Title: RE: Windows Security & HIPAA


Rachel,
This is really much ado about nothing. If anyone else but Microsoft had done it, no one would bother. The fact is that all one has to do is disable the auto-update feature and the risk is mitigated. I have been evaluating this for some time now and it is really benign. If properly configured, it can actually remove a large burden of staying current with patches on workstations from computer supporters. This is just like any other risk that must be dealt with from a security standpoint. Covered entities give access to all kinds of outsiders all the time in the form of software vendor support. Unless you are decompiling the machine language to see what these patches are really doing you are putting a lot of trust in those vendors. If you are really concerned, block access from the firewall. In a large organization, OS updates to servers should be handled centrally and run in a test environment before being put into production. If Mr. Shock (the guy in the infoworld article) had adhered to that simple principle, he would not be ranting about having to recover his web development server.

Let's assume the worst and that Microsoft uses this to gain access to PHI.

1. That action violates the EULA which states that such access is to be used only to improve the operating system.
2. Upon discovery of Microsoft's violation, the covered entity should act quickly to mitigate the disclosure, including notifying the Secretary of DHHS. This should fulfill any obligation on the covered entity's part.

It appears that one of the ways that HIPAA resembles Y2K is in the hysteria it generates, unfortunately.

Roy G. Clay III
HIPAA Security Project Coordinator
Louisiana State University Health Sciences Center
Health Care Services Division and New Orleans Campus
Email: [EMAIL PROTECTED]
Phone: (504) 568-6130
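The two controls Roy's reply describes, turning the auto-update feature off or keeping it on but pointing workstations at a centrally managed update server whose content has been through a test environment, are both expressed through the same Windows Update policy registry keys. The following is an added example written for this page, not code from either poster; it audits those keys and sets either option. The internal server URL is a placeholder, and the check that treats any non-microsoft.com server as "internal" is an assumption for illustration, not a rule from the thread.

```powershell
# Added example (not from the original message). Audit and set the Windows Update
# policy values that control automatic updating. The server URL below is hypothetical.
$WUPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUPolicy = Join-Path $WUPolicy 'AU'

function Get-AutoUpdatePolicy {
    # Read the policy values. A missing value means "not configured", which leaves the
    # Windows default in force: automatic updating on, pulling from Microsoft's servers.
    $au = Get-ItemProperty -Path $AUPolicy -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WUPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate   = $au.NoAutoUpdate     # 1 = feature disabled
        AUOptions      = $au.AUOptions        # 2 notify, 3 download+notify, 4 scheduled install
        UseWUServer    = $au.UseWUServer      # 1 = use the server named in WUServer
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
    }
}

function Test-AutoUpdatePolicy {
    # $true when the machine is covered by one of the two controls from the message:
    # auto-update disabled outright, or enabled but fed only from an internal server.
    # The "not microsoft.com" test is an assumed heuristic for this example.
    $p = Get-AutoUpdatePolicy
    if ($p.NoAutoUpdate -eq 1) { return $true }
    if ($p.UseWUServer -eq 1 -and $p.WUServer -and $p.WUServer -notmatch 'microsoft\.com') {
        return $true
    }
    return $false
}

function Disable-AutoUpdate {
    # Option 1: turn the feature off. Patching then has to happen by another route.
    New-Item -Path $AUPolicy -Force | Out-Null
    Set-ItemProperty -Path $AUPolicy -Name NoAutoUpdate -Value 1 -Type DWord
}

function Set-InternalUpdateServer {
    param([Parameter(Mandatory)][string]$ServerUrl)   # e.g. 'http://updates.example.internal' (hypothetical)
    # Option 2: keep automatic updating, but only from an organisation-controlled server,
    # so workstations receive only what central support has approved after testing.
    New-Item -Path $AUPolicy -Force | Out-Null
    Set-ItemProperty -Path $WUPolicy -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $WUPolicy -Name WUStatusServer -Value $ServerUrl -Type String
    Set-ItemProperty -Path $AUPolicy -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name AUOptions    -Value 3 -Type DWord   # download, notify before install
}

# Usage (run elevated):
#   Get-AutoUpdatePolicy
#   Test-AutoUpdatePolicy
#   Set-InternalUpdateServer -ServerUrl 'http://updates.example.internal'
```

In an organisation of any size these values would be pushed by Group Policy rather than set per machine; the script is useful mainly as an audit of what a given workstation actually has in effect, which is the check to run before trusting that "disable the auto-update feature" has been done everywhere.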

-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 2:23 PM
To: WEDI SNIP 6 (E-mail 2)
Subject: Windows Security & HIPAA


I found this article interesting. What is the consensus of the security
experts here on this issue?

Thanks,

Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
39432 North Avenue
Beach Park, IL 60099
Voice: 847-872-8070
Fax: 847-872-6860
eMail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
http://www.rfa-edi.com

The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.