Is Win2k + SP3 HIPAA Compliant?

From: Paul Hosking
Date: 28 Aug 2002 13:16:20 -0500

A recent discussion on Slashdot [1] asks this question. The initial
comment reads:

   Our company deals with medical records in a peripheral sort of way
   (as they pertain to student loans), and due to new laws we are
   required to be HIPAA compliant by April. After reading the discussion
   on here about the new EULA for Win2k SP3, I had a disturbing thought.
   As far as I can tell, if you use Windows 2000 then you're going to be
   out of compliance whatever you do. If you install the patch, then
   theoretically Microsoft could access those medical records (possibly
   by accident) without 'due cause or need' in the process of updating
   your machine. If you don't patch your system then you'll fail the
   security requirements of the law.

I would like to note that I was a bit hesitant to send this to the list
mainly because of the source. For those of you who are not familiar
with Slashdot, it is a technical, scientific, social, and political
forum (with an emphasis on the technical and political). It tends to be
very critical of Microsoft and very supportive of Open Source software -
which attracts a good amount of "OS zealotry" all around. Unless you
use the filtering system (i.e. highest scores first), be prepared for a
pretty sizable amount of noise.

Having said that - it still seemed appropriate. Issues with the SP3
EULA and what this does to Win2K's standing in an infosec-conscious
environment have already been mentioned here. HIPAA compliance is
simply an extension of this issue.

Filtering the Slashdot noise is worth it. There are some interesting
points and conversations in the ensuing discussion. And it may present
some issues you may want to address in your environment.

.: Paul Hosking . .: InfoSec

.: PGP KeyID: 0x42F93AE9 .: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9