Is Win2k + SP3 HIPAA Compliant?

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What a waste of time

[1010011010]

Additional thouughts:

Use a firewall to block all traffic into and out of your network, and make the machiens inside use proxy servers (for http) and relays (for smtp) to access the internet. In other words, disallow all traffic that is not explicitly permitted. Log what goes through the proxies and relays, and log attempts at initiation of direct outgoing traffic.

HIPAA Compliance

[mosch]

If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

Besides, would you really want to take legal advice from a group of people who are known to mistake duct tape and baling wire for building materials?

Re:HIPAA Compliance

[Anml4ixoye]

Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

Normally I would agree wholeheartedly with this statement. However, I have already seen a comment from a person who is going through the same thing and had a bang-up answer that made since. I have seen a lot of crap, but I don't think that the author is intending on using Slashdot in court ("Your honor, but L0053c4nn0n on Slashdot said it was right!") but simply not wanting to duplicate steps that others have already taken.

Re:HIPAA Compliance

[miffo.swe]

Actually i think slashdot is an amazing pool of knowledge. Even if the information isnt correct all the time it gives very valuable hints on where to look and go furter.

Ofcourse you shouldnt read slashdot like the bible, use common sense if avaliable.

Re:HIPAA Compliance

[sphealey]

If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

In the long run, you are of course correct. This issue will need to be resolved by the hospital's CIO and Legal Dept.

However, when seeking assistance from a lawyer (or any similar professional) it is best to have a basic understanding of what is going on, and what you need, before you set up a meeting. You will get a lot more accomplished that way.

Similarily, lawyers aren't born knowing everything (even though they try to foster that impression!). If your hospital's legal dept. primarily handles malpractice and billing cases, and you bring an intellectual property / EULA problem to them, they are also going to have to do some research to get up to speed. Being able to provide background helps here too.

sPh

Re:HIPAA Compliance

[TheLostOne]

Certainly it is... just have to remember somewhere over 50% is pure FUD... how many times have you seen an absolutly wrong parent post at 4-Informative clearly disproven by a 2 :)

That being said... sure there will be good info on /. ... but what can I say. Sure seems fishy when /. asks a question 'gee windows SPBlah breaks the rules, what ever could we do about it....' You almost can't blame them when they say 'use linux windows is the suxor'

A question like this is bound to yield as much propaganda as it is useful information... slashdot is the last place on earth I'd go to consider useful windows solutions in peace (again... plenty of useful posts already up, just gotta scroll past the 'why are you using windows' posts ;)

Re:HIPAA Compliance

[crawling_chaos]

It doesn't matter if you get the right answer on Slashdot. HIPPA is a legal monster and you must get advice from competent legal counsel. To give a marginally related example, a lawyer might give you good medical advice, but you'd be a fool not to check with a doctor before you took the lawyer's advice. Again, find a lawyer who's a HIPPA expert. No other advice counts.

Re:HIPAA Compliance

[rjamestaylor]

Excellent post. I'm reminded of a quote from Thomas Jefferson along the lines of

• Those who do not read newspapers are closer to the truth as are those who know nothing are closer to the truth than those who know a lie

As one whose fate is closely tied to HIPAA, seeing this topic on Slashdot was pretty disturbing, to say the least....

Re:HIPAA Compliance

[innocent_white_lamb]

Ask Slashdot might give you better/more questions to ask, though. "Hey, I never thought of that angle!" Then go and check it out.

Slashdot is a truly amazing pool of odd facts, opinions, and astounding (and sometimes asinine) insights.

"How to defang Win2k SP3's auto updating"

[C0vardeAn0nim0]

is the head title of this arcticle in The Reg.

basicaly it teaches how to deactivate this backdoor M$ is installing in every win2k box.

now, the original submiter could really consider an alternative.

if U don't like free (as in freedom) open source tools, why not a Solaris box with Oracle to keep the data ? Or an AIX with DB2 ? or PostgreSQL ?

does you REALLY need win2k ????

Re:"How to defang Win2k SP3's auto updating"

[Xaoswolf]

Well, for starters, Solaris boxes are rather expensive, the person asking the question may not be able to authorize that kind of purchase even if he wanted to. I believe he was looking for either a software fix, or a cheaper hardware one that would still allow him to use his current setup. I'd suggest a fire wall, and disabling the autoinstallers.

Re:"How to defang Win2k SP3's auto updating"

[Liet+Hacksor]

Solaris boxen expensive? Not really - Get a Sun Blade100 for $995.00, order your RAM upgrade elsewhere, and you have a real workstation at Dell prices. OK, the MHz is lower, but do you really *need* 2.4GHz if you're not gaming? Besides, you can run the Sun Grid Engine (free) and aggregate your computing cycles as needed.

Re:"How to defang Win2k SP3's auto updating"

[Neck_of_the_Woods]

Cripes man, have you ever seen the cost of a Unix oracle installation??

Why did SQL6/7/2000 ever get a foot hold? Look at the prices.

Yes, indeed medical should have the money to buy this stuff, but a lot of places are on the verge and can't spent this kind of money.

#2 - Install your sp3 and disable the auto-update. Sometimes I think slashdot puts this kind of crap up as one large troll. Not that microsoft is a saint, or even a normal sinner, but 2 wrongs don't make a right. The stance that you leave out a little information to try to make a point is bias. Every day slashdot slips down the slippery slope and it is starting to get ugly.

Re:"How to defang Win2k SP3's auto updating"

[epfreed]

Many medical applications for small/med medical facilities unfortunately only run on Windows. In my experience the majority of these have a desktop component (such as medical record information systems), but a whole bunch of (somewhat low end) equipment like digital X-Rays, and such also come with W2K workstations. The big stuff, like multi-million $ MRI, PET scanner, etc run a version of Unix (IRIX, Solaris, even VAX). So sometimes there is no real alternative. The vendor of the equipment decides what to run.

Re:"How to defang Win2k SP3's auto updating"

[Spackler]

basicaly it teaches how to deactivate this backdoor M$ is installing in every win2k box.

Not to be a conspiracy theorist, but that only deactivates the "well known" update service. Once you have SP3 on your machine, you have agreed to the EULA, allowing Microsoft to throw anything, anyway, anytime onto YOUR machine. Once they have the right (that you just agreed to to get the bugfixes), the barn door is open to any way Microsoft can get files onto your machine. Known to you, or not.

• PS: Could a lawyer please explain how that is not a protection racket?

Re:"How to defang Win2k SP3's auto updating"

[Ilgaz]

Don't forget the fact that they are 64bit CPUs. Never compare 64bit with 32bit on clock speed.

Re:"How to defang Win2k SP3's auto updating"

[MaxQuordlepleen]

You must not have a blade. The graphics subsystem that ships by default is severely substandard and makes the blade 100 almost impossible as a workstation, believe me I know - I've got one.

It's possible that you could install Linux on the blade 100 and use a Wintel PCI video card , or maybe even Solaris and XFree86 but I haven't explored these possibilities.

Re:"How to defang Win2k SP3's auto updating"

[Cyberdyne]

Well, for starters, Solaris boxes are rather expensive,

Really? Apart from Solaris on x86, you can get Sun hardware for $1k now - OK, you can buy cheaper x86 systems, but by the time you factor in the usual MS stuff (Win2k, Office, support costs for another Windows box) Solaris could well be a better option.

I'd suggest a fire wall, and disabling the autoinstallers.

I'd suggest the obvious approach. Think: what exactly does your database system need Internet access for? Just don't plug it into the Net: keep it sitting on a desk, offline (or at least LAN only). That way, it cannot be compromised except locally, which isn't usually an issue (just lock the door!)

It's quite depressing how many people assume computer=networked=on-Internet-without-firewall these days. Despite all the dot-com style hype about online domestic appliances, your refrigerator, toaster and medical records server do not need (or even benefit from!) an Internet connection!

Re:"How to defang Win2k SP3's auto updating"

[Liet+Hacksor]

Actually, we have 30 Blades.

Yes, the PGX64 graphics system isn't great, but you can order it with 'good' card straight from sun. No 'Wintel PCI' + linux needed.

When you say 'impossible as a workstation', we run 2D CAD (Arris), KDE 2.2.2, and StarOffice. We drive 19" monitors at 1280x1024 @ 85Hz. No flicker, no redraw issues in the CAD software at all... You don't need the latest Radeon card to run a spreadsheet, after all.

To keep this on the original topic, any medical software (www.synitech.com - it's HIPAA compliant) is going to be glorified text-entry anyway. Also, If (unlikely) the original poster was going to switch to a unix solution, he could be running shared-memory graphics on a Celeron 500 for all we know, so don't make like the Blade100 is 'unusable' (it's not!).

Re:"How to defang Win2k SP3's auto updating"

[alext]

The question relates to the license not to the technology. Technical fixes might be a fascinating subject in their own right but they are irrelevant in this case.

Re:"How to defang Win2k SP3's auto updating"

[Xaoswolf]

you can get Sun hardware for $1k now

But not all companies can spare the extra thousand dollars to replace hardware that is working fine as it is.

keep it sitting on a desk, offline

This is no good if you access the database from multiple workstations. And they will need net access if email is used, or to do online orders.

Re:"How to defang Win2k SP3's auto updating"

[MaxQuordlepleen]

Your "good" card from Sun doubles the price of the machine. You'd get much more bang for your buck buying an OEM PC preloaded with Linux than with the Blade.

Don't get me wrong, I love Sun equipment - my employer is a Sun reseller among other things - however, let's be realistic, the performance of the integrated graphics chip on the Blade is horrible. I found dropping my resolution to 1024x768 and switching to "no background" in CDE improved things from "horrible" to "frustrating".

I actually am happy with my Blade, for what it is - a Netra with an X console, but I am shocked that you are using it - apparently happily - as a serious desktop. Maybe the solution is not to use CDE ;)

Re:"How to defang Win2k SP3's auto updating"

[pmz]

...Solaris boxes are rather expensive...

This isn't necessarily true. Decent Sun computers go from about $500 used up to, well, imagine a really big number.

I'm not making up that $500 number either. I just saw an Ultra 30 special for that much (250MHz CPU, 36GB UltraSCSI storage, 256MB RAM, accel 2D graphics). A Solaris license would be required, but even those are cheap (or free). This sort of workstation would do just fine hosting a small to moderate database.

$500 isn't the cheapest, either, since the older 32-bit Sun workstations easily sell for only a few hundred dollars or less used now-a-days.

One of the added benefits of Solaris: Sun is perfectly happy to stay off your back, if you want them to. Their automatic monitoring features are "opt-in" (e.g., service agreements). What a concept.

Re:"How to defang Win2k SP3's auto updating"

[OrangeSpyderMan]

.../me looks around for some poor doctors :-D

Re:"How to defang Win2k SP3's auto updating"

[Xaoswolf]

Hospitals are always looking for money, same thing for family practices or small offices. Not every doctor gets the same salary as a hollywood plastic surgeon.

Re:"How to defang Win2k SP3's auto updating"

[Odinson]

"#2 - Install your sp3 and disable the auto-update. Sometimes I think slashdot puts this kind of crap up as one large troll. Not that microsoft is a saint, or even a normal sinner, but 2 wrongs don't make a right. The stance that you leave out a little information to try to make a point is bias. Every day slashdot slips down the slippery slope and it is starting to get ugly."

If you agree to a contract with your landlord that says he may legally enter your apartment and move about freely at any time, what differance does it make what you do to lock the windows and doors?

Re:"How to defang Win2k SP3's auto updating"

[johnnyb]

Why doesn't anyone use SAP's database? It's free, Oracle7 compatible, and enterprise-ready (i.e. - you can run SAP's applications on it).

Re:What a waste of time

[Kristoffor]

Well I cannot speak for the author of the question but I can tell you that *I* was very intreaged when I saw this question. As an IT professional in a healthcare related field I am bombarded by questions re: HIPAA compliance. The HIPAA regs are in such disarry and so unclear that many people in the industry are anxiously waiting for the moment the regs are cleared up and complete so we can "sprint towards compliance".

MS Windows EULA not HIPAA compliant

[RazorJ_2000]

Microsoft Windows is not HIPAA-compliant and you legally may not be allowed to use any MS Windows as your O/S without facing severe legal ramifications if I'm understanding the HIPAA information site correctly. Although there can be many security-related concerns and issues surrounding MS Windows and MS products in general, I believe that it comes down to the EULA that MS has you basically agree to when you install MS Windows. Under the terms of the EULA, you agree that MS can access your system at any time. That totally violates the security and confidentiality requirements of the HIPAA legislation.

Anyone care to argue/agree?

Re:MS Windows EULA not HIPAA compliant

[bjiujitsu3]

hmmm intresting point. It should be stated this is only an academic point. The government wants health care to provide resonable effort in it's privacy and security efforts. Win2K, NT, and XP pro will be easy to justify as resonable. 95,98,ME, XP home may be a little tougher..... Anyway, to take the argument a step further, a covered entity could choose to create a Biz agreement or Chain of Trust agreement with M$. This would cover any issues that arose from the EULA. I wonder if M$ would sign it :)

Re:MS Windows EULA not HIPAA compliant

[rseuhs]

It should be stated this is only an academic point.

Huh?

What do you mean? What guarantees do I get that Microsoft isn't changing policies again and starts to do really nasty things? Face it: *Anything* can happen. Microsoft might never use their power or they might start deleting warez tomorrow.

It's stupid to be dependent on a single-vendor solution. And it doesn't matter if the vendor is called Microsoft, Apple or Sun.

Re:MS Windows EULA not HIPAA compliant

[JWW]

The government can audit you and find you out of complience basically at their whim.

It doesn't matter if Windows systems are a monopoly, and everyone has them. They will find everyone they audit to be out of complience. Auditors are looking for a score, they don't give a shit about your ability to do business.

BTW: This EULA aslo is not FDA part 11 compliant either. Locked down systems would need to be revalidated after any and all autoupdates.

Re:MS Windows EULA not HIPAA compliant

[Omega996]

i think it would be very difficult to classify microsoft as having 'due cause' in regards to the legal ability to access the computer patient data is stored on. i agree with you. most people don't understand the hipaa regs (they are amazingly obtruse, after all); even 'consultants' who are supposed to know this sort of thing don't all seem to get it. i can't wait to hear the vp of is where i work talk his way out of this one, since he used the hipaa legislation as his reason to switch the mission critical platform from aix to windows.
what kind of person calls a database running on windows NT a 'data vault'? seems a bit erroneous, given the fundamental flaw in windows cryptographics. maybe a 'data wallsafe', or 'data cashbox'. not a vault...

anyhow... to summarize, i agree with you.

Time for your company to dump microsoft.

[MrJerryNormandinSir]

I've got new for you. There's a more robust OS
out there. More secure. And you don't pay a per
seat license.

And you've got your choice! I prefer Linux myself!

Re:Time for your company to dump microsoft.

[jayhawk88]

Yeah, that'll go over real good.

Elitist IT Moron: We have decided that Microsoft products are no good, and we're going to switch all of our operations to Linux-based solutions.
Docs: Well, OK, just as long as we can still get our work done. Will we still be able to send our grant applications and other records to the various governmental agencies, other hospitals, and such without and problems?
Elitist IT Moron: Well you'll be using this open source word processing program that is designed to be compatible with Word, but there is a chance that some places won't be able to view it properly, or it will look slightly different. Medical companies aren't sticklers for complete and total accuracy, are they?
Docs: What about these hundreds of legacy DOS and Windows applications that do one thing for us, but do it incredibly well, that we absolutely have to have? Will they still run?
Elitist IT Moron: Umm...No. But there may be 0.85 pre-beta versions of comperable apps up at SourceForge we could try! Or we could maybe try Wine and see if we can get a few of them to work.
Docs: So basically you're telling us that by switching to Linux, we won't be able to properly communicate with the people we need to, and we won't be able to use the applications we need to.
Elitist IT Moron: Uhh....W1nd0ze suxxor?

Re:Time for your company to dump microsoft.

[curious.corn]

Ha, ha very funny indeed! So basically you're saying that's OK for a company to stick with a crumbling IT infrastructure just because they mistakenly omitted to acquire the source to the custom apps they deployed 10 years before? So now that the joke who wrote them flew away to Cuba you're stuck, eh? That's strange, you seem to imply that the Elitist IT Moron is about to get fired while I think the ones about to flip burgers are the asses that cooked up this crap in the first place.
Know what? I'd answer that the 0.85 pre-beta apps could be sublicensed to develop them in-house or pay a local/big sw firm to polish up the job and sell you the source (or @ least agree to source disclosure agreements in case of business termination, etc...)

Remember ELITIST M$ GROUPIE, never surrended knowledge of your business to anyone or you balls will roll, sooner or later! And that includes how the bits that live in your ws work.

Re:Time for your company to dump microsoft.

[jayhawk88]

No, what I'm saying is that IT departments work for their customers, not the other way around. You can suggest, recommend, push towards, and even whine all you want. But when it comes down to brass tacks, when the customer "just wants it to work", you're going to do what it takes to make it "just work", even if that means continuing to use MS products against your better judgement.

The point here is that there's no way in hell most companies can just throw away MS products cold turkey. This sort of thing might work for IT shops or code developers, but in most other sectors it's a pipe dream. Not every company can afford (in time and money) to hire on extra people or train up existing staff to the point where they can custom-code apps to replace existing ones, just like they can't expect all the companies or entities they communicate with to suddenly bend to the quirks of their suddenly "not quite compatible" software.

