<<< Date Index >>>     <<< Thread Index >>>

RE: Microsoft technologies. By default, non-HIPAA compliant?



I must deal with HIPAA everyday.

In support of the claim that Microsoft is not HIPAA compliant, show me ANY 
Microsoft machine that actually does Healthcare and show me that I cannot 
recreate a patient from data stored on the computer in cache or other areas.

The machine does NOT have to be connected to anything in order to automatically 
violate the HIPAA mandate that patient data is secure and that a patient record 
of other information available on the system can reconstruct a patient record.

If the machine IS connected to anything, including an Intranet or Internet, 
then it is susceptible to virus and hacking attacks and data can be 
reconstructed.

Most machines connect to a clearing house via the Internet using a browser.

Clearing houses may include WebMD, ProxyMed, Medifax, and others.

The mere fact that a Microsoft browser is used, leaves the machine and all data 
vulnerable to attack and retrieval.

Even if certificates, which really are NOT used, are used, they merely encrypt 
the data to and from the websites, but do nothing to the data in the computer.

Simple forensic programs can retrieve all patient data and doctor records and 
this does not require a brain surgeon to perform this.

The machines NOT connected to anything are still vulnerable, as users, 
non-users, janitorial, and others physically in the same location of the PC can 
turn it on and run forensics against it and retrieve data.

I have tested the Microsoft products and cannot use them and feel secure in 
that the data is really safe.

I have many competitors out there who do use Microsoft, because they get to 
market fast. But, they will also CRASH fast too.

Sorry to say that abm may be correct in the statement that Microsoft is not 
secure.

Sure on the surface they appear to be, but simple hacking will crash the 
systems and simple hacking will retrieve patient data.

Bob





At 10:43 AM 6/30/2004, Jeremy Epstein wrote:
>I'm no Microsoft apologist, but let's not go off the deep end.
>
>HIPAA has very few direct requirements.  A lot of what needs to be done
>depends on the environment.  For example, if I have a closed environment
>with no Internet connections (yes, this happens in some places) and
>sufficient controls to protect servers against insiders, then the latest IE
>problems are of no concern at all.  So saying that ipso facto you're not
>HIPAA compliant if you use Microsoft products is clearly wrong.
>
>A slightly less draconian configuration might have a filtering router that
>only allows users to visit particular sites; in that case also, the IE
>problems would be of no concern (since the redirect to the Russian and
>Estonian sites could be prevented).  Again, this may not be the average
>network configuration, but I suspect these are used in places like call
>centers to avoid having people off web surfing.  And it's certainly the case
>that some libraries limit sites that can be visited, in the (misplaced) aim
>of preventing web surfing porno sites.
>
>Some might say that any use of passwords for authentication (as opposed to
>something stronger like a SecureID or a biometric) is in violation of the
>spirit of HIPAA.  But I'd disagree with them too: it's all about looking at
>the total risk environment.
>
>The latest set of attacks demonstrate some pretty bad problems, and
>Microsoft deserves a lot of criticism.  But let's not go overboard.
>
>> -----Original Message-----
>> From: Anything But Microsoft [mailto:abm@xxxxxxxxxxxxxxxxxxxxxxxx]
>> Sent: Tuesday, June 29, 2004 10:43 PM
>> To: <@securityfocus.com BUGTRAQ
>> Cc: secure@xxxxxxxxxxxxx
>> Subject: Microsoft technologies. By default, non-HIPAA compliant?
>> 
>> 
>> The US health care system is the only industry where best network and
>> security practices are a federally mandated requirement.
>>  
>> In light of last weeks MS vulnerabilities with no known patches or
>> usable work around (text only mode in a browser, or security settings
>> that disable most usage, is not a suitable work around) I have a
>> question for everyone here with an answer for interpretation.
>>  
>> Are Microsoft technologies by default non-HIPAA compliant in 
>> regards to
>> protecting confidential patient information? If you are a health care
>> provider and use any Microsoft technology where alternatives 
>> exist, such
>> as for e-mail and web usage, is that exposing your PC/network to
>> unnecessary risks? (Thereby violating the spirit of HIPAA?)
>>  
>> When security experts en-mass suggest you find alternatives to IE, and
>> you as an information technology services provider to the health care
>> industry do not provide these Microsoft alternatives, are you not
>> providing HIPAA compliant services?
>>  
>> My view is that any health care provider using replaceable Microsoft
>> technologies is not HIPAA compliant, in regards to privacy or security
>> of patient data.
>>  
>> Your thoughts and comments?
>>  
>> <duck and cover...>
>>  
>>  
>>