lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: fjaffe at netcom.com (Frank Jaffe)
Subject: EULA

Actually,

HIPAA is an incredibly complex law and set of regulations, and I don't
think anyone fully understands it at this point.  Several observations,
however.

First, HIPAA penalties as outlined below are for deliberate violations
of medical privacy with an intent to profit from the violation.

Second, HIPAA regulations, particularly the security regulations, are
supposed to be "scalable", meaning that each institution is supposed to
conduct a business risk analysis, and implement appropriate security
solutions (some things are mandatory, some are optional) based on their
risk assessment.

Third, HIPAA regulations stipulate that everything must be "reasonable".
While we can have much fun arguing about it, no one will seriously argue
that patching MS systems, even if alledgedly giving up "change control"
through the EULA, is not a reasonable course of action.

Fourth, HIPAA does not govern what a company must do internally vs.
externally. A company may be required to have change control processes,
but there is no requirement that they manage them themselves.  Of
course, while I may argue that patching MS software is reasonable, it
may be much harder to claim that turning over your change control to MS
is reasonable ;)

Lastly, DHS has indicated that they are looking for good faith
compliance efforts at this point. Believe me, any company discussing
change control issues is ahead of 90% of the other guys out there on
HIPAA compliance.

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Curt Purdy
> Sent: Tuesday, September 09, 2003 7:25 PM
> To: 'Gregory A. Gilliss'; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] EULA
> 
> 
> Actually, failure to achieve compliance with  HIPAA could 
> find hospital executives and physicians facing fines of up to 
> $25,000. Certain  criminal violations could cost individuals 
> and  organizations $250,000 and up to 10 years in jail.  This 
> is quoted out of more than one reference.
> 
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
> cpurdy@...ol.com
> 936.637.7977 ext. 121
> 
> ----------------------------------------
> 
> If you spend more on coffee than on IT security, you will be 
> hacked. What's more, you deserve to be hacked.
> -- former White House cybersecurity zar Richard Clarke
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of 
> Gregory A. Gilliss
> Sent: Tuesday, September 09, 2003 5:13 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [inbox] Re: [Full-Disclosure] EULA
> 
> 
> Okay, this is from my girlfriend, so flame her if it's wrong :-)
> 
> Basically, a HIPAA compliant hospital/practice/etc. that is 
> found to be in violation of, say, the regs on software change 
> control, can be fined up to US$ 10,000 per violation. I would 
> guess that tha *could* be construed as "per personal 
> computer" if they wanted to be dicks about it...
> 
> But, it gets better...if they hospital/practice/etc that has 
> been inspected and cited doesn't comply with the violated 
> HIPAA regs, they can be closed down.  BAM!  In practice I do 
> not think that this has happened (yet) because the whole 
> HIPAA thing is so new. However if you look at it from the 
> security perspective, I expect that M$ legal will be amending 
> their existing EULA for health care providers as soon as they 
> read about this...
> 
> G
> 
> On or about 2003.09.09 14:08:04 +0000, David Hayes 
> (david.hayes@....com)
> said:
> 
> > So, if a HIPAA site uses Windows and accepts the SP3 EULA, they're 
> > screwed.  If a HIPAA site uses Windows and does not accept the SP3 
> > EULA, they're screwed.
> >
> > Logical conclusion, if a HIPAA site uses Windows, they're screwed. 
> > Thus they should use a different OS?
> >
> > --
> > David Hayes    Network Security Operations Center     MCI 
> Network Svcs
> > email: david.hayes@....com      vnet: 777-7236     voice: 
> 972-729-7236
> >
> >
> > On Mon, Sep 08, 2003 at 01:13:21PM -0400, Valdis.Kletnieks@...edu 
> > wrote:
> > > On Mon, 08 Sep 2003 08:43:14 PDT, D B <geggam692000@...oo.com>  
> > > said:
> > >
> > > > does the EULA of Microsoft violate lawyer client 
> privilege ..... 
> > > > as in  if my lawyer is using windows is he violating my rights
> > >
> > > I can't speak for the legal profession, but the SP3 EULA (the one 
> > > where
> you agree to
> > > allow Microsoft to install, without warning or notification, 
> > > anything
> labeled a "security
> > > patch", even if it breaks 3rd party software), is known 
> to be very 
> > > bad
> mojo for sites
> > > covered by HIPPA, because it cedes software change control.
> > >
> > > Of course, if you fail to agree to the EULA and you're a 
> HIPPA site,
> you're still screwed
> > > because then you can't install post-SP3 patches.
> > >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> --
> Gregory A. Gilliss                                    
> Telephone: 1 650 872
> 2420
> Computer Engineering                                   E-mail:
> greg@...liss.com
> Computer Security                                                ICQ:
> 123710561
> Software Development                          WWW:
> http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 
> D9 B4 14 0E 8C A3
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 



Powered by blists - more mailing lists