So yes, I do sort of take offense when someone mouths off with "Just drop MS and use Linux" as a solution to problems like this, like it was as easy as switching from Coke to Pepsi in the breakroom.

Re:Time for your company to dump microsoft.

[Zamfir]

in the name of all thats holy, someone please mod parent up. when i see people taking issues with posts like this one it makes me wonder if some of the more zealous linux zealots here ever had a real job. no one is arguing that there is risk associated with running windows vs more secure operating systems. but, common sense should tell you people that the risk of staying needs to be weighed against the cost of moving. healthcare happens to be the business i work in and i can tell you first hand that this is not a nimble industry when it comes to technology. years back when taking part in a windows 95 migration at a place i worked at (500 desktops or so) i was FLOORED by the number of applications out there being used. maybe 100 or so in total. lots of these were either custom built or specialty applications. when you are in a specific business, sometimes you need REALLY SPECIFIC SOFTWARE. do you jackasses have any idea of what the cost would be to find alternatives for 2 dozen specialized applications, implement them, and retrain potentially hundreds of people? its called common sense! disclaimer - this post does not imply that i somehow think that windows is very secure or that microsoft is a warm and fuzzy company worthy of everyone's trust.

Re:Time for your company to dump microsoft.

[Zamfir]

i am entirely serious here:

how old are you?

Re:Time for your company to dump microsoft.

[Bagheera]

Docs: Well, OK, just as long as we can still get our work done. Will we still be able to send our grant applications and other records to the various governmental agencies, other hospitals, and such without and problems?

Competent IT Manager: Yes. It will mean changing platforms and learning new software, but it will be no harder than when we moved you from Word 5.5 to Word 6 (Word 6 to 97, Word 97 to Word 2k, etc.)

Docs: What about these hundreds of legacy DOS and Windows applications that do one thing for us, but do it incredibly well, that we absolutely have to have? Will they still run?

Competent IT Manager: For the systems that don't require HIPAA complience, we'll be able to leave the legacy applications in place. For others, we will be moving to updated custom applications, or working with other solutions. The bottom line is we will maintain the functionality, even if it requires a bit of retraining.

Docs: So basically you're telling us that by switching to Linux, we won't be able to properly communicate with the people we need to, and we won't be able to use the applications we need to.

Competent IT Manager: No. It means learning some slightly different ways to do the job, but ultimately you'll be able to do everything you could do before. It will also give us closer compliance with witht the new regulations and enable us to better support you and the rest of the faculty. It will also give us capabilities we didn't have before, and will save the Hospital money in the long run.

I've had this argument.

It's not fun.

Re:Time for your company to dump microsoft.

[Ozymandias_KoK]

Not much of a clue about your average hospital's IT budget, do you? Have you ever implemented a SINGLE medical type system, much less any that may talk to a hundred others? This prolly all sounds very simple in your mind, but that tain't the real world.

Re:Time for your company to dump microsoft.

[Bagheera]

Actually, more of a clue than you realize. And yes, I have.

I live with an IT manager for a large University Hospital and am painfully aware of the arguments and budget constraints. I am regularly shocked by some of the decisions made at the upper management levels regarding IT in general, and Information Security (my field) in particular. Yes their budgets are tight, but a little thought could save them a whole lot of money and make their lives easier overall.

Please note that I was responding to someone else who presented it as 'IT morons' wanting to change everything because it was the cool, geek, thing to do. Those aren't valid reasons to change an entire system.

I didn't say it was easy or cheap. But given the choice between paying for an upgrade to XP (assuming XP's licensing doesn't, itself, present unacceptable terms in the EULA) or migrating to Linux/BSD/Anything the arguments are valid. Obviously, some of those legacy systems are still in place because it costs too bloody much to replace them!

HPIAA logo?

[Galahad]

Is it just me, or does the logo at the top left of the HIPAA web site look like the cover of an O'Reilly book?

Re:HPIAA logo?

[liquidsin]

Yeah, but I thought the hippo was for the javascript app cookbook.

Re:HPIAA logo?

[vile7707]

That's some weird, and kinky stuff going on there. Looks to me as if they are spanking that hippo with a feather.

Problem is EULA not SP

[sphealey]

Running a Windows OS connected to the Internet without a firewall would constitute a violation of the "due cause" clause, with or without SP3.

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

Have to disagree with your police work a bit there.

The problem is not the service pack or the auto-downloader, which can be disabled. The problem is with the EULA itself, where Microsoft reserves for itself the right to access your system at any time. Installing the service pack off-line still requires acceptance of the EULA.

sPh

Re:Problem is EULA not SP

[cr@ckwhore]

"Access to the system" is a broad term... there are many ways to access a system and stay within HIPAA guidlines.

Re:Problem is EULA not SP

I agree completely. It's the legal issues (not the "probable" or "possible" intrusion).

At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.

No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.

The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.

Ergo, we haven't installed SP3 and doubt that we will.

Re:Problem is EULA not SP

good than all your box will belong to me and read them all of your word doc's and put them up on slashdot.

Re:Problem is EULA not SP

[ShavenYak]

good than all your box will belong to me and read them all of your word doc's and put them up on slashdot.

No, all your box are belong to me!

Re:Problem is EULA not SP

[itsJools]

True. With MS sooner or later you will have to do a security update (or be stuck with an insecure system), and chances are that there will be a EULA that will conflict with your company's (privacy) policy. I'm currently working on a database project which will contain very privacy-sensitive (medical) data. We chose for postgresql (not to start an mysql pg flamewar, but pg was the more suitable for our purposes) because it's open, and thus safer. We would never trust this data to be stored in a database made by a company that will possibly break into the data. Of course, MS (and Oracle and the rest) will say that they would never do such a thing, but that's beside the point. Once I agree to the EULA they have the _right_ to do it. And even if the current EULA looks OK, there is no guarantee that future ones will be OK.

Re:Problem is EULA not SP

[operagost]

Well, shoot, the US courts have ruled that consumers are allowed to make copies of analog media for personal use, but that hasn't stopped the industry from putting Macrovision on the video tapes to try to stop us.

Let's turn the tables on them this time.

Re:Problem is EULA not SP

[LegendLength]

I'm sure it states that authentication is required though.

Re:Problem is EULA not SP

[boskone]

Actually, it'll be wordperfect docs if it's law firm data... get your openoffice filter set for that format...

Re:Problem is EULA not SP

[spd_rcr]

well put ! mod up

Re:Problem is EULA not SP

[DrSkwid]

because it's open, and thus safer.

be warned, this is not a universal truth

Re:Problem is EULA not SP

[MikeTheYak]

It's the next clause that's bad:

* The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

Re:Problem is EULA not SP

[dbrutus]

Since this effectively cripples your ability to maintain a secure box, when are you going to start migrating off MS in order to maintain your NDAs?

Re:Problem is EULA not SP

Meaning, if you utilize an Internet component, they can check it for version and/or patch it.

Meaning, if you firewall the box, and therefore do not use the component, you agree to nothing.

Let's see, so using an internet component (internet explorer, telnet, ... basically any thing microsoft sees as connecting to the internet), M$ can check the version and patch it. Your statement about a firewall makes no sense. The license is clear.. use anything that connect to the internet(internet component) and M$ can check the version and possibly update it.

Re:Problem is EULA not SP

[Black+Copter+Control]

If you use Mozilla, it will not do anything.

Great: Let's me see you use Mozilla without using Microsoft's TCP stack... You're pretty much SOL, here.

Re:Problem is EULA not SP

[lpq]

danhaskett, writes:

That is untrue. Read the EULA snip:

* If you choose to utilize the update features within the OS Product or OS Components
===
You give them permission if and only if you use the auto-update features.

---
You're reasoning is flawed. No where in what you quote does it say you give up control of your system *only* if you use auto-update. It uses the phrase "update features". Update features could include the microsoft installer one loads off a CD -- anything. Any 'update' is allowed to convert your machine into an open-port to microsoft and/or anyone smart enough to hack the system.

Ooops -- that copy of winamp just used an update feature (think of the OS routine to write to disk -- that's updating the disk). Now MS has permission to log and send that detail to Redmond. Why, my gosh, you just copied an MP3 to your HD? Redmond should hear about this update to your hard disk...etc. etc. etc. You can argue all day about what you might want MS to have said, but the words are the words. Update features, to me, include the ability of the user to update disk contents -- i.e. anything that allows writing to disk, for example.
-q

Re:Problem is EULA not SP

[tunah]

But so could *anyone* who sells software (including all that GPL software you love! ohh no!).

Before you said that, I thought you were just wrong, now I know you are just a troll. But just in case anyone believed you...

YOU CANNOT CHANGE THE LICENCE OF GPL SOFTWARE!

Sorry to shout, but that's the whole point

Re:Problem is EULA not SP

[MikeTheYak]

I'm behind a (Microsoft-made) firewall here at work. The only thing that's supposed to go through is web traffic. In practice, though, what makes it through is pretty much any internet traffic originating on my system from a Microsoft program (e.g., Mozilla doesn't work, even when set up with the same proxy settings as IE, Media Player has no problem downloading content, etc.). Microsoft has the technical means to send whatever it likes to my system through periodic checks made by the client. I could probably figure out what to disable, but what about the average user?

Re:Problem is EULA not SP

[DellaMente]

So use the clout of the medical industry to get MS to change the EULA.

Mike

Re:Problem is EULA not SP

[Tony-A]

I change my mind and want to relicense future versions of that software. I can do that. Its my code.
The future versions of that software are not issued under GPL. I fail to see how software not issued under a license changes the license that it is not issued under.
Oh, and there's nothing "give away" about the GPL.

Morons, Idiots, and Fools...Oh My!

[killmenow]

First off, if you're storing the medical records on individual workstations instead of a centralized database, you're a moron.

Seond, if you let your servers auto-update and apply patches from *ANY* vendor without doing your own testing and verification of those patches before hand, you're an idiot.

And third, if you don't have proper egress filtering and logging in place to make sure this isn't happening and know who keeps hitting the damn Windows Update buttons when they're not supposed to...then you're a fool.

And a fool and his job are soon parted.

Re:Morons, Idiots, and Fools...Oh My!

[sphealey]

Seond, if you let your servers auto-update and apply patches from *ANY* vendor without doing your own testing and verification of those patches before hand, you're an idiot.

And a fool and his job are soon parted.

Does that apply also to people who misunderstand the nature of a problem, and apply a "fix" that doesn't address the root cause of the problem?

If so, I guess I would be a bit slower to call other people "morons & idiots". Because the fundamental problem is in the EULA, not in the service packs or download mechanism. One could take all the steps you have described and (potentially) still be in violation of the privacy statutes, since by agreeing to the EULA you have agreed to allow Microsoft access to your systems under circumstances controlled only by Microsoft.

sPh

Re:Morons, Idiots, and Fools...Oh My!

[RobertNotBob]

Say what you want about Morons, Idiots, and Fools. The fact is that they are out there. Sometimes, they even get jobs in healthcare.

That's why this law was written in the first place.

Re:Morons, Idiots, and Fools...Oh My!

[jarbob]

If I've read the HIPAA information correctly, ANY medical facility with sensitive records must comply. Sure, expensive hardware and dedicated servers are fine for hospitals and large organizations, but what about dentist offices? Chiropractors? Physical Therapists? Often these are very small offices with sometimes just a doctor and receptionist and one or two computers. There are other viable reasons why an office would not choose to go with a dedicated server for their data. It isn't a dumb question.

Re:Morons, Idiots, and Fools...Oh My!

[Neck_of_the_Woods]

If that is true, and please correct me if I am wrong because I have not taken the full time needed to read the EULA top to bottom like I should. Why on earth would they allow you to turn it off. If it is turned off, they can't update squat can they? If it is turned off this issue becomes moot.

Alas, I will bow to your knowledge on the subject because I have not done the due dilegence to argue. Please enlighten me why this is even and issue if all you have to do is turn off the auto update feature.

Re:Morons, Idiots, and Fools...Oh My!

[JordanH]

• First off, if you're storing the medical records on individual workstations instead of a centralized database, you're a moron.

The records would exist in transit on individual workstations and the workstations would need authenticated access to the DB, so MS's access of that workstation could conceivably compromise a centralized database. Also, I would expect that this EULA provision would eventually extend to MS's server Operating Systems. Better to be prepared.

• Seond, if you let your servers auto-update and apply patches from *ANY* vendor without doing your own testing and verification of those patches before hand, you're an idiot.

But that's what you are agreeing to when you click through the EULA for this patch. So, installing this patch makes you an idiot. Fair enough.

Re:Morons, Idiots, and Fools...Oh My!

[cheinonen]

Maybe if you were doing HIPAA stuff yourself you would understand that it's not just where you store the records. All computers that need access to those records, as well as programs that access those records, have to be HIPAA compliant. Additionally, saying "Just use Linux" isn't a solution when all the custom software that people have and that is developed for lab work is done in a Windows32 environment.

That said, I'm almost certain that Win2k, with or without a service pack, will be HIPAA compliant since many, many medical and scientific organizations use it for their main operating system, and coordinating an upgrade to something else in the next 7 months would be near impossible. We really don't have much of a choice in what OS to use, though, since if all the programs we need are only available in Win32 versions, that's what we'll use.

Re:Morons, Idiots, and Fools...Oh My!

[vrmlknight]

its the matter that bill could come to your house and sit down on your compupter and jack off to your 500 gig p0rn collection, and theirs nothing that you can do about it casue M$ has full access to yuor computer no matter what.

Re:Morons, Idiots, and Fools...Oh My!

[vrmlknight]

waiting for the wine comment....

Re:Morons, Idiots, and Fools...Oh My!

[NiceGeek]

I'll make this simple for you and the dozens of others that can't seem to grasp the concept. This has nothing to do with the technical aspect of auto-updating. This has to do with the wording of MS's EULA. That's all. Period. Get it?

Re:Morons, Idiots, and Fools...Oh My!

[ibennetch]

Sure, I'll agree with you that in cases of a smaller office environment, a dedicated server is out of the question; however how many of these places are going to have full-time always-on internet connections? MS can't get on a box if it's not conencted. Sure, dial-up is still a problem; but how many of these places even have that? If they do, a personal firewall is still imporant, of course.

Re:Morons, Idiots, and Fools...Oh My!

[killmenow]

Maybe if you knew me you could assume I'm not doing any HIPAA stuff. But you don't...and I am.

If my DB server is Oracle on Linux, Solaris, or even NetWare...and my PCs run FreeDOS (why medical billing apps need to be GUI is beyond me), I'm quite certain they are all compliant.

Even if I upgrade all the PCs to W2K w/ SP3 and they still only access those records through TERMINAL EMULATION software, MS can have all the access they want to those PCs. The EULA doesn't give them the right to run keylogging software on my PC and trap user/password combos.

If they can't login to the server, they can't access the records.

Not that the EULA doesn't suck anyway.

Re:Morons, Idiots, and Fools...Oh My!

[killmenow]

Very good point. In those cases, I am at a loss. I was thinking of it from our setup: several people accessing a central server with patient information.

If you're a standalone dentist's office though, I don't know...

Re:Morons, Idiots, and Fools...Oh My!

[killmenow]

I get it. The EULA sucks. I know and agree. That's not to say there are not technical ways around it.

If my server runs Linux, Solaris, or NetWare (providing Sun and Novell don't have similar clauses in their EULAs) and my client systems run FreeDOS, Linux, OS/2, MacOS, or even Windows 2000 w/ SP3 it makes no difference.

In order for MS to have access to the records, they need access to the DB. If the DB is not on a system w/ an MS OS, they have no right to that machine. Period. Get it?

They can have all the access they want to the client systems...but they'd be hard-pressed to explain to the government why they needed a keylogger to capture user/password combos for accessing the DB on a NON-MS system.

Look, the point of HIPAA is that you have to do all you can to make the data secure from misuse. It doesn't mean you have to make it impossible.
We've taken all the reasonable (and even some almost unreasonable) steps to make sure our patient data is and stays confidential.

If MS wants to butt in and abuse its EULA to argue they have a right to the data, the lawyers can fight it out. I'm confident this is not a problem.

It just strikes me as another reason for people on /. to bash MS...which I'm happy to do...but geez, people...I don't see how this is a problem for anyone other than small Dr's offices with only one system that may unfortunately be running Windows 2000...because if you're big enough to have two PCs, you're big enough to need a server...and there's all kinds of things you can do to keep this theoretical problem under control.

Re:Morons, Idiots, and Fools...Oh My!

[killmenow]

Additionally, saying "Just use Linux" isn't a solution when all the custom software that people have and that is developed for lab work is done in a Windows32 environment.

...

We really don't have much of a choice in what OS to use, though, since if all the programs we need are only available in Win32 versions, that's what we'll use.

I think this is total bullshit. We have custom software (note that it's not for lab work) that is not written for Win32. How? We wrote our own. Saying "the only apps out there are win32" meaning you have no choice is a cop out. Write or hire someone to write your own. With the licensing fees you'll pay some company (probably in the many many thousands of $$ [USD]) you could likely pay someone to write an app to do just what you want in an alternative platform.

Your statements here simply strike me as the easy way out.

Re:Morons, Idiots, and Fools...Oh My!

[cheinonen]

I do write lots of stuff that we use, and it's not written to be Win32 only, however, I can't write everything we use. Beyond HIPPA, you have FDA regulations and other rules to comply with as well, and when you can buy something from a vendor that other people (say, the National Institute of Health) are using fine and is compliant, or spend months developing your own custom solution, you're going to choose the one that is working and has support and is tested. If we had the time to write everything exactly how we wanted, we would, but we really don't have the time, or the money typically, to do that.

