I'm no Microsoft apologist, but let's not go off the deep end. HIPAA has very few direct requirements. A lot of what needs to be done depends on the environment. For example, if I have a closed environment with no Internet connections (yes, this happens in some places) and sufficient controls to protect servers against insiders, then the latest IE problems are of no concern at all. So saying that ipso facto you're not HIPAA compliant if you use Microsoft products is clearly wrong. A slightly less draconian configuration might have a filtering router that only allows users to visit particular sites; in that case also, the IE problems would be of no concern (since the redirect to the Russian and Estonian sites could be prevented). Again, this may not be the average network configuration, but I suspect these are used in places like call centers to avoid having people off web surfing. And it's certainly the case that some libraries limit sites that can be visited, in the (misplaced) aim of preventing web surfing porno sites. Some might say that any use of passwords for authentication (as opposed to something stronger like a SecureID or a biometric) is in violation of the spirit of HIPAA. But I'd disagree with them too: it's all about looking at the total risk environment. The latest set of attacks demonstrate some pretty bad problems, and Microsoft deserves a lot of criticism. But let's not go overboard. > -----Original Message----- > From: Anything But Microsoft [mailto:abm@xxxxxxxxxxxxxxxxxxxxxxxx] > Sent: Tuesday, June 29, 2004 10:43 PM > To: <@securityfocus.com BUGTRAQ > Cc: secure@xxxxxxxxxxxxx > Subject: Microsoft technologies. By default, non-HIPAA compliant? > > > The US health care system is the only industry where best network and > security practices are a federally mandated requirement. > > In light of last weeks MS vulnerabilities with no known patches or > usable work around (text only mode in a browser, or security settings > that disable most usage, is not a suitable work around) I have a > question for everyone here with an answer for interpretation. > > Are Microsoft technologies by default non-HIPAA compliant in > regards to > protecting confidential patient information? If you are a health care > provider and use any Microsoft technology where alternatives > exist, such > as for e-mail and web usage, is that exposing your PC/network to > unnecessary risks? (Thereby violating the spirit of HIPAA?) > > When security experts en-mass suggest you find alternatives to IE, and > you as an information technology services provider to the health care > industry do not provide these Microsoft alternatives, are you not > providing HIPAA compliant services? > > My view is that any health care provider using replaceable Microsoft > technologies is not HIPAA compliant, in regards to privacy or security > of patient data. > > Your thoughts and comments? > > <duck and cover...> > > >
