Is Win2k + SP3 HIPAA Compliant?
From: Paul Hosking (phosking@networkcountermeasures.com)
Date: 08/28/02
From: Paul Hosking <phosking@networkcountermeasures.com>
To: security-basics@securityfocus.com
Date: 28 Aug 2002 13:16:20 -0500
A recent discussion on Slashdot [1] asks this question. The initial
comment reads:
Our company deals with medical records in a peripheral sort of way
(as they pertain to student loans), and due to new laws we are
required to be HIPAA compliant by April. After reading the discussion
on here about the new EULA for Win2k SP3, I had a disturbing thought.
As far as I can tell, if you use Windows 2000 then you're going to be
out of compliance whatever you do. If you install the patch, then
theoretically Microsoft could access those medical records (possibly
by accident) without 'due cause or need' in the process of updating
your machine. If you don't patch your system then you'll fail the
security requirements of the law.
I would like to note that I was a bit hesitant to send this to the list
mainly because of the source. For those of you who are not familiar
with Slashdot, it is a technical, scientific, social, and political
forum (with an emphasis on the technical and political). It tends to be
very critical of Microsoft and very supportive of Open Source software -
which attracts a good amount of "OS zealotry" all around. Unless you
use the filtering system (i.e. highest scores first), be prepared for a
pretty sizable amount of noise.
Having said that - it still seemed appropriate. Issues with the SP3
EULA and what this does to Win2K's standing in an infosec-conscious
environment have already been mentioned here. HIPAA compliance is
simply an extension of this issue.
Filtering the Slashdot noise is worth it. There are some interesting
points and conversations in the ensuing discussion. And it may present
some issues you may want to address in your environment.
[1] http://slashdot.org/article.pl?sid=02/08/27/2030205
--
.: Paul Hosking . phosking@networkcountermeasures.com .: InfoSec
.: PGP KeyID: 0x42F93AE9 .: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9