RE: Microsoft technologies. By default, non-HIPAA compliant?

From: Boring, Andrew (Andrew.Boring_at_millerzell.com)
Date: 06/30/04

    Date: Wed, 30 Jun 2004 16:40:51 -0400
    To: "Anything But Microsoft" <abm@anythingbutmicrosoft.org>
    
    

    Anything But Microsoft [mailto:abm@anythingbutmicrosoft.org] wrote:

    > The US health care system is the only industry where best network and
    > security practices are a federally mandated requirement.

    Note the word "practices" and NOT the word "products".

    Aren't financial institutions (banks, credit bureaus, etc) also subject
    to similar requirements?

    > In light of last week's MS vulnerabilities with no known patches or
    > usable workaround (text-only mode in a browser, or security settings
    > that disable most usage, is not a suitable workaround) I have a
    > question for everyone here with an answer for interpretation.
    >
    > Are Microsoft technologies by default non-HIPAA compliant in regards to
    > protecting confidential patient information? If you are a health care
    > provider and use any Microsoft technology where alternatives exist, such
    > as for e-mail and web usage, is that exposing your PC/network to
    > unnecessary risks? (Thereby violating the spirit of HIPAA?)

    Why does email/web access need to be performed from a
    patient-information terminal? In other words, if Best Practices (as
    opposed to "best products") are mandated and enforced, then web surfing
    should NOT be available to anyone dealing with such information. All
    internal systems accessing such information would likely be segregated
    onto a separate "private" network not accessible from the Internet.
    Presumably, there could be "email" and "web" terminals scattered or
    concentrated elsewhere for those desiring access.

    Unfortunately, this is not "convenient" for normal business operations.
    Customer service reps may need web access to look up a local doctor's
    office address, sales personnel would need email for routine
    communication, executives will want their pet video conferencing project
    started up again, but the whole business-technology model might have to
    be reworked from the ground up.

    Other alternatives include developing in-house replacements for common
    applications (wanna calculate the cost for that?) or heavy restrictions
    on what is available on a patient-information machine (heavily-filtered
    company email, no personal email, web access restricted to
    b2b/extranet/application sites only, hardware firewalls sprinkled
    liberally on every floor in every building between every department
    workgroup switch with software firewalls on all machines, etc).

    Note these are all "best practices" using best or "not-so-best"
    products.

    Best practices are also documented, scrutinized, audited, etc, and
    change when necessary to accommodate the shifting technological and
    social whims of the world.

    Best and not-so-best products are purchased, leased or licensed, ideally
    according to the audited and enforced Best Practices documents, and
    eventually retired from service when they have reached end-of-life.

    > My view is that any health care provider using replaceable Microsoft
    > technologies is not HIPAA compliant, in regards to privacy or security
    > of patient data.

    What are the specific regulations? A case can be made either way
    (remember, Windows NT did receive C-2 certification in certain
    configurations and Mozilla, Eudora, Opera, Pine, "Linux", et al, have
    all had their share of occasional security issues - some very serious).
    Just because there is a replacement for Microsoft (or Linux or Solaris
    or [insert favorite OS here]) doesn't necessarily mean it is more secure
    or fits in with mandated Best Practices.

