Re: Microsoft technologies. By default, non-HIPAA compliant?

To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: Re: Microsoft technologies. By default, non-HIPAA compliant?
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 01 Jul 2004 15:26:02 +1200
In-reply-to: <s0e1f0a1.078@xxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Personal account
Priority: normal
Reply-to: nick@xxxxxxxxxxxxxxxxxxx

"Anything But Microsoft" <abm@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

<<big snip>>
> My view is that any health care provider using replaceable Microsoft
> technologies is not HIPAA compliant, in regards to privacy or security
> of patient data.

In general I agree with your comments, which should surprise no-one as 
I have been advocating for a _very_ long time that it is simply wrong 
to allow (far less, "require" as so many "corporate lock-down" desktop 
designs/policies do) the use of IE on Internet-connected machines.  In 
fact, when I started such advocacy, I was widely seen as a bit loony, 
or worse.  I guess that tells us something about US-CERT -- it's either 
a bit loony or very slow to see the light.  Guess which I'm picking?

However, for systems with HIPAA concerns, there is an alternative to 
not using IE...

Where is it written that machines with access to HIPAA-concerned data 
_must_ have access to the Internet?  In fact, I'd suggest that any 
HIPAA-concerned applications must only be run on machines that never 
have direct access to a public sewer of a network such as today's 
Internet.  The Internet that we have is so far from being adequately 
auditable (in HIPAA-like terms) that you would have to ensure that no 
HIPAA-concerned data were ever allowed near machines that are able to 
access such a network _if_ you were trying to attain HIPAA compliance.

Of course, that position makes MS OSes quite unsuitable as server 
platforms for many small-ish to medium-ish sized operations that have 
HIPAA exposures because, by sworn admission of senior MS executives in 
US court, "IE is part of the OS and cannot be removed", and worse 
still, it is an intimate part of the MS-mandated update process for 
such machines.  Yes, you can get around the direct access requirements 
but the nouse and other resources to do that are typically beyond small-
ish to medium-ish sized businesses, and why should they even consider 
those approaches when there are much cheaper alternative systems that 
do not have such ugly compliance overheads?

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

References:
- Microsoft technologies. By default, non-HIPAA compliant?
  - From: Anything But Microsoft

Prev by Date: [ GLSA 200407-01 ] Esearch: Insecure temp file handling
Next by Date: SUSE Security Announcement: kernel (SUSE-SA:2004:020)
Previous by thread: Microsoft technologies. By default, non-HIPAA compliant?
Next by thread: RE: Microsoft technologies. By default, non-HIPAA compliant?
Index(es):
- Date
- Thread