Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Win2k + SP3 HIPAA Compliant?

Posted by Cliff on from the EULAs-vs-government-regulations dept.

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

2 of 401 comments (clear)

  1. Watch out for the 'disable' option by RobertNotBob · · Score: 5, Interesting
    I work in the healthcare industry and have been following this fairly closely. One alarming thing that I have seen in various discussions is the idea that simply disabling the feature has any affect on the situation.

    It does not.

    The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells you machine not to do it. At any time, either pre-programed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it, if you sign a document that states I have the privilage to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.

    Also don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer ( I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT Maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right infront of me now, I'm pretty sure that mediaplayer even specificly mentions that current features may be removed (playing MP3's) by the unannounced 'upgrades'.

    Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.

    oh, DARN ! ;)

    And for the record, I am not a lawyer. Don't take this as legal advise. Heck, I could be dead wrong. Localities and Nationalities will obviously differ in their approaches.

    --
    ___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
  2. Re:Problem is EULA not SP by Anonymous Coward · · Score: 5, Interesting

    I agree completely. It's the legal issues (not the "probable" or "possible" intrusion).

    At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.

    No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.

    The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.

    Ergo, we haven't installed SP3 and doubt that we will.