I agree. Heck, I don't consider myself competent to do much more than convert FAT to NTFS. (I'm also not in a sufficiently high-performance environment to make filesystem choice really matter.)
On the other hand, we live in an era of simple auxilliary mass storage. For $200, I can add a 160 Gb external drive with USB. The filesystem choice for such an external drive is very simple to make and does not carry a lot of downside risk. If it gets screwed up, just change filesystems, reformat, and restore the data from backup.
Now, Microsoft is implying that it is technically feasible to implement this new filesystem on XP, but they haven't yet decided if they are going to actually offer it. My point is that if it is indeed technically feasible, they should defer that choice to the users.
Instead, they are saying that they will decide what is best for their customers. Their customer base is extremely diverse, which makes it hard to imagine that there is one optimal solution for their entire user base. However, it's easy to imagine that they can discover a solution that optimizes their profit over their user base. Which do you suppose is going to be the basis of their decision?
To me, "best for customers" sounds like marketing code for "best for Microsoft shareholders." If so, that's a reasonable choice to make... but I wish they'd be honest about it.
That article contains a wonderful example of the difference between Microsoft and the OSS movement. Microsoft is developing a new filesystem that (one would hope) is vastly more advanced than the one they currently use. Yet they're hedging about making it available for older systems, because they have yet to decide what is "best for customers".
Now, if they were really interested in what's best for customers, you'd think they'd let the customer decide on a case-by-case basis. They could just release the filesystem for older systems via an extensive patch and see what the customers decide to do. Instead, Microsoft is going to determine what is best for all their customers.
The OSS folks would just release (and have released) new filesystems and let the bits fall where they may.
Central planning versus individual choices. Remind you of any 20th-century struggles?
MS is sensing demand for Windows software that can cluster without much modification.
Not much modification, for values of "not much" which include installing a special edition of the OS with a distinct flavor of licensing and pricing.
If they don't make enabling cluster support easy, they're sunk. If you have to reinstall the OS to enable clustering, why not install an OS that is proven to cluster well?
If Microsoft wants to be taken seriously in this, what they really need to do is make a free/cheap Cluster Service Pack that patches any XP-Pro box to support clustering. If they do that, they'll have a chance to catch up to the *nix world in clustering.
The people this is targted to are users of MS software already.
And some small number of wealthy customers are certain to take advantage of it. Bonus for them. But the rest of the world is going to use more proven, optimizable, and free clustering.
With respect to privacy issues, resetting your system time via NTP will break a measurement sample. If you use NTP, and have it update every hour, your clock skew is going to change often enough to make an accurate (long term) measurement very difficult.
Kind of. You'll need to reset to an NTP server sufficiently often that your total drift never approraches the resolution of the system's timestamp clock. No measurable drift means no measurable skew.
So if you have a system that uses a TSopt clock with 500 ms resolution (such as OSX or OpenBSD) on a machine with 50 ppm skew, you'll need to reset to NTP much less than every 10,000 seconds to remain unresolvable. But if you're running a system with a 10 ms resolution (RH 9.0, Debian 3.0, FreeBSD 5.2.1) and your machine has a 100 ppm skew, you'll have to reset to NTP much less than every 100 seconds to remain hidden. (Unless I slipped a decimal point somewhere, anyway.)
The author has some more techniques already lined up, too, so it should make for an interesting arms race as people try to dirupt the predictability of their systems' timings.
Still, it does seem to me that the resolution of this technique is too low to effectively track every machine on the internet. If I were someone the NSA was hunting in particular, though, I'd be changing clock battieries in my laptop daily, or using a GPS card to stay in constant synch.
He landed at the same airport he started from, and he chose it because he needed a really long runway for takeoff, right? So I wonder if he touched down on the runway at a point beyond where he took off. It'd be a real shame to go all that way and end up a few hundred meters short...
Just kidding, Steve. Great work, and I can't wait to hear what you'll be trying next!
Does this violate the PCI specification? Do they still get to call it a "PCI" slot if some PCI-compliant cards with valid drivers are non-operational in it by design?
How is using an RFID system which is more accurate, efficient, and convenient any different from tracking students on paper? [...] I fail to see the difference here, let alone how it's somehow an invasion of privacy.
Remember that public school is about a whole lot more than education... it's also about teaching kids what they should expect from society. I doubt anyone has a problem with students being accountable. We parents all want our kids to stay in school, to learn, to not cut class. But what we're talking about is not a system that improves a student's sense of accountability. Instead, this system would cripple it.
Accountability, responsibility, ethics, morals... among other things, these qualities are descriptions of what we do when we're pretty sure we won't get caught. A paper attendance system is easily cheated if the teachers don't pay attention. An RFID system offers different ways to cheat, but of course the goal would be to make it very hard indeed to cheat. An RFID system that's many times more effective than paper is achievable, especially if the tags are mandatory or implanted.