Re:Morons, Idiots, and Fools...Oh My!

[killmenow]

While I'll grant you that I should indeed be a LOT slower to call people "morons & idiots" ... this is slashdot, isn't it?

And I understand the EULA is crap. I understand the EULA says you might as well give up every last bit of freedom you thought you had and hand it over to Microsoft. And I understand that people bleating and griping about the EULA are not forced to accept it.

Our company does third-party medical billing. Our client systems run DOS. There is NO NEED for them to run Win-anything.

We wrote our own apps. You can too. We are looking to port the apps to Linux because it's pretty freaking simple, but there's little need. The apps run just fine as is. And the server where the database of client records exists does not run a Microsoft OS. By choice...you know...that thing I hear everybody saying they don't have.

Re:Morons, Idiots, and Fools...Oh My!

[killmenow]

If we had the time to write everything exactly how we wanted, we would, but we really don't have the time, or the money typically, to do that.

Understood. We also buy software. But we write a lot more of it. And the more of it we write for ourselves, the more we realize it is generally just as cost effective as buying...but it usually does take more time. We find that the extra time taken is often justified because we get exactly what we want, we have no EULAs to worry over, and we are our best support.

How many times when you call a vendor for support on their app do you think the developers themselves get involved? Rarely. With our internal apps, the developers are almost always involved. Also, when you call a vendor, what is their vested interest in helping you? It's just about money. But if they can't help you, they still got their money off the licensing and supprot fees didn't they? When one of our internal apps has a problem, there's a strong urge to fix it...fast. You can bet there's way more incentive than a vendor may have.

Re:Morons, Idiots, and Fools...Oh My!

[leonbrooks]

In order for MS to have access to the records, they need access to the DB. If the DB is not on a system w/ an MS OS, they have no right to that machine. Period. Get it?

Yes, I get it. But you're wrong. (-:

The machine is not the problem, the data are the problem. One of the constellation of possible actions which you authorise Microsoft to take when you agree to the EULA on any Windows workstation in the LAN is to install a sniffer (call it `Microsoft Diagnostics for a Networked Medical Environment 6.0' to drive the point home). The data is no use to anyone if it stays on the server, but as soon as it leaves the server and wanders past a Windows box, Bill can glom it and shove it into the `My Data' folder.

BTW, you didn't think the `My' in `My Computer' and `My Documents' referred to the user, did you?

there's all kinds of things you can do to keep this theoretical problem under control.

Ah, that reminds me of l0pht's motto: `Making the theoretical practical since 1992'.

Re:Morons, Idiots, and Fools...Oh My!

[alienmole]

And a fool and his job are soon parted.

If only... if only.

Re:Morons, Idiots, and Fools...Oh My!

[japhmi]

MS can't get on a box if it's not conencted.

Sure they can, they can come to the office and sit down to look at whatever they want. The EULA says that they can look at any part of your computer in any way at any time.

Re:Morons, Idiots, and Fools...Oh My!

[cheinonen]

Acually, when I call the vendors of our main applications, I talk straight to the developers, or the database guys, or whoever I have a question for at the moment. If we need help with something, they fly down for a couple days and show us. If we didn't get that kind of support, we would probably do more of our own development, but if someone else is going to do most of the testing, give us all the source and other info we want for the program, and support us like that, we'll buy from them.

Re:Morons, Idiots, and Fools...Oh My!

[Bravid98]

All computers that need access to those records, as well as programs that access those records, have to be HIPAA compliant. So if Microsoft were HIPAA compliant then everything would be ok right??? I bet they are....

That's a great idea

[ch-chuck]

Put your cd rips in you medical records!! That way the RIAA can't hack them w/o breaking a law.

Submit a request to HIPAA not /.

[Kefaa]

HIPAA is like any other oversight group and only it can decide this is "okay" or a "violation". However, since logic cannot be guaranteed to rule, you cannot guess which. Have your company, preferably through your legal consul, submit a binding request for clarification.

Be certain your lawyer understands he should ask for an exemption until this is clarified. (This will prevent them from sitting on it for two years and then you getting in trouble later.)

Later when HIPAA says it is okay to do "X" and you find MS (or anyone with such an EULA) has absorbed records, your company is in the clear. Do not presume you can later claim a technical solution that was "just as good as..."

This is an issue for your lawyer(s) to resolve, not Slashdot.

Re:Submit a request to HIPAA not /.

[squaretorus]

This is an issue for your lawyer(s) to resolve, not Slashdot.

How about a list of stuff that IS for /. to resolve! I can't think of any!

Other than what kind of cereal should be favoured while fragging.

Re:Submit a request to HIPAA not /.

[TrebleJunkie]

HIPAA isn't an oversight group. It's a law.

Say it with me now: Health Insurance Portability and Accountability Act.

Re:Submit a request to HIPAA not /.

[Kefaa]

Beat me like a rented mule!

You are correct (but you knew that). In my haste I typed HIPAA instead of HCFA. In thinking it over however, I seem to recall the GAO got involved some time back and that caused responsibility for enforcement to the States. If so, getting an answer especially if his company is multi-state will be real fun. (Unless they have Federal oversight somewhere)

Re:Submit a request to HIPAA not /.

[TrebleJunkie]

It's not HCFA any more, either. It's the Centers for Medicare & Medicaid Services.

*grin*

But you're right, more fun and bureaucracy all around. Yay us in the health care business.

Here's a couple of Linux Medical Sites

[motardo]

http://www.openhealth.org/

http://www.euspirit.org/

Re:Here's a couple of Linux Medical Sites

[motardo]

Oops, I also forgot http://www.linuxmednews.com

Read the EULA.

[rjh]

Really. It'll clarify things right up. Dollars to donuts there's a clause in there, probably called "Severability" or something to that effect, which states that "if any clause in this EULA is found to be in violation of the law, then it is null and void with all the other clauses still in effect."

Contracts aren't allowed to violate the law. A contract to kill someone isn't legally binding, because murder is illegal. If Microsoft wants to claim they get remote access at will to your boxes, then you get to say "neener neener neener, no you don't, under HIPAA I'm forbidden from allowing you that access".

The proper Microsoft response? "Oh. Well, we're sorry about that. All the other clauses of the EULA stick, though."

So go ahead, get Windows SP3, and then figure out some way to disable remote-root.

Oh, and one more thing--

FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

(Sorry, just had to get that knee-jerk reaction out of my system.)

Re:Read the EULA.

[gorilla]

But it isn't illegal for Microsoft to have a clause in their contract saying they can view systems, it may be illegal for the hospital to use the Microsoft software with that clause. That's very different to the contract violating law.

Re:Read the EULA.

[Zeinfeld]

FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

Oh come on, we know why the question was put. It was a snarky little jibe whose only purpose was to claim that HIPPA prevented the use of Windows.

It is kind of like a 'proof' that 1 = 2. We are not meant to agree with the conculsion, we are meant to admire the devious application of logic.

It is quite obvious to anyone but a moron that MSFT is not going to enforce license agreements that prevent sale of their product for use regulated by HIPPA.

It should also be obvious that the EULA term was written very broadly by a lawyer who was attempting to minimize the probability of a lawsuit if someone complained about auto-update or the like.

And it should be completely obvious that Microsoft as a US corporation is obliged to comply with HIPPA. Microsoft is one of the few US companies that actually has a privacy policy and has agreed to be regulated under the EU privacy directive.

The other fact to consider is that the Clinton era HIPPA act has since gbeen gutted by the Bush administration who have issued 'guidance' that essentially negates the whole act. Under the Bush guidelines you lose the right to opt-out. Hospitals can refuse service if you don't waive all your rights to patient confidentiality which they can do in small print. So while the act may require hospitals to install firewalls etc. etc. none of it will make any difference because the hospitals can now sell all your confidential data to the people you least want to have hold of it.

Re:Read the EULA.

[dbrutus]

When MS starts doing medical care, it will, indeed, be bound by HIPAA. But MS doesn't provide medical care so it is only trivially bound by it. It provides general purpose computing software to run on x86, PPC, and Sparc systems running Windows, Mac OS, and Solaris software in that order. The people who buy this stuff in a medical environment are bound by HIPAA and must cease using systems that are not compliant by certain dates.

MS may be compliant with HIPAA or it may not be. If it wants to remain in the medical computing field in the US, it can either create a HIPAA compliant EULA or it can exit the field. It's up to them.

What medical facilities can't do is purchase and continue to use MS (or any other vendor's) software that is non-compliant with the HIPAA rules.

Other posters have made it clear that the HIPAA rules are not very clear. This means that in the relatively near future there's going to be some serious people like Blue Cross/Blue Shield, Kaiser, and several insurance firms that are going to petition for a ruling and MS licensing is either going to be ruled compliant or not. The medical software field may have to do some heavy shifting if an impasse is reached but that's the breaks.

Re:Read the EULA.

[Zeinfeld]

Many uninformed newspaper reporters took this position in their newspaper articles, but in fact for CEs, HIPAA remains almost entirely intact.

Oh right, we take the word of a GOP flack posing as an Anonymous Coward over Prof Sobel from Harvard Medical school in the LA Times.

At least there is no confusion over where I stand concerning my opinion of his inadequacy (follow the link in my .sig).

Re:Read the EULA.

[Arandir]

It was a snarky little jibe whose only purpose was to claim that HIPPA prevented the use of Windows.

Everywhere I look in the medical industry I see Windows. From diagnostics, review stations, records, hospital servers, etc. Even bloody EKG machines! It's ubiquitous. Rule of thumb: If QNX or Solaris is the appropriate solution, expect the system to be running WinXP/Embedded or Win2K instead.

If HIPPA is going to prevent the use of Windows, expect to see a *major* shakeup in the industry. Expect to see the medical divisions of Philips, GE and Siemens to implode into nothing.

Remember this?

[Rogerborg]

"Nobody ever got sacked for buying IBM"

If you're just worrying about covering your behind, extent to "Nobody ever got sacked for buying Microsoft" and then to "Nobody ever got sacked for clicking through default Microsoft licenses."

I actually think that people should get sacked for doing this if they compromise their business for the sake of avoiding raising a thorny issue, but it's not going to happen in our lifetime.

Re:Remember this?

[fishbowl]

Well, in the context of this story, we are not
only talking about people getting sacked, but
also about doctors who are running the risk of
losing their license to practice medicine by making agreements that they are not allowed to make, under penalty of Federal law. If you look at the HIPAA website, the fines may seem small, but consider that knowing and wilfully violating these laws can lead to quite severe civil penalties that are not specified directly with HIPAA, but rather would be consequences of routinely breaking laws in general.

Don't forget about MSN Messenger

[Brento]

As long as you're being anal-retentive, you should be aware that unencrypted instant-messaging protocols are frowned upon, because medical staff can circumvent all your hard work and simply send patient data back & forth over the IM.

Having said that, if either of these two represents your biggest problems, then you're probably safe for a while. I don't understand what you're trying to accomplish by asking Slashdot - maybe you should try checking with your MS rep first to at least get the company line. MS is wild about HIPAA - they produce a lot of BizTalk stuff for hospital EDI needs.

Re:Don't forget about MSN Messenger

[sphealey]

As long as you're being anal-retentive, you should be aware that unencrypted instant-messaging protocols are frowned upon, because medical staff can circumvent all your hard work and simply send patient data back & forth over the IM.

Indeed. Many Wall Street firms block IM protocols on both the Internet connection and internally due to privacy and recordkeeping regulations.

sPh

Re:Don't forget about MSN Messenger

[anarchima]

medical staff can circumvent all your hard work and simply send patient data back & forth over the IM

Ever thought of the possibility of writing stuff down by hand on a PIECE OF PAPER perhaps? That seems like the easiest way to smuggle out information :)

Re:Don't forget about MSN Messenger

[rjamestaylor]

Speaking of IM... I was at a clinic the other day getting a tour of the newest "state of the art" HIPAA compliant workstations: Compaq Legacy-Free machines, which have no floppy or any traditional ports, besides USB. The unit I saw, for processing prescriptions, didn't even have a CD-ROM. Everyone was so proud that there was no floppy or zip disk to download coipes of patient or prescriber data.

Then I gave my analysis: it's connected to the office LAN via wide-open 802.11b (using DHCP, so I was able to attach to their network from the parking lot -- with full green bars as signal strength -- and get on their LAN, browse the wide-open shares...), each computer is loaded with standard XP Pro, including Outlook Express, Internet Explorer, MSN Messenger...all which give capacity to export data, screen shots, whatever from the desktop to any computer on the Internet (yes, it's on the Internet). As a matter of fact, because it didn't have a firewall, I was using my laptop's cdrom to install some software on the legacy-free pc (without the optional cdrom) and I pointed out that I could just as easily push data on to my CD-R/CD-RW drives as pull it.

Of course, it was the lawyers who had approved the purchase...

Re:Don't forget about MSN Messenger

[rjamestaylor]

Wow - I need my coffee...the fragment because it didn't have a firewall, should have been because it didn't have a cdrom, but I was thinking, while typing, about the office managers question regarding their network: "But we have a firewall!" which protected them, somewhat, from intrusion from China, say, but not from Chinese agents in their ^%$%##^ parking lot. (They had been "hacked" by Chinese hackers, say they, before getting the new system which included a firewall. I didn't bother testing the firewall). This was a case of my fingers typing my immediate thoughts instead of my intended thoughts.

Re:Don't forget about MSN Messenger

[rjamestaylor]

My job wasn't to analyze their network, security, or HIPAA compliance. My relationship with the clinic was on a totally different level. I reported my findings to manangement. It's up to them to contact the responsible parties. I was more of a witness to a crime than a policeman, victim, prosecutor, judge or perp.
Why the attitude, dude?

Some clarification?

[dr_dank]

How exactly would medical records relate in any way, shape, or form to student loans?

Re:Some clarification?

[jdreed1024]

How exactly would medical records relate in any way, shape, or form to student loans?

The most obvious reason would be that if you have a physical disability (which requires medical documentation, even if it's something obvious, like, say, a missing limb), you are extremely limited in how much work you can do. Inability to work, for reasons of a physical disability, certainly affects the type of loan re-payment plan you're on.

I'd venture to say there are also special loans/grants, or special terms for loans if you're physically or mentally challenged.

Re:Some clarification?

[EvilStein]

Probably the same way your credit report can affect your auto insurance. I dunno, I've never understood how my bad credit 6yrs ago should affect my auto insurance rates, but it's legal.. =/

Re:What a waste of time

[NumberSyx]

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

This is not a technical issue, disabling Auto-Update is trivial. This is a legal issue, the real problem is by agreeing to the EULA they are giving a third party, who has no due cause, access to thier system. Whether or not Microsoft ever actually accesses thier system is not the point, the point is they have given consent and Microsoft could in theory demand access at anytime, say for example to check for unlicensed copies of software. I suggest you get a lawyer who can sort this out for you, it is also possible, however unlikely, a good lawyer could negotiate a different EULA with Microsoft.

UK data protection act

[oliverthered]

It looks like the ELUA problems might also cause issues with the data protection act in the UK.

I may allow company X to give other companies access to my personal data, without that permission company X would not be able to agree to Microsoft ELUA which could potentially give Microsoft access to you personal data.

Re:UK data protection act

[permaculture]

Yup, I work at a British University who are changing (under duress) from UNIX/WinNT to Win2000. We're currently updating the desktop build that'll be rolled out to 2,000 odd PCs next summer. I've suggested that we should run the Win2000 SP3 EULA past our legal people after reading lots of discussion about it recently.

Comment removed

[account_deleted]

Comment removed based on user account deletion

How will a firewall help...

[volpe]

... if your own operating system is tunnelling through http to make requests from Microsoft's server to download patches without your knowledge?
(Unless, of course, you want to cut off MS's websites from your browsers as well.)

Note that disabling auto-updating is a technical solution that assumes that MS won't ignore that setting for any updates that it consideres to be "really critical", either to your security, or to MS's business needs.

Re:How will a firewall help...

[volpe]

1. Firewall. FIREWALL.

This does not address my point that permitted protocols may be used to do the job.

2. Auto-update uses a service called "BITTS". Disable that. Auto-update offers a way to disable it. IF you dont trust it, shut it off and hitch the box to a packet sniffer. Prove to us and the world that its not actually off. You'd be a hero. But of course that's not going to happen.


I wasn't suggesting that MS was likely to do this. Rather, that they'd be ALLOWED to do this, because you gave them permission when you clicked-through the EULA


3. On a LAN of any size, use SUS from MS to distribute your patches[...]

Yes but you're missing the point. Even if you do that, you've already given MS permission to update through any backdoor mechanism they like.

Re:How will a firewall help...

[fandelem]

I must interject here that Volpe is somewhat correct in stating that there are applications out there even today that tunnel their information through any port that is open, however according to this post from july of 2000, there is indeed a way to completely stop this transaction, once you find out the server address it is connecting to. it would be wise to note that while this provides a luke-warm feeling of security, a simple new server address and a quick "update" or "fix" or "exchange of information" between a new server and your computer is possible..

k.

Re:How will a firewall help...

[monkeydo]

How do you know they aren't doing it already? Closed source backdoors are evil! OMG all my boxes are belong to Microsoft! If you are an administrator and your boxes are doing something without your knowledge you should be looking for a job. Just because you don't know how to solves a problem doesn't mean it isn't a solved problem. Firewalls that restirct outbound access, proxies, HIDS, your probelm is not a problem.

