and coupled with ZENworks now you really are in control.
Of course, if you want even better control and *cough* ROI, invest in a *nix environment instead.