Is Win2k + SP3 HIPAA Compliant?

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?
  • by Kristoffor ( 562485 ) on Wednesday August 28, 2002 @08:32AM (#4155429)
    Well I cannot speak for the author of the question but I can tell you that *I* was very intrigued when I saw this question. As an IT professional in a healthcare related field I am bombarded by questions re: HIPAA compliance. The HIPAA regs are in such disarray and so unclear that many people in the industry are anxiously waiting for the moment the regs are cleared up and complete so we can "sprint towards compliance".
  • by bjiujitsu3 ( 590867 ) on Wednesday August 28, 2002 @08:44AM (#4155476)
    hmmm interesting point. It should be stated this is only an academic point. The government wants health care to provide reasonable effort in its privacy and security efforts. Win2K, NT, and XP pro will be easy to justify as reasonable. 95, 98, ME, XP home may be a little tougher..... Anyway, to take the argument a step further, a covered entity could choose to create a Biz agreement or Chain of Trust agreement with M$. This would cover any issues that arose from the EULA. I wonder if M$ would sign it :)
  • Some clarification? (Score:2, Interesting)

    by dr_dank ( 472072 ) on Wednesday August 28, 2002 @08:51AM (#4155512) Homepage Journal
    How exactly would medical records relate in any way, shape, or form to student loans?
  • by NumberSyx ( 130129 ) on Wednesday August 28, 2002 @08:52AM (#4155514) Journal

    Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

    This is not a technical issue; disabling Auto-Update is trivial. This is a legal issue. The real problem is that by agreeing to the EULA they are giving a third party, who has no due cause, access to their system. Whether or not Microsoft ever actually accesses their system is not the point; the point is they have given consent and Microsoft could in theory demand access at any time, say for example to check for unlicensed copies of software. I suggest you get a lawyer who can sort this out for you. It is also possible, however unlikely, that a good lawyer could negotiate a different EULA with Microsoft.

  • by cr@ckwhore ( 165454 ) on Wednesday August 28, 2002 @08:56AM (#4155532) Homepage
    "Access to the system" is a broad term... there are many ways to access a system and stay within HIPAA guidelines.
  • by yasth ( 203461 ) on Wednesday August 28, 2002 @08:58AM (#4155546) Homepage Journal
    A firewall does not prevent the possibility of MS getting access by other means. If it is an agreed-to part of the EULA, then they can take such steps as needed to effect the clauses. I would also be worried about the no-cause software audits that some MS volume plans have. I mean obviously if you have a search warrant then you have to let them in, even if they might incidentally find some records, but lowering the standard needed to perform an audit might have legal implications. I would ask your in-house counsel about both the EULA and the licensing agreements.

    IANAL, and even if I was this would not be legal advice.
  • by rseuhs ( 322520 ) on Wednesday August 28, 2002 @09:02AM (#4155570)
    Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

    Microsoft has the right to ignore all settings for auto-updating whenever they want.

    Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

  • by RobertNotBob ( 597987 ) on Wednesday August 28, 2002 @09:06AM (#4155588)
    I work in the healthcare industry and have been following this fairly closely. One alarming thing that I have seen in various discussions is the idea that simply disabling the feature has any effect on the situation.

    It does not.

    The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells your machine not to do it. At any time, either pre-programmed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it: if you sign a document that states I have the privilege to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.

    Also don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer (I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right in front of me now, I'm pretty sure that MediaPlayer even specifically mentions that current features may be removed (playing MP3s) by the unannounced 'upgrades'.

    Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.

    oh, DARN ! ;)

    And for the record, I am not a lawyer. Don't take this as legal advice. Heck, I could be dead wrong. Localities and nationalities will obviously differ in their approaches.

  • by Anonymous Coward on Wednesday August 28, 2002 @09:11AM (#4155613)
    I agree completely. It's the legal issues (not the "probable" or "possible" intrusion).

    At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.

    No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.

    The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.

    Ergo, we haven't installed SP3 and doubt that we will.
  • by Dredd13 ( 14750 ) <dredd@megacity.org> on Wednesday August 28, 2002 @09:18AM (#4155649) Homepage
    To make matters worse, remember that as of 9/30, you can't GET Win2K, and the WinXP EULA (the only one you'll have available to you at that point) suffers the same legal issues.

