Out of all the replies, both on and off-list, I believe this quote is the best to work with at this point.

>>> "Alun Jones" <alun@xxxxxxxxx> 7/4/2004 12:05:51 PM >>>
> Whenever you advocate a switch from Microsoft to another platform, whether
> it's an operating system platform, or merely a browser platform, you need to
> be providing technical reasons why the new platform is better than the
> other. Wishy-washy arguments of the kind of "there are lots of bugs found
> in Microsoft products" /don't/ wash. You have to make arguments of the kind
> of "this entire class of bugs has been made impossible in the system I'm
> proposing".

My decision-making process as to what I interpret as HIPAA compliant with my health care customers begins precisely by "providing technical reasons" regarding an "entire class of bugs." (Please also note that I understand even my strongest convictions and beliefs are interpreted differently by others. I welcome all comments.)

But let's look at this issue on a more micro level, the view most of us IT guys "in the trenches" have of the problems we must face daily. Let's start with an analogy: Microsoft Office is to Macro Virus as Anything But Microsoft Office is to Immune To Macro Virus. I have searched high and low, and have yet to see anything even resembling a macro virus in any non-Microsoft document format. In fact, I have more than once deliberately opened Microsoft macro virus infected documents in Corel WordPerfect, Lotus SmartSuite, and OpenOffice without any harm to the PC or spread of the virus. In most cases the document can be modified and saved in MS format and the offending MS macro virus is no longer present in the document. So by your own definition, an "entire class of bugs" is eliminated by never using Microsoft Office. In my 15 years of providing IT services to health care professionals I have yet to see one instance where a non-Microsoft Office solution does not fit the needs of my clients, both large and small.

Therefore, my conclusion is that installing Microsoft Office on a health care provider's PC under the circumstances I face disqualifies that PC/network from HIPAA compliance regarding system security. The counter argument I look to you for is to define a situation where having Microsoft Office installed instead of an alternative is required to provide health care services. Are the non-MS alternatives immune to all security issues? No, I never said that and never will. But as I stated above, we both share a similar definition of what is HIPAA compliant. Now, please tell me where I went wrong in the interpretation of our shared methodology using only the MS Office example above. As much as I would love to now similarly discuss LookOut and IE, let's move on...

> If you don't make those arguments, then the only argument you're making is
> to move to a system that the hackers aren't _yet_ as interested in. That's
> a security by obscurity argument. It may help you survive against
> broadcast, scattershot attacks, that don't care where they're aiming, but it
> won't help you against an attacker that has chosen to target your
> organisation.

This and other similar statements to the effect of "Microsoft is a big target, that is why hackers find so many security holes" I not only find amusing (off topic for here) but I interpret as all the more reason to avoid MS products while striving for HIPAA compliance. I hate to sound like my mother, but "If everyone was jumping off a bridge, would you jump too?"

Think of it this way: does putting your customers in front of that MS target when alternatives exist meet this criterion? (as quoted from Adrian Marsden)

"You have to be able to show that, within your environment, you did the best you could to maintain the security and privacy of the data you hold."

In the IT environments I maintain, my actions are based on the meaning of that quote.

With any client I first investigate the feasibility of the client's app running in Wine on Linux. If that fails and the Windows OS is required, I will hide the IE icons and configure the LAN settings to use a non-addressable IP address as the proxy, preventing the use of IE.

If everyone drops IE in favor of Mozilla, and next year two other people are having this same conversation about Mozilla's browser, e-mail, etc., I'll be one of the first to argue that if Mozilla is the target of choice, it is time to move on. The CCIA's CyberInsecurity Report, for instance, points more at the dangers of a lack of 'biodiversity' in IT than at MS itself being the problem. And if that happens, you can address me as AnythingButMozilla.

Lastly:

"But the cost of having that feature custom coded is beyond what most small offices would even consider when MS's 'X' is built right in..."

What part of HIPAA states "But if it is too difficult or costs too much, just forget the whole thing"?