What happens if we put kids in an environment where they have no opportunity to learn about the risks and rewards attendant on skipping and cheating? What happens to kids who grow up in a situation where they know they'll get caught if they don't follow the rules? What happens when these kids are let loose into the world after graduation, untracked for the first time, having had no opportunity to learn the sort of risk management we take for granted?
I doubt it'd be good. They won't have a good understanding of what they can get away with and what they can't, because they'll never have had the chance to make mistakes. When they discover they are free of behavioral enforcement, they will experiment with behaviors previously repressed. By the time they do start making mistakes, which they inevitably will, they'll no longer be juveniles under the law.
Society's only alternative, when faced with these reckless miscreants, would be to continue to track them. The only way to track this group in particular, of course, is to build infrastructure capable of tracking everyone generally.
That's not a society in which I care to participate.
If my kid comes home with a trackable badge, it's going to be a great teachable moment in Resistance to Oppressive Authority, Civil Disobedience, Hardware Hacking, and Abuse of Microwave Ovens.
It's worse than that. Whole product lines are unavailable to people with personal accounts.
Through some very weird circumstances, a trainer that came to our site did not have a working laptop. This adversely impacted the training we purchased, so I tried to straighten it out to no avail. (It looked like a dying video subsystem.) I set her up on one of ours, but it just wan't the same.
She wasn't getting satisfaction from her own IT people, and hadn't been for months. That's tough on a road warrior... 3,000 miles from the home office, and she can't fill out her timesheets because her IT staff won't fix or replace her company laptop. So I suggested that if she was really desperate, she should consider doing something extremely ruthless: Buy a new laptop and expense it. If she thought her boss would back up her expense report, anyway.
The glow of gleeful, righteous wrath lit her eyes, and she whipped out her cell phone so fast it hummed. As she dialed Dell and dug for her credit card, she asked me for a recommended system, and I gave her one from Dell's Lattitude line of business laptops. She tried to order it on her personal Dell account, and the Dell rep on the phone would not take the order. She was so astonished that she asked me to talk to Dell for her. I got the same result.
I said to the rep, "So here you have a customer willing to give you about three thousand dollars right now, for a product Dell makes, and you won't sell it to her because she has the wrong account type?"
"That's right, sir" came the reply.
"That's nuts!" I gasped.
"That's the way it is, sir."
Plus, if he does the exterior, he's got the whole angle of repose problem. That'll be one big pile of popcorn.
(I wonder... what *is* the angle of repose of popcorn? Google provides this interesting but irrelevant gem, but that's all. I guess he'll just have to measure it himself.)
Now, popcorn balls, that's another matter. Maybe he could re-side the fella's house in gooey popcorn balls, colored like red brick. Might have a bit of a rodent and ant problem later, of course...
Bah. OpenBSD is not hard to install. My first three *nix OS installs ever were OpenBSD. Twice on old salvaged PCs, and then on a headless Soekris 4801. It's not like I'm some superbrain guru either... I had nearly zero experience with any *nix flavor at the time. All that was requred was to read the online manpages. Never mind the FUD, it's just not that hard.
Buy the CD, and it's a snap. It's slightly harder with the floppy/ftp install, but not much.
"I'm not aware of any HIPAA violations prosecuted to date, and I'd love to hear about them if they exist."
I think the feds are still focusing on getting clinics to comply with HIPAA, and are not yet using prosecution and fines as much more than a threat.
I think it's a sound approach... they come to a non-compliant clinic, set a really big freakin' stick down on the table, and speak softly about the need to get into compliance with the regs for the protection of the patients. They say that later they'll actually be smiting people with that stick, but they haven't specified quite when. No one wants to be first.
"One of the great tricks done by the HIPAA legislation and its industrial camp followers is to convince people that it's scary shit."
Well, it is a big freakin' stick. It's definitely big enough that you don't ever want to get hit with it even once. (And it is cleverly designed so that even the largest organizations could get seriously hurt by it. The fines are per violation, so if you make the same mistake on a hundred patients, you get a hundred fines.)
But yes, the FUD regarding HIPAA comes not from the regulatory body itself, but from the folks who profit from fear. The HIPAA reg itself is actually pretty reasonable... most folks should be able to read and understand it. (Although they might have a headache by the tieme they do.) There's a lot of implementation legwork necessary, but it's not inherently scary.
"Can you imagine what the world would be like if email addresses, web site privacy policy, and spam were covered by regulations as strong as HIPAA?"
As a citizen, I'd love to have all my personally-identifiable information protected by regs as strong as HIPAA. There's no reason it can't be done, honestly... Congress just lacks the will to do it. It wouldn't be real cheap to implement, but it wouldn't be the horrorshow people make such things out to be, either.