    We're in the process of forwarding this off to our legal staff for review, but in IT, we're now giving serious consideration to a conversion to Macs on the desktop (which would still allow compatibility and ease of use while avoiding the problematic issues involved).

  • by no_nicks_available ( 463299 ) on Wednesday August 28, 2002 @09:35AM (#4155748)
    I'm in the middle of upgrading a pharmacy's computers to privacy "compliant" software that is supposed to be secure. One of the perks of the new software is the ability to use the internet for data transfers instead of 56Ghey. While talking to the tech support guy on all the details I'd need to know, I asked him whether the transfer was done over VPN and what sort of encryption I'd need to set up. He got back to me a few minutes later and said there is NO VPN, NO ENCRYPTION done at all. This pharmacy deals with hundreds of patients a day and for each one, a stream of data is sent CLEAR TEXT across the internet. Makes you feel secure, doesn't it?

  • by itsJools ( 604571 ) on Wednesday August 28, 2002 @09:39AM (#4155768)
    True. With MS sooner or later you will have to do a security update (or be stuck with an insecure system), and chances are that there will be a EULA that will conflict with your company's (privacy) policy. I'm currently working on a database project which will contain very privacy-sensitive (medical) data. We chose postgresql (not to start a mysql/pg flamewar, but pg was the more suitable for our purposes) because it's open, and thus safer. We would never trust this data to be stored in a database made by a company that will possibly break into the data. Of course, MS (and Oracle and the rest) will say that they would never do such a thing, but that's beside the point. Once I agree to the EULA they have the _right_ to do it. And even if the current EULA looks OK, there is no guarantee that future ones will be OK.
  • by jackb_guppy ( 204733 ) on Wednesday August 28, 2002 @09:51AM (#4155818)
    We are placing secondary firewalls between the servers and the desktops. We have found that most servers have extra ports open, and even if you turn them off, something will get them turned on again. Like a patch "fixing" a break.

    By isolating the servers from the rest of the network, we are able to control the port issues both ways. So ODBC and Remote Job Submits can be sent. The app is all green screen based.

    Having the second firewall also prevents the servers "getting out" on the internet, because we removed the default route from the firewalls, so they do not know where the gateway to the internet is.
  • by Phil the Canuck ( 208725 ) on Wednesday August 28, 2002 @09:57AM (#4155840)
    Yes, it's up to me to be HIPAA-compliant, not Microsoft. However I can be HIPAA compliant by restricting Microsoft's ability to access my servers. As has already been stated, this is easy to do - turn off automatic updating. For an added measure of security, I can block all traffic to and from Microsoft, which I'll have to be able to do under HIPAA anyway. From this point, it's Microsoft's job to come after me for violation of their licensing agreement, and I have federal law on my side.
  • by JWW ( 79176 ) on Wednesday August 28, 2002 @10:43AM (#4156165)
    If the EULA you agree to entitles MS to automatically download updates and you turn off autoupdate, are you still in agreement with the EULA, can you still use the software?

    Perhaps the answer is yes today, but will this always be the case? Remember, because of Microsoft you have a "license" to use the software, you do not own it. I believe there will come a day when you will need to pay to continue to use the operating system or it will disable itself. For corporations, it might not be so harsh, but may involve sending billing information to Microsoft to provide a count so they can bill the corporation a large lump sum.

    This kind of activation system will also, I'm sure update the system with at least the keys to run for another year and more than likely many more updates, and it WON'T be optional.
  • Default routes (Score:2, Interesting)

    by ??? ( 35971 ) <{k} {at} {kobly.com}> on Wednesday August 28, 2002 @10:43AM (#4156168)
    Having the second firewall also prevents the servers "getting out" on the internet, because we removed the default route from the firewalls, so they do not know where the gateway to the internet is.

    Removing the default route does not effectively prevent traffic from the servers getting out to the internet, nor does it effectively prevent traffic from the internet getting to the servers. A properly configured firewall can do that, but just removing default routes is not sufficient.

  • by sphealey ( 2855 ) on Wednesday August 28, 2002 @10:44AM (#4156176)
    The EULA states that MS has the right to install patches. It doesn't say anything about being able (legally) to transmit your personal data back to the mothership.

    Can you imagine the cry that would be raised if someone discovered that MS was transmitting personal info or documents in Windows Update Requests? Do you remember Prodigy? Do you remember the Quicken scare? Compared to the number of installations of Win2k, those are tiny issues in comparison.

