Is Win2k + SP3 HIPAA Compliant? 489
Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA
compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?
Comment removed (Score:2, Insightful)
HIPAA Compliance (Score:4, Insightful)
Besides, would you really want to take legal advice from a group of people who are known to mistake duct tape and baling wire for building materials?
Problem is EULA not SP (Score:5, Insightful)
The problem is not the service pack or the auto-downloader, which can be disabled. The problem is with the EULA itself, where Microsoft reserves for itself the right to access your system at any time. Installing the service pack off-line still requires acceptance of the EULA.
sPh
Re:"How to defang Win2k SP3's auto updating" (Score:3, Insightful)
Submit a request to HIPAA not /. (Score:5, Insightful)
Be certain your lawyer understands he should ask for an exemption until this is clarified. (This will prevent them from sitting on it for two years and then you getting in trouble later.)
Later when HIPAA says it is okay to do "X" and you find MS (or anyone with such an EULA) has absorbed records, your company is in the clear. Do not presume you can later claim a technical solution that was "just as good as..."
This is an issue for your lawyer(s) to resolve, not Slashdot.
Read the EULA. (Score:3, Insightful)
Contracts aren't allowed to violate the law. A contract to kill someone isn't legally binding, because murder is illegal. If Microsoft wants to claim they get remote access at will to your boxes, then you get to say "neener neener neener, no you don't, under HIPAA I'm forbidden from allowing you that access".
The proper Microsoft response? "Oh. Well, we're sorry about that. All the other clauses of the EULA stick, though."
So go ahead, get Windows SP3, and then figure out some way to disable remote-root.
Oh, and one more thing--
FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!
(Sorry, just had to get that knee-jerk reaction out of my system.)
Remember this? (Score:3, Insightful)
"Nobody ever got sacked for buying IBM"
If you're just worrying about covering your behind, extent to "Nobody ever got sacked for buying Microsoft" and then to "Nobody ever got sacked for clicking through default Microsoft licenses."
I actually think that people should get sacked for doing this if they compromise their business for the sake of avoiding raising a thorny issue, but it's not going to happen in our lifetime.
Don't forget about MSN Messenger (Score:3, Insightful)
Having said that, if either of these two represents your biggest problems, then you're probably safe for a while. I don't understand what you're trying to accomplish by asking Slashdot - maybe you should try checking with your MS rep first to at least get the company line. MS is wild about HIPAA - they produce a lot of BizTalk stuff for hospital EDI needs.
Re:HIPAA Compliance (Score:5, Insightful)
However, when seeking assistance from a lawyer (or any similar professional) it is best to have a basic understanding of what is going on, and what you need, before you set up a meeting. You will get a lot more accomplished that way.
Similarily, lawyers aren't born knowing everything (even though they try to foster that impression!). If your hospital's legal dept. primarily handles malpractice and billing cases, and you bring an intellectual property / EULA problem to them, they are also going to have to do some research to get up to speed. Being able to provide background helps here too.
sPh
How will a firewall help... (Score:4, Insightful)
(Unless, of course, you want to cut off MS's websites from your browsers as well.)
Note that disabling auto-updating is a technical solution that assumes that MS won't ignore that setting for any updates that it consideres to be "really critical", either to your security, or to MS's business needs.
Re:What a waste of time (Score:4, Insightful)
Ah, but they are preventing users of pirated activation codes and Warez copies of XP from accessing the Windows Update site aren't they? Wouldn't that also preclude gaining access to the DRM "upgrade"?
All of a sudden that Windows XP .ISO and keygen I spotted on P2P seems a lot more appealing... ;)
Re:Time for your company to dump microsoft. (Score:3, Insightful)
Elitist IT Moron: We have decided that Microsoft products are no good, and we're going to switch all of our operations to Linux-based solutions.
Docs: Well, OK, just as long as we can still get our work done. Will we still be able to send our grant applications and other records to the various governmental agencies, other hospitals, and such without and problems?
Elitist IT Moron: Well you'll be using this open source word processing program that is designed to be compatible with Word, but there is a chance that some places won't be able to view it properly, or it will look slightly different. Medical companies aren't sticklers for complete and total accuracy, are they?
Docs: What about these hundreds of legacy DOS and Windows applications that do one thing for us, but do it incredibly well, that we absolutely have to have? Will they still run?
Elitist IT Moron: Umm...No. But there may be 0.85 pre-beta versions of comperable apps up at SourceForge we could try! Or we could maybe try Wine and see if we can get a few of them to work.
