Slashdot Mirror


Is Win2k + SP3 HIPAA Compliant?

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

56 of 401 comments

  1. Re:What a waste of time by 1010011010 · · Score: 3, Informative


    Additional thoughts:

    Use a firewall to block all traffic into and out of your network, and make the machines inside use proxy servers (for http) and relays (for smtp) to access the internet. In other words, disallow all traffic that is not explicitly permitted. Log what goes through the proxies and relays, and log attempts at initiation of direct outgoing traffic.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  2. HIPAA Compliance by mosch · · Score: 4, Insightful
    If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

    Besides, would you really want to take legal advice from a group of people who are known to mistake duct tape and baling wire for building materials?

    1. Re:HIPAA Compliance by sphealey · · Score: 5, Insightful
      If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.
      In the long run, you are of course correct. This issue will need to be resolved by the hospital's CIO and Legal Dept.

      However, when seeking assistance from a lawyer (or any similar professional) it is best to have a basic understanding of what is going on, and what you need, before you set up a meeting. You will get a lot more accomplished that way.

      Similarly, lawyers aren't born knowing everything (even though they try to foster that impression!). If your hospital's legal dept. primarily handles malpractice and billing cases, and you bring an intellectual property / EULA problem to them, they are also going to have to do some research to get up to speed. Being able to provide background helps here too.

      sPh

    2. Re:HIPAA Compliance by crawling_chaos · · Score: 4, Insightful

      It doesn't matter if you get the right answer on Slashdot. HIPAA is a legal monster and you must get advice from competent legal counsel. To give a marginally related example, a lawyer might give you good medical advice, but you'd be a fool not to check with a doctor before you took the lawyer's advice. Again, find a lawyer who's a HIPAA expert. No other advice counts.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
  3. "How to defang Win2k SP3's auto updating" by C0vardeAn0nim0 · · Score: 4, Informative

    is the headline of this article in The Reg.

    basically it teaches how to deactivate this backdoor M$ is installing in every win2k box.

    now, the original submitter could really consider an alternative.

    if you don't like free (as in freedom) open source tools, why not a Solaris box with Oracle to keep the data? Or an AIX with DB2? or PostgreSQL?

    do you REALLY need win2k????

    --
    What ? Me, worry ?
    1. Re:"How to defang Win2k SP3's auto updating" by Xaoswolf · · Score: 3, Insightful

      Well, for starters, Solaris boxes are rather expensive; the person asking the question may not be able to authorize that kind of purchase even if he wanted to. I believe he was looking for either a software fix, or a cheaper hardware one that would still allow him to use his current setup. I'd suggest a firewall, and disabling the autoinstallers.

    2. Re:"How to defang Win2k SP3's auto updating" by alext · · Score: 3, Informative

      The question relates to the license not to the technology. Technical fixes might be a fascinating subject in their own right but they are irrelevant in this case.

  4. Re:What a waste of time by Kristoffor · · Score: 4, Interesting

    Well I cannot speak for the author of the question but I can tell you that *I* was very intrigued when I saw this question. As an IT professional in a healthcare related field I am bombarded by questions re: HIPAA compliance. The HIPAA regs are in such disarray and so unclear that many people in the industry are anxiously waiting for the moment the regs are cleared up and complete so we can "sprint towards compliance".

  5. Problem is EULA not SP by sphealey · · Score: 5, Insightful
    Running a Windows OS connected to the Internet without a firewall would constitute a violation of the "due cause" clause, with or without SP3.

    Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

    Have to disagree with your police work a bit there.

    The problem is not the service pack or the auto-downloader, which can be disabled. The problem is with the EULA itself, where Microsoft reserves for itself the right to access your system at any time. Installing the service pack off-line still requires acceptance of the EULA.

    sPh

    1. Re:Problem is EULA not SP by cr@ckwhore · · Score: 3, Interesting

      "Access to the system" is a broad term... there are many ways to access a system and stay within HIPAA guidelines.

      --
      Skiers and Riders -- http://www.snowjournal.com
    2. Re:Problem is EULA not SP by Anonymous Coward · · Score: 5, Interesting

      I agree completely. It's the legal issues (not the "probable" or "possible" intrusion).

      At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.

      No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.

      The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.

      Ergo, we haven't installed SP3 and doubt that we will.

    3. Re:Problem is EULA not SP by itsJools · · Score: 3, Interesting

      True. With MS sooner or later you will have to do a security update (or be stuck with an insecure system), and chances are that there will be a EULA that will conflict with your company's (privacy) policy. I'm currently working on a database project which will contain very privacy-sensitive (medical) data. We chose postgresql (not to start a mysql/pg flamewar, but pg was more suitable for our purposes) because it's open, and thus safer. We would never trust this data to be stored in a database made by a company that will possibly break into the data. Of course, MS (and Oracle and the rest) will say that they would never do such a thing, but that's beside the point. Once I agree to the EULA they have the _right_ to do it. And even if the current EULA looks OK, there is no guarantee that future ones will be OK.

    4. Re:Problem is EULA not SP by DrSkwid · · Score: 3, Insightful

      because it's open, and thus safer.

      be warned, this is not a universal truth

      --
      There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
    5. Re:Problem is EULA not SP by MikeTheYak · · Score: 3, Insightful

      It's the next clause that's bad:

      * The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

    6. Re:Problem is EULA not SP by dbrutus · · Score: 3, Interesting

      Since this effectively cripples your ability to maintain a secure box, when are you going to start migrating off MS in order to maintain your NDAs?

  6. Submit a request to HIPAA not /. by Kefaa · · Score: 5, Insightful

    HIPAA is like any other oversight group and only it can decide this is "okay" or a "violation". However, since logic cannot be guaranteed to rule, you cannot guess which. Have your company, preferably through your legal counsel, submit a binding request for clarification.

    Be certain your lawyer understands he should ask for an exemption until this is clarified. (This will prevent them from sitting on it for two years and then you getting in trouble later.)

    Later when HIPAA says it is okay to do "X" and you find MS (or anyone with such an EULA) has absorbed records, your company is in the clear. Do not presume you can later claim a technical solution that was "just as good as..."

    This is an issue for your lawyer(s) to resolve, not Slashdot.

  7. Here's a couple of Linux Medical Sites by motardo · · Score: 5, Informative
    1. Re:Here's a couple of Linux Medical Sites by motardo · · Score: 3, Informative

      Oops, I also forgot http://www.linuxmednews.com

  8. Read the EULA. by rjh · · Score: 3, Insightful

    Really. It'll clarify things right up. Dollars to donuts there's a clause in there, probably called "Severability" or something to that effect, which states that "if any clause in this EULA is found to be in violation of the law, then it is null and void with all the other clauses still in effect."

    Contracts aren't allowed to violate the law. A contract to kill someone isn't legally binding, because murder is illegal. If Microsoft wants to claim they get remote access at will to your boxes, then you get to say "neener neener neener, no you don't, under HIPAA I'm forbidden from allowing you that access".

    The proper Microsoft response? "Oh. Well, we're sorry about that. All the other clauses of the EULA stick, though."

    So go ahead, get Windows SP3, and then figure out some way to disable remote-root.

    Oh, and one more thing--

    FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

    (Sorry, just had to get that knee-jerk reaction out of my system.)

    1. Re:Read the EULA. by Zeinfeld · · Score: 4, Interesting
      FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

      Oh come on, we know why the question was put. It was a snarky little jibe whose only purpose was to claim that HIPPA prevented the use of Windows.

      It is kind of like a 'proof' that 1 = 2. We are not meant to agree with the conclusion, we are meant to admire the devious application of logic.

      It is quite obvious to anyone but a moron that MSFT is not going to enforce license agreements that prevent sale of their product for use regulated by HIPAA.

      It should also be obvious that the EULA term was written very broadly by a lawyer who was attempting to minimize the probability of a lawsuit if someone complained about auto-update or the like.

      And it should be completely obvious that Microsoft as a US corporation is obliged to comply with HIPAA. Microsoft is one of the few US companies that actually has a privacy policy and has agreed to be regulated under the EU privacy directive.

      The other fact to consider is that the Clinton era HIPAA act has since been gutted by the Bush administration who have issued 'guidance' that essentially negates the whole act. Under the Bush guidelines you lose the right to opt-out. Hospitals can refuse service if you don't waive all your rights to patient confidentiality which they can do in small print. So while the act may require hospitals to install firewalls etc. etc. none of it will make any difference because the hospitals can now sell all your confidential data to the people you least want to have hold of it.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  9. Remember this? by Rogerborg · · Score: 3, Insightful

    "Nobody ever got sacked for buying IBM"

    If you're just worrying about covering your behind, extend to "Nobody ever got sacked for buying Microsoft" and then to "Nobody ever got sacked for clicking through default Microsoft licenses."

    I actually think that people should get sacked for doing this if they compromise their business for the sake of avoiding raising a thorny issue, but it's not going to happen in our lifetime.

    --
    If you were blocking sigs, you wouldn't have to read this.
  10. Don't forget about MSN Messenger by Brento · · Score: 3, Insightful

    As long as you're being anal-retentive, you should be aware that unencrypted instant-messaging protocols are frowned upon, because medical staff can circumvent all your hard work and simply send patient data back & forth over the IM.

    Having said that, if either of these two represents your biggest problems, then you're probably safe for a while. I don't understand what you're trying to accomplish by asking Slashdot - maybe you should try checking with your MS rep first to at least get the company line. MS is wild about HIPAA - they produce a lot of BizTalk stuff for hospital EDI needs.

    --
    What's your damage, Heather?
  11. Re:What a waste of time by NumberSyx · · Score: 4, Interesting

    Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

    This is not a technical issue; disabling Auto-Update is trivial. This is a legal issue: the real problem is by agreeing to the EULA they are giving a third party, who has no due cause, access to their system. Whether or not Microsoft ever actually accesses their system is not the point; the point is they have given consent and Microsoft could in theory demand access at any time, say for example to check for unlicensed copies of software. I suggest you get a lawyer who can sort this out for you; it is also possible, however unlikely, a good lawyer could negotiate a different EULA with Microsoft.

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine,VP in charge of MS Windows Development

  12. How will a firewall help... by volpe · · Score: 4, Insightful

    ... if your own operating system is tunnelling through http to make requests from Microsoft's server to download patches without your knowledge?
    (Unless, of course, you want to cut off MS's websites from your browsers as well.)

    Note that disabling auto-updating is a technical solution that assumes that MS won't ignore that setting for any updates that it considers to be "really critical", either to your security, or to MS's business needs.

    1. Re:How will a firewall help... by volpe · · Score: 3, Insightful


      1. Firewall. FIREWALL.

      This does not address my point that permitted protocols may be used to do the job.

      2. Auto-update uses a service called "BITS". Disable that. Auto-update offers a way to disable it. If you don't trust it, shut it off and hitch the box to a packet sniffer. Prove to us and the world that it's not actually off. You'd be a hero. But of course that's not going to happen.


      I wasn't suggesting that MS was likely to do this. Rather, that they'd be ALLOWED to do this, because you gave them permission when you clicked through the EULA.


      3. On a LAN of any size, use SUS from MS to distribute your patches[...]

      Yes but you're missing the point. Even if you do that, you've already given MS permission to update through any backdoor mechanism they like.
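    The control that 1010011010 describes in comment 1 (proxy and relay only, default deny, log everything else) and volpe's objection above (a permitted protocol such as http carries the update traffic anyway, so a port-level firewall alone proves nothing) meet in the logs: the firewall log shows who tried to leave directly, and the proxy log shows who reached the update servers through the sanctioned path. The Python below is an added example, not code from any poster on this page. It assumes a layout that is not in the thread: a squid proxy at 10.0.0.5, an SMTP relay at 10.0.0.6, 10.0.0.0/8 as the inside network, a netfilter LOG rule on the egress DROP, and the Windows Update hostnames of the period; the log lines are constructed and use documentation address ranges.

```python
"""Egress-policy audit over constructed netfilter LOG and squid access.log lines.

Added example; assumptions (not from the original discussion): only the proxy
(10.0.0.5) and the SMTP relay (10.0.0.6) may reach the Internet directly,
10.0.0.0/8 is the inside network, and the update hostnames listed below are
the ones to call out in the proxy log.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

PROXY_IP = "10.0.0.5"
RELAY_IP = "10.0.0.6"
ALLOWED_EGRESS = {PROXY_IP, RELAY_IP}            # assumption: the only hosts allowed out
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: inside address space

# Assumption: Windows Update hostnames of the period; replace with what your logs show.
UPDATE_HOST_SUFFIXES = ("windowsupdate.microsoft.com", "windowsupdate.com")

# Address/port fields of a netfilter LOG line; whatever sits between DST= and PROTO= is skipped.
FW_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_fw_line(line):
    """Return src/dst/proto/dpt of a netfilter LOG line, or None if it has no ports."""
    m = FW_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def is_egress_bypass(rec):
    """True when an inside host other than proxy/relay tried to reach the Internet directly."""
    if rec is None or rec["src"] in ALLOWED_EGRESS:
        return False
    return ipaddress.ip_address(rec["dst"]) not in INTERNAL_NET


def url_host(url):
    """Hostname of a squid request URL; CONNECT requests are logged as bare host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.split(":", 1)[0].lower()


def parse_squid_line(line):
    """Squid native format: time elapsed client code/status bytes method url ident hier type."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"client": parts[2], "status": parts[3], "method": parts[5], "url": parts[6]}


def is_update_fetch(rec):
    """True when the request went to one of the update hostnames (or a subdomain of one)."""
    host = url_host(rec["url"])
    return any(host == s or host.endswith("." + s) for s in UPDATE_HOST_SUFFIXES)


def audit(fw_lines, proxy_lines):
    """Bypass attempts per source host, and update hosts fetched per proxy client."""
    bypass = defaultdict(int)
    updates = defaultdict(list)
    for line in fw_lines:
        rec = parse_fw_line(line)
        if is_egress_bypass(rec):
            bypass[rec["src"]] += 1
    for line in proxy_lines:
        rec = parse_squid_line(line)
        if rec and is_update_fetch(rec):
            host = url_host(rec["url"])
            if host not in updates[rec["client"]]:
                updates[rec["client"]].append(host)
    return {"bypass": dict(bypass), "update_fetch": dict(updates)}


# Constructed sample lines: documentation-range destinations, made-up timestamps and IDs.
# 1863/tcp is the port MSN Messenger used, so the third drop is an IM client going out directly.
FW_SAMPLE = [
    "Aug 28 10:01:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.10 LEN=48 TTL=127 ID=1234 DF PROTO=TCP SPT=1063 DPT=80 WINDOW=16384 SYN",
    "Aug 28 10:01:05 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.10 LEN=48 TTL=127 ID=1235 DF PROTO=TCP SPT=1064 DPT=443 WINDOW=16384 SYN",
    "Aug 28 10:02:11 fw kernel: EGRESS-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TTL=64 ID=4001 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=5840 SYN",
    "Aug 28 10:03:40 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.40 DST=198.51.100.7 LEN=48 TTL=127 ID=2210 DF PROTO=TCP SPT=1100 DPT=1863 WINDOW=16384 SYN",
    "Aug 28 10:03:41 fw kernel: LAN-ACCEPT IN=eth1 OUT=eth1 SRC=10.0.1.40 DST=10.0.0.5 LEN=48 TTL=127 ID=2211 DF PROTO=TCP SPT=1101 DPT=3128 WINDOW=16384 SYN",
]
PROXY_SAMPLE = [
    "1030528862.123    452 10.0.1.23 TCP_MISS/200 18342 GET http://v4.windowsupdate.microsoft.com/wucheck.cab - DIRECT/203.0.113.10 application/octet-stream",
    "1030528870.001     87 10.0.1.23 TCP_MISS/200 512 CONNECT download.windowsupdate.com:443 - DIRECT/203.0.113.11 -",
    "1030528899.555    120 10.0.1.40 TCP_HIT/200 9132 GET http://www.example.org/index.html - NONE/- text/html",
    "1030528905.010    210 10.0.1.40 TCP_MISS/200 7710 GET http://www.microsoft.com/ - DIRECT/203.0.113.12 text/html",
]

if __name__ == "__main__":
    for section, rows in audit(FW_SAMPLE, PROXY_SAMPLE).items():
        print(section)
        for host, detail in sorted(rows.items()):
            print(f"  {host}: {detail}")
```

    Nothing here blocks anything; it pairs with a ruleset whose final egress rule both logs and drops, and with a proxy ACL that denies the update hostnames while leaving the rest of microsoft.com reachable, which is the distinction volpe is asking for. The update_fetch list is the part worth watching after auto-update has been "disabled": a client that still shows up there has found a path regardless of the checkbox.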

  13. Re:What a waste of time by yasth · · Score: 3, Interesting

    A firewall does not prevent the possibility of MS getting access by other means. If it is an agreed-to part of the EULA, then they can take such steps as needed to effect the clauses. I would also be worried about the no-cause software audits that some MS volume plans have. I mean obviously if you have a search warrant then you have to let them in, even if they might incidentally find some records, but lowering the standard needed to perform an audit might have legal implications. I would ask your in-house counsel about both the EULA and the licensing agreements.

    IANAL, and even if I was this would not be legal advice.

    --
    I'd do something interesting, but my server can't handle a slashdotting.
  14. A few thoughts by jayhawk88 · · Score: 3, Informative

    We're currently struggling with HIPAA where I work as well. I'm no expert, but a few things I'd look at:

    - Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one).

    - Ideally, the server with your HIPAA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPAA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., ones outside your lan/wan), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPAA guidelines provide for this sort of thing, though.

  15. Re:What a waste of time by rseuhs · · Score: 3, Interesting
    Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

    Microsoft has the right to ignore all settings for auto-updating whenever they want.

    Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

  16. Re:Morons, Idiots, and Fools...Oh My! by sphealey · · Score: 3, Informative
    Second, if you let your servers auto-update and apply patches from *ANY* vendor without doing your own testing and verification of those patches beforehand, you're an idiot.

    And a fool and his job are soon parted.

    Does that apply also to people who misunderstand the nature of a problem, and apply a "fix" that doesn't address the root cause of the problem?

    If so, I guess I would be a bit slower to call other people "morons & idiots". Because the fundamental problem is in the EULA, not in the service packs or download mechanism. One could take all the steps you have described and (potentially) still be in violation of the privacy statutes, since by agreeing to the EULA you have agreed to allow Microsoft access to your systems under circumstances controlled only by Microsoft.

    sPh

  17. Check Out MSHUG.ORG or HL7 by puto · · Score: 5, Informative

    The Microsoft Healthcare Users Group. This is a group of vendors that sit together on a board that define all standards for healthcare products that run on MS software. To be a member of this group or state that your software is compliant they certify you.

    They strictly adhere to all governmental regulations for healthcare records including EDI and storing of sensitive medical records.

    The medical industry is a huge economic buyer in the hardware and software industry and MS based vendors have always been in strict compliance with government standards.

    1. Check to see if your software is HL7(health care 7) HL7 is a protocol for formatting, transmitting and receiving data in a healthcare environment.

    2. Ask your vendor how they store the medical records, is it hl7 compliant. I think you guys have a homegrown product? IF your product is home grown it doesn't apply to the governmental standard for handling medical data, the EULA is the least of your worries.

    3. IF the product is home grown. Cover your ass.

    MSHUG is microsoft centric but a good start for you.

    I did medical software for ten years and dealt with all these issues long ago. Your vendor should be able to point you in the right direction. BUT IF YOUR SOFTWARE CAME FROM A VAR, DON'T ASK HIM, CALL THE ACTUAL HOME COMPANY! The developers will give you more of a straight answer than the VAR.

    PUTO

    --
    The Revolution Will Not Be Televised
  18. Watch out for the 'disable' option by RobertNotBob · · Score: 5, Interesting
    I work in the healthcare industry and have been following this fairly closely. One alarming thing that I have seen in various discussions is the idea that simply disabling the feature has any effect on the situation.

    It does not.

    The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells your machine not to do it. At any time, either pre-programmed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it: if you sign a document that states I have the privilege to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.

    Also don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer (I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right in front of me now, I'm pretty sure that mediaplayer even specifically mentions that current features may be removed (playing MP3's) by the unannounced 'upgrades'.

    Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.

    oh, DARN ! ;)

    And for the record, I am not a lawyer. Don't take this as legal advice. Heck, I could be dead wrong. Localities and nationalities will obviously differ in their approaches.

    --
    ___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
  19. Re:What a waste of time by Zocalo · · Score: 4, Insightful
    Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

    Ah, but they are preventing users of pirated activation codes and Warez copies of XP from accessing the Windows Update site aren't they? Wouldn't that also preclude gaining access to the DRM "upgrade"?

    All of a sudden that Windows XP .ISO and keygen I spotted on P2P seems a lot more appealing... ;)

    --
    UNIX? They're not even circumcised! Savages!
  20. Re:Time for your company to dump microsoft. by jayhawk88 · · Score: 3, Insightful

    Yeah, that'll go over real good.

    Elitist IT Moron: We have decided that Microsoft products are no good, and we're going to switch all of our operations to Linux-based solutions.
    Docs: Well, OK, just as long as we can still get our work done. Will we still be able to send our grant applications and other records to the various governmental agencies, other hospitals, and such without any problems?
    Elitist IT Moron: Well you'll be using this open source word processing program that is designed to be compatible with Word, but there is a chance that some places won't be able to view it properly, or it will look slightly different. Medical companies aren't sticklers for complete and total accuracy, are they?
    Docs: What about these hundreds of legacy DOS and Windows applications that do one thing for us, but do it incredibly well, that we absolutely have to have? Will they still run?
    Elitist IT Moron: Umm...No. But there may be 0.85 pre-beta versions of comparable apps up at SourceForge we could try! Or we could maybe try Wine and see if we can get a few of them to work.
    Docs: So basically you're telling us that by switching to Linux, we won't be able to properly communicate with the people we need to, and we won't be able to use the applications we need to.
    Elitist IT Moron: Uhh....W1nd0ze suxxor?

  21. Re:MS Windows EULA not HIPAA compliant by JWW · · Score: 4, Informative

    The government can audit you and find you out of compliance basically at their whim.

    It doesn't matter if Windows systems are a monopoly, and everyone has them. They will find everyone they audit to be out of compliance. Auditors are looking for a score, they don't give a shit about your ability to do business.

    BTW: This EULA also is not FDA part 11 compliant either. Locked down systems would need to be revalidated after any and all autoupdates.

  22. Re:Morons, Idiots, and Fools...Oh My! by cheinonen · · Score: 3, Informative
    Maybe if you were doing HIPAA stuff yourself you would understand that it's not just where you store the records. All computers that need access to those records, as well as programs that access those records, have to be HIPAA compliant. Additionally, saying "Just use Linux" isn't a solution when all the custom software that people have and that is developed for lab work is done in a Windows32 environment.


    That said, I'm almost certain that Win2k, with or without a service pack, will be HIPAA compliant since many, many medical and scientific organizations use it for their main operating system, and coordinating an upgrade to something else in the next 7 months would be near impossible. We really don't have much of a choice in what OS to use, though, since if all the programs we need are only available in Win32 versions, that's what we'll use.

  23. Re:A few thoughts (I agree, but...) by gosand · · Score: 3, Insightful
    We're currently struggling with HIPAA where I work as well. I'm no expert, but a few things I'd look at: - Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one). - Ideally, the server with your HIPAA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPAA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., ones outside your lan/wan), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPAA guidelines provide for this sort of thing, though.

    I agree with what you are saying, but I feel that these questions need to be asked. Well, they shouldn't need to be asked, because MS shouldn't be doing what they are doing, but I digress.

    I work for a very large company and we are implementing HIPAA into our software now. We do all kinds of software for hospitals. The reason I think that this issue needs to be brought up is because most people don't even think about the holes that MS creates. I asked a very similar question to our director of operations a while ago, and he said basically that if the hospitals don't have firewalls, then they have bigger problems. While this may be true, I still think it is good to ask the question, so that people are aware of the "Microsoft issue". The people who maintain the firewall need to know about the autoupdate, so that they can block it at the firewall. They need to know about these vulnerabilities, so they can plug them. I don't trust that they will be keeping up on these things. After all, who would have thought that the OS you run could create a huge gaping hole in your security and potentially hold you liable for violating federal regulations?

    --

    My beliefs do not require that you agree with them.

  24. Perhaps a lawsuit would be appropriate by brokeninside · · Score: 5, Insightful
    For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it.

    It seems to me that unacceptable changes to the EULA for a service pack might void the implied warranty of usability of Windows 2000. By releasing the service pack, they are admitting that Windows 2000 has problems. If I cannot get access to fixes for those problems without agreeing to a contract substantially different from that which governed my license for Windows 2000, I think that I might have a good basis for a lawsuit to get a court order that Microsoft supply fixes to their software under the terms of the original EULA.

    1. Re:Perhaps a lawsuit would be appropriate by fishbowl · · Score: 3, Interesting

      "For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it."

      You will need damages. You can't sue without showing damages.

      However this HIPAA concern carries with it some dire implications. I wonder if it will actually get the attention of the appropriate people (let's say, a large hospital, preferably one that is either a very influential one, e.g., the Naval Hospital in Bethesda which has the added benefit of being a governmental body, or say a big research institution; Johns Hopkins or Northwestern will do fine).

      If it occurs to the right people (the ones with the bread to make a real difference) that the current licensing is entirely incompatible with the laws that they must follow, and that the exposure to liability is huge (it only takes one malpractice suit to end a doctor's career), then we might someday hear about a secondary license that is granted for certain institutions by Microsoft.

      Unfortunately, I don't suppose many people are aware of this problem, so the phones at MS headquarters have not been ringing off the wall with attorneys who represent hospitals and physicians demanding satisfaction on this matter.

      I suspect that it will take a federal lawsuit against someone who has been caught with their pants down, and this will be but one of many incidents of noncompliance with various regulations raised in the case.

      The problem that many slashdot posters don't seem to understand is that we're not talking about an "illegal contract", but rather, that it might be technically illegal for a party to agree to a particular contract. This is only a problem if the party with the problematic contract will not negotiate, and is also only a problem if there is no alternative.

      In many cases, there is only one choice for an operating system. If it is illegal for physicians to use that one choice, then it may be too high-risk for a physician to use computer systems for certain tasks at all.

      --
      -fb Everything not expressly forbidden is now mandatory.
  25. Get More Than Just a Lawyer by Phoukka · · Score: 5, Informative

    If your company is of any size whatsoever, you'll need more than just a lawyer who specializes in HIPAA compliance issues. You'll need to acquire the services of a HIPAA compliance and remediation consulting group. Our hospital is using Ernst & Young.

    It sounds like you have multiple areas to look at -- your data storage, your data transmission (you aren't just creating those medical records from thin air, are you?), your partner companies, and how you handle the Patient Identifying Health Information on the desktop. Not to mention that your company should have been preparing for this for QUITE some time now.

    First, you'll need to make sure that your data storage, transmission and handling (includes handing paper copies around), and desktop security are all compliant. Next you'll find that you are also responsible for making sure that any business partner companies are compliant. This task basically means getting your partner companies to sign "HIPAA Business Partner Agreement" contracts, which means the partner company states that it is contractually obligated to handle any patient data of yours in a manner that is also HIPAA compliant.

    Finally, and most important of all, you'll need to be able to document all of the above, in a form that the government inspectors can easily use to check your compliance. Yay.

    Get yer HIPAA-lovin' lawyers on the stick as fast as you can, and file for any extensions that may apply. You will need a complete inventory of any and all computing infrastructure (servers, workstations, network, and software) that touches identifying patient medical data. You will need to have this inventory so your CIO, lawyers, computer security experts and your HIPAA remediation consultants can check the compliance of everything on the list. Anything failing compliance, you'll need to fix or replace.

    One last thing: you are also responsible for making sure that the source of your medical data is asking permission to use that medical data, and is asking that permission in a way that is compliant.

    I hope this provides you with a decent starting point. Good luck, you have a hard task ahead of you.

  26. Re:Morons, Idiots, and Fools...Oh My! by cheinonen · · Score: 3, Insightful

    I do write lots of stuff that we use, and it's not written to be Win32 only; however, I can't write everything we use. Beyond HIPAA, you have FDA regulations and other rules to comply with as well, and when you can buy something from a vendor that other people (say, the National Institutes of Health) are using fine and is compliant, or spend months developing your own custom solution, you're going to choose the one that is working and has support and is tested. If we had the time to write everything exactly how we wanted, we would, but we really don't have the time, or the money typically, to do that.

  27. Re:Locked down != autoupdated by JWW · · Score: 3, Interesting

    If the EULA you agree to entitles MS to automatically download updates and you turn off autoupdate, are you still in agreement with the EULA, can you still use the software?

    Perhaps the answer is yes today, but will this always be the case? Remember, because of Microsoft you have a "license" to use the software, you do not own it. I believe there will come a day when you will need to pay to continue to use the operating system or it will disable itself. For corporations, it might not be so harsh, but may involve sending billing information to Microsoft to provide a count so they can bill the corporation a large lump sum.

    This kind of activation system will also, I'm sure update the system with at least the keys to run for another year and more than likely many more updates, and it WON'T be optional.

  28. Re:I still think this is all one big troll by sphealey · · Score: 3, Interesting
    The EULA states that MS has the right to install patches. It doesn't say anything about being able (legally) to transmit your personal data back to the mothership.


    Can you imagine the cry that would be raised if someone discovered that MS was transmitting personal info or documents in Windows Update Requests? Do you remember Prodigy? Do you remember the Quicken scare? Compared to the number of installations of Win2k, those are tiny issues in comparison.

    Yeah, can you imagine the hue and cry if Doubleclick started reselling your personal information in violation of the privacy agreements of every web site it was collected from as well as their own privacy agreement?

    You don't remember that hue? Neither do I. Yeah, they agreed to pay a 500k "settlement". Big whoop. Your data was "repurposed" and you had no say. Too bad!

    sPh

  29. A Technical Forum??? by fwr · · Score: 5, Insightful
    In the meantime, this is a technical forum...


    I'd say that you have a lot to learn about Slashdot. While most of the stories on here are technical in nature or have something to do with technology a large percentage of them have to do with the legal and political issues surrounding something technical.

    Think about all the stories on copy protection for CDs. Yes, it has to do with a technical issue, but the discussions are certainly not technical. I've seen no code posted on how to defeat the copy protection. 99% of the posts are opinions about whether it is right for the producers to restrict use of purchased CDs in the way they want to, and the other 1% are First Post!

    Why don't you just come out and say it? You are a Microsoft apologist who wants to ignore the issue with their EULA by making fun of the issue and calling it a waste of time. You say it's an invalid clause, but you don't indicate that you are a lawyer (and even if you were I doubt you'd be offering official legal advice). So you want us to just ignore the issue and "agree" to the EULA?

    What happens if the EULA is allowed to stand and then Microsoft actually builds in more of this access that you granted them? What happens when it eventually gets installed on all Windows systems and then the crackers find out how to manipulate it and steal information off your computer? Then it wouldn't be Microsoft accessing the sensitive information, as I doubt they actually would do something like that, but because of the EULA they provide additional access methods for others.

    There are plenty of valid discussion items surrounding this issue. Ignoring them is not going to make them go away, and they definitely fall right smack into the favorite topic on Slashdot -- Microsoft bashing.
  30. Anyone know of any hard rules posted anywhere? by Asprin · · Score: 3, Insightful

    Every time I ask Google about this it seems like I end up bouncing back and forth between the same three or four sites never quite finding what I'm after -- kinda like pr0n, but not as fun. So here goes...

    Does anyone know of any free/nonfree resources, documents or URLs that list the networking, server and policy encryption and configuration standards required for HIPAA compliance? Consider this from the point of view of a network administrator for a small health services company that buys all of its software from outside vendors (no internal development).

    Please don't answer http://hhs.gov. I know about those, and I'm hoping to find a summary of sorts, not the original regs. I'm also aware that the rules themselves are vague and unspecific, and may or may not specifically mention networking and server hardware, software and practices, so I'd appreciate it if someone could confirm that, if it is the case.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
  31. Red herrings R us by alext · · Score: 3, Insightful

    Breaking confidentiality via the actions of authorized staff is a different risk. The question is about the act of assigning external parties privileges that itself breaks confidentiality agreements.

  32. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  33. Re:What a waste of time by psych031337 · · Score: 3, Informative

    So, you thought desktop/application firewalls were safe? Think again.

    Although MS engineers are not really well-known for implementing clever and working solutions, I fear that they might have come up with a similar or even more advanced technique of establishing a "stealth" connection.

    A corporate firewall/packet filter with some sort of IDS enabled and all MS IPs blocked _might_ work if used in conjunction with an application firewall on each individual machine. On the other hand it might trade in too much flexibility for security. If the individual machine depends on http availability you're pretty much lost. You can piggyback/tunnel basically anything through that. Disabling IE and using Netscape might put a hold to that.

    But there ain't no verification of that unless someone can produce the w2k sources... And if someone does MS will have a patch ready and automatically deployed in RECORD time...

    --
    +++ath0
  34. Re:Morons, Idiots, and Fools...Oh My! by leonbrooks · · Score: 3, Interesting
    In order for MS to have access to the records, they need access to the DB. If the DB is not on a system w/ an MS OS, they have no right to that machine. Period. Get it?

    Yes, I get it. But you're wrong. (-:

    The machine is not the problem, the data are the problem. One of the constellation of possible actions which you authorise Microsoft to take when you agree to the EULA on any Windows workstation in the LAN is to install a sniffer (call it `Microsoft Diagnostics for a Networked Medical Environment 6.0' to drive the point home). The data is no use to anyone if it stays on the server, but as soon as it leaves the server and wanders past a Windows box, Bill can glom it and shove it into the `My Data' folder.

    BTW, you didn't think the `My' in `My Computer' and `My Documents' referred to the user, did you?

    there's all kinds of things you can do to keep this theoretical problem under control.

    Ah, that reminds me of l0pht's motto: `Making the theoretical practical since 1992'.

    --
    Got time? Spend some of it coding or testing
  35. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  36. Read the FAQ. by small_dick · · Score: 3, Interesting

    You've got three years to deal with the issue until they start fining you (if your company has under $5 million in annual revenue).

    If over $5 million, you've still got two years to comply.

    Either way, the max fine for non-compliance is $25K/Year, and they don't even know how they're going to find you...

    I'm not saying you should slack on this, I'm just saying it's not a "huge,huge" crisis situation. Deal with basic, common sense security and do more research. You've got time to do this right.

    --
    Treatment, not tyranny. End the drug war and free our American POWs.
    See my user info for links.
  37. Re:Disable remote root? by zenyu · · Score: 3, Funny

    There is a less than perfect solution: Filter off all machines from vendor-X using products from vendor-Y. Make all machines from vendor-X resistant to attacks from the vendor-Y machines. Oh, and be damn sure that the two vendors are not affiliated, and are not controlled by the same government.

    This won't work, MS is slap happy about RPC over HTTP. They can even do it through a caching proxy. That means any firewall that allows web traffic won't prevent access to their Windows software on your machine. But even if you took the medical records completely off the internet this is a legal problem not a technical one. You gave them access, they might demand physical access if you don't give them electronic access. I don't see it happening, but legally, in any state where EULAs apply, they can.

    The only solution here is to get MS to sign a supplementary agreement that is satisfactory for HIPAA, or for the congress critters to pass a law forbidding overbroad hacking clauses in contracts, forcing Microsoft to rewrite their EULA for everyone.

    I still think the best thing to do is deny copyright protection to any work distributed with a license. Sort of a patent vs. trade secret distinction; instead you get a choice between copyright or contract.
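    The post above makes the point that RPC over HTTP rides through any proxy that allows web traffic. What a network administrator can still do is see it: the protocol uses the HTTP methods RPC_IN_DATA and RPC_OUT_DATA, which a proxy records like any other verb, and tunnels to bare IP addresses or odd ports stand out in CONNECT entries. The following is an added example written for this page, not code from the thread or from Microsoft. The log layout (epoch, client IP, method, URL, status) and all hosts and addresses are constructed for the demonstration.

    ```python
    import ipaddress
    import re
    from dataclasses import dataclass

    # Constructed sample proxy log in a simplified, Squid-like layout (an assumption,
    # not a real log format): "<epoch> <client_ip> <method> <url> <status>".
    SAMPLE_LOG = """\
    1030000001 10.0.5.21 GET http://intranet.example.local/index.html 200
    1030000002 10.0.5.21 CONNECT mail.example.net:443 200
    1030000003 10.0.5.44 RPC_IN_DATA http://rpc.example-updates.test/rpc/rpcproxy.dll 200
    1030000004 10.0.5.44 RPC_OUT_DATA http://rpc.example-updates.test/rpc/rpcproxy.dll 200
    1030000005 10.0.5.77 CONNECT 203.0.113.9:8443 200
    1030000006 10.0.5.21 POST http://intranet.example.local/login 302
    1030000007 10.0.5.90 CONNECT 198.51.100.5:443 200
    """

    # HTTP verbs used by RPC over HTTP (MS-RPCH); a proxy logs them as ordinary methods.
    RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
    # Ports an ordinary browser CONNECT tunnel is expected to use (site policy assumption).
    ALLOWED_CONNECT_PORTS = {443}

    LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


    @dataclass(frozen=True)
    class Finding:
        client: str
        method: str
        target: str
        reason: str


    def parse_line(line):
        """Return a dict for one log line, or None if the line does not match the layout."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts, client, method, url, status = m.groups()
        return {"ts": int(ts), "client": client, "method": method,
                "url": url, "status": int(status)}


    def split_connect_target(target):
        """Split 'host:port' from a CONNECT line into (host, port); port is None if absent."""
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return target, None
        return host, int(port)


    def is_ip_literal(host):
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            return False


    def find_tunnel_candidates(log_text):
        """Flag entries that show egress a web-only firewall policy would not stop."""
        findings = []
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue  # skip malformed or blank lines rather than failing the scan
            if rec["method"] in RPC_METHODS:
                findings.append(Finding(rec["client"], rec["method"], rec["url"],
                                        "RPC over HTTP verb through proxy"))
            elif rec["method"] == "CONNECT":
                host, port = split_connect_target(rec["url"])
                if port not in ALLOWED_CONNECT_PORTS:
                    findings.append(Finding(rec["client"], rec["method"], rec["url"],
                                            "CONNECT tunnel to non-allowed port"))
                elif is_ip_literal(host):
                    findings.append(Finding(rec["client"], rec["method"], rec["url"],
                                            "CONNECT tunnel to bare IP address"))
        return findings


    def clients_with_findings(findings):
        """Distinct internal hosts that produced at least one finding, sorted."""
        return sorted({f.client for f in findings})


    if __name__ == "__main__":
        for f in find_tunnel_candidates(SAMPLE_LOG):
            print(f"{f.client}  {f.method:12s} {f.target}  <- {f.reason}")
        print("hosts to review:", clients_with_findings(find_tunnel_candidates(SAMPLE_LOG)))
    ```

    On the constructed sample this reports the two RPC_IN_DATA/RPC_OUT_DATA entries from one host and the two CONNECT tunnels that go to a bare address or a port other than 443, giving three internal hosts to review. The check is deliberately conservative: it only reads what the proxy already logs, so it complements rather than replaces the default-deny egress policy the earlier posts recommend.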

  38. Attorney's Take by quoz13 · · Score: 4, Informative
    I'm an attorney who works with HIPAA. Here are some general observations about the EULA.

    Reasonable Assurances... The writer who states that the covered entity need only take reasonable precautions. What is or is not reasonable depends on too many factors. I happen to think that if you disable the feature, that action seems pretty reasonable. I for one, am not worried about the EULA. I'm more worried about things like password protection, access to the file room and the like.

    Illegal Contracts... As someone else correctly states, contracts that are contrary to law cannot be enforced (at least the illegal provision).

    Covered entities... Chris, who wrote the original message, may not need to worry about HIPAA. HIPAA covers mostly medical providers and insurance companies. It also covers self-insured companies and the like, but I don't think it covers loan applications. Of course, Chris could be a business associate of a covered entity.

    Business associates... A covered entity must obtain satisfactory assurances from its business associates (accountants, lawyers, billing companies) that the health information is protected. As someone correctly notes, that requires an agreement known as a business associate agreement/contract.

    As a side note, I've begun to draft an article about what HIPAA requires... the language in the law actually asks the covered entity to make sure that they have "satisfactory assurances" that the business associate safeguards personal health information ("PHI", although some call it "individually identifiable health information").

  39. The *FURTHER* legal requirements by Thyrsus · · Score: 3, Informative

    The clause you've been debating interacts with this other clause, which says that if I don't accept everything Microsoft wants me to take (or give!) then my only recourse is to stop using their software. Microsoft is very close to making auto-update a condition of running their software. They haven't gone entirely to ``leasing agreements only'' but they're very close.

    From the mouth of Microsoft:

    Replacement, Modification and Upgrade of the Software: Microsoft reserves the right to replace, modify or upgrade the SOFTWARE at any time by offering you a replacement or modified version of the SOFTWARE or such upgrade and to charge for such replacement, modification or upgrade. Any such replacement or modified software code or upgrade to the SOFTWARE offered to you by Microsoft shall be considered part of the SOFTWARE and subject to the terms of this EULA (unless this EULA is superceded by a further EULA accompanying such replacement or modified version of or upgrade to the SOFTWARE). In the event that Microsoft offers a replacement or modified version of or any upgrade to the SOFTWARE, (a) your continued use of the SOFTWARE is conditioned on your acceptance of such replacement or modified version of or upgrade to the SOFTWARE and any accompanying superceding EULA and (b) in the case of the replacement or modified SOFTWARE, your use of all prior versions of the SOFTWARE is terminated.

  40. Are you sick? by itwerx · · Score: 3, Funny

    Or drunk?
    How many hurls do you need?

    We assessed the "hurl vs hurdle" question a long time ago and decided overwhelmingly in favor of hurdles...

  41. Re:Redundant. by alext · · Score: 3, Interesting

    The problem you appear to be encountering is that you interpret 'use/utilize' to be a conscious act and one which users will be able to identify and predict. No such meaning necessarily applies.

    In fact, the wording is so vague Microsoft could associate this permission with any product or mechanism they choose, given the pervasiveness of 'internet-based services' such as IE.

    With reference to your earlier posts, I'm obliged to point out that these are far from consistent in the argument that they are advancing.
    In order, we have:

    1) The suggestion that any machine connected to the net contravenes the HIPAA and that therefore the whole debate is moot. Presumably because this is obviously an impractical limitation, no further mention is made of it.

    2) The suggestion of a technical fix to the auto-update mechanism to prevent it from functioning. Several responses then point out that the problem lies with the license, not any specific mechanism.

    3) Several posts quoting the portion of the EULA concerning opt-in auto-updates, omitting the general update permission clause. This is in an effort to prove that auto-update requires explicit permission.

    4) After apparently retreating from (3), a new proposition is advanced that auto-update, while admittedly not being under explicit control of the user, applies only to mechanisms consciously 'utilized'. Presumably the implication is that the user will always be aware of such use and therefore should not be surprised by an auto-update.

    5) A synthesis of (2) and (4) is then proposed whereby 'firewalling the box' the mechanisms in (4) will be used and therefore the general auto-update clause does not apply. This is then immediately undermined by the admission that firewalling does not prevent mechanisms from accessing the internet, and so "[a]ny of [sic] MS's software that uses the Internet can check itself and update itself.". This doesn't prevent the same argument being forwarded again later, this time with the recommendation to use SUS to distribute patches as a workaround.

    6) Yet another new angle is introduced, this time that the EULA itself can be disregarded because any 'illegal or unreasonable' clause will be found invalid when legally tested. It is not clear how this relates to previous points made.

    It seems from this summary that you are content to chop and change your argument as you go along, shifting ground from one proposition to the other where necessary, only to restate earlier points in other places. It might be better for all concerned if you drew together whichever parts of the statements above now constitute your position and posted it once for further discussion.

  42. Re:From one who works with these issues by crusher-1 · · Score: 3, Insightful

    As an R.N. in a major hospital I have been told, both by the practice council and the state regulatory board, that violation of a client's medical data by others not on the patient's health care team (e.g. M.D., R.N., PharmD., O.T., P.T. etc....) is a violation of Federal patient privacy laws and confidentiality guidelines. So the rub as I see it is this: an IT department makes best efforts to secure the data environment, applies all pertinent patches related to known security issues. And it gets hacked. I can't see how the admins can be held responsible given that they have followed all procedures known in order to secure said system.

    But, to the BEST of my knowledge, Microsoft Corporation is not in the Health Care business, and neither the patients nor the health care team have implicitly or explicitly consented to making MS party to the patient's health care status. So, granted, I can't see MS going into a file system to query up a patient health record. However, by implementing patches and changes to the system unbeknownst to the admins, they are potentially compromising the data, making it less secure or, moreover, making the data inaccessible to the health care team due to the changes MS has implemented causing the system to fail or otherwise crash. This could have potentially drastic outcomes in the event that a patient's status and information cannot be accessed at a crucial time (e.g. in a state of crisis - the patient needs emergency surgery and has an allergy to commonly used anesthetics). Who then is responsible for an undesirable outcome that is due to the inability to access information crucial to the patient's well-being? The patient and their families won't really care who's to blame. Their lawyers will simply subpoena everyone involved. However, I can see the litigation becoming extremely costly and convoluted in light of such a scenario.

    And given that the access to said system and the subsequent "updates" and changes applied by MS were directly involved in the patient's negative outcome - how is MS held responsible? Bottom line, IMHO, is that MS is acting like the benevolent father in situations that they have no business in. It is incumbent upon those directly responsible for the maintenance of the system to ensure that it is operating correctly (and in the case of Health Care -- safely). The IT departments are those that should decide what and how changes are implemented -- NOT MICROSOFT! Just MHO!