Is Win2k + SP3 HIPAA Compliant?
Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA
compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?
Re:What a waste of time (Score:4, Interesting)
Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.
This is not a technical issue; disabling Auto-Update is trivial. This is a legal issue. The real problem is that by agreeing to the EULA they are giving a third party, who has no due cause, access to their system. Whether or not Microsoft ever actually accesses their system is not the point; the point is they have given consent, and Microsoft could in theory demand access at any time, say for example to check for unlicensed copies of software. I suggest you get a lawyer who can sort this out for you. It is also possible, however unlikely, that a good lawyer could negotiate a different EULA with Microsoft.
Re:What a waste of time (Score:3, Interesting)
IANAL, and even if I was this would not be legal advice.
Re:What a waste of time (Score:3, Interesting)
Microsoft has the right to ignore all settings for auto-updating whenever they want.
Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.
Watch out for the 'disable' option (Score:5, Interesting)
It does not.
The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells your machine not to do it. At any time, either pre-programmed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it: if you sign a document that states I have the privilege to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.
Also don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer (I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right in front of me now, I'm pretty sure that MediaPlayer even specifically mentions that current features may be removed (playing MP3s) by the unannounced 'upgrades'.
Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.
oh, DARN ! ;)
And for the record, I am not a lawyer. Don't take this as legal advice. Heck, I could be dead wrong. Localities and nationalities will obviously differ in their approaches.
Re:Problem is EULA not SP (Score:5, Interesting)
At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.
No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.
The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.
Ergo, we haven't installed SP3 and doubt that we will.
Also facing this problem (Score:4, Interesting)
We're in the process of forwarding this off to our legal staff for review, but in IT, we're now giving serious consideration to a conversion to Macs on the desktop (which would still allow compatibility and ease of use while avoiding the problematic issues involved).
Re:What a waste of time (Score:2, Interesting)
By isolating the servers from the rest of the network, we are able to control the port issues both ways. So ODBC and Remote Job Submits can be sent. The app is all green-screen based.
Having the second firewall also prevents the servers "getting out" on the internet, because we removed the default route from the firewalls, so they do not know where the gateway to the internet is.
Re:Locked down != autoupdated (Score:3, Interesting)
Perhaps the answer is yes today, but will this always be the case? Remember, because of Microsoft you have a "license" to use the software; you do not own it. I believe there will come a day when you will need to pay to continue to use the operating system or it will disable itself. For corporations it might not be so harsh, but it may involve sending billing information to Microsoft to provide a count so they can bill the corporation a large lump sum.
This kind of activation system will also, I'm sure update the system with at least the keys to run for another year and more than likely many more updates, and it WON'T be optional.
Default routes (Score:2, Interesting)
default route from the firewalls, so they do not know where the gateway to the internet is.
Removing the default route does not effectively prevent traffic from the servers getting out to the internet, nor does it effectively prevent traffic from the internet getting to the servers. A properly configured firewall can do that, but just removing default routes is not sufficient.
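To make the point above concrete, here is a small route-table model, added as an illustration and not code from anyone in this thread. It performs longest-prefix-match lookups for a server that has only an on-link route, an ordinary desktop with a default route, and a firewall that routes between the LAN and the outside. The topology, host names and the two firewall policies are assumptions; 10.0.0.0/24, 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges. It shows that with no default route the server cannot originate a packet to the internet, yet an inbound packet is still delivered (the firewall's routing decides that, not the server's), the server can still answer it if the firewall NATs the source, and the server can still get out through any LAN host that does have a default route. Only the firewall policy stops the inbound case.

```python
"""Toy route-table model showing why deleting a server's default route does
not stop traffic leaving for, or arriving from, the internet.  Added
illustration, not the poster's network: topology, host names and policy rules
are assumptions; the address ranges are documentation ranges."""
import ipaddress

SERVER_IP = ipaddress.ip_address("10.0.0.10")


class Host:
    def __init__(self, name, addr, forward_policy=None):
        self.name = name
        self.addr = ipaddress.ip_address(addr)
        self.routes = []                       # (prefix, next_hop); None = on-link
        self.forward_policy = forward_policy   # None: never forwards for others

    def add_route(self, prefix, next_hop=None):
        nh = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.routes.append((ipaddress.ip_network(prefix), nh))

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop, or None for on-link."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def permissive_policy(src, dst):
    """Firewall that routes everything and filters nothing."""
    return True


def strict_policy(src, dst):
    """Assumed 'properly configured' rule: never forward a packet to or from
    the server, in either direction."""
    return SERVER_IP not in (src, dst)


def build_lab(policy):
    server = Host("server", SERVER_IP)
    server.add_route("10.0.0.0/24")               # on-link only: no 0.0.0.0/0
    desktop = Host("desktop", "10.0.0.50")
    desktop.add_route("10.0.0.0/24")
    desktop.add_route("0.0.0.0/0", "10.0.0.1")    # ordinary workstation
    fw = Host("firewall", "10.0.0.1", policy)
    fw.add_route("10.0.0.0/24")
    fw.add_route("203.0.113.0/24")                # outside interface
    fw.add_route("0.0.0.0/0", "203.0.113.1")      # ISP router
    hosts = {h.addr: h for h in (server, desktop, fw)}
    return hosts, server, desktop, fw


def trace(hosts, src, entry, dst, max_hops=8):
    """Follow a packet with source address src, first handled by host entry,
    towards dst.  Returns hop names ending in 'delivered', 'internet' (left
    the LAN through the firewall), 'unroutable' or 'dropped' (by policy)."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    cur, path = entry, [entry.name]
    for _ in range(max_hops):
        if cur.addr == dst:
            return path + ["delivered"]
        if cur.addr != src:                        # transit hop: must route for others
            if cur.forward_policy is None or not cur.forward_policy(src, dst):
                return path + ["dropped"]
        try:
            nh = cur.lookup(dst)
        except LookupError:
            return path + ["unroutable"]
        target = dst if nh is None else nh
        if target not in hosts:                    # beyond the modelled LAN
            return path + ["internet"]
        cur = hosts[target]
        path.append(cur.name)
    return path + ["loop"]


def relay_egress(hosts, origin, relay, dst):
    """Application-layer relay (proxy, SSH forward, compromised desktop): origin
    talks to relay over the LAN and relay opens its own connection outward."""
    leg1 = trace(hosts, origin.addr, origin, relay.addr)
    if leg1[-1] != "delivered":
        return leg1
    return leg1[:-1] + trace(hosts, relay.addr, relay, dst)[1:]


if __name__ == "__main__":
    hosts, server, desktop, fw = build_lab(permissive_policy)
    print(trace(hosts, server.addr, server, "203.0.113.5"))      # direct egress: unroutable
    print(trace(hosts, "198.51.100.7", fw, SERVER_IP))            # inbound is still delivered
    print(trace(hosts, server.addr, server, "10.0.0.1"))          # reply works if the fw NATs
    print(relay_egress(hosts, server, desktop, "203.0.113.5"))   # out via a LAN relay
    hosts, server, desktop, fw = build_lab(strict_policy)
    print(trace(hosts, "198.51.100.7", fw, SERVER_IP))            # firewall policy drops it
```

The relay leg is the one worth noticing: the strict firewall rule stops inbound packets to the server, but the server still reaches the internet through the desktop, because the desktop originates a fresh connection with its own address. Egress control therefore has to be enforced at the firewall for every inside host, not simulated by what the server happens to know about routing.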
Re:I still think this is all one big troll (Score:3, Interesting)
You don't remember that hue? Neither do I. Yeah, they agreed to pay a 500k "settlement". Big whoop. Your data was "repurposed" and you had no say. Too bad!
sPh
Re:Default routes (Score:2, Interesting)
This is just another "hurl" to prevent the connections.
You see, you do not rely on just one "hurl" to prevent problems... you rely on multiple. Simple ones like removing a default from routers and servers to complex like vpn tunnels, certificates, and auto removal of "unsafe" programs from the desktops.
Re:Read the EULA. (Score:4, Interesting)
Oh come on, we know why the question was put. It was a snarky little jibe whose only purpose was to claim that HIPAA prevented the use of Windows.
It is kind of like a 'proof' that 1 = 2. We are not meant to agree with the conclusion; we are meant to admire the devious application of logic.
It is quite obvious to anyone but a moron that MSFT is not going to enforce license agreements that prevent sale of their product for use regulated by HIPAA.
It should also be obvious that the EULA term was written very broadly by a lawyer who was attempting to minimize the probability of a lawsuit if someone complained about auto-update or the like.
And it should be completely obvious that Microsoft as a US corporation is obliged to comply with HIPAA. Microsoft is one of the few US companies that actually has a privacy policy and has agreed to be regulated under the EU privacy directive.
The other fact to consider is that the Clinton-era HIPAA act has since been gutted by the Bush administration, who have issued 'guidance' that essentially negates the whole act. Under the Bush guidelines you lose the right to opt out. Hospitals can refuse service if you don't waive all your rights to patient confidentiality, which they can do in small print. So while the act may require hospitals to install firewalls etc. etc., none of it will make any difference, because the hospitals can now sell all your confidential data to the people you least want to have hold of it.
Re:Morons, Idiots, and Fools...Oh My! (Score:3, Interesting)
Yes, I get it. But you're wrong. (-:
The machine is not the problem, the data are the problem. One of the constellation of possible actions which you authorise Microsoft to take when you agree to the EULA on any Windows workstation in the LAN is to install a sniffer (call it `Microsoft Diagnostics for a Networked Medical Environment 6.0' to drive the point home). The data is no use to anyone if it stays on the server, but as soon as it leaves the server and wanders past a Windows box, Bill can glom it and shove it into the `My Data' folder.
BTW, you didn't think the `My' in `My Computer' and `My Documents' referred to the user, did you?
Ah, that reminds me of l0pht's motto: `Making the theoretical practical since 1992 [com.com]'.
Read the FAQ. (Score:3, Interesting)
If over $5 million, you've still got two years to comply.
Either way, the max fine for non-compliance is $25K/Year, and they don't even know how they're going to find you...
I'm not saying you should slack on this, I'm just saying it's not a "huge,huge" crisis situation. Deal with basic, common sense security and do more research. You've got time to do this right.
Re:Perhaps a lawsuit would be appropriate (Score:3, Interesting)
You will need damages. You can't sue without showing damages.
However, this HIPAA concern carries with it some dire implications. I wonder if it will actually get the attention of the appropriate people (let's say a large hospital, preferably one that is either a very influential one, e.g., the Naval Hospital in Bethesda, which has the added benefit of being a governmental body, or a big research institution; Johns Hopkins or Northwestern will do fine).
If it occurs to the right people (the ones with the bread to make a real difference) that the current licensing is entirely incompatible with the laws that they must follow, and that the exposure to liability is huge (it only takes one malpractice suit to end a doctor's career), then we might someday hear about a secondary license that is granted for certain institutions by Microsoft.
Unfortunately, I don't suppose many people are aware of this problem, so the phones at MS headquarters have not been ringing off the wall with attorneys who represent hospitals and physicians demanding satisfaction on this matter.
I suspect that it will take a federal lawsuit against someone who has been caught with their pants down, and this will be but one of many incidents of noncompliance with various regulations raised in the case.
The problem that many Slashdot posters don't seem to understand is that we're not talking about an "illegal contract", but rather that it might be technically illegal for a party to agree to a particular contract. This is only a problem if the party with the problematic contract will not negotiate, and is also only a problem if there is no alternative.
In many cases, there is only one choice for an operating system. If it is illegal for physicians to use that one choice, then it may be too high-risk for a physician to use computer systems for certain tasks at all.
Re:Redundant. (Score:3, Interesting)
In fact, the wording is so vague Microsoft could associate this permission with any product or mechanism they choose, given the pervasiveness of 'internet-based services' such as IE.
With reference to your earlier posts, I'm obliged to point out that these are far from consistent in the argument that they are advancing.
In order, we have:
1) The suggestion that any machine connected to the net contravenes the HIPAA and that therefore the whole debate is moot. Presumably because this is obviously an impractical limitation, no further mention is made of it.
2) The suggestion of a technical fix to the auto-update mechanism to prevent it from functioning. Several responses then point out that the problem lies with the license, not any specific mechanism.
3) Several posts quoting the portion of the EULA concerning opt-in auto-updates, omitting the general update permission clause. This is in an effort to prove that auto-update requires explicit permission.
4) After apparently retreating from (3), a new proposition is advanced that auto-update, while admittedly not being under explicit control of the user, applies only to mechanisms consciously 'utilized'. Presumably the implication is that the user will always be aware of such use and therefore should not be surprised by an auto-update.
5) A synthesis of (2) and (4) is then proposed whereby, by 'firewalling the box', the mechanisms in (4) will be used and therefore the general auto-update clause does not apply. This is then immediately undermined by the admission that firewalling does not prevent mechanisms from accessing the internet, and so "[a]ny of [sic] MS's software that uses the Internet can check itself and update itself." This doesn't prevent the same argument being put forward again later, this time with the recommendation to use SUS to distribute patches as a workaround.
6) Yet another new angle is introduced, this time that the EULA itself can be disregarded because any 'illegal or unreasonable' clause will be found invalid when legally tested. It is not clear how this relates to previous points made.
It seems from this summary that you are content to chop and change your argument as you go along, shifting ground from one proposition to the other where necessary, only to restate earlier points in other places. It might be better for all concerned if you drew together whichever parts of the statements above now constitute your position and posted it once for further discussion.