    Yeah, can you imagine the hue and cry if Doubleclick started reselling your personal information in violation of the privacy agreements of every web site it was collected from as well as their own privacy agreement?

    You don't remember that hue? Neither do I. Yeah, they agreed to pay a 500k "settlement". Big whoop. Your data was "repurposed" and you had no say. Too bad!

    sPh

  • Re:Default routes (Score:2, Interesting)

    by jackb_guppy ( 204733 ) on Wednesday August 28, 2002 @10:54AM (#4156244)
    It is configured correctly. We also removed the route to prevent an open port, say :80, from getting access to the internet, if other settings fail or are overridden.

    This is just another "hurdle" to prevent the connections.

    You see, you do not rely on just one "hurdle" to prevent problems... you rely on multiple. Simple ones like removing a default route from routers and servers, to complex ones like VPN tunnels, certificates, and auto removal of "unsafe" programs from the desktops.
  • Re:Read the EULA. (Score:4, Interesting)

    by Zeinfeld ( 263942 ) on Wednesday August 28, 2002 @11:19AM (#4156432) Homepage
    FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

    Oh come on, we know why the question was put. It was a snarky little jibe whose only purpose was to claim that HIPAA prevented the use of Windows.

    It is kind of like a 'proof' that 1 = 2. We are not meant to agree with the conclusion, we are meant to admire the devious application of logic.

    It is quite obvious to anyone but a moron that MSFT is not going to enforce license agreements that prevent sale of their product for use regulated by HIPAA.

    It should also be obvious that the EULA term was written very broadly by a lawyer who was attempting to minimize the probability of a lawsuit if someone complained about auto-update or the like.

    And it should be completely obvious that Microsoft as a US corporation is obliged to comply with HIPAA. Microsoft is one of the few US companies that actually has a privacy policy and has agreed to be regulated under the EU privacy directive.

    The other fact to consider is that the Clinton era HIPAA act has since been gutted by the Bush administration, who have issued 'guidance' that essentially negates the whole act. Under the Bush guidelines you lose the right to opt out. Hospitals can refuse service if you don't waive all your rights to patient confidentiality, which they can do in small print. So while the act may require hospitals to install firewalls etc. etc., none of it will make any difference because the hospitals can now sell all your confidential data to the people you least want to have hold of it.

  • In order for MS to have access to the records, they need access to the DB. If the DB is not on a system w/ an MS OS, they have no right to that machine. Period. Get it?

    Yes, I get it. But you're wrong. (-:

    The machine is not the problem, the data are the problem. One of the constellation of possible actions which you authorise Microsoft to take when you agree to the EULA on any Windows workstation in the LAN is to install a sniffer (call it `Microsoft Diagnostics for a Networked Medical Environment 6.0' to drive the point home). The data is no use to anyone if it stays on the server, but as soon as it leaves the server and wanders past a Windows box, Bill can glom it and shove it into the `My Data' folder.

    BTW, you didn't think the `My' in `My Computer' and `My Documents' referred to the user, did you?

    there's all kinds of things you can do to keep this theoretical problem under control.

    Ah, that reminds me of l0pht's motto: `Making the theoretical practical since 1992 [com.com]'.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Wednesday August 28, 2002 @11:42AM (#4156639)
    Comment removed based on user account deletion
  • Read the FAQ. (Score:3, Interesting)

    by small_dick ( 127697 ) on Wednesday August 28, 2002 @11:47AM (#4156674)
    You've got three years to deal with the issue until they start fining you (if your company has under $5 million in annual revenue).

    If over $5 million, you've still got two years to comply.

    Either way, the max fine for non-compliance is $25K/Year, and they don't even know how they're going to find you...

