Steve Harrison
Chief Information Officer
HCC Benefits Corporation
225 TownPark Drive
Suite 145
Kennesaw, GA 30144
770-973-9851
770-973-9854 fax
-----Original Message-----
From: Chris Riley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 7:51 AM
To: [EMAIL PROTECTED]
Cc: 'WEDI SNIP 6 (E-mail 2)'
Subject: Re: Windows Security & HIPAA
I'd like to agree with Roy in theory and reserve the right to disagree with him in practice. If you subscribe to the thinking that a PC is one type of appliance on a network (Sun claims "The Network is the Computer"), whose purpose is to provide a user interface, then the benefits of delegating the responsibility of patch management to Microsoft probably outweigh the risks (assuming there is a contingency plan in place). I think where we get into trouble is when we start to think that one size fits all. As we start to look at other types of network appliances (file, print, database servers, firewalls, routers, intrusion detection, etc.) the risk/reward ratio changes. The example given in a previous email about the special-purpose imaging device used in brain surgery is a tremendous illustration. There is really no one but the original equipment manufacturer who is qualified to understand the impact of a change to that operating system. Although it is important to ensure the security of the device via patch management, I would argue that Microsoft is not qualified to install the patch.

Just my two cents,
Chris Riley, CISSP
Information Tool Designers Inc.
http://www.info-tools.com/
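The thread's three positions on workstation patching (leave auto-update on, turn it off, or stage updates centrally and test first) map onto a handful of Automatic Updates policy settings. The following PowerShell script is an added example, not something posted in the thread, that reads those documented policy registry values on a Windows host and reports which posture is actually in effect; the key paths, value names and AUOptions meanings are Microsoft's documented Automatic Updates policy settings, and the classification labels are my own.

```powershell
# Added example: audit which Automatic Updates posture a Windows host is in.
# Paths and value names are the documented Automatic Updates policy keys.
$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPath = Join-Path $wuPath 'AU'

function Get-AutoUpdatePosture {
    # Both reads are tolerant of the policy key being absent (unmanaged host).
    $wu = Get-ItemProperty -Path $wuPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue

    # Documented meanings of the AUOptions policy value.
    $auOptionText = @{
        2 = 'Notify before download'
        3 = 'Auto download, notify before install'
        4 = 'Auto download and schedule install'
        5 = 'Local admin chooses setting'
    }

    $posture = [ordered]@{
        Host            = $env:COMPUTERNAME
        PolicyPresent   = [bool]$au
        AutoUpdateOff   = ($au.NoAutoUpdate -eq 1)
        Mode            = if ($au.AUOptions) { $auOptionText[[int]$au.AUOptions] }
                          else { 'Not set (default behaviour)' }
        UsesInternalSrv = ($au.UseWUServer -eq 1)
        InternalServer  = $wu.WUServer
    }

    # Classify against the three options discussed in the thread (labels are mine).
    $posture['Classification'] =
        if ($posture['AutoUpdateOff']) {
            'Disabled: patches must be applied by hand or by another tool'
        } elseif ($posture['UsesInternalSrv'] -and $posture['InternalServer']) {
            "Central: updates are staged through $($posture['InternalServer'])"
        } else {
            'Direct: host fetches, and may install, patches from Microsoft unattended'
        }

    [pscustomobject]$posture
}

Get-AutoUpdatePosture | Format-List
```

Run it per host (or via remoting) to find machines that are still in the "Direct" posture when policy says they should be disabled or centrally managed.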
Rachel Foerster wrote:
Roy,

I appreciate your cogent and clear assessment of the vulnerability on this. In a world of Microsoft bashers (and I'm not one of them) I sometimes think people go off the deep end. I've been away from this level of technical detail for many years and so wanted to hear what folks here thought about this.

Even though I'm a very small office, I use Windows auto update and quite frankly, I'm grateful for it.

Thanks,
Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
39432 North Avenue
Beach Park, IL 60099
Voice: 847-872-8070
Fax: 847-872-6860
eMail: [EMAIL PROTECTED]
http://www.rfa-edi.com
-----Original Message-----
From: Clay III, Roy G. (MCLNO) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 7:52 AM
To: '[EMAIL PROTECTED]'; WEDI SNIP 6 (E-mail 2)
Subject: RE: Windows Security & HIPAA
Rachel,

This is really much ado about nothing. If anyone else but Microsoft had done it, no one would bother. The fact is that all one has to do is disable the auto-update feature and the risk is mitigated. I have been evaluating this for some time now and it is really benign. If properly configured, it can actually remove a large burden of staying current with patches on workstations from computer supporters. This is just like any other risk that must be dealt with from a security standpoint. Covered entities give access to all kinds of outsiders all the time in the form of software vendor support. Unless you are decompiling the machine language to see what these patches are really doing, you are putting a lot of trust in those vendors. If you are really concerned, block access from the firewall. In a large organization, OS updates to servers should be handled centrally and run in a test environment before being put into production. If Mr. Shock (the guy in the InfoWorld article) had adhered to that simple principle, he would not be ranting about having to recover his web development server.

Let's assume the worst and that Microsoft uses this to gain access to PHI.
1. That action violates the EULA, which states that such access is to be used only to improve the operating system.
2. Upon discovery of Microsoft's violation, the covered entity should act quickly to mitigate the disclosure, including notifying the Secretary of DHHS. This should fulfill any obligation on the covered entity's part.

It appears that one of the ways that HIPAA resembles Y2K is in the hysteria it generates, unfortunately.
Roy G. Clay III
HIPAA Security Project Coordinator
Louisiana State University Health Sciences Center
Health Care Services Division and New Orleans Campus
Email: [EMAIL PROTECTED]
Phone: (504) 568-6130
-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 2:23 PM
To: WEDI SNIP 6 (E-mail 2)
Subject: Windows Security & HIPAA
I found this article interesting. What is the consensus of the security experts here on this issue?

Thanks,
Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
39432 North Avenue
Beach Park, IL 60099
Voice: 847-872-8070
Fax: 847-872-6860
eMail: [EMAIL PROTECTED]
http://www.rfa-edi.com
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security
and enter your email address.
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.