[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E7913F191C480F458C2B9B40F493FA3E9066F9@WS-EXCHANGE2003.corp.millerzell.com>
Date: Wed, 30 Jun 2004 16:40:51 -0400
From: "Boring, Andrew" <Andrew.Boring@...lerzell.com>
To: "Anything But Microsoft" <abm@...thingbutmicrosoft.org>
Cc: <BUGTRAQ@...URITYFOCUS.COM>
Subject: RE: Microsoft technologies. By default, non-HIPAA compliant?
Anything But Microsoft [mailto:abm@...thingbutmicrosoft.org] wrote:
> The US health care system is the only industry where best network and
> security practices are a federally mandated requirement.
Note the word "practices" and NOT the word "products".
Aren't financial institutions (banks, credit bureaus, etc) also subject
to similar requirements?
> In light of last weeks MS vulnerabilities with no known patches or
> usable work around (text only mode in a browser, or security settings
> that disable most usage, is not a suitable work around) I have a
> question for everyone here with an answer for interpretation.
>
> Are Microsoft technologies by default non-HIPAA compliant in
> regards to
> protecting confidential patient information? If you are a health care
> provider and use any Microsoft technology where alternatives
> exist, such
> as for e-mail and web usage, is that exposing your PC/network to
> unnecessary risks? (Thereby violating the spirit of HIPAA?)
Why does email/web access need to be performed from an
patient-information terminal? In other words, if Best Practices (as
opposed to "best products") are mandated and enforced, then web surfing
should NOT be available to anyone dealing with such information. All
internal systems accessing such information would likely be segregated
onto a separate "private" network not accessible to the Internet.
Presumably, there could be "email" and "web" terminals scattered or
concentrated elsewhere for those desiring access.
Unfortunately, this is not "convenient" for normal business operations.
Customer service reps may need web access to look up local doctor's
office address, sales personnel would need email for routine
communication, executives will want their pet video conferencing project
started up again, but the whole business-technology model might have to
be reworked from the ground up.
Other alternatives include developing in-house replacements for common
applications (wanna calculate the cost for that?) or heavy restrictions
on what is available on a patient-information machine (heavily-filtered
company email, no personal email, web access restricted to
b2b/extranet/application sites only, hardware firewalls sprinkled
liberally on every floor in every building between every department
workgroup switch with software firewalls on all machines, etc).
Note these are all "best practices" using best or "not-so-best"
products.
Best practices are also documented, scrutinized, audited, etc, and
change when necessary to accomodate the shifting technological and
social whims of the world.
Best and not-so-best products are purchased, leased or licensed, ideally
according to the audited and enforced Best Practices documents, and
eventually retired from service when they have reached end-of-life.
> My view is that any health care provider using replaceable Microsoft
> technologies is not HIPAA compliant, in regards to privacy or security
> of patient data.
What are the specific regulations? A case can be made either way
(remember, Windows NT did receive C-2 certification in certain
configurations and Mozilla, Eudora, Opera, Pine, "Linux", et al, have
all had their share of occasional security issues - some very serious).
Just because there is a replacement for Microsoft (or Linux or Solaris
or [insert favorite OS here]) doesn't necessarily mean it is more secure
or fits in with mandated Best Practices.
Powered by blists - more mailing lists