As other's have stated the technical part of this is a non-issue. The only question is the legal one. IANAL, but if you are HIPPA compliant you can't legally agree to Microsoft's EULA. Since I seriously doubt that MS is going to sue you for breach when you don't give them unfetered access I think that is a non-issue as well.

Re:How will a firewall help...

[sethadam1]

Block *.microsoft.com

or even

Block windowsupdate.microsoft.com

We do it - there's no tunneling, there's no autoupdating...it works.

Re:How will a firewall help...

[volpe]

Okay? "If you choose", and "by using". Get it?


Got it. Mea culpa. Thanks for the clarification. I had been going by an understanding of the EULA that was posted by someone else the last time this came up.

Re:How will a firewall help...

[monkeydo]

Did you read what I wrote? I mean seriously.

We know that we can prevent MS from getting to our computers and we know we cam prevent our computers from getting to MS. Would doing so violate the EULA? Maybe, but who cares?

Does anyone think MS is going to start suing companies for properly configuring their firewalls? What the End User agrees to is completly irrelevant as far as practical security and HIPPA is concerned. If MS can't get to it they can't get to it. End of story.

Re:How will a firewall help...

[innocent_white_lamb]

We do it - there's no tunneling, there's no autoupdating...it works.

And tomorrow "windowsupdate2.microsoft.com" and "updatewindows.ms.com" come online for whatever reason and your firewalling is providing exactly how much security, did you say, again?

Re:Parent is not redundant.

[yatest5]

If you want to run an OS from a rape-you-in-the-ass company that has no respect for its customers, you better not do it with my goddamn medical data.

OK then fuckwad, you start your own hospital and use that. I'll leave the people who run hospitals to do just that, you stupid, know-it-all/know-nothing zealot cunt.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What a waste of time

[yasth]

A firewall does not prevent the possibility of MS getting access by other means. If it is an agreed to part of the EULA, then they can take such steps as needed to effect the clauses. I would also be worried about the no cause software audits that some MS volume plans have. I mean obviously if you have a search warrant then you have to let them in, even if they might incidentally find some records, but by lowering the standard needed to perform an audit might have legal implications. I would ask your in house counsel, about both the EULA and the licensing agreements.

IANAL, and even if I was this would not be legal advice.

A few thoughts

[jayhawk88]

We're currently struggling with HIPPA where I work as well. I'm no expert, but a few things I'd look at:

- Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one).

- Ideally, the server with your HIPPA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPPA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., one's outside your lan/wan), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPPA guidelines provide for this sort of thing, though.

Re:A few thoughts

[pbrammer]

For the love of [fill in with your applicable god-like figure], please don't use IIS... I thought the whole concept of this conversation was security?

Phil

Re:Parent is not redundant.

[Brento]

Go find a doctor that doesnt use MS products somewhere in the office - and get back to me.

You'd be surprised - most of 'em I've seen use Unix-based patient scheduling & billing software. This is one of those areas where Unix had a huge head start because of the multi-user capabilities.

Wake up.....

[bjiujitsu3]

I write EMR software for a living. I'm a huge Linux fan and so is most of my development team. The reality is doctor's don't buy Linux systems. They buy Windows systems. So we offer a Linux DB server and Window's client. In the end, however, everyone still gets a Windows DB server...... In thousands of installs we have 2 using Linux servers. Just reality.

Re:Wake up.....

[WetCat]

Doctors don't buy? Well, they will DO buy... after they found that they could be hit by lawsuits about their HIPAA noncompliance... or their insurance would require it...

Re:What a waste of time

[rseuhs]

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

Microsoft has the right to ignore all settings for auto-updating whenever they want.

Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Check Out MSHUG.ORG or HL7

[puto]

The Microsoft Healthcare Users Group. This is a group of vendors that sit togehter on a board that define all standards for healthcare products that run on MS software. To be a member of this group or state that your software is compliant they certify you.

They strictly adhere to all governmental regulations for healthcare records including EDI and storing of sensitive medical records.

The medical industry is a huge economic buyer in the hardware and software industry and MS based vendors have always been in strict compliance with government standards.

1. Check to see if your software is HL7(health care 7) HL7 is a protocol for formatting, transmitting and receiving data in a healthcare environment.

2. Ask your vendor how they store the medical rcords, is it hl7 compliant. I think you guys have a homegrown product? IF your product is home grown it does'nt apply to the governmental standard for handling medical data, the EULA is the least of your worries.

3. IF the product is home grown. Cover your ass.

MSHUG is microsoft centric but a good start for you.

I did medical software for ten years and dealt with all these issues long ago. Your vendor should be able to point you in the right direction. BUT IF YOUR SOFTWARE CAME FROM A VAR, DONT ASK HIM, CALL THE ACTUAL HOME COMPANY! The developers will give you more of a straight answer than the var.

PUTO

Re:Check Out MSHUG.ORG or HL7

[Mr.+No+Skills]

Clarification:

"HL7" is "Health Level 7", referring to the OSI model.

It is a protocol for electronic clinical data, not all healthcare data. While HL7 is a useful protocol for sharing information on an enterprise's Intranet, most EDI on an extranet is financial in nature which HL7 does not define. Data wizzing around internally is not subject to HIPAA, since it is not seen by the outside world (assuming other protections). And, the HL7 transactions are clear text -- not good for sending outside, right?

Moving forward, the HIPAA transaction sets are the deal.

By the way, the Microsoft Healthcare Users Group is a "Users Group", not a standards body. Anyone can join who wants to pony up the 50 bucks.

Watch out for the 'disable' option

[RobertNotBob]

I work in the healthcare industry and have been following this fairly closely. One alarming thing that I have seen in various discussions is the idea that simply disabling the feature has any affect on the situation.

It does not.

The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells you machine not to do it. At any time, either pre-programed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it, if you sign a document that states I have the privilage to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.

Also don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer ( I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT Maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right infront of me now, I'm pretty sure that mediaplayer even specificly mentions that current features may be removed (playing MP3's) by the unannounced 'upgrades'.

Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.

oh, DARN ! ;)

And for the record, I am not a lawyer. Don't take this as legal advise. Heck, I could be dead wrong. Localities and Nationalities will obviously differ in their approaches.

Re:Watch out for the 'disable' option

[Krieger]

IANAL.

However consider this. All of the upgrades to the Microsoft products are not upgrades, but rollups of security patches. These patches are necessary to keep our systems from being hacked.

From what I've read on different law sites, it is kind of questionable if any software company is capable of completely disclaiming all liability for their product, but for the most part people aren't willing to risk it and the lawyers fees. Especially against Microsoft, which is funny considering that the functionality, stability and security of the OS is perhaps the one that they are most likely to be able to hold them liable for.

Now back to my point. The Service Packs and Hot Fixes with new EULAs are quite simply unlikely to be legal. As with most EULAs they are simply extorting the customer and making them sign under duress. "Here's this Hot Fix that you absolutlely need to make certain that you don't get hacked, but first you have to agree to this EULA with no chance of negotiating." At some point someone will sue Microsoft over these EULAs and try and hold them liable.

At least I can hope.

Re:Use Linux

[Zamfir]

and the statment: "Regardless of how rhetoric is thrown around, Windows is everything bad that people say about it" has no rhetoric at all now does it?

Re:What a waste of time

[Zocalo]

Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

Ah, but they are preventing users of pirated activation codes and Warez copies of XP from accessing the Windows Update site aren't they? Wouldn't that also preclude gaining access to the DRM "upgrade"?

All of a sudden that Windows XP .ISO and keygen I spotted on P2P seems a lot more appealing... ;)

What?!

[Greyfox]

You mean having watched every episode of "Ally McBeal" doesn't make me a leading legal expert? Damn it!

Re:What?!

[alienmole]

Sorry, you picked the wrong show to watch - Ally's lipstick shade doesn't actually have any bearing on the law. You should have been watching "Law and Order"...

Re:Parent is not redundant.

[dhfoo]

Maybe you could tell me what platform MS do their salary run on???

Clue, AS400.

They tried to migrate to win2k just before 2000 (due to y2k issues on AS400 apparently) but had to go scuttling back ~9 months later with their tail between their legs.

Active v passive

[mgkimsal2]

One might argue that a EULA is more binding because someone agreed to it actively, instead of a law which one basically accepts passively. Oftentimes the laws may have been passed before you were even born, so there's not much realistically you can do, but you have every option of clicking 'accept' or 'do not accept' when the LA comes up.

Problem is, most companies don't accept the agreement themselves. A contractor installs stuff on their machines for them, clicks 'OK' 50 times, and leaves. Much like if we actually had to *pay* taxes, instead of most people having them withheld, if most people actually READ the LA with most software, there'd be a minor revolution.

Re:Active v passive

[psych031337]

One might argue that a EULA is more binding because someone agreed to it actively, instead of a law which one basically accepts passively. Oftentimes the laws may have been passed before you were even born, so there's not much realistically you can do, but you have every option of clicking 'accept' or 'do not accept' when the LA comes up.

To me that is not within the definition of option. You order a W2K copy because you want to use it on your machine. You pay real bucks for the package. Upon installation you have the choice of accepting the EULA (and actually getting something for your money) or not accepting the EULA and trying to get the dealer accept the item (with broken shrinkwraps) for a return.

Basically, you don't purchase a product, but an "license" or allowance to use it. Not accepting does not give you limited functionality. It gives you just plain nothing.

Is that a choice?

Why ask anything on slashdot.....

[Viewsonic]

Cuz all the answers are by nerds with no nerdy jobs apparently. Ive seen several posts by people from Harvard on slashdot fuckyouverymuch.

Future Microsoft Products Will Be Grandfathered In

[jlusk4]

Silly rabbit.

Microsoft is the rock around which the stream will flow.

Disable remote root?

[Oestergaard]

On a proprietary system ?

Do you honestly believe that you can do this ?

I mean, sure there's some "disable remote r00t" clickety-click somewhere - as long as you cannot verify what the OS actually does about it, it means squat. Nobody promised you it would also disable the "remote w00t r00t", or the "hidden remote secret root", or the ...

There is one perfect solution: Keep proprietary OS machines off the network. Galvanic separation - no cable (and no antennas!) - works 100%

There is a less than perfect solution: Filter off all machines from vendor-X using products from vendor-Y. Make all machines from vendor-X resistant to attacks from the vendor-Y machines. Oh, and be damn sure that the two vendors are not affiliated, and are not controlled by the same government.

Sort of limits your options...

Unless you chose products where you can verify their operation. Note, this does not necessarily mean proof-reading the entire source, if the source is publicly available, the vendor is facing a mutual risk - *if* a backdoor is discovered he loses credibility and goes out of business, *because* there are alternative vendors available. Free Software is very clever in many ways that are not immediately obvious.

Re:Disable remote root?

[zenyu]

There is a less than perfect solution: Filter off all machines from vendor-X using products from vendor-Y. Make all machines from vendor-X resistant to attacks from the vendor-Y machines. Oh, and be damn sure that the two vendors are not affiliated, and are not controlled by the same government.


This won't work, MS is slap happy about RPC over HTTP. They can even do it through a caching proxy. That means any firewall that allows web traffic won't prevent access to their Windows software on your machine. But even if you took the medical records completely off the internet this is a legal problem not a technical one. You gave them access, they might demand physical access if you don't give them electronic access. I don't see it happending, but legally, in any state where EULAs apply, they can.

The only solution here is to get MS to sign a supplementary agreement either that is satisfactory for HIPAA, or for the congress critters to pass a law forbiding overbroad hacking clauses in contracts, forcing Microsoft to rewrite their EULA for everyone.

I still think the best thing to do is deny copyright protection to any work distributed with license. Sort of a patent vs. trade secret distinction, instead you get a choice between copyright or contract.

Re:Disable remote root?

[fishbowl]

"There is one perfect solution: Keep proprietary OS machines off the network."

Sure that's good advice, until your application
involves connectivity or else it is not useful to you.

There is a huge difference between the technical
aspects of security and the legal aspects of granting permission.

The concern about regulatory compliance versus the licence agreement is about the legal aspects of granting permission. Whether that permission is ever execercised is completely irrelevant. If you made an agreement which by Federal law you were specifically forbidden to make, it makes no difference at all whether Microsoft or buttmonkeys accessed your computers, or whether you even plugged them in -- MAKING THE AGREEMENT was ILLEGAL, period.

The end result *should* be that Microsoft has made it so that certain industries cannot legally use their product. In reality though, simply because it's Microsoft, nothing will happen.

Now that's secure :)

[mgkimsal2]

consider serving that information up on a web page via an IIS/SQL type of solution of some kind

Cause we all know how secure *those* products are. :)

I'm not sure if HIPPA guidelines provide for this sort of thing, though.

That's the problem - I don't think *anybody* knows for certain at this stage. Things are too ambiguous (yes I've read most of the regulations)

Re:Now that's secure :)

[jayhawk88]

Yeah, I know. You should see some of the BS documents we wrote up for a couple departments to put in grant proposals. Lots of fancy phrases like "...have a way to secure workstations (use Windows 2000/XP and show users how to lock their machines)", "...offer a secure networking environment (no one has keys to the coms closets but us)", "...offer secure servers for confidential information (we know how to map a drive to a server on a seperate vlan)".

It's pretty funny actually. All these departments come to us in a panic about HIPPA, we give them these fancy documents and reassuring words, and then don't hear about it again for two months. Seems to me this HIPPA stuff (right now anyway) is more about making things look good on your grant proposals and what not.

Oh, and it is possible to run a secure IIS server guys, if you know what you're doing.

Re:What a waste of time

[irve]

A firewall does not prevent the possibility of MS getting access by other means.

I can already imagine angry MS emergency support people waving EULAs and demanding access to your system to install the latest security patch....

Re:Parent is not redundant.

[ShavenYak]

Tee hee, that's funny. Also, are they still running Hotmail on Apache/BSD or did they finally get it moved to IIS?

Re:A few thoughts (I agree, but...)

[gosand]

We're currently struggling with HIPPA where I work as well. I'm no expert, but a few things I'd look at: - Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one). - Ideally, the server with your HIPPA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPPA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., one's outside your lan/wan), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPPA guidelines provide for this sort of thing, though.

I agree with what you are saying, but I feel that these questions need to be asked. Well, they shouldn't need to be asked, because MS shouldn't be doing what they are doing, but I digress.

I work for a very large company and we are implementing HIPAA into our software now. We do all kinds of software for hospitals. The reason I think that this issue needs to be brought up is because most people don't even think about the holes that MS creates. I asked a very similar question to our director of operations a while ago, and he said basically that if the hospitals don't have firewalls, then they have bigger problems. While this may be true, I still think it is good to ask the question, so that people are aware of the "Microsoft issue". The people who maintain the firewall need to know about the autoupdate, so that they can block it at the firewall. They need to know about these vulnerabilitites, so they can plug them. I don't trust that they will be keeping up on these things. After all, who would have thought that the OS you run could create a huge gaping hole in your security and potentially hold you liable for violating federal regulations?

Easy one...

[JordanH]

• If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

Use Macs or Linux?

Woah, woah...hang on a second here....

[no_nicks_available]

I'm in the middle of upgrading a pharmacy's computers to privacy "compliant" software that is supposed to be secure. One of the perks of the new software is the ability to use the internet for data transfers instead of 56Ghey. While talking to the tech support guy on all the details I'd need to know, I asked him whether the transfer was done VPN and what sort of encryption I'd need to setup. He got back to me a few minutes later and said there is NO VPN, NO ENCRYPTION done at all. This pharmacy deals with hundreds of patients a day and for each one, a stream of data is sent CLEAR TEXT across the internet. Makes you feel secure doesn't it?

Re:Trust Microsoft

[artificial_blue]

Is it just me, or does life feel a little surreal these days.. Soon we'll have constant streams of data coming into our house, custom tailored to our way of life, telling us the price of gas has been lowered, and that our victory gin rations have been raised !!

What timing...

[barista]

Last week I was told I am now on my department's HIPAA committee. Since I figured I should know what's going on, I hit Google and went here to read (and print) the actual act.

From what I understand, HIPAA only requires reasonable precautions. Depending on how anal your compliance officer is (if you have one), this may or may not be a problem. I work for a group that owns three hospitals, one of them a teaching hospital, and our compliace officer is a lawyer, so she knows her stuff. In a meeting to all staff we were told to use "reasonable precautions". You don't have to be paranoid, just use some common sense.

Good luck with it.

What are medical records doing on the network?

[jonadab]

Hospital medical records should never be on a system that is
connected, directly or indirectly, to the internet. _No_ OS
is sufficiently secure for that to be acceptable. We just
had an openssl vulerability a few weeks ago, in case you're
forgetting. Yes, it was patched right away, but it makes
the point clear that no OS can be known with certitude to
be absolutely secure.

Sure, the hospital needs _some_ systems connected to the
internet, but they absolutely SHOULD NOT be connected to
the systems that have the private medical information.

Re:What a waste of time

[jackb_guppy]

We are placing secondary firewalls, between the servers the desktop. We have found that most servers have extra ports open, then even if you them off, some thing will get them turned on again. Like a Patch "fixing" a break.

By placing isulating the servers from the rest of the network, we are able to control the port issues both ways. So ODBC and Remote Job Submits can be sent. The app is all green screen based.

Having the second firewall also prevents the servers "getting out" on the internet, becuase we removed the defualt route from the firewalls, so they do not know where the gateway to the internet is.