    I'm not saying you should slack on this, I'm just saying it's not a "huge, huge" crisis situation. Deal with basic, common sense security and do more research. You've got time to do this right.
  • by dbrutus ( 71639 ) on Wednesday August 28, 2002 @12:26PM (#4157045) Homepage
    Since this effectively cripples your ability to maintain a secure box, when are you going to start migrating off MS in order to maintain your NDAs?
  • Re:Attorney's Take (Score:2, Interesting)

    by BuzzSawer ( 604635 ) on Wednesday August 28, 2002 @12:43PM (#4157187)
    Forgive me, I'm not a HIPAA guy, I'm more of an FDA Part 11 guy. If I'm correct, the original post was with regards to being found 'out of compliance'. To be found 'out of compliance' you must first be audited. Either your procedures are not HIPAA compliant, or you are not following your procedures. The Part 11 solution is to make sure your procedures are 'close enough' (I'm taking a little liberty here) then follow them exactly. Does that work with HIPAA and the issue we are discussing? Can't you just proceduralize the 'locking down' of your servers? I hope it is that simple. PS: Even if you have Linux (which I prefer) you still need to create the proper procedures.
  • by fishbowl ( 7759 ) on Wednesday August 28, 2002 @01:45PM (#4157677)
    "For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it. "

    You will need damages. You can't sue without showing damages.

    However this HIPAA concern carries with it some dire implications. I wonder if it will actually get the attention of the appropriate people (let's say, a large hospital, preferably one that is either a very influential one, e.g., the Naval Hospital in Bethesda which has the added benefit of being a governmental body, or say a big research institution, Johns Hopkins or Northwestern will do fine).

    If it occurs to the right people (the ones with the bread to make a real difference) that the current licensing is entirely incompatible with the laws that they must follow, and that the exposure to liability is huge (it only takes one malpractice suit to end a doctor's career), then we might someday hear about a secondary license that is granted for certain institutions by Microsoft.

    Unfortunately, I don't suppose many people are aware of this problem, so the phones at MS headquarters have not been ringing off the wall with attorneys who represent hospitals and physicians demanding satisfaction on this matter.

    I suspect that it will take a federal lawsuit against someone who has been caught with their pants down, and this will be but one of many incidents of noncompliance with various regulations raised in the case.

    The problem that many slashdot posters don't seem to understand is that we're not talking about an "illegal contract", but rather, that it might be technically illegal for a party to agree to a particular contract. This is only a problem if the party with the problematic contract will not negotiate, and is also only a problem if there is no alternative.

    In many cases, there is only one choice for an operating system. If it is illegal for physicians to use that one choice, then it may be too high-risk for a physician to use computer systems for certain tasks at all.

  • Re:Redundant. (Score:3, Interesting)

    by alext ( 29323 ) on Wednesday August 28, 2002 @03:12PM (#4158308)
    The problem you appear to be encountering is that you interpret 'use/utilize' to be a conscious act and one which users will be able to identify and predict. No such meaning necessarily applies.

    In fact, the wording is so vague Microsoft could associate this permission with any product or mechanism they choose, given the pervasiveness of 'internet-based services' such as IE.

    With reference to your earlier posts, I'm obliged to point out that these are far from consistent in the argument that they are advancing. In order, we have:

    1) The suggestion that any machine connected to the net contravenes the HIPAA and that therefore the whole debate is moot. Presumably because this is obviously an impractical limitation, no further mention is made of it.

    2) The suggestion of a technical fix to the auto-update mechanism to prevent it from functioning. Several responses then point out that the problem lies with the license, not any specific mechanism.

    3) Several posts quoting the portion of the EULA concerning opt-in auto-updates, omitting the general update permission clause. This is in an effort to prove that auto-update requires explicit permission.

    4) After apparently retreating from (3), a new proposition is advanced that auto-update, while admittedly not being under explicit control of the user, applies only to mechanisms consciously 'utilized'. Presumably the implication is that the user will always be aware of such use and therefore should not be surprised by an auto-update.

    5) A synthesis of (2) and (4) is then proposed where by 'firewalling the box' the mechanisms in (4) will be used and therefore the general auto-update clause does not apply. This is then immediately undermined by the admission that firewalling does not prevent mechanisms from accessing the internet, and so "[a]ny of [sic] MS's software that uses the Internet can check itself and update itself.". This doesn't prevent the same argument being forwarded again later, this time with the recommendation to use SUS to distribute patches as a workaround.

    6) Yet another new angle is introduced, this time that the EULA itself can be disregarded because any 'illegal or unreasonable' clause will be found invalid when legally tested. It is not clear how this relates to previous points made.

    It seems from this summary that you are content to chop and change your argument as you go along, shifting ground from one proposition to the other where necessary, only to restate earlier points in other places. It might be better for all concerned if you drew together whichever parts of the statements above now constitute your position and posted it once for further discussion.
