Slashdot Mirror


User: asdavis

asdavis's activity in the archive.

Stories
0
Comments
11

Comments · 11

  1. Re:Not me on Delving Into Google Health's Privacy Concerns · · Score: 1

    I'm sorry, but you are not correct on this. First of all, HIPAA is the Health Insurance Portability and Accountability Act. Please notice the single "P" and double "A"s. Secondly, please attempt to count successful HIPAA prosecutions on a single hand. I bet you have a lot of fingers left. I'd also wager you'd be surprised to know that the budget for governmental HIPAA surveillance is approaching nil. Your recourse with most things healthcare is the civil courts, not HIPAA.

  2. What's all the fuss? on Delving Into Google Health's Privacy Concerns · · Score: 4, Informative

    Seriously, I really don't understand all of the fuss people are making here about Google Health. Perhaps I have a different perspective as I have worked in the Healthcare IT space for a major HIPAA Covered Entity and built their HIPAA Security program. Let me clear up any illusions you may have... HIPAA Covered Entity != Secure. HIPAA is designed to address the privacy and security of Protected Health Information, aka "PHI", as it relates to treatment (this is a generalization, but is fairly accurate). Since Google is not involved in the treatment of patients, HIPAA does not apply. You would be astounded at who has access to your electronic medical records during the course of treatment. Even something as routine as a blood test would have electronic PHI (ePHI) transmitted between many organizations: Hospitals, Clinical Laboratories, Health Plans, VANs, Independent Physician Associations, and Physicians. Do you honestly think that the IT practices of your local Physician with a $600 Dell PC running Vista Home, no virus protection and a DSL line are protecting your data in a more sophisticated manner than Google? Why do people lose their senses when operating in an electronic world? Allowing Google to store your ePHI is no different than asking a friend to hold onto your paper medical records. Your friend isn't bound by HIPAA either. If you don't want your friend to peer at your records, then don't let him hold onto them. Google is offering a convenience service. Like all convenience services, it comes with risks. If the risks are too high for you, don't take them. Google hasn't done anything wrong and they certainly have not found a loophole. Healthcare organizations deal with non-covered entities all of the time. Do you think that the company that prints the invoices for your local doctor, hospital or laboratory is a covered entity?

    I will admit there is one difference, however: since the patient is the one making the request for the records to be transferred, there is no "Business Associates" agreement (another HIPAA term) between Google and the covered entity. Quite honestly, these aren't worth the paper they are printed on anyway.

    I for one will not be using Google Health for my own records, but that's just me.

  3. Take a look at Venti on File Systems Best Suited for Archival Storage? · · Score: 1

    The guys over at Bell Labs developed Venti as a part of their Plan9 Operating System. If you are not adventurous enough to install Plan9, they have a great set of ports called Plan9 Port that has most of the exciting bits of Plan9 for other *nix-like Operating Systems including Linux and Mac OS X. Venti is an archival storage server, utilities and filesystem. It works with both magnetic and optical media.

  4. Devilishly Brilliant on Microsoft To Announce Linux Partnership · · Score: 1

    Is it just me, or is this just about the most brilliant move on Microsoft's part? Hot on the heels of Oracle's announcement to compete directly with RedHat for Enterprise Linux support, this "partnership" only serves to destabilize the clear market leader for Enterprise Linux (RedHat). Microsoft knows that their influence in the Enterprise computing market will help sway people away from RedHat and towards SUSE. I'm not knocking SUSE, I like the distro, but the fact remains that RedHat is the 800 lb. gorilla in the Enterprise Linux space. RedHat's success is a direct threat to Microsoft. I'm sure the arrangement will help Novell in the short term, but the possibility exists that this move could further fragment the EL space, hurt RedHat and at the same time aid MS in preventing further erosion of their monopoly. Whether you like the RHEL distro or not, you have to admit that the inroads they have made with ISVs and hardware vendors have dramatically helped the adoption of Linux as an enterprise computing platform, especially among the Fortune 1000. Needless to say, I'm a little bit concerned.

  5. Re:You are missing the point on How to Cheat at Managing Information Security · · Score: 5, Insightful

    OK, let's assume that there is a huge datacenter behind the firewall. What does the firewall do to protect the datacenter? Generally, you do not allow direct inward access from the Internet into a DC proper. Rather, you use a DMZ to host exposed nodes. So in the end, for the DC, the firewall is just a router. It allows traffic from select DMZ nodes to access hosts inside the network. That's really the function of a router. However, we often filter as well to ensure that only the minimum ports and services that are required are passed. Why do we do this? Because we are concerned that the DMZ nodes might get compromised and be used as a gateway into the environment to compromise nodes on the internal network. Why are we concerned about this? Because we have come to accept that the vendors of server platforms, operating systems, middleware, databases, etc. ship fundamentally flawed products. They are buggy, exploitable and are not carefully coded to prevent compromise. We trust firewalls, because they are very carefully coded and great pains are taken to ensure that they cannot (generally) be compromised. That is the author's point. Let's spend the time ensuring that products are as well coded as the firewalls and we do not need a firewall. Is this likely to happen? Probably not, but it is a valid point.
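The DMZ-to-internal filtering the comment above describes, as an added example that is not part of the original comment: a small first-match policy evaluator with default deny, plus an audit helper that flags allow rules broad enough to turn a compromised DMZ host into a pivot into the internal network. The addresses (192.0.2.0/24 for the DMZ, 10.10.0.0/16 for the internal network), host roles and rules are all constructed for this example.

```python
"""Model of a DMZ-to-internal firewall policy: only a few named DMZ hosts
may reach specific internal services on specific ports; everything else
is dropped. Addresses, hosts and rules are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # destination port; None means any port
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed addressing (documentation and private ranges).
DMZ = "192.0.2.0/24"
INTERNAL = "10.10.0.0/16"

RULES: List[Rule] = [
    # The DMZ web tier may reach only the internal database, only on its service port.
    Rule("192.0.2.10/32", "10.10.5.20/32", "tcp", 5432, "allow"),
    # The DMZ mail relay may hand mail to the internal mail server.
    Rule("192.0.2.25/32", "10.10.5.30/32", "tcp", 25, "allow"),
    # Everything else from the DMZ into the internal network is dropped explicitly.
    Rule(DMZ, INTERNAL, "tcp", None, "deny"),
    Rule(DMZ, INTERNAL, "udp", None, "deny"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow's addresses, protocol and port fall inside the rule."""
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto == flow.proto
            and (rule.dport is None or rule.dport == flow.dport))


def decide(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow that matches no rule is denied (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """Audit helper: allow rules into the internal network that permit any port,
    or that permit more than a single DMZ host. Either widens the path a
    compromised DMZ node would have into the internal network."""
    internal = ip_network(INTERNAL)
    findings = []
    for rule in rules:
        if rule.action != "allow" or not ip_network(rule.dst).subnet_of(internal):
            continue
        if rule.dport is None or ip_network(rule.src).num_addresses > 1:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    # Constructed sample flows: the web tier doing its job, the same host
    # trying SSH, an unknown DMZ host, and an Internet host trying directly.
    samples = [
        Flow("192.0.2.10", "10.10.5.20", "tcp", 5432),
        Flow("192.0.2.10", "10.10.5.20", "tcp", 22),
        Flow("192.0.2.99", "10.10.5.20", "tcp", 5432),
        Flow("203.0.113.5", "10.10.5.20", "tcp", 5432),
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {decide(RULES, f)}")
    # A tempting "just open it all" rule is exactly what the audit flags.
    loose = RULES + [Rule(DMZ, "10.10.5.20/32", "tcp", None, "allow")]
    print("overly broad rules:", overly_broad(loose))
```

The evaluator is first-match, so the explicit DMZ-wide deny rules sit after the narrow allows; a flow from outside the DMZ matches nothing and still lands on the default deny. The audit function is the check a reviewer would run over a real ruleset: any allow into the internal network that is not pinned to one source host and one destination port is the kind of "firewall as plain router" path the comment warns about.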

  6. You are missing the point on How to Cheat at Managing Information Security · · Score: 1

    The point the author is trying to make is that if vendors spent the effort to ensure that their applications, databases, operating systems, servers, etc. are coded securely, then the need for a firewall goes away. He is not endorsing putting firewall-type security on every node. Plain and simple, firewalls have become the crutch for poor security within an infrastructure. We hide behind them, rather than address the inherent security issues at hand. If an application had a good security model, strong authentication, wasn't vulnerable to buffer overflows or didn't run on a Microsoft product that keeps getting exploited on ports 135/139/445 every other week, then a firewall is redundant.

  7. This is not new on BIOS-Approved PCI Cards For Laptops · · Score: 1

    IBM has been doing the same thing. The vendors claim that this "white-listing" of mini-pci wi-fi cards is due to certification of the card with the built-in antenna within the laptop in accordance with FCC requirements. I'm not sure that thinking is valid any longer due to regulatory changes.

  8. Re:You should listen to him... on Torvalds on the Linux Security Process · · Score: 1

    I can't justify being ignorant/unaware of a vulnerability for 90 days while said vulnerability is probably known to bad guys for that same period of time. The sooner I know about a vulnerability the sooner I can take countermeasures. The M$ model is a perfect example of where this is broken. Second Tuesday of the month I get patches for vulnerabilities that may have been reported greater than 12 months before! (Look at the "reported-on" dates.) For that whole period of time, I may have had people messing with my systems.

    If I know about it, I can watch my systems more closely for particular behavior, make changes to my allowable traffic, adjust my IDS or even block attachment types. Just my $.02

  9. Nachi was in response to Blaster on Slate On Worms That Plug Security Holes · · Score: 5, Informative

    Nachi took advantage of an RPC/DCOM vuln, a WebDAV vuln or a Blaster-infected system. It had nothing to do with MyDoom.

  10. Mozilla Project on Microsoft Forced To Translate Office Into Nynorsk · · Score: 2, Informative

    Take a look at Mozilla i18n & L10n Guidelines and Netscape ToolCool. These projects allow Mozilla to be localized without recompilation of binaries. Local language data is kept in a separate data store that the application can pull from. Translating the app is just a matter of adding the language to the database. Seems logical and simple.

  11. Short and Long-term fix on Taking Time Off When You Are The Only Admin? · · Score: 1

    There are plenty of organizations out there that provide contract help. Most of them will be more than willing to provide support for a week or two. Your management will learn quickly that hiring contractors is not cheap. A more long-term approach that has worked for me in the past is to hire an eager kid out of college for an entry-level salary that you can train as a junior sysadmin and act as your backup when you need to take some time off. Life is short... Take your vacation.