"Anything But Microsoft" <abm@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

<<big snip>>

> My view is that any health care provider using replaceable Microsoft
> technologies is not HIPAA compliant, in regards to privacy or security
> of patient data.

In general I agree with your comments, which should surprise no-one as I have been advocating for a _very_ long time that it is simply wrong to allow (far less, "require" as so many "corporate lock-down" desktop designs/policies do) the use of IE on Internet-connected machines. In fact, when I started such advocacy, I was widely seen as a bit loony, or worse. I guess that tells us something about US-CERT -- it's either a bit loony or very slow to see the light. Guess which I'm picking?

However, for systems with HIPAA concerns, there is an alternative to not using IE...

Where is it written that machines with access to HIPAA-concerned data _must_ have access to the Internet? In fact, I'd suggest that any HIPAA-concerned applications must only be run on machines that never have direct access to a public sewer of a network such as today's Internet. The Internet that we have is so far from being adequately auditable (in HIPAA-like terms) that you would have to ensure that no HIPAA-concerned data were ever allowed near machines that are able to access such a network _if_ you were trying to attain HIPAA compliance.

Of course, that position makes MS OSes quite unsuitable as server platforms for many small-ish to medium-ish sized operations that have HIPAA exposures because, by sworn admission of senior MS executives in US court, "IE is part of the OS and cannot be removed", and worse still, it is an intimate part of the MS-mandated update process for such machines.

Yes, you can get around the direct access requirements, but the nous and other resources to do that are typically beyond small-ish to medium-ish sized businesses, and why should they even consider those approaches when there are much cheaper alternative systems that do not have such ugly compliance overheads?

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854