Roy G. Clay, III
HIPAA Security Project
Coordinator
Louisiana State
University Health Sciences Center
Health Care Services Division & New Orleans Campus
Phone: (504) 568-6130
Email: [EMAIL PROTECTED]
-----Original Message-----
From: Mazur, Jake [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 1:02 PM
To: 'Clay III, Roy G. (MCLNO)'; 'Chris Riley'; [EMAIL PROTECTED]
Cc: 'WEDI SNIP 6 (E-mail 2)'
Subject: RE: Windows Security & HIPAA

Roy, Chris, others,

While I agree with most of your comments, I do have a worry that was not brought forward in this thread: My worry has to do with Microsoft's L6 enterprise level agreement that is more of a lease than an outright purchase. When coupled with Auto Update (that is on by default), are you not worried about your Windows machines just turning themselves off one day... when the contract is up? Forcing product updates should "improve the operating system". Therefore, it is in line with EULA, is it not?

Of course the above statement assumes that proper testing was not done... and a bit of what some people would perceive as "paranoia" on my part. :)

Yes, I know my example is an extremist one, but please remember that HIPAA covers smaller entities... entities that cannot afford to have a testing environment. These entities may opt for the L6 agreement because of the improved support and upgrades Microsoft touts. Also, do not forget that Auto Update is on by default in SP3 for Win 2K.

Something else, what is stopping an end user from downloading another update from Microsoft if he/she has access to the web? One way to get around that would be to block access to all of the Microsoft mirror sites. Any other suggestions? The worry is that if individual PCs have web access, effectiveness of testing is limited (i.e. Auto Update will run on that PC). Windows is not open source, so you cannot custom configure the OS. You may remove the update icons from menus, but the applications will still be there.

Access to PHI is not the main worry when it comes to Auto Update. The main worry is stability of the OS. Microsoft is known to provide faulty patches. The risk of installing a faulty patch is minimized if you have a testing environment, but it is not eliminated. I believe that Auto Update is a serious issue for smaller entities that do not have a testing environment and run mission critical applications on Win 2K.

Will the average user know how to configure Auto Update? Or even that it can be done?

Just my $0.02.

-Jake Mazur
GovConnect, Inc.