It is a common misunderstanding to think that software, hardware, or turnkey systems can be made inherently HIPAA compliant. They can't.
HIPAA does not specify technologies, it specifies that a clinic (or whatever) that generates, uses, or stores protected health information have policies in place to protect that data (for several values of "protect") and that it adheres to its own policies.
Like ISO 9000, HIPAA is just a standard framework for creating policies. ISO 9000 compliance, as Dilbert observed, is not affected by how stupid the policy actually is, but how consistently it is followed. In the case of HIPAA, of course, the standard is mandatory, legally binding, and places upper limits on the allowable stupidity of the policies.
However, systems can be made HIPAA capable, meaning they are designed so that it is possible (or maybe even easy) to adapt the system to one's own HIPAA policies. But that's as far as it goes... there is not now and probably never will be such thing as software that is certified to be HIPAA Compliant, no matter what the vendor's marketing department may tell you.
Actually, not knowing any facts of this case beyond TFA but having fair familiarity with HIPAA regulations, I'd say this is probably not a violation of the sections of HIPAA currently in force.
The Privacy portion of HIPAA is what caused a big stir a couple years ago when it went into effect. (It's the only part of HIPAA really apparent to patients.) It deals with the sorts of intentional disclosures of Protected Health Information that a clinic can make. It does not (amazingly) deal much with unauthorized access to PHI.
For instance, it is allowed under HIPAA Privacy to e-mail a patient's chart to someone over the public internet, as long as you are absolutely sure that the e-mail address you entered represents the correct intended recipient. HIPAA Privacy cares not who reads it in transit.
The Security section of HIPAA will definitely cover this sort of thing. It applies to all electronic PHI in place or in transit. However, it doesn't take effect for a couple months yet. So if you're going to screw up PHI security this badly, you'd best do it quick!
Hey, you sound like you know what you're talking about! Can I ask your opinion?
Are you wanting to use cheap usb scanners or is something more office grade ok?
Could you give me some examples of office-grade scanners under, say, $1000 US? The application is insurance card scans for a busy pediatrics clinic. (A specialized card-scanner won't work because my state Medicaid program has 8.5x11 insurance "cards". Sigh.) I don't need ADF or OCR or even color, but speed and reliability at 300 DPI or less would be nice. USB is ideal, but I'll try anything at this point.
I have tried several models, and the only one that's held up under use is a $4000 Fujitsu 4097... and that's way more scanner than we really need at the front desk. (Besides, I'll eventually need four.)
Design for easy HIPAA compliance. Will the system gather, use, or store Protected Health Information? If so, make it operate such that as little of the PHI as possible is even cached on the desktop machine, and that the desktop machine stores none of it.
Platform-independece is nice. I am stuck with a vendor who provides windows-centric products. My docs have Apple laptops, and want to use the apps.:-/ You could make platform-independence a major sales feature.
Most small to midsize clinics do not have IT staff. Maintaining application and/or terminal servers is probably easier for such a clinic than maintaining many windows desktops. They're used to maintaining an accounting server; your app server is an easy addition.
If you want a 3D model, then this isn't going to be a big help to you. But oftentimes you don't need a full model, you just need a really good image from one or two POVs.
In my previous life in manufacturing, this would have been a godsend for creating as-built drawings of custom work and for making assembly drawings for the customer.
It's not that hard to do, if you're willing to read a bunch of manpages.
Get a fixed IP DSL and a Soekris net4801 for each site. Add a laptop hard drive or compact flash with OpenBSD on it. Read the man pages for "vpn" and "pf". Implement as appropriate to your site.
Hardware cost is under $500 per site. Ongoing cost is your local DSL price. Add your labor, including the time spent learning about OpenBSD and the cost of maintaining a free OS over time.
If this cost doesn't come in under 75% of the low bid from any three VPN vendors, I'll buy a straw hat and try to eat it.:-)
[...] what average user is auctually going to take the time to read this?
The average user? No.
The average manager needing justification before buying new security tools? Heck yeah! The clever ones will append the NSA document to their budget proposals.
The PC Engines board sure looks cheaper, but it looks like the 1C-2 uses the same Geode chip and same RAM as the Net-4801. How is it faster?
I haven't looked at M0n0wall yet... I'll take a peek.
But so far I'm happy with OpenBSD. Everyone says it's a hard system to use, but even as a complete *nix newb I managed to get it loaded onto a compact flash and installed in a Soekris box. It didn't seem that bad to me. Maybe it's because they really do have good manpages!:-)
I haven't been able to get to the Beeb since about 1930 PST. Presumably it's being crushed by the load of legit users, but I wonder if it might be actually under attack, too?
Yes, exactly. Your comment is so perfectly articulate on the issue that when I run into the issue again, as I inevitably will, I do believe I shall refer people to it.
Bravo.