This is not a problem

[d3xt3r]

Remember, Microsoft can always be trusted. Granting a thrid party uninhibited access to your system (for whatever purpose) is a security breach by any means. But come on, it's Microsoft. You trust them. Don't you?

Discaimer: The poster of this message is not implying that Microsoft is trustworthy. The poster of this message does not trust Microsoft. This was a joke. :)

answer to the question

[Lumpy]

If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

Simple use Windows NT 4.0 with SP6a

and exactly why did you switch from it to begin with? what extremely important feature that Windows 2000 has that you absolutely needed?

upgrading because you can is never a good reason.. Most of Big Corperate america is just now starting to roll out W2K servers.. and they Keep NT4 servers running becasue there is no reason to upgrade them. (up until last month the very large multi-national corperation I work for had a policy that NO Windows 200 servers were allowed on the network, anyone upgrading their servers to W2K will be fired without question.)

Re:answer to the question

[Phil+the+Canuck]

Great answer! You, sir, are an IT god. Don't use Windows 2000. Damn, why didn't I think of that? Oh...wait. That's right. All of the services we provide on Windows servers were added after NT4 was disconintued. Now where'd I leave that damn time machine?

Re:answer to the question

[Phil+the+Canuck]

All of the services we provide on Windows servers were added after NT4 was disconintued.

What part of that didn't you understand? The whole point of my post was that, read this part slowly now, we didn't have NT4 prior to implementing W2K. So next time you want to call someone a "moron" or a "worthless turd idiot fool", you might want to consider taking some reading comprehension classes first.

For the record, one of the things that Microsoft actually does well is tech support.

Perhaps a lawsuit would be appropriate

[brokeninside]

For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it.

It seems to me that unacceptable changes to the EULA for a service pack might void the implied warranty usability of Windows 2000. By releasing the service pack, they are admitting that Windows 2000 has problems. If I cannot get access to fixes for those problems without agreeing to a contract substantially different from that which governed my license for Windows 2000, I think that I might have a good basis for a lawsuit to get a court order that Microsoft supply fixes to their software under the terms of the original EULA.

Re:Perhaps a lawsuit would be appropriate

[fishbowl]

"For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it. "

You will need damages. You can't sue without showing damages.

However this HIPAA concern carries with it some dire implications. I wonder if it will actually get the attention of the appropriate people (let's say, a large hospital, prefereably one
that is either a very influential one, e.g., the
Naval Hospital in Bethesda which has the added benefit of being a governmental body, or say a
big research institution, Johns Hopkins or Northwestern will do fine).

If it occurs to the right people (the ones with the bread to make a real difference) that the current licensing is entirely incompatable with the laws that the must follow, and that the exposure to liability is huge (it only takes one malpractice suit to end a doctor's career), then
we might someday hear about a secondary license that is granted for certain institutions by Microsoft.

Unfortunately, I don't suppose many people are aware of this problem, so the phones at MS headquarters have not been ringing off the wall
with attorneys who represent hospitals and physicians demanding satisfaction on this matter.

I suspect that it will take a federal lawsuit against someone who has been caught with their pants down, and this will be but one of many incidents of noncompliance with various regulations raised in the case.

The problem that many slashdot posters don't seem
to understand is that we're not talking about an
"illegal contract", but rather, that is might be
technically illegal for a party to agree to a particular contract. This is only a problem if the party with the problematic contract will not negotiate, and is also only a problem if there is no alternative.

In many cases, there is only one choice for an operating system. If it is illegal for physicians to use that one choice, then it may be too high-risk for a physician to use computer systems for certain tasks at all.

Re:Perhaps a lawsuit would be appropriate

[nivedita]

You will need damages. You can't sue without showing damages.

This doesn't make sense. Are you saying that, to take a purely hypothetical example, if Ford releases a car that has the nasty habit of shutting its engine off randomly while driving, I actually have to be in an accident before I can sue? I mean, simply coasting onto the shoulder of a highway surely doesn't count as damage.

Re:Perhaps a lawsuit would be appropriate

[rainmanjag]

I believe Microsoft's historical stance on Service Packs is that they're not fixing problems (remember Bill Gates saying that Windows doesn't have any bugs?) but are improving the original product...

Re:Perhaps a lawsuit would be appropriate

[ppanon]

Well, if your only option to stay compliant with HIPAA regulation is to replace the MS operating system and software on all your client and server computers with something else not covered by their EULA, then there would be costs (capital and labor) associated with that migration. Would that qualify for damages?

Microsoft counts on those migration costs (barriers to exit?) being high enough that customers find it more advantageous to pay their licencing fees instead. Since, should you win the case, you would get Microsoft to pay for replacement of their own software (i.e. pay to lose future revenues), it would make some MS executives sit up and notice, and maybe put out a more reasonable EULA.

Re:Perhaps a lawsuit would be appropriate

[Ozymandias_KoK]

You don't need damages. Remember the theoretical potential data loss with floppy drives with the soandso (I forget, but just about any floppy drive made used it) controller? Lots of neat lawsuits over that, no data loss was ever demonstrated.

Not a problem, yet...

[dotc]

I highly doubt most hospital/health care facilities have "upgraded" to Win98, much less Win2K. So much legacy software, it's pretty near impossible to upgrade these big organizations and still get work done. This won't be an issue for a couple of years yet...

Re:Not a problem, yet...

[Seor+Pelo]

well, it's turning into a problem now. I work for a clearinghouse, and the latest version of our billing software requires that the users be on at least windows 98. Needless to say, lots of them are opting for windows 2k. oop

Locked down != autoupdated

[Software]

Locked down systems would need to be revalidated after any and all autoupdates.

As part of the lockdown procedure, you should disable automatic updates. Isn't this obvious? Perhaps "locked down" has a different meaning w.r.t FDA part 11 - I'm not familiar with this regualation. But If I want an unchanging system, the first thing I'll do is disable autoupdate.

Look, I'm all in favor of crucifying Microsoft when they are wrong, but it's pretty obvious that people are reading too much into this. They have to put the clause in their EULA, or else people will crucify them for updating their machines without their consent.

I think MS should have their lawyers rewrite this section of the EULA to make it more clear that the computer will go out and look for updates and install them automatically, unless the end user disables this function.

I cannot believe a reasonable, unbiased person would believe that MS would feel entitled to snoop around anyone's machine at their whim as a result of this clause in the EULA. The gov't might feel such an entitlement, but not MS.

Re:Locked down != autoupdated

[RebelTycoon]

BULLSHIT

You have a recourse against the government, as the courts have shown, there is little recourse against MS.

Re:Locked down != autoupdated

[JWW]

If the EULA you agree to entitles MS to automatically download updates and you turn off autoupdate, are you still in agreement with the EULA, can you still use the software?

Perhaps the answer is yes today, but will this always be the case? Remember, because of Microsoft you have a "license" to use the software, you do not own it. I believe there will come day when you will need to pay to continue to use the operating system or it will disable itself. For corporations, it might not be so harsh, but may involve sending billing information to Microsoft to provide a count so they can bill the corporation, a large lump sum.

This kind of activation system will also, I'm sure update the system with at least the keys to run for another year and more than likely many more updates, and it WON'T be optional.

previous life

[mkelley]

I use to be a hospital sysadmin and in my old job, we had a network full of Windows systems with NT servers. But the actual medical software pumped out through to the dumb terminals or emu software was Unix based (DG/UX or HP/UX) or Novell. You also have to realize that the biggest medical vendors use Unix, SIEMENS, GE, McKessonHBOC.

One of the problems hospitals face is going back to Y2K. Some of the companies were so far behind that they moved to Windows NT to "fix things later". I remember my fellow tech moving the Dictaphone system from an old pre-system V system to NT. We were just cringing because we knew we were going to have problems.

Get More Than Just a Lawyer

[Phoukka]

If your company is of any size whatsoever, you'll need more than just a lawyer who specializes in HIPAA compliance issues. You'll need to acquire the services of a HIPAA compliance and remediation consulting group. Our hospital is using Ernst & Young.

It sounds like you have multiple areas to look at -- your data storage, your data transmission (you aren't just creating those medical records from thin air, are you?), your partner companies, and how you handle the Patient Identifying Health Information on the desktop. Not to mention that your company should have been preparing for this for QUITE some time now.

First, you'll need to make sure that your data storage, transmission and handling (includes handing paper copies around), and desktop security are all compliant. Next you'll find that you are also responsible for making sure that any business partner companies are compliant. This task basically means getting your partner companies to sign "HIPAA Business Partner Agreement" contracts that means the partner company states that they are contractually obligated to handle any patient data of yours in a means that is also HIPAA compliant.

Finally, and most important of all, you'll need to be able to document all of the above, in a form that the government inspectors can easily use to check your compliance. Yay.

Get yer HIPAA-lovin' lawyers on the stick as fast as you can, and file for any extensions that may apply. You will need a complete inventory of any and all computing infrastructure (servers, workstations, network, and software) that touches identifying patient medical data. You will need to have this inventory so your CIO, lawyers, computer security experts and your HIPAA remediation consultants can check the compliance of everything on the list. Anything failing compliance, you'll need to fix or replace.

One last thing: you are also responsible for making sure that the source of your medical data is asking permission to use that medical data, and is asking that permission in a way that is compliant.

I hope this provides you with a decent starting point. Good luck, you have a hard task ahead of you.

I still think this is all one big troll

[CerebusUS]

The EULA states that MS has the right to install patches. it doesn't say anything about being able (legally) to transmit your personal data back to the mothership.

Can you imagine the cry that would be raised if someone discovered that MS was transmitting personal info or documents in Windows Update Requests? Do you remember Prodigy? Do you remember the Quicken scare? Compared to the number of installations of Win2k, those are tiny issues in comparison.

You (meaning the rabidly pro-linux crowd) should all be so lucky as to have Microsoft to this, it would virtually guarantee that the company would be regulated into oblivion. or Canada. Which is almost the same thing :-)

Re:I still think this is all one big troll

[sphealey]

The EULA states that MS has the right to install patches. it doesn't say anything about being able (legally) to transmit your personal data back to the mothership.

Can you imagine the cry that would be raised if someone discovered that MS was transmitting personal info or documents in Windows Update Requests? Do you remember Prodigy? Do you remember the Quicken scare? Compared to the number of installations of Win2k, those are tiny issues in comparison.

Yeah, can you imagine the hue and cry if Doubleclick started reselling your personal information in violation of the privacy agreements of every web site it was collected from as well as their own privacy agreement?

You don't remember that hue? Neither do I. Yeah, they agreed to pay a 500k "settlement". Big whoop. Your data was "repurposed" and you had no say. Too bad!

sPh

Re:I still think this is all one big troll

[CerebusUS]

Information gleaned from sending you email and watching your surfing habits != reading a Word document you wrote to your tax attourney.

There's a pretty big difference there.

Back to the original point, though... there's nothing in the EULA that I can find that says they have the right to read your data. Everyone is up in arms about "accessing" the machine, when HIPAA is concerned about the security of the data. There's nothing in the EULA that says MS is going to read your files.

Re:I still think this is all one big troll

[Myxx]

I work for a major Hosting company and we have to deal with this sort of stuff all the way around. Our NOC engineers get access to the machine too. Technically this would also violate HIPAA standards. Still, HIPAA requires that the records be secure. ANYONE can read the data, if only by sitting at the main terminal. Technically the EULA does violate HIPAA, but so does giving the password to your firewall to ANYONE.

In the end the only way to be truly compliant is to disconnect the machine from all networks, wrap it in chains, and bury it under concrete.

I have your answer.

[Whatthehellever]

Install Linux.

The Actual EULA Reproduced Here

[NoData]

OK...Like many of you, I was skeptical that this was an issue at all. How realistic is it, in this MS-paranoid forum, that really you're granting MS access to your system "at any time?" The Ask Slashdot sounded like FUD-baiting. But then, someone made the intelligent point that whether or not MS has real access to private data, the fact that the EULA may cause you to AGREE to give them some sort of access may violate HIPPA.

Well, fight FUD with facts I say, so I downloaded SP3 and here's the actual supplemental EULA. Note bulleted point #3...it does not begin with the same "If you choose..."" qualifier as point #2. I'll leave it the legal scholars and armchair lawyers to talmudically wrangle over what sort privacy violation is inherrent in allowing "OS product" version checking and update installation. I know nothing about HIPPA.

And as for "Severability" clause the parent post referes to...Not there. So, I've never been clear, do I get Dollars or Donuts for winning the bet? :) (OK, granted, the Win2K EULA which is a superordinate parent of the SP3 EULA, may include such a clause...)

Long-ass EULA follows:

SUPPLEMENTAL END USER LICENSE AGREEMENT FOR
MICROSOFT SOFTWARE

IMPORTANT: READ CAREFULLY - These Microsoft
Corporation ("Microsoft") operating system components,
including any "online" or electronic documentation
("OS Components") are subject to the terms and
conditions of the agreement under which you have
licensed the applicable Microsoft operating system
product described below (each an "End User License
Agreement" or "EULA") and the terms and conditions of
this Supplemental EULA.
BY INSTALLING, COPYING OR OTHERWISE USING THE
OS COMPONENTS, YOU AGREE TO BE BOUND BY THE
TERMS AND CONDITIONS OF THE APPLICABLE OS
PRODUCT EULA AND THIS SUPPLEMENTAL EULA. IF
YOU DO NOT AGREE TO THESE TERMS AND
CONDITIONS, DO NOT INSTALL, COPY OR USE THE
OS COMPONENTS.

NOTE: IF YOU DO NOT HAVE A VALID EULA FOR
MICROSOFT WINDOWS 2000 PROFESSIONAL, WINDOWS
2000 SERVER, WINDOWS 2000 ADVANCED SERVER, OR
WINDOWS 2000 DATACENTER SERVER (each an "OS
Product"), YOU ARE NOT AUTHORIZED TO INSTALL,
COPY OR OTHERWISE USE THE OS COMPONENTS AND
YOU HAVE NO RIGHTS UNDER THIS
SUPPLEMENTAL EULA.

Capitalized terms used in this Supplemental EULA and not
otherwise defined herein shall have the meanings assigned
to them in the applicable OS Product EULA.

General. The OS Components are provided to you by
Microsoft to update, supplement, or replace existing
functionality of the applicable OS Product. Microsoft
grants you a license to use the OS Components under the
same terms and conditions of the OS Product EULA for the
applicable OS Product (which are hereby incorporated by
reference except as otherwise set forth below) and the
terms and conditions set forth in this Supplemental EULA,
provided that you comply with all such terms and conditions.
To the extent that any terms in this Supplemental EULA
conflict with terms in the applicable OS Product EULA, the
terms of this Supplemental EULA control solely with respect
to the OS Components.

Additional Rights and Limitations.

* With respect to the OS Components only, if the licensor of the
applicable OS Product was an entity other than Microsoft,
then for the purposes of this Supplemental EULA Microsoft
will be the licensor with respect to such OS Components in
lieu of the "Manufacturer" or other entity and support, if
any, for such OS Components shall not be provided by
Manufacturer. With respect to the existing functionality
contained in the applicable OS Product which is not updated,
supplemented, or replaced by the OS Components, the EULA
for the OS Product shall remain in full force and effect as to
that OS Product.

* If you choose to utilize the update features within the OS
Product or OS Components, it is necessary to use certain
computer system, hardware, and software information to
implement the features. By using these features, you
explicitly authorize Microsoft or its designated agent to
access and utilize the necessary information for updating
purposes. Microsoft may use this information solely to
improve our products or to provide customized services or
technologies to you. Microsoft may disclose this
information to others, but not in a form that personally
identifies you.

* The OS Product or OS Components contain components that
enable and facilitate the use of certain Internet-based
services. You acknowledge and agree that Microsoft may
automatically check the version of the OS Product and/or its
components that you are utilizing and may provide upgrades
or fixes to the OS Product that will be automatically
downloaded to your computer.

* If you have multiple validly licensed copies of the applicable
OS Product(s), you may reproduce, install and use one copy
of the OS Components as part of such applicable OS Product
(s) on all of your computers running validly licensed copies
of the OS Product(s) provided that you use such additional
copies of the OS Components in accordance with the terms
and conditions above. Microsoft, its subsidiaries and/or
suppliers retain all right, title and interest in and to the
OS Components. All rights not expressly granted are
reserved by Microsoft, its subsidiaries and/or suppliers.

IF THE APPLICABLE OS PRODUCT WAS LICENSED TO
YOU BY MICROSOFT OR ANY OF ITS WHOLLY OWNED
SUBSIDIARIES, THE LIMITED WARRANTY (IF ANY)
INCLUDED IN THE APPLICABLE OS PRODUCT EULA
APPLIES TO THE OS COMPONENTS PROVIDED THE OS
COMPONENTS HAVE BEEN LICENSED BY YOU WITHIN
THE TERM OF THE LIMITED WARRANTY IN THE
APPLICABLE OS PRODUCT EULA. HOWEVER, THIS
SUPPLEMENTAL EULA DOES NOT EXTEND THE TIME
PERIOD FOR WHICH THE LIMITED WARRANTY
IS PROVIDED.

