Chris,
Just because you're paranoid doesn't mean that everyone isn't out to get you. <grin> If you really want to get paranoid, you could start laying your own telephone cable (you HAVE heard of the giant sniffers the phone company has on all the T1 lines) and decompiling all the applications and system software to make sure the instructions being performed are actually doing what you have been told they are doing. Then there is the hardware. Have you downloaded and examined the firmware from each device to make sure there is not a routine to ship everything that goes to the network printer out over the internet? If you want paranoid, I can show you a level of paranoia you never knew existed. But who has the time or resources to indulge in that sort of thing?
 
Remember that our concern is the security of the patient information stored in our systems. I have written in the past about healthcare learning some lessons from other industries. We can learn something from the military here. The Department of Defense classifies health care information as "sensitive but not classified", which is the lowest level that requires any protection at all. I am not downplaying the importance of that information, but we must make sure that our approach to this is both reasonable and appropriate. This is required by the security rule.
 
As IT managers, it is incumbent upon us to review and evaluate the security risks from the standpoint of damage and likelihood. How likely is it that this could be a source of problems, and how much damage could those problems cause? At our sites, we have been de-emphasizing the importance of the desktop. Because of that we have a number of programs that auto-update, including Windows, virus scanner, ICA client, etc. Because the potential for damage is so much greater on servers, we watch those more carefully. There are also fewer servers (150+ servers vs. 10,000 workstations). Those patches we review, do literature searches on, and run in test environments before we update. Even so, we do get bitten from time to time. It is inevitable. When that happens, you fix it. But these incidents are few. How much more likely is it that you will get hit with a virus or a hacker? What is the damage level from those? If you have done a good job of identifying the threats to your systems and prioritizing in terms of damage and likelihood, I can assure you that this Microsoft issue will be close to the bottom of the list. It may even be below the threshold of caring.
 
As for the issue of switching the software off at the end of the lease, we already have this situation with other services. What happens if you fail to pay the electric bill, or water, or telephone? How devastating would these be to your operations if any one were shut off? In software it is pretty standard for pharmaceutical systems to shut themselves down after a certain time has gone by without a subscription update. This is actually a safety feature to prevent out-of-date information from being used in prescribing medicine. So how do you manage that? You make your payments on time.
 
If, in the course of your evaluation, there comes a time where Microsoft proves itself to be an unreliable partner to the extent that it makes more sense to choose an alternative, that is when you pull out your plans for the Linux Conversion project. <grin>
 

Roy G. Clay, III
HIPAA Security Project Coordinator
Louisiana State University Health Sciences Center
Health Care Services Division & New Orleans Campus
Phone: (504) 568-6130
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Mazur, Jake [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 1:02 PM
To: 'Clay III, Roy G. (MCLNO)'; 'Chris Riley'; [EMAIL PROTECTED]
Cc: 'WEDI SNIP 6 (E-mail 2)'
Subject: RE: Windows Security & HIPAA

Roy, Chris, others,
 
While I agree with most of your comments, I do have a worry that was not brought forward in this thread: My worry has to do with Microsoft's L6 enterprise level agreement that is more of a lease than an outright purchase. When coupled with Auto Update (that is on by default), are you not worried about your Windows machines just turning themselves off one day... when the contract is up? Forcing product updates should "improve the operating system". Therefore, it is in line with the EULA, is it not?
 
Of course the above statement assumes that proper testing was not done... and a bit of what some people would perceive as "paranoia" on my part.
:)
 
Yes, I know my example is an extremist one, but please remember that HIPAA covers smaller entities... entities that cannot afford to have a testing environment. These entities may opt for the L6 agreement because of the improved support and upgrades Microsoft touts. Also, do not forget that Auto Update is on by default in SP3 for Win 2K.
 
Something else: what is stopping an end user from downloading another update from Microsoft if he/she has access to the web? One way to get around that would be to block access to all of the Microsoft mirror sites. Any other suggestions? The worry is that if individual PCs have web access, the effectiveness of testing is limited (i.e. Auto Update will run on that PC). Windows is not open source, so you cannot custom configure the OS. You may remove the update icons from menus, but the applications will still be there.
 
Access to PHI is not the main worry when it comes to Auto Update. The main worry is stability of the OS. Microsoft is known to provide faulty patches. The risk of installing a faulty patch is minimized if you have a testing environment, but it is not eliminated. I believe that Auto Update is a serious issue for smaller entities that do not have a testing environment and run mission-critical applications on Win 2K. Will the average user know how to configure Auto Update? Or even that it can be done?
 
Just my $0.02.
 
-Jake Mazur
GovConnect, Inc.
 
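Editor's note on the "any other suggestions?" question above. Blocking the Microsoft download sites at the firewall is one control; the other is to tell the Automatic Updates client itself where it may fetch from. The client reads a documented set of policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (NoAutoUpdate, AUOptions, UseWUServer, WUServer, WUStatusServer, DisableWindowsUpdateAccess), which is what the Group Policy templates set. The script below is an added example from the editor, not from either poster or from Microsoft; it assumes an Automatic Updates client that honours those policy keys (the SUS/WSUS-style client, not the original Win 2K Critical Update Notification tool), and the server name http://sus01.example.org is a placeholder for an internal patch-approval server. It is written in PowerShell for illustration; the same keys can be set with reg.exe, a .reg file, or Group Policy.

```powershell
# Added example (editor's, not from the thread). Drives the Automatic Updates
# client through its policy keys so that workstations either stop patching
# themselves, or patch only from updates an admin approved after testing.
# Assumption: the AU client on the box honours these policy keys.
#Requires -RunAsAdministrator

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

function Get-AuPolicyState {
    # Report the values that decide whether a workstation pulls patches
    # straight from Microsoft or only from the approved internal server.
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate               = $au.NoAutoUpdate
        AUOptions                  = $au.AUOptions
        UseWUServer                = $au.UseWUServer
        WUServer                   = $wu.WUServer
        DisableWindowsUpdateAccess = $wu.DisableWindowsUpdateAccess
    }
}

function Set-AuPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AutoInstallFromMicrosoft', 'Disabled', 'InternalServerOnly')]
        [string]$Mode,
        # Placeholder name; replace with your own SUS/WSUS server.
        [string]$InternalServer = 'http://sus01.example.org'
    )
    foreach ($p in $WuPolicy, $AuPolicy) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    switch ($Mode) {
        'AutoInstallFromMicrosoft' {
            # The weak setting the thread worries about: download and install
            # whatever Microsoft publishes, with no local testing step.
            Set-ItemProperty $AuPolicy NoAutoUpdate 0 -Type DWord
            Set-ItemProperty $AuPolicy AUOptions    4 -Type DWord   # auto download, scheduled install
            Set-ItemProperty $AuPolicy UseWUServer  0 -Type DWord
        }
        'Disabled' {
            # Switch the client off; patching becomes a manual, tested step.
            # DisableWindowsUpdateAccess also removes the Windows Update
            # site link so users cannot start an update themselves.
            Set-ItemProperty $AuPolicy NoAutoUpdate 1 -Type DWord
            Set-ItemProperty $WuPolicy DisableWindowsUpdateAccess 1 -Type DWord
        }
        'InternalServerOnly' {
            # Keep automatic patching, but only of updates an admin approved
            # on the internal server after testing; block the public site.
            Set-ItemProperty $AuPolicy NoAutoUpdate 0 -Type DWord
            Set-ItemProperty $AuPolicy AUOptions    4 -Type DWord
            Set-ItemProperty $AuPolicy UseWUServer  1 -Type DWord
            Set-ItemProperty $WuPolicy WUServer       $InternalServer -Type String
            Set-ItemProperty $WuPolicy WUStatusServer $InternalServer -Type String
            Set-ItemProperty $WuPolicy DisableWindowsUpdateAccess 1 -Type DWord
        }
    }
    # Return the resulting state so the change can be verified or logged.
    Get-AuPolicyState
}

# Usage:  Set-AuPolicy -Mode InternalServerOnly
#         Get-AuPolicyState   # audit a box before and after
```

The client picks the new values up after a policy refresh or a restart of the Automatic Updates service. Note the limit of this control: a local administrator can set the keys back, so on machines where users have admin rights it only complements, and does not replace, blocking the public update sites at the network edge as suggested above.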


The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.
