Is Win2k + SP3 HIPAA Compliant?
Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?
First off, if you're storing the medical records on individual workstations instead of a centralized database, you're a moron.
Second, if you let your servers auto-update and apply patches from *ANY* vendor without doing your own testing and verification of those patches beforehand, you're an idiot.
And third, if you don't have proper egress filtering and logging in place to make sure this isn't happening and know who keeps hitting the damn Windows Update buttons when they're not supposed to...then you're a fool.
And a fool and his job are soon parted.
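The egress filtering and logging the comment above calls for, shown as an added example that is not from the thread or any poster: a small Python script that parses constructed proxy log lines, flags record servers that reached Windows Update hosts, counts which machines did so, and models the egress rule (protected hosts may only reach an allowlisted patch-staging server). The log format, the host patterns, the IP addresses and the staging-server name are all assumptions made for the example.

```python
"""Spot record servers phoning home to Windows Update from proxy logs.

Added example, not code from the thread. Everything below (log shape,
addresses, host names) is constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample lines: "<timestamp> <client-ip> <dest-host>:<port> <method>".
# Assumption: your proxy or firewall logs at least source IP and destination host.
SAMPLE_LOG = """\
2002-08-27T09:14:02 10.0.5.21 windowsupdate.microsoft.com:80 GET
2002-08-27T09:14:03 10.0.5.21 v4.windowsupdate.microsoft.com:80 GET
2002-08-27T09:20:11 10.0.7.40 www.example.org:80 GET
2002-08-27T10:02:45 10.0.5.22 windowsupdate.microsoft.com:443 CONNECT
2002-08-27T10:05:00 10.0.7.41 download.windowsupdate.com:80 GET
"""

# Constructed: the machines holding the records, which must only receive
# patches that were staged and tested internally.
RECORD_SERVERS = {"10.0.5.21", "10.0.5.22"}

# Constructed: the only destination a record server is allowed to reach.
PATCH_STAGING_ALLOWLIST = {"patch-staging.internal"}

# Assumption: destinations under these names count as Windows Update traffic.
UPDATE_HOST_RE = re.compile(r"(^|\.)windowsupdate\.(microsoft\.)?com$", re.IGNORECASE)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<method>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let one odd line abort the whole run
        events.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "method": m["method"],
        })
    return events


def is_update_host(host):
    """True if the destination looks like a Windows Update endpoint."""
    return bool(UPDATE_HOST_RE.search(host))


def find_violations(events, protected_hosts):
    """Events where a protected host talked to a Windows Update endpoint."""
    return [e for e in events if e["src"] in protected_hosts and is_update_host(e["dst"])]


def offenders_by_host(violations):
    """Count violations per source IP so you know which box keeps doing it."""
    return Counter(v["src"] for v in violations)


def is_allowed_egress(src, dst, protected_hosts, allowlist):
    """The egress rule: protected hosts may only reach allowlisted destinations.

    Unprotected hosts are left to whatever policy applies to them elsewhere.
    """
    if src not in protected_hosts:
        return True
    return dst in allowlist


if __name__ == "__main__":
    found = find_violations(parse_log(SAMPLE_LOG), RECORD_SERVERS)
    for v in found:
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['port']} ({v['method']})")
    print("offenders:", dict(offenders_by_host(found)))
```

Run it against your own export by replacing SAMPLE_LOG with the file contents and RECORD_SERVERS with the addresses of the machines that hold the records; the `is_allowed_egress` rule is the policy your firewall should already be enforcing, and the violation list is what your logs should show is empty.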
Oh right, we take the word of a GOP flack posing as an Anonymous Coward over Prof Sobel from Harvard Medical school in the LA Times.
At least there is no confusion over where I stand concerning my opinion of his inadequacy (follow the link in my .sig).
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/