IF THE APPLICABLE OS PRODUCT WAS LICENSED TO
YOU BY AN ENTITY OTHER THAN MICROSOFT OR ANY
OF ITS WHOLLY OWNED SUBSIDIARIES, MICROSOFT
DISCLAIMS ALL WARRANTIES WITH RESPECT TO THE
OS COMPONENTS AS FOLLOWS:

DISCLAIMER OF WARRANTIES. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT
AND ITS SUPPLIERS PROVIDE TO YOU THE OS
COMPONENTS, AND ANY (IF ANY) SUPPORT SERVICES
RELATED TO THE OS COMPONENTS ("SUPPORT
SERVICES") AS IS AND WITH ALL FAULTS; AND
MICROSOFT AND ITS SUPPLIERS HEREBY DISCLAIM
WITH RESPECT TO THE OS COMPONENTS AND
SUPPORT SERVICES ALL WARRANTIES AND
CONDITIONS, WHETHER EXPRESS, IMPLIED OR
STATUTORY, INCLUDING, BUT NOT LIMITED TO,
ANY (IF ANY) WARRANTIES OR CONDITIONS OF OR
RELATED TO: TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, LACK OF VIRUSES, ACCURACY OR
COMPLETENESS OF RESPONSES, RESULTS, LACK OF
NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT,
QUIET ENJOYMENT, QUIET POSSESSION, AND
CORRESPONDENCE TO DESCRIPTION. THE ENTIRE
RISK ARISING OUT OF USE OR PERFORMANCE OF
THE OS COMPONENTS AND ANY SUPPORT SERVICES
REMAINS WITH YOU.

EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND
CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, IN NO EVENT
SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE
FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING,
BUT NOT LIMITED TO, DAMAGES FOR: LOSS OF
PROFITS, LOSS OF CONFIDENTIAL OR OTHER
INFORMATION, BUSINESS INTERRUPTION, PERSONAL
INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY
DUTY (INCLUDING OF GOOD FAITH OR OF
REASONABLE CARE), NEGLIGENCE, AND ANY OTHER
PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING
OUT OF OR IN ANY WAY RELATED TO THE USE OF OR
INABILITY TO USE THE OS COMPONENTS OR THE
SUPPORT SERVICES, OR THE PROVISION OF OR
FAILURE TO PROVIDE SUPPORT SERVICES, OR
OTHERWISE UNDER OR IN CONNECTION WITH ANY
PROVISION OF THIS SUPPLEMENTAL EULA, EVEN IF
MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

LIMITATION OF LIABILITY AND REMEDIES.
NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT
INCUR FOR ANY REASON WHATSOEVER (INCLUDING,
WITHOUT LIMITATION, ALL DAMAGES REFERENCED
ABOVE AND ALL DIRECT OR GENERAL DAMAGES), THE
ENTIRE LIABILITY OF MICROSOFT AND ANY OF ITS
SUPPLIERS UNDER ANY PROVISION OF THIS
SUPPLEMENTAL EULA AND YOUR EXCLUSIVE REMEDY
FOR ALL OF THE FOREGOING SHALL BE LIMITED TO
THE GREATER OF THE AMOUNT ACTUALLY PAID BY
YOU FOR THE OS COMPONENTS OR U.S.$5.00. THE
FOREGOING LIMITATIONS, EXCLUSIONS AND
DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, EVEN IF ANY
REMEDY FAILS ITS ESSENTIAL PURPOSE.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Does it really matter?

[Idou]

" . . . Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine."

Mod this offtopic or flamebait, but if nobody but MS has access to the source code, are you not already completely trusting MS not to access those medical records without due cause? I mean, even if you do prevent "automatic updating," there is no way you could prove these records aren't being sent out everytime your machine connects to the 'net, in theory. I know this doesn't help YOUR problem, but I can't help but think this policy is a bunch of BS created to make people ignorant of the situation FEEL better.

Re:A few thoughts (I agree, but...)

[LegendLength]

The people who maintain the firewall need to know about the autoupdate, so that they can block it at the firewall.

Could you block the windows updates and still let other http through though? I'm not a networking expert but if it uses port 80 then there is no way to stop it right?

Living the cliche

[DannyO152]

Are we accelerating down the slippery slope? Files have to be open for copyright infringement monitoring and national security; files have to be closed because of privacy. One seeming solution is to have everyones' os and hardware enforce "good copyright citizenship", which I suspect is a technological and sociological impossibility. Or some entities could receive a government conferred license to look at everything, which means that some people's copyrights are more precious than others. Welcome to the weirdfest.

Don't forget about USB drivers

[Bloody+Bastard]

Do you know those little USB drivers which look like a pen? Well, they are better than floppies, and you can use them in your "legacy free, super secure" Compaqs, I think.....

Re:Don't forget about USB drivers

[Brento]

Do you know those little USB drivers which look like a pen? Well, they are better than floppies, and you can use them in your "legacy free, super secure" Compaqs, I think.....

Not if you're running NT4 on said Compaqs, and I know of one company who still refuses to migrate because of a few similar problems. Think plug & play USB wireless nics, for starters.

Not just secure from the outside.

[jjccss]

HIPAA privacy standards (to this point, being that they most likely finalized until Oct. 2002) say that not only must you keep things from the outside, but also from other employees that are not supposed to see them. Now, knowing that, just sticking yourself behind a firewall is going to keep information in (in theory). That does not however, stop an employee from walking away with information. And until we can figure out what capabilities MS has to access things, we can't rule out that someone else won't figure out that method and exploit it.

um.. common sense?

[Froqen]

Acording to the register article, the clause is: "You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer" I'm really unclear what this has to do with accessing private data that has nothing to do with the OS. I think you have let the /. hype about "ms gets to own your computer anytime it wants" get to you.

OT: Dumping M$

[tarsi210]

It's rather amazing, but from my experience, especially in the healthcare field there are an amazing number of custom, legacy, older-than-hills-but-works-well software to support or handle. I should know, my company's product is one of them.

Mind you, after being in the industry this long, I can see WHY companies take so long to port to anything new, the regulations and codes are staggering.

Linux will take a long time, if ever, before it becomes a major player in healthcare. There's just too much stuff to move.

Re:OT: Dumping M$

[iamacat]

And why would any of this legacy software need XP and especially SP3? Sounds like it should work well with Win3.1. Or WINE for that matter.

Misguided

[alext]

go ahead, get Windows SP3, and then figure out some way to disable remote-root.

No lawyer is going to recommend this because there's no guarantee that a technical fix will work or will not compromise some other clause or agreement.

A new contract needs to be drawn up in place of the EULA. I would recommend this for all IT licensing, not just for MS products - shrinkwrap EULAs are of dubious legality at best, especially in Europe.

Default routes

[???]

Having the second firewall also prevents the servers "getting out" on the internet, becuase we removed the
defualt route from the firewalls, so they do not know where the gateway to the internet is.

Removing the default route does not effectively prevent traffic from the servers getting out to the internet, nor does it effectively prevent traffic from the internet getting to the servers. A properly configured firewall can do that, but just removing default routes is not sufficient.

Re:Default routes

[jackb_guppy]

It is configured corrected. We also removed the route to prevent an open port say :80 from getting access to internet, if other settings fail or are overriden.

This is just another "hurl" to prevent the connections.

You see, you do not rely on just one "hurl" to prevent problems... you rely on multiple. Simple ones like removing a default from routers and servers to complex like vpn tunnels, certificates, and auto removal of "unsafe" programs from the desktops.

Re:Default routes

[Tony-A]

Multiple "hurl"s, (whatever that is)
Where security by obscurity actually works. Each piece individually is not that good, but there is no one thing you can crack and be "in". Damage is limited, and these things tend to be noisy about stuff that doen't belong.

NOTHING of the sort in the Dutch EULA

[Beetjebrak]

I trawled through the entire Win2K Pro Eula here in the Netherlands when I got it from a shop, then read through all the additions that came with updates (SP2, SP3 and other smaller patches). Nowhere in the whole EULA or its additions could I find any statement that allows MS any access to my system whatsoever. Is there a difference in EULA's here, or am I just cross eyed??

Re:NOTHING of the sort in the Dutch EULA

[alext]

Apparently there are two EULA texts - one comes up before you download, the other during the install. Guess which is the more constraining?

I haven't installed SP3 so I'm afraid I can't be more precise - suggest you check earlier /. discussions.

Re:NOTHING of the sort in the Dutch EULA

[Beetjebrak]

Well that's what I did.. and I read through each and every text MS threw at me during the process. I just find it funny that I can't seem to find the dreaded paragraph in any of the EULA bits..

I doubt it

[NoBlock]

I'm not an American citizen and I don't know anything about HIPAA but...

As I understand it from this discussion, HIPAA specifies the hospital's obligations, not Microsoft's or in fact any other software vendor's.

If you install SP3 and Microsoft remotely accesses your PCs, Microsoft probably wouldn't be in violation of HIPAA (because it isn't bound by it). *You*, however would be in violation because you've potentially allowed a third-party access to confidential data.

So it seems to me that your only option is not to install the service pack (or get some kind of exemption from either the HIPAA authority or Microsoft).

But IANAL...

A Technical Forum???

[fwr]

In the meantime, this is a technical forum...

I'd say that you have a lot to learn about Slashdot. While most of the stories on here are technical in nature or have something to do with technology a large percentage of them have to do with the legal and political issues surrounding something technical.

Think about all the stories on copy protection for CD's. Yes, it has to do with a technical issue, but the discussions are certainly not technical. I've seen no code posted no how to defeat the copy protection. 99% of the posts are opinions about whether it is right for the producers to restrict use of purchased CD's in the way they want to, and the other 1% are First Post!

Why don't you just come out and say it? You are a Microsoft appologist that wants to ignore the issue with their EULA by making fun of the issue and calling it a waste of time. You say it's an invalid clause, but you don't indicate that you are a lawyer (and even if you were I doubt you'd be offering official legal advise). So you want us to just ignore the issue and "agree" to the EULA?

What happens if the EULA is allowed to stand and then Microsoft actually builds in more of this access that you granted them? What happens when it eventually gets installed on all Windows systems and then the crackers find out how to manipulate it and steal information off your computer? Then it wouldn't be Microsoft accessing the sensitive information, as I doubt they actually would do something like that, but because of the EULA they provide additional access methods for others.

There are plenty of valid discussion items surrounding this issue. Ignoring them is not going to make them go away, and they definately fall right smack into the favorite topic on Slashdot -- Microsoft bashing.

Re:A Technical Forum???

[ScottKin]

Pure, rampant red-herring bullcrap!

If you would take a moment and read the WHOLE EULA, you would see that they are only talking about DOWNLOADING software updates and checking installed software catalogs specific to Microsoft Operating Systems (not even third-party apps) to ensure that the proper updates are downloaded.

Paranoia in this case is so damn pathetic! GROW UP AND STOP THINKING THAT EVERYONE IS GOING TO STEAL YOUR THINGS!!!!!

ScottKin

Anyone know of and hard rules posted anywhere?

[Asprin]

Every time I ask Google about this it seems like I end up bouncing back and forth between the same three or four sites never quite finding what I'm after -- kinda like pr0n, but not as fun. So here goes...

Does anyone know of any free/nonfree resources, documents or URLs that list the networking, server and policy encryption and configuration standards required for HIPAA compliance? Consider this from the point of view of a network administrator for a small health services company that buys all of its software from outside vendors (no internal development).

Please don't answer http://hhs.gov. I know about those, and I'm hoping to find a summary or sorts, not the original regs. I'm also aware that the rules themselves are vague and unspecific, and may or may not specifically mention networking and servers hardware software and practices, so I'd appreciate that someone confirm that if it is the case.

Re:Anyone know of and hard rules posted anywhere?

[mfiller]

The root post by Chris appears in my browser with a list of links provided by Slashdot. It includes one "HIPAA" http://ask.slashdot.org/askslashdot/02/08/27/20302 05.shtml?tid=109 which seems to have every thing you could want, from the rules themselves (if you want a headache) to various attempts to explain them to non-bureaucrats.

Red herrings R us

[alext]

Breaking confidentiality via the actions of authorized staff is a different risk. The question is about the act of assigning external parties privileges that itself breaks confidentiality agreements.

SILENCE!

[Ride-My-Rocket]

Dissent from within the Slashdot ranks will NOT be tolerated! No post for you!

Microsoft's Tactic:

[tomkit]

Here's the behemoth's tactic: Create crappy and buggy software and sell it. Distribute a service pack that makes their anti-piracy technology more strigent. This causes consumers to be stuck between a rock and a hard spot; if they don't upgrade their software becomes out-of-date and prone to crashes and hacks, or if they do upgrade, they give in to Microsoft's monopoly and have to go along with whatever MS cooks up. tomkit, long live puja mahtani and mankit li

Simple, change the law

[gelfling]

It's far cheaper to simply change the law and declare victory than it is to pretend you can sue Microsoft. Seriously, start lobbying your local Congresspersons explaining to them that your company might have to close and fire voters unless they intervene. That way they can simply pressure the agency to write an exclusion for W2K specifically. The law was created in the first place to pacify people who didn't want their records divulged. It has nothing to do at all with the industry itself or what is good for health care providers. So if you simply ignore the screams of the populace and change the law you're in a better place,

I'm sure some of you narrow minded twits will think this is backhanded MS bashing but it's not. It's simply reality. When was the last time YOU sued a multibillion dollar company?

Oracle? Who needs Oracle?

[leonbrooks]

Many quite large and busy sites are running on PostgreSQL or even MySQL (true SQL afficiondos are permitted a short vomit break at this point). As they've freely admitted, even Microsoft hasn't figured out how to undercut `free'. Yet.

But forget the server, Win2kSP3 on a workstation means that Microsoft have the right to installer a sniffer (diagnostic software) on the workstation and directly or indirectly pilfer all of your HIPPA data. You gave them that right when you agreed to the EULA. What's the real cost of that?

Meanwhile, IRL, W2k is likely to sooner or later also give every t0m, d1c| and |-|4rry the same ability, albeit not the right to legally employ that ability, as if they cared.

Re:Why is there censorship on slashdot ??

[stinky+wizzleteats]

Yeah, um, so I checked out your site, and found this claim:

Slashdot-free since Leap Day 2000

Do you know what day it is?

You can turn off the auto-updating feature of SP3

[shodson]

The Register ran a few interesting articles about how to work around the restrictions and requirements of SP3's EULA.

• How to disagree to the EULA and still install SP3
• How to disable the auto-updating features of SP3 so it doesn't update itself with MS patches.

Enjoy

Yeah, ask these people...

[NeoNormal]

I'd say your question could be moot... after all the hipaadvisory site is "already compromised".

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Parent is not redundant.

[satterth]

Tee hee, that's funny. Also, are they still running Hotmail on Apache/BSD or did they finally get it moved to IIS?

Sort of, as far as Netcraft is concerned the [ad.***.hotmail.com] servers are still running Apache/1.3.26 (Unix) on FreeBSD. All the others seem to be switched over to Microsoft-IIS/5.0 on Windows 2000.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

OT (was: Re:Why is there censorship on slashdot ?)

[Ionized]

and it's so difficult to create a new user account that can post any number of times per day.

quit whining, please.

legal, not technical!

[zerodvyd]

I work with the healthcare industry on a limited basis...as in a couple clients are dr's offices and the like.

I have to agree with most of the others here:
get a good lawyer, and poor over the EULA. Talk with HIPAA, see what they have to say. This is a legal issue, and cannot be totally resolved by technical means. Sure, you can disable auto-updating, but those of us who actually installed SP3 will note that it in fact re-enables it (SILENTLY!!).

This goes beyond the regs according to HIPAA, we all have a right to privacy. Microsoft needs to take note of that. They do have a right to verify that you have a legit license for their software, they don't have the right to cruise through your hard drive.

Perhaps this little conflict will be the silver bullet to bring Microsoft's extremely bold EULAs back into line with reality as we know it.

The catch 22, of course, is that you're damned if you do, damned if you don't since you have to stay up to date with those security updates to keep HIPAA happy.

Even though we're all not lawyers here, I think we've gotten this person pointed in the right direction, eh? :)

Re:What a waste of time

[psych031337]

So, you thought desktop/application firewalls were safe? Think again.

Although MS engineers are not really well-known for implementing clever and working solution, I fear that they might have come up with a similar or even advanced technique of establishing a "stealth" connection.

A corporate firewall/packet filter with some sort of IDS enabled and all MS IPs blocked _might_ work if used in conjunction with an application firewall on each individual machine. On the other hand it might trade in too much flexibility for security. If the individual machine depends on http availability your pretty much lost. You can piggyback/tunnel basically anything through that. Disabling IE and using Netscape might put a hold to that.

But there ain't no verification of that unless someone can produce the w2k sources... And if someone does MS will have a patch ready and automatically deployed in RECORD time...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Read the FAQ.

[small_dick]

You've got three years to deal with the issue until they start fining you (if your company has under $5 million in annual revenue).

If over $5 million, you've still got two years to comply.

Either way, the max fine for non-compliance is $25K/Year, and they don't even know how they're going to find you...

I'm not saying you should slack on this, I'm just saying it's not a "huge,huge" crisis situation. Deal with basic, common sense security and do more research. You've got time to do this right.

Re:Read the FAQ. -- OOPS!

[small_dick]

Crap, this has been in effect for awhile. I wish they would use dates, not just simple lengths of time.

Deadlines:

The Transactions Rule was published on August 17, 2000. So the compliance date for that rule is October 16, 2002.

The Privacy Rule was published on December 28, 2000, but due to minor glitch didn't become effective until April 14, 2001. Compliance is required for the Privacy Rule on April 14, 2003.

[These are the 24 month deadlines].

Redundant.

[AJWM]

Okay, bucko, that's SIX times now you've posted that same excerpt from the EULA. Can we get some (-1, Redundant) modification in here?

Oh, and to answer your question: "you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes."