Docs: So basically you're telling us that by switching to Linux, we won't be able to properly communicate with the people we need to, and we won't be able to use the applications we need to.
Elitist IT Moron: Uhh....W1nd0ze suxxor?
Re:How will a firewall help... (Score:3, Insightful)
1. Firewall. FIREWALL.
This does not address my point that permitted protocols may be used to do the job.
2. Auto-update uses a service called "BITTS". Disable that. Auto-update offers a way to disable it. IF you dont trust it, shut it off and hitch the box to a packet sniffer. Prove to us and the world that its not actually off. You'd be a hero. But of course that's not going to happen.
I wasn't suggesting that MS was likely to do this. Rather, that they'd be ALLOWED to do this, because you gave them permission when you clicked-through the EULA
3. On a LAN of any size, use SUS from MS to distribute your patches[...]
Yes but you're missing the point. Even if you do that, you've already given MS permission to update through any backdoor mechanism they like.
Re:Submit a request to HIPAA not /. (Score:2, Insightful)
Say it with me now: Health Insurance Portability and Accountability Act.
Re:A few thoughts (I agree, but...) (Score:3, Insightful)
I agree with what you are saying, but I feel that these questions need to be asked. Well, they shouldn't need to be asked, because MS shouldn't be doing what they are doing, but I digress.
I work for a very large company and we are implementing HIPAA into our software now. We do all kinds of software for hospitals. The reason I think that this issue needs to be brought up is because most people don't even think about the holes that MS creates. I asked a very similar question to our director of operations a while ago, and he said basically that if the hospitals don't have firewalls, then they have bigger problems. While this may be true, I still think it is good to ask the question, so that people are aware of the "Microsoft issue". The people who maintain the firewall need to know about the autoupdate, so that they can block it at the firewall. They need to know about these vulnerabilitites, so they can plug them. I don't trust that they will be keeping up on these things. After all, who would have thought that the OS you run could create a huge gaping hole in your security and potentially hold you liable for violating federal regulations?
Re:HIPAA Compliance (Score:4, Insightful)
You must not work in a corporate environment. (Score:1, Insightful)
Now think of a large company.
And now, just think.
It has been my experience that one should do a clean install when a new service pack has been released. Integrate it with the original media and install.
This way you rule out any weird things happening that a hotfix might have caused. And besides, we are talking about hotfixes here. That's what 'Automatic Update' was designed to install, granted it can be used to apply service packs as well.
Why do you fail to acknowledge the real problem? (Score:2, Insightful)
The problem is with the EULA.
The problem is with the EULA.
They have to be compliant with a law that says their system is not accessible to third parties.
The EULA allows a third party access to the system.
This is the issue the user has. Why oh why can't you comprehend this?
Furthermore, Slashdot is not purely a "technical forum".
Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.
Perhaps a lawsuit would be appropriate (Score:5, Insightful)
It seems to me that unacceptable changes to the EULA for a service pack might void the implied warranty usability of Windows 2000. By releasing the service pack, they are admitting that Windows 2000 has problems. If I cannot get access to fixes for those problems without agreeing to a contract substantially different from that which governed my license for Windows 2000, I think that I might have a good basis for a lawsuit to get a court order that Microsoft supply fixes to their software under the terms of the original EULA.
Re:Don't forget about MSN Messenger (Score:2, Insightful)
Then I gave my analysis: it's connected to the office LAN via wide-open 802.11b (using DHCP, so I was able to attach to their network from the parking lot -- with full green bars as signal strength -- and get on their LAN, browse the wide-open shares...), each computer is loaded with standard XP Pro, including Outlook Express, Internet Explorer, MSN Messenger...all which give capacity to export data, screen shots, whatever from the desktop to any computer on the Internet (yes, it's on the Internet). As a matter of fact, because it didn't have a firewall, I was using my laptop's cdrom to install some software on the legacy-free pc (without the optional cdrom) and I pointed out that I could just as easily push data on to my CD-R/CD-RW drives as pull it.
Of course, it was the lawyers who had approved the purchase...
Re:Morons, Idiots, and Fools...Oh My! (Score:3, Insightful)
Re:You must not work in a corporate environment. (Score:1, Insightful)
In a company with 150 users, each users documents and settings would be stored on a server or domain controller (depends how often people log into the domain). That way, disk images with SP3 could be pushes easily to clients, without any data loss.
