| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Jun 2004 16:40:51 -0400 From: "Boring, Andrew" <Andrew.Boring@...lerzell.com> To: "Anything But Microsoft" <abm@...thingbutmicrosoft.org> Cc: <BUGTRAQ@...URITYFOCUS.COM> Subject: RE: Microsoft technologies. By default, non-HIPAA compliant? Anything But Microsoft [mailto:abm@...thingbutmicrosoft.org] wrote: > The US health care system is the only industry where best network and > security practices are a federally mandated requirement. Note the word "practices" and NOT the word "products". Aren't financial institutions (banks, credit bureaus, etc) also subject to similar requirements? > In light of last weeks MS vulnerabilities with no known patches or > usable work around (text only mode in a browser, or security settings > that disable most usage, is not a suitable work around) I have a > question for everyone here with an answer for interpretation. > > Are Microsoft technologies by default non-HIPAA compliant in > regards to > protecting confidential patient information? If you are a health care > provider and use any Microsoft technology where alternatives > exist, such > as for e-mail and web usage, is that exposing your PC/network to > unnecessary risks? (Thereby violating the spirit of HIPAA?) Why does email/web access need to be performed from an patient-information terminal? In other words, if Best Practices (as opposed to "best products") are mandated and enforced, then web surfing should NOT be available to anyone dealing with such information. All internal systems accessing such information would likely be segregated onto a separate "private" network not accessible to the Internet. Presumably, there could be "email" and "web" terminals scattered or concentrated elsewhere for those desiring access. Unfortunately, this is not "convenient" for normal business operations. Customer service reps may need web access to look up local doctor's office address, sales personnel would need email for routine communication, executives will want their pet video conferencing project started up again, but the whole business-technology model might have to be reworked from the ground up. Other alternatives include developing in-house replacements for common applications (wanna calculate the cost for that?) or heavy restrictions on what is available on a patient-information machine (heavily-filtered company email, no personal email, web access restricted to b2b/extranet/application sites only, hardware firewalls sprinkled liberally on every floor in every building between every department workgroup switch with software firewalls on all machines, etc). Note these are all "best practices" using best or "not-so-best" products. Best practices are also documented, scrutinized, audited, etc, and change when necessary to accomodate the shifting technological and social whims of the world. Best and not-so-best products are purchased, leased or licensed, ideally according to the audited and enforced Best Practices documents, and eventually retired from service when they have reached end-of-life. > My view is that any health care provider using replaceable Microsoft > technologies is not HIPAA compliant, in regards to privacy or security > of patient data. What are the specific regulations? A case can be made either way (remember, Windows NT did receive C-2 certification in certain configurations and Mozilla, Eudora, Opera, Pine, "Linux", et al, have all had their share of occasional security issues - some very serious). Just because there is a replacement for Microsoft (or Linux or Solaris or [insert favorite OS here]) doesn't necessarily mean it is more secure or fits in with mandated Best Practices.
Powered by blists - more mailing lists