Note that that says NOTHING about how they will access the information. By the letter of the EULA, they'd be within their rights (which you authorized) to just have a couple of goons march into your computer room and haul the machine back to Redmond for them to update there.

Improbable? Sure. But you explicitly authorized "access", period, not "access over a network connection using a specified protocol on a specified port".

Remember, this is Microsoft legalese we're talking about -- their view of contracts (of wich the EULA is one) is that anything not expressly forbidden to them is allowed.

Re:Redundant.

[alext]

...but also misleading, as an AC has already pointed out. Here's the paragraph subsequent to the one that's been repeatedly quoted:

The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

Because this is outside the context of the auto-updating feature paragraph there is no obligation on Microsoft's part to apply any user choice there to this mechanism.

Re:Redundant.

[alext]

The problem you appear to be encountering is that you interpret 'use/utilize' to be a conscious act and one which users will be able to identify and predict. No such meaning necessarily applies.

In fact, the wording is so vague Microsoft could associate this permission with any product or mechanism they choose, given the pervasiveness of 'internet-based services' such as IE.

With reference to your earlier posts, I'm obliged to point out that these are far from consistent in the argument that they are advancing.
In order, we have:

1) The suggestion that any machine connected to the net contravenes the HIPAA and that therefore the whole debate is moot. Presumably because this is obviously an impractical limitation, no further mention is made of it.

2) The suggestion of a technical fix to the auto-update mechanism to prevent it from functioning. Several responses then point out that the problem lies with the license, not any specific mechanism.

3) Several posts quoting the portion of the EULA concerning opt-in auto-updates, omitting the general update permission clause. This is in an effort to prove that auto-update requires explicit permission.

4) After apparently retreating from (3), a new proposition is advanced that auto-update, while admittedly not being under explicit control of the user, applies only to mechanisms consciously 'utilized'. Presumably the implication is that the user will always be aware of such use and therefore should not be surprised by an auto-update.

5) A synthesis of (2) and (4) is then proposed where by 'firewalling the box' the mechanisms in (4) will be used and therefore the general auto-update clause does not apply. This is then immediately undermined by the admission that firewalling does not prevent mechanisms from accessing the internet, and so "[a]ny of [sic] MS's software that uses the Internet can check itself and update itself.". This doesn't prevent the same argument being forwarded again later, this time with the recommendation to use SUS to distribute patches as a workaround.

6) Yet another new angle is introduced, this time that the EULA itself can be disregarded because any 'illegal or unreasonable' clause will be found invalid when legally tested. It is not clear how this relates to previous points made.

It seems from this summary that you are content to chop and change your argument as you go along, shifting ground from one proposition to the other where necessary, only to restate earlier points in other places. It might be better for all concerned if you drew together whichever parts of the statements above now constitute your position and posted it once for further discussion.

Re:Redundant.

[Tony-A]

you can't utilize an Internet component if you do not have an Internet connection
Take a few computers, a hub and some Cat5 cables. No Internet, but any Internet components in the software can certainly be used.

Finally, it is important to note that a EULA does not overide relevant legislative and case law. That is fact.
Are Microsoft's lawyers aware of this?

"Auto-update" as a feature only grants MS rights if you turn it on.
Does Microsoft have any rights if I don't turn it on?

Re:Redundant.

[Tony-A]

I'd like to get all that on a sworn affadavit from someone responsible at Microsoft.

Attorney's Take

[quoz13]

I'm an attorney who works with HIPAA. Here are some general observations about the EULA.

Reasonable Assurances... The writer who states that the covered entity need only take reasonable precautions. What is or is not reasonable depends on too many factors. I happen to think that if you disable the feature, that action seems pretty reasonable. I for one, am not worried about the EULA. I'm more worried about things like password protection, access to the file room and the like.

Illegal Contracts... As someone else correctly states, contracts that are contrary to law cannot be enforced (at least the illegal provision).

Covered entites... Chris, who wrote the original message may not need to worry about HIPAA. HIPAA covers mostly medical providers and insurance companies. It also covers self-insured companies and the like, but I don't think it covers loan applications. Of course, Chris could be a business associate of a covered entity.

Business associates... A covered entity must obtain satisfactory assurances from its business associates (accountants, lawyers, billing companies) that the health information is protected. As someone correctly notes, that requires an agreement known as a business associate agreement/contract.

As a side note, I've begun to draft an article about what HIPAA requires... the language in the law actually asks the covered entity to make sure that they have "satisfctory assurances" that the business associate safeguard personal health information ("PHI" although some call it "individually identifiable health information")

Re:Attorney's Take

[BuzzSawer]

Forgive me, I'm not a HIPAA guy, I'm more of a FDA Part 11 guy. If I'm correct, the original post was with regards go being found 'out of compliance'. To be found 'out of compliance' you must first be audited. Either your procedures are not HIPAA compliant, or you are not following your procedures. The Part 11 solution is to make sure your procedures are 'close enough' (I'm taking a little liberty here) then follow them exactly. Does that work with HIPAA and the issue we are discussing? Cant you just proceduralize the 'locking down' of your servers? I hope it is that simple. PS: Even if you have Linux (which I prefer) you still need to create the proper procedures.

another interesting one..

[THEbwana]

In Luxembourg the Banking secrecy legislation is very tight. It is, for instance, illegal to divulge any information regarding the client in the following situations:
- Divulging information to other legal entities in the same concern (ie communication between the insurance arm and the banking arm of a financial institution).
- to give out information to anyone even though the client has approved or ordered that the bank gives out information regarding the client relationship.

An example: in most countries its perfectly legal to have an offshore account. In some countries its ruled ok only if that citicen (the client) agrees to instruct the bank to share all information with the taxation authorities in the clients home jurisdiction. If you send a letter to a bank in luxembourg with such an instruction - they will straight away file the instruction in the round cabinet (that goes to recycling every day ;-). If they, however, choose to give out the specified information they will be (the actual clerk and possibly his/her manager) liable for a 5 year jail sentance.
Privacy is ruled to be of the utmost importance in Luxembourg. Moreso than even the Swiss.

- Why am I ranting about this? - well, all these bankers use computers. They usually use Windows computers. Computers that sometime (quite often if you take a look at Zone alarm) choose to send information from the bank to an external party. What information that is being sent is not disclosed by microsoft. No one knows.
But more seriously:
- If you allow Microsoft to be root - by definition you give them unlimited access to information regarding the clients of the bank. So who would be guilty (who would get 5 years in prison) ? - well, if the EULA is valid i the EU (not entirely sure that it would hold up in a court of law ) it should be the sysadm that clicks through the EULA . Otherwise, you could possibly point the finger to the head of security, within the bank, who decided to accept the EULA ...

Its a question of time... /m

Re:What a waste of time

[PONA-Boy]

Absolutely true!!!

We had a multi-million-dollar solution go down the toilet because neither the software manufacturer nor the doctor's practice nor the local medical board could assure us we were going to be HIPAA-compliant.

Hell, even the US-friggin-government couldn't tell us we would be compliant. Bottom-line? The customer walked because there WAS no solution. No-one knows what HIPAA is right now; it is just a loosely-defined, vague, treatise on what you SHOULD be doing.

-PONA-

homegrown software

[Unordained]

we built so-called homegrown software, knowing about hipaa (in fact, i think i read the spec more than the hipaa compliance officer assigned to the task) and no, there was no HL7 -- we built the app as a client/server with firebird/interbase, so there was no control over the data transmission. most of the firebird team, in fact, views SSL on the connection as unnecessary, but we didn't know how to go about setting that up manually (i hear it can be done, never got around to it.) the fact that the reply to your post says that HL7 is cleartext actually worries me ... we had to share the network with non-medical staff, but at least we knew the internet access was nice and secure.

our database server was running linux (slackware) so the EULA had no effect there. on the other hand, some of our machines were running w2k (dell) and were thus liable to have a EULA issue on the client end (MS could remotely install a listening patch gaining access to the DB data coming and going ... and slowly accumulate data about our patients.) to be hipaa compliant, you must make sure nobody can get to the data (remember: this also means locking your console when you're away, logging out, closing the door, keeping the blinds shut, etc.) so in this case, i'd recommend the following: make sure the w2k machines are set -not- to do automatic updates, and make sure the firewall is setup such that nobody's going to get in from the outside ... as long as the machines don't automatically wake themselves up and decide to go looking for updates, you should be fine. nothing that comes with w2k should make the system insecure, and with no updates other than by your network admin/techs, nothing new should arrive to change that.

even with SSL between the DB and our clients, we couldn't prevent an MS program from, say, gleaning data directly from RAM ... (i know, unlikely, but ... core dumps for helping to fix things? memory dumps for entire system status at the time of a crash? that annoying feature in XP that asks you if you want to send MS a bug report about your own, home-grown app if it crashes while you're testing something unstable?)

Student loan collection

[dave_mcmillen]

Our company deals with medical records in a peripheral sort of way (as they pertain to student loans)

"Mr. Peterson? This is your student loan officer. We note from your medical records that you still have both of your kidneys. We note from our financial records that you still owe us $40,000. Are you aware of how much a healthy kidney can fetch on the black market? Hello? Hello?"

Re:What a waste of time

[daveman_1]

Yes, a loosely defined treastise of laws to screw poor IT people over when someone fucks up. Don't worry, "risk management", aka your company's liaison to the insurance provider, will make all of you sign waivers after giving you a class that gives you just the vaguest notion of what HIPAA is. You will walk away confused, feeling like someone just screwed you and there will be nothing you can do about it. The purpose of all this is simple: Later on when someone fucks up, they now have some individual to blame and say "Hey, we're not responsible as an organization, he is!!!". And you won't have the first clue why they are putting you in jail. HIPAA is bureaucracy at its finest. HIPAA is Bill Clinton's legacy. HIPAA should die a quick and painful death before we all suffer its wretchedness.

Re: HIPAA Acronym explained

[Ashurbanipal]

HIPAA is the Health Insurance Portability and Accountability Act of 1996, which is a regulatory nightmare that we will eventually be thankful for.

HIPAA is designed to accomplish three things:

1) Provide employers and employees with a standardized, useable system for transferring health insurance coverage (and/or the payment arrangement associated with that coverage)from one party to another. This would mostly be used to prevent gaps in insurance coverage when switching jobs.

2) Force all medical service providers (such as hospitals and analytical labs) and insurance providers to conform to a single strongly defined set of transaction codes and formats.

3) Mandate proper security for sensitive medical records (defined as ANY medical records of ANY sort that could be used to identify an individual's state of health or medical treatments received).

HIPAA is a nightmare because most hospital data management systems have totally ineffective security. Meditech, for example, is appalling, and homegrown systems are usually worse (I know of one world-famous Oncology Centre where the passwords have not been changed in seven years - hundreds of ex-employees know them all). The most secure is probably SMS (which is slow, cumbersome, mainframe-based, and tremendously expensive) or possibly HBOC (same comments apply).

Adding to the futility is the unbelievably lame way the government has handled the specification, dissemination, and revision of the standards. All the transaction stuff is fine, but the security standards are vague and constantly changing.

We will eventually be happy because HIPAA's transaction standards will vastly decrease costs in the health care and insurance industries - currently millions of man-hours are wasted doing simple reformatting tasks, because medical software companies generally refuse to use anything but government-mandated (HL7, UB92, etc) or proprietary data formats, in order to prevent customers from easily switching vendors.

I am currently searching for a new job because I do not wish to be involved in HIPAA any more. I am a scientist, not a lawyer, and I find all this stuff tedious, especially the intransigence of vendors who simply don't care if their products are HIPAA-compliant.

If this is health care ...

[Lucas+Membrane]

Isn't there more than privacy legislation involved? Those computers are somehow part of the process of getting people cured, healed, fixed-up, life-saved. How can any systems manager in that situation not maintain complete control of the machines? I've heard that their is MS software on airplanes. Does MS have the right to replace the software while the plane is in flight? Isn't this an ethical and a safety issue instead of simply a legal issue?

The *FURTHER* legal requirements

[Thyrsus]

The clause you've been debating interacts with this other clause, which says that if I don't accept everything Microsoft wants me to take (or give!) then my only recourse is to stop using their software. Microsoft is very close to making auto-update a condition of running their software. They haven't gone entirely to ``leasing agreements only'' but they're very close.

From the mouth of Microsoft:

Replacement, Modification and Upgrade of the Software: Microsoft reserves the right to replace, modify or upgrade the SOFTWARE at any time by offering you a replacement or modified version of the SOFTWARE or such upgrade and to charge for such replacement, modification or upgrade. Any such replacement or modified software code or upgrade to the SOFTWARE offered to you by Microsoft shall be considered part of the SOFTWARE and subject to the terms of this EULA (unless this EULA is superceded by a further EULA accompanying such replacement or modified version of or upgrade to the SOFTWARE). In the event that Microsoft offers a replacement or modified version of or any upgrade to the SOFTWARE, (a) your continued use of the SOFTWARE is conditioned on your acceptance of such replacement or modified version of or upgrade to the SOFTWARE and any accompanying superceding EULA and (b) in the case of the replacement or modified SOFTWARE, your use of all prior versions of the SOFTWARE is terminated.

Re:The *FURTHER* legal requirements

[Black+Copter+Control]

Microsoft is very close to making auto-update a condition of running their software. They haven't gone entirely to ``leasing agreements only'' but they're very close.

Actually, they have gone to a leasing-only agreement. They just haven't named it such yet. You can only use the software until they 'offer' you a replacement. You MUST accept (and pay for) the new software.

According to what you've quoted, they've locked you into recurring payments. You just don't know what they're going to charge, yet.

• Microsoft reserves the right [of]
• offering you a replacement or modified version of the SOFTWARE ... and to charge for such
• your continued use of the SOFTWARE is conditioned on your acceptance of such replacement
• [and] your use of all prior versions of the SOFTWARE is terminated.

It doesn't matter if the replacement software is buggy, shuts down your company's business or simply doesn't fit on the disk. You must pay them. You must use the new version.

According to this license, the software is clearly not yours. It's Microsoft's plaything -- and if you accept the license, so are you.

Re:The *FURTHER* legal requirements

[ScottKin]

Here's a translation of what the purported "clause" in the EULA states:

Microsoft can make updated or upgraded versions of the software.

When you install this updated or upgraded software, you are still bound by the EULA unless there is a new EULA.

Microsoft can charge you for the updated or upgraded software.

When you upgrade, you can not use the previous software as if it was brand-new and freshly installed, because it's no longer there.

Remember this important fact: The EULA is in effect when the software is installed, not when you buy/purchase the software - hence, if the previous software has been updated or upgraded, the previous version is gone.

Therefore, your conclusion is utter nonsense, and there is NOTHING in the aformetioned and above exhibited EULA clause that supports your conclusions.

Learn to read what's there instead of trying to read between the non-existent lines - legal documents, like EULAs can't have any by their own definition.

ScottKin

Re:The *FURTHER* legal requirements

[Chris+Burke]

Well, since we're all reading here, how about this line?

(a) your continued use of the SOFTWARE is conditioned on your acceptance of such replacement or modified version of or upgrade to the SOFTWARE and any accompanying superceding EULA

So, let's complete your translation, which was otherwise quite good:

Microsoft can make updated or upgraded versions of the software.

When you install this updated or upgraded software, you are still bound by the EULA unless there is a new EULA.

Microsoft can charge you for the updated or upgraded software.

When you upgrade, you can not use the previous software as if it was brand-new and freshly installed, because it's no longer there.

And the missing piece:
If you chose not to upgrade, you can not use the previous software.

So when you combine the other statements with -required upgrades-, it does in fact support previously arrived at conclusions.

Re:The *FURTHER* legal requirements

[Tony-A]

In the event that Microsoft offers a replacement or modified version of or any upgrade to the SOFTWARE, (a) your continued use of the SOFTWARE is conditioned on your acceptance of such replacement or modified version of or upgrade to the SOFTWARE and any accompanying superceding EULA

Looking more and more like a protection racket. Microsoft claims the right to abrogate any previous deal and substitute anything it likes, whenever it likes.

Can anyone provide the full license agreement

[York+the+Mysterious]

I really wanna read the exact wording of this thing. I'm interested in seeing what I just clicked accept to. -Tim

Re:What a waste of time

[SEWilco]

I hear that the key is now being sent to MS, which gives MS enough info that when you register your machine MS can add your system info and key to a database.

People who say that are forgetting that MS issues the keys. MS can already have a database of all legal keys, which means keygen would also have to test for a valid key.

MS could require registration in order to be able to download patches, so it can detect duplicate keys in use. Just because it seems that MS is presently not comparing against its own generated keys doesn't mean they won't....nor that they won't retroactively compare to that list.

Nor do we know if MS is actually performing such tests but using the info for something other than online validation.

DataHive offers solutions for this...

[coene]

Check out DataHive, who makes network servers that assist in many areas of HIPAA compliance. Their products are built upon OpenBSD, and have all the goodiest most companies need, out of the box.

Without knowing more details about how your operation handles medical records, let me tell you that a small medical office can have its IT department almost fully HIPAA compliant simply by installing a DataHive and following the install guide. Even down to the nitty gritty things like locking drives and offsite backup, DataHive has it covered.

Remember, a computer cannot make you HIPAA compliant, but it can ASSIST in achieving HIPAA compliance.

Altogether now

[dbrutus]

Anytime you see an MS station in a medical setting from now on, admire their bravery for bucking the HIPAA rules.

Doctors don't give a damn about MS. They certainly don't understand that they might be non-compliant and subject to lawsuit. They will drop MS in a second if they find out that this is true.

