RE: Microsoft technologies. By default, non-HIPAA compliant?

[Jeremy Epstein <jeremy.epstein () webmethods com>]

I'm no Microsoft apologist, but let's not go off the deep end.

HIPAA has very few direct requirements.  A lot of what needs to be done
depends on the environment.  For example, if I have a closed environment
with no Internet connections (yes, this happens in some places) and
sufficient controls to protect servers against insiders, then the latest IE
problems are of no concern at all.  So saying that ipso facto you're not
HIPAA compliant if you use Microsoft products is clearly wrong.

A slightly less draconian configuration might have a filtering router that
only allows users to visit particular sites; in that case also, the IE
problems would be of no concern (since the redirect to the Russian and
Estonian sites could be prevented).  Again, this may not be the average
network configuration, but I suspect these are used in places like call
centers to avoid having people off web surfing.  And it's certainly the case
that some libraries limit sites that can be visited, in the (misplaced) aim
of preventing web surfing porno sites.

Some might say that any use of passwords for authentication (as opposed to
something stronger like a SecureID or a biometric) is in violation of the
spirit of HIPAA.  But I'd disagree with them too: it's all about looking at
the total risk environment.

The latest set of attacks demonstrate some pretty bad problems, and
Microsoft deserves a lot of criticism.  But let's not go overboard.

> -----Original Message-----
> From: Anything But Microsoft [mailto:abm () anythingbutmicrosoft org]
> Sent: Tuesday, June 29, 2004 10:43 PM
> To: <@securityfocus.com BUGTRAQ
> Cc: secure () microsoft com
> Subject: Microsoft technologies. By default, non-HIPAA compliant?
>
>
> The US health care system is the only industry where best network and
> security practices are a federally mandated requirement.
>  
> In light of last weeks MS vulnerabilities with no known patches or
> usable work around (text only mode in a browser, or security settings
> that disable most usage, is not a suitable work around) I have a
> question for everyone here with an answer for interpretation.
>  
> Are Microsoft technologies by default non-HIPAA compliant in 
> regards to
> protecting confidential patient information? If you are a health care
> provider and use any Microsoft technology where alternatives 
> exist, such
> as for e-mail and web usage, is that exposing your PC/network to
> unnecessary risks? (Thereby violating the spirit of HIPAA?)
>  
> When security experts en-mass suggest you find alternatives to IE, and
> you as an information technology services provider to the health care
> industry do not provide these Microsoft alternatives, are you not
> providing HIPAA compliant services?
>  
> My view is that any health care provider using replaceable Microsoft
> technologies is not HIPAA compliant, in regards to privacy or security
> of patient data.
>  
> Your thoughts and comments?
>  
> <duck and cover...>
>  
>