A Technical Forum??? (Score:5, Insightful)
I'd say that you have a lot to learn about Slashdot. While most of the stories on here are technical in nature or have something to do with technology a large percentage of them have to do with the legal and political issues surrounding something technical.
Think about all the stories on copy protection for CD's. Yes, it has to do with a technical issue, but the discussions are certainly not technical. I've seen no code posted no how to defeat the copy protection. 99% of the posts are opinions about whether it is right for the producers to restrict use of purchased CD's in the way they want to, and the other 1% are First Post!
Why don't you just come out and say it? You are a Microsoft appologist that wants to ignore the issue with their EULA by making fun of the issue and calling it a waste of time. You say it's an invalid clause, but you don't indicate that you are a lawyer (and even if you were I doubt you'd be offering official legal advise). So you want us to just ignore the issue and "agree" to the EULA?
What happens if the EULA is allowed to stand and then Microsoft actually builds in more of this access that you granted them? What happens when it eventually gets installed on all Windows systems and then the crackers find out how to manipulate it and steal information off your computer? Then it wouldn't be Microsoft accessing the sensitive information, as I doubt they actually would do something like that, but because of the EULA they provide additional access methods for others.
There are plenty of valid discussion items surrounding this issue. Ignoring them is not going to make them go away, and they definately fall right smack into the favorite topic on Slashdot -- Microsoft bashing.
Re:Waiting for clear definition (Score:5, Insightful)
I don't think the whole "trustworthy computing" thing is so much a standard waiting to be clarified as much as it is a purpose which is in direct opposition to the concept of well understood standards.
Micro$oft intends to remove you from concern over the security model of your computer, tracing paths of trust to a few "trusted authorities". HIPAA, and indeed any responsible security policy, requires you to know and be in control of what happens to your computers. The Win2ksp3 EULA makes that impossible, as does Microsoft's entire vision for "trustworthy computing".
Anyone know of and hard rules posted anywhere? (Score:3, Insightful)
Every time I ask Google about this it seems like I end up bouncing back and forth between the same three or four sites never quite finding what I'm after -- kinda like pr0n, but not as fun. So here goes...
Does anyone know of any free/nonfree resources, documents or URLs that list the networking, server and policy encryption and configuration standards required for HIPAA compliance? Consider this from the point of view of a network administrator for a small health services company that buys all of its software from outside vendors (no internal development).
Please don't answer http://hhs.gov. I know about those, and I'm hoping to find a summary or sorts, not the original regs. I'm also aware that the rules themselves are vague and unspecific, and may or may not specifically mention networking and servers hardware software and practices, so I'd appreciate that someone confirm that if it is the case.
Red herrings R us (Score:3, Insightful)
Re:Time for your company to dump microsoft. (Score:2, Insightful)
Know what? I'd answer that the 0.85 pre-beta apps could be sublicensed to develop them in-house or pay a local/big sw firm to polish up the job and sell you the source (or @ least agree to source disclosure agreements in case of business termination, etc...)
Remember ELITIST M$ GROUPIE, never surrended knowledge of your business to anyone or you balls will roll, sooner or later! And that includes how the bits that live in your ws work.
Re:Problem is EULA not SP (Score:3, Insightful)
be warned, this is not a universal truth
Re:Problem is EULA not SP (Score:3, Insightful)
* The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
Re:Problem is EULA not SP (Score:1, Insightful)
Meaning, if you firewall the box, and therefore do not use the component, you agree to nothing.
Let's see, so using an internet component (internet explorer, telnet,
From one who works with these issues (Score:2, Insightful)
Re:This is silly (Score:2, Insightful)
Re:What a waste of time (Score:1, Insightful)
No. That is not true.
The new EULA gives MS the _right_ to update and/or disable software on your machine. Disabling the auto-update does not remove this right, it only stops your machine inititiating one of the mechanisms by which this can be done.
MS can build other mechanisms into the OS via SPs, new versions or via IE and may already have done so. In fact I would be surprised if the combination of SP3 and EULA did not only give MS the right but also enabled it, regardless of the auto-update flag.
That is the beauty of closed source, you may never find out.
Re:From one who works with these issues (Score:3, Insightful)
Re:Perhaps a lawsuit would be appropriate (Score:2, Insightful)
Microsoft counts on those migration costs (barriers to exit?) being high enough that customers find it more advantageous to pay their licencing fees instead. Since, should you win the case, you would get Microsoft to pay for replacement of their own software (i.e. pay to lose future revenues), it would make some MS executives sit up and notice, and maybe put out a more reasonable EULA.