Btw: My wife is a doctor that's newly entered practice and she's been having me look up this sort of stuff to educate her.

Great thread.

Why do you need an internet connection?

[HiThere]

If I wanted a really secure system, I wouldn't hook it up to the internet. Not with *any* OS. Also no floppy drives or removable hard drives. Etc.

I'm not sure just what level of security you need, and what level of access you need, but consider having an intra-net that is disconnected from the internet. Any computer that really needed to access the internet would need to have two cable drops, and just manually switch between them as needed. (This wouldn't stop people intentionally breaching security, but it would be pretty effective against programs.)

Better still would be if the networks didn't share computers. Do you have any need for this data to go over the internet? Even VPNs are less secure than not having a connection. If you must, then use a server that is secure, and that doesn't mean MS. Novell, Unix, Linux, even, I've heard, Apple have good choices. With Apple though you will want to make sure that MSIE isn't installed. Perhaps the Apple version is safer than the Windows version, I wouldn't know, but I don't know, so I recommend against it. Of these, Novell is probably the safest (not really sure here, but that's what it looks like), but they're all pretty good choices with a range of prices and ease-of-use. (If you are new to a system, ease of use can be quite important. It can help you avoid mistakes.)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Part of a larger problem including NDAs

[bons]

As I understand it, as a beta tester, I cannot in good faith sign a NDA when testing a product and run that product on a machine where I have already agreed with current Microsoft EULA's. The EULA seems to force me to disclose whatever happens to be installed on that PC.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:I work at a hospital

[dbrutus]

You should give MS a call only to get a written statement of their HIPAA compliance assertion. Anything else should be handled by your own lawyers and techs. I wouldn't trust MS's legal department for unbiased or even accurate opinion. I would only trust them to convey legally accurate information as strictly required by law.

Comment removed

[account_deleted]

Comment removed based on user account deletion

SPAM?

[_Sprocket_]

Wow. Spamming Slashdot - this is the 2nd exact same reply and link to a commercial service / product. I'm not sure whether you're ballsy or an idiot.

Incidently - its a technical solution. It does nothing to address the legal issue being presented.

Re:SPAM?

[_Sprocket_]

Sure... whats it going to hurt my mailbox by being mailed by another clueless moron thinking they can make any money off me by buying harvesting software and a "targeted" email address list.

Comment removed

[account_deleted]

Comment removed based on user account deletion

SPAM?

[_Sprocket_]

...spam, perhapse?

Are you sick?

[itwerx]

Or drunk?
How many hurls do you need?

We assessed the "hurl vs hurdle" question a long time ago and decided overwhelmingly in favor of hurdles...

Re:SIM Solution for HIPPA compliance

[_Sprocket_]

...is this spam?

Re:No, he's saying it's a LEGAL Question, and this

[_Sprocket_]

This isn't a legal advice forum, no. But discussion on this subject helps develop the issues that need to be addressed. And it alerts Slashdot readers (many who are IT professionals - and all the ones who aren't) that the issue exists and may need to be addressed in their evironment too.

The smart reader will take the issues discussed here to their own legal councel and seek definitive answers.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

From one who works with these issues

[zuggie]

Folks,I work for a company who creates practice managment systems. I sent this link out and here is a snippit I got. Seems as if this guy has a valid concern, but he would need to keep in mind that software CANNOT be HIPAA-compliant. Since the security regulations have not been passed, then the user implementing this software would not be penalized if records were wrongly accessed. Not until the government hands down specific guidelines to protect user's technology can anyone really act. Not that I know much about how to implement security in a technology environment (or about win2k or SP3 for that matter), IT departments should make best efforts and be conservative in securing their hardware and software.

Re:From one who works with these issues

[crusher-1]

As an R.N. in a major hospital I have been told, both by the practice council and the state regulatory board that violation of a clients medical data by other not on the patients heatlh care team (e.g. M.D., R.N. PharmD., O.T., P.T. etc....) is a violation of Federal patient privacy laws and confidentiality guidelines. So the rub as I see it is this, An IT department makes best efforts to secure the data environment, applies all pertinant patches related to know security issue. And it gets hacked. I can't see how the admins can be held responsible given that they have followed all procedures known in order to secure said system. But, to the BEST of my knowledge Microsoft Corporation is not in the Health Care business and the patients, nor the health care team, has not implicitly or explicity consented to making MS party to the patients health care status. So, granted, I can't see MS going into a file system to query up a patient health record. However, by implimenting patch and changes to the system unbeknownst to the admins they are potentially compromising the data, making it less secure or, moreover, making the data inaccessible to the health care team due to the changes MS has implimented causing the system to fail or otherwise crash. This could have potentially drastic outcomes in the event that a patients status and information cannot be accessed at a crucial time (e.g. in a state of crisis - the patient needs emergency surgery and has an allergy to commonly used anesthetics). Who then is responsible for an undesirable outcome that is due to the inablitity to access information crucial to the patients well being? The patient and their families won't really care who's to blame. Their lawyers will simply suponea everyone involved. However, I can see the litigation becoming extremely costly and convoluted in light of such a scenario. And given that the access to said system and the subsequent "updates" and changes applied by MS were directly involved in the patient's negative outcome - how is MS held responsible? Bottom line, IMHO, is that MS is acting like the benevelant father in situations that they have no business in. It is incumbant upon those directly responsible for the maintenence of the system to ensure that it is operating correctly (and in the case of Health Care -- safely). The IT departments are those that should decide what and how changes are implimented -- NOT MICROSOFT! Just MHO!

My medical records on MS systems? Fuck you.

[fire-eyes]

Talk about irresponsible.

Solution to the problem?

[octavian755]

Ok so you don't want to violate any agreements, but yet you feel letting Microsoft have access to your computer would also be bad. Well in this case either just install the patches like many companies already have.

You always do have the choice of switching to another OS like Linux or Apple, but they also have there problems too. This would eliminate the problem of Microsoft accessing your files. The bad part of course is throwing away the money that companies spent to for licenses for Microsoft, so most of the time it's not a logical option.

In the end, if you're so afraid of using the patch, then don't. (I wouldn't blame you; I would do the same thing.)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:This is silly

[geekee]

At risk of being modded down further, my score on the previous post shows yet more evidence of how badly the moderation system on slashdot works. The people who started the site reward people for opinions like there's. They in turn become moderators who also reward similar opinion and penalize dissenting opinions. So, instead of objective moderation based on the merit of the comment, the mod value really indicates how close your comment is to being /. politically correct.

Re:Parent is not redundant.

[formas]

Actually, I work for a company that provides information systems to hospitals, and provides two versions. One is proprietary, OS and all (though being ported to run on Windows Servers), and the other is proprietary software running on Windows NT/2K (and soon XP) servers. This is actually a relevant issue for my company, and I am curious how they will handle it.

Re:What a waste of time

[xQx]

We thought of doing this.

We really did, working at a school, all the hackers are on the wrong side of an internet firewall.

The problem:

It's rather difficult to find a cost effective firewall product that'll work at dual gigabit ethernet speed.

Who needs SP3?

[BasicOp]

I am a programmer updating software for a major pharmaceutical company so that they are HIPAA compliant. The update is being deployed onto Win2k SP2. So if you are worried about SP3 then certainly don't update to SP3, or roll back to SP2. I understand that rolling back could be a tremendous amount of work... but so can consulting lawyers. The best way to get around a EULA is don't agree to it.

Synitech OpenEMR 1.7.0

[darkstar101]

OpenEMR is a modular, HIPAA compliant cross-platform electronic medical records system (EMRS). It facilitates efficient office management through automated patient record journaling and billing integration, and has been successfully integrated with third-party technologies including speech recognition, secure wireless access, touch screen portables, and biometric authentication. Interface screens are customizable and optimized for consistency, simplicity, speed of access to patient information, and minimum eye strain. OpenEMR is based upon widely-used public standards to achieve maximum compatibility with evolving technologies.

Re:What a waste of time

[mesocyclone]

And then there are the HIPAA message formats.

Health insurance related transactions are not terribly complicated. But HIPAA has managed to create a foot thick pile of documentation JUST ON THE MESSAGE FORMATS. They are unbelievable complex, and of course, they are not XML!

Oh, and if you don't use them, you can get in big, big trouble and go to jail.

Sigh.

Microsoft is a Business Associate under HIPAA

[mfiller]

If you expect support where the software vendor has any access to your system, a software (or hardware) provider such as Microsoft is one of your many Business Associates, under the Privacy part of HIPAA. When dealing with real people and 2-sided contracts with Business Associates, you comply with HIPAA by having in your contract an agreement that the Business Associate will be bound by the privacy rules of HIPAA not to abuse or disclose any patient data, which now have a 1-year extension to April 2004. It is not automatically bound by anything in HIPAA, you are required to bind it in your contract. Also, such a provision probably would not override an EULA, especailly a subsequently accepted one, unless (a) it says it overrides any contrary provision of any EULA and (b) there is an actual contract, signed by an agent of Microsoft. The $64,000,000 question is, how do you get Microsoft (or any other shrink-wrap or download software vendor) to sign an EULA with you, assuming you are a small practice or hospital and not a mega-health-care provider?

Re:What a waste of time

[beat.bolli]

What's more, Microsoft XP's UPnP implementation has an API that lets an application register port forwarding at the router (article here). I don't know if this is targeted more at the home market, but don't you ever depoly an UPnP-enabled firewall...

Lawyer from HIPAA Blogs weighs in

[beanerspace]

From the HIPAA Blog: "if the trade-off is that the SP3 will give you greater protection against hackers (who might target your site because they know the PHI will be useful to them) at the cost of less protection against Microsoft (who will have the same rights against most of the universe and will be much less likely to target you particularly), then wouldn't you meet the reasonableness standard?

When the security regs come out, we pretty much expect the reasonableness standard to apply to everything there as well."

Yeah, What he said.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: HIPAA Acronym explained

[raindr]

At the medical center I worked at; security was extremely poor. We migrated from SMS to Cerner which had alot of NT servers involved though the database was Oracle on a Open Vms platform.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

The facts about HIPAA

[hipaa-dude]

The majority of what's been posted on this question as it relates to what HIPAA is and isn't, is incorrect (I won't comment on the EULA issues). As has been suggested, please contact a healthcare attorney, or a security consultant who has worked with HIPAA before acting on any advice posted here. The attorney can help you with what HIPAA is, but they probably won't be able to help much with the details of the HIPAA EDI and security regulations.

To clear some things up though (and I am a security consultant who has been working with HIPAA for 2 years and have performed over 50 HIPAA security assessments in the last 19 months):

1. HIPAA is a law, not a person, or gov't group; it stands for the Health Insurance Portability and Accountability Act of 1996; there were multiple provisions to HIPAA, but what this topic is dealing with is the Administrative Simplification provision, which has three parts: EDI (transactions and code sets), privacy, and security; these three parts have been implemented by the Dept of Health and Human Services as federal regulations; the compliance date for the EDI regulations is Oct 2002, however covered entities can file a one year extension (for EDI compliance only), that doesn't require a complete inventory of all HW/SW; the compliance date for the privacy regulations is Apr 14, 2003; the security regulations are not finalized yet, but when they are, the compliance date will be 2 years from when they become final (however, the privacy regulations pretty much imply that you should comply with the security regulations by 4-14-03 also); business entities required to comply with HIPAA are: all health plans (health insurance companies), all health care clearinghouses, and those health care providers who perform at least one standard health care transaction (as defined in the EDI regulations) in an electronic manner

2. The only SW that can really be deemed to be HIPAA-compliant or not will be applications used to perform the health care transactions defined in the EDI regulations, if done in an electronic manner; any HW, OS or other SW in use not dealing with these transactions will have to be evaluated to ensure that it has security features required by the security regulations (and only really, really old SW and HW won't have these features - ie. DOS-based SW that doesn't implement IDs and passwords)

3. The Proposed HIPAA Security Regulations were published in Oct 98; they are technology-neutral and define well-accepted security controls (technical and non-technical) that should be implemented in a "reasonable" manner to secure information that is determined to be PHI (Protected Health Information - this term is specifically defined in the privacy regulations); basically PHI is medical or financial information about a patient that is stored or transmitted electronically by a HIPAA covered entity

4. The Proposed HIPAA Security Regulations are not in disarray, but define security controls (with required features) in a general, but usable way (if you understand security) so that what is required can be implemented today, without waiting for the final regulations (with the possible exception of the Electronic Signature Standard, which is really a separate regulation, but gets lumped in with the security regulations); the final HIPAA security regulations should NOT be too different from the proposed ones, but may have some clarifications and more specific technical requirements (ie. encryption algorithms, key length)

5. The HIPAA security regulations are 70% policies and procedures and 30% technology; the documented policies required cover information, physical and personnel security in a pretty thorough manner

6. The technical security requirements of the HIPAA security regulations involve the following areas, with some specifics given in the regulations:
a. access controls (system and network)
b. audit controls (system and network)
c. data authentication
d. entity authentication
e. integrity controls during communication
f. message authentication during communication
g. encryption during communication
h. other network controls including:
- alarms, audit trails, event reporting

7. These technical security controls are vaguely defined, but can be implemented if you have a thorough understanding of information security and the security features of the HW/SW in use; they can be implemented now because the regulations do state that a covered entity can determine what is reasonable, as long as they cover what is required

8. The HIPAA Privacy Regulations will be enforced by the Office of Civil Rights (OCR), and will entail complaints being filed with the OCR on suspected compliance violations; there will be no gov't auditing done (from what the lawyers I work with tell me, and they also work with HHS - Health and Human Services - so they should know); the enforcement of the security regulations isn't clear right now, which hopefully will be addressed in the final regulations (it may also be OCR); enforcement of the EDI regulations isn't necessary, because if you don't comply, you basically can't stay in business; non-compliance with the EDI regulations will prevent you from performing the standard health care transactions with insurance companies and/or clearinghouses, which is why you couldn't stay in business, unless you don't accept insurance (if you don't do the standard transactions electronically, you aren't required to comply with HIPAA)

9. You (a HIPAA covered entity) are NOT required to ensure that your business associates comply with HIPAA (your business associates may not be HIPAA covered entities and therefore wouldn't be required to comply with HIPAA); you WILL be required to have a business associate agreement (HIPAA-specific legal verbage added to contracts) with entities determined to be HIPAA-defined business associates (this term is also specifically defined in the privacy regulations)

Hopefully that covers most of the misinformation posted here.

Enjoy!

Re:The facts about HIPAA

[Bourbonium]

I really appreciate this kind of input. Ever since this thread began, I've been pondering how it affects me, as a sysadmin for a state health department. Our information security office has a dead link on its intranet page to HIPAA information, indicating that the page is still under development, but they have been of no help at all in explaining how I am to ensure HIPAA compliance for my servers. All of their published policies are really directed toward the end users. They have not provided any security guidelines for the network administration group, except to let us know that we will have to begin maintaining our security audit logs for as long as seven years, instead of overwriting these logs every few months. We don't even have an encryption policy in place, even though we store gigabytes of confidential data on servers scattered all over the state.

My concern over SP3 is that, as the likely scapegoat, and the one who clicks on the "I Agree" radio button in the EULA (when the Microsoft Baseline Security Analyzer recommends I update the SP on my Win2K servers), I may be liable for the criminal penalties mandated by HIPAA in the event some of this data is compromised, whether it is by Microsoft or some other entity. Other IT staff in my state are already worried about their jobs after our civil service personnel records were hacked last spring and all state employees social security numbers, birthdates and other vital info was scanned and possibly copied by unknown parties. If data on these Pre-SP3 Windows servers can be compromised (residing behind the same kind of firewall that supposedly protects my data center), what assurance do I have that my data is safe?

Comment removed

[account_deleted]

Comment removed based on user account deletion

"Dump Microsoft? What about ...

[Jens]

our thousands of Word and MS Office files which can only be read by MS software?"

"You see? You are already hooked. Now we need to move faster so that dependance doesn't grow.
Don't create documents in a format where the only application that can read them is controlled by a company whose EULAs say 'We can do anything we like with your computer and you have to like it too'."

In the department of the German Government which deals with recommendations for IT infrastructure and software (for the rest of the state), this was discussed recently. And the outcome was, every time somebody mentioned special software, or access, or compatbility, that only works with Microsoft, the answer were like the one above.

No. I don't think they'll switch tomorrow. What they are going to do (probably) is for now, stick with their legacy apps. But the Government has decided it wants to be "e-Government" too, and so everything must be browser-based and acessible everywhere, internally and externally.

That is a huge advantage, for one thing, there is somebody who says "Things WILL CHANGE", no matter what the users say (so complaining about having to relearn won't do any good). Further, with web-based stuff you are efficiently removing the need for special client software (unless you are a stupid moron and rely on IE-only features). Third, the IT departments can (and they do want to) introduce open solutions in the server space without anybody noticing much, and that's exactly what they are doing now.

So, if the problem will fit into a web-based solution, advocate this instead of bullying the users with SuSE or RedHat CDs. Then, when they are used to using Mozilla or IE (in Windows) for almost all their stuff, the transition to an independant desktop system is much, much easier. They won't even notice the difference if you're clever enough (http://mozillako.hypermart.net/ieskin/).

Win 2K SP3 and HIPAA

[pclark]

Solution seems simple, if you're a big enough organization. Have your attorneys demand that Microsoft sign an NDA and an indemnification contract prior to buying any more software or updating anything.

They won't sign it, of course, but if enough customers do this, they'll change the offending terms of the license.

Pete Clark