What I meant to say in my previous comment is that there are few people these days who use the term "states' rights" to directly address the balancing act that is shared sovereignity. As I see it, most of them are cynically exploiting the term as a matter of political convienience in support of their particular issue.
Conservatives like to claim that liberals will abuse these "states' rights", but both sides abuse them equally when they hold the White House. If anyone is in need of an example of conservative centralism, they should look at Mr. Ashcroft's campaign to quash the implementation of Oregon's Assisted Suicide law.
Also note that liberal judges will erode states' rights
States' Rights is one of the most amusingly overused battlecries in US politics. Both sides use and abuse State's' Rights as suits their convenience. Medical Marijuana, Assisted Suicide, Voting Rights, Abortion, and Desegregation have all been cast as States' Rights issues, and I doubt you'll find a person who takes the side of the states against the federal government in all these cases.
States' Rights is just a handy cry to whip up the partisan faithful when there's really a social issue at stake.
Slashdot Mirror
I agree. Heck, I don't consider myself competent to do much more than convert FAT to NTFS. (I'm also not in a sufficiently high-performance environment to make filesystem choice really matter.)
On the other hand, we live in an era of simple auxilliary mass storage. For $200, I can add a 160 Gb external drive with USB. The filesystem choice for such an external drive is very simple to make and does not carry a lot of downside risk. If it gets screwed up, just change filesystems, reformat, and restore the data from backup.
Now, Microsoft is implying that it is technically feasible to implement this new filesystem on XP, but they haven't yet decided if they are going to actually offer it. My point is that if it is indeed technically feasible, they should defer that choice to the users.
Instead, they are saying that they will decide what is best for their customers. Their customer base is extremely diverse, which makes it hard to imagine that there is one optimal solution for their entire user base. However, it's easy to imagine that they can discover a solution that optimizes their profit over their user base. Which do you suppose is going to be the basis of their decision?
To me, "best for customers" sounds like marketing code for "best for Microsoft shareholders." If so, that's a reasonable choice to make... but I wish they'd be honest about it.
That article contains a wonderful example of the difference between Microsoft and the OSS movement. Microsoft is developing a new filesystem that (one would hope) is vastly more advanced than the one they currently use. Yet they're hedging about making it available for older systems, because they have yet to decide what is "best for customers".
Now, if they were really interested in what's best for customers, you'd think they'd let the customer decide on a case-by-case basis. They could just release the filesystem for older systems via an extensive patch and see what the customers decide to do. Instead, Microsoft is going to determine what is best for all their customers.
The OSS folks would just release (and have released) new filesystems and let the bits fall where they may.
Central planning versus individual choices. Remind you of any 20th-century struggles?
MS is sensing demand for Windows software that can cluster without much modification.
Not much modification, for values of "not much" which include installing a special edition of the OS with a distinct flavor of licensing and pricing.
If they don't make enabling cluster support easy, they're sunk. If you have to reinstall the OS to enable clustering, why not install an OS that is proven to cluster well?
If Microsoft wants to be taken seriously in this, what they really need to do is make a free/cheap Cluster Service Pack that patches any XP-Pro box to support clustering. If they do that, they'll have a chance to catch up to the *nix world in clustering.
The people this is targted to are users of MS software already.
And some small number of wealthy customers are certain to take advantage of it. Bonus for them. But the rest of the world is going to use more proven, optimizable, and free clustering.
With respect to privacy issues, resetting your system time via NTP will break a measurement sample. If you use NTP, and have it update every hour, your clock skew is going to change often enough to make an accurate (long term) measurement very difficult.
Kind of. You'll need to reset to an NTP server sufficiently often that your total drift never approraches the resolution of the system's timestamp clock. No measurable drift means no measurable skew.
So if you have a system that uses a TSopt clock with 500 ms resolution (such as OSX or OpenBSD) on a machine with 50 ppm skew, you'll need to reset to NTP much less than every 10,000 seconds to remain unresolvable. But if you're running a system with a 10 ms resolution (RH 9.0, Debian 3.0, FreeBSD 5.2.1) and your machine has a 100 ppm skew, you'll have to reset to NTP much less than every 100 seconds to remain hidden. (Unless I slipped a decimal point somewhere, anyway.)
The author has some more techniques already lined up, too, so it should make for an interesting arms race as people try to dirupt the predictability of their systems' timings.
Still, it does seem to me that the resolution of this technique is too low to effectively track every machine on the internet. If I were someone the NSA was hunting in particular, though, I'd be changing clock battieries in my laptop daily, or using a GPS card to stay in constant synch.
He landed at the same airport he started from, and he chose it because he needed a really long runway for takeoff, right? So I wonder if he touched down on the runway at a point beyond where he took off. It'd be a real shame to go all that way and end up a few hundred meters short...
Just kidding, Steve. Great work, and I