Message-ID: <40E42D0A.22385.2056C484@localhost>
Date: Thu, 01 Jul 2004 15:26:02 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: BUGTRAQ@...URITYFOCUS.COM
Subject: Re: Microsoft technologies. By default, non-HIPAA compliant?
"Anything But Microsoft" <abm@...thingbutmicrosoft.org> wrote:
<<big snip>>
> My view is that any health care provider using replaceable Microsoft
> technologies is not HIPAA compliant, in regards to privacy or security
> of patient data.
In general I agree with your comments, which should surprise no-one as
I have been advocating for a _very_ long time that it is simply wrong
to allow (far less, "require" as so many "corporate lock-down" desktop
designs/policies do) the use of IE on Internet-connected machines. In
fact, when I started such advocacy, I was widely seen as a bit loony,
or worse. I guess that tells us something about US-CERT -- it's either
a bit loony or very slow to see the light. Guess which I'm picking?
However, for systems with HIPAA concerns, there is an alternative to
not using IE...
Where is it written that machines with access to HIPAA-concerned data
_must_ have access to the Internet? In fact, I'd suggest that any
HIPAA-concerned applications must only be run on machines that never
have direct access to a public sewer of a network such as today's
Internet. The Internet that we have is so far from being adequately
auditable (in HIPAA-like terms) that you would have to ensure that no
HIPAA-concerned data were ever allowed near machines that are able to
access such a network _if_ you were trying to attain HIPAA compliance.
Of course, that position makes MS OSes quite unsuitable as server
platforms for many small-ish to medium-ish sized operations that have
HIPAA exposures because, by sworn admission of senior MS executives in
US court, "IE is part of the OS and cannot be removed", and worse
still, it is an intimate part of the MS-mandated update process for
such machines. Yes, you can get around the direct access requirements
but the nous and other resources to do that are typically beyond small-ish
to medium-ish sized businesses, and why should they even consider
those approaches when there are much cheaper alternative systems that
do not have such ugly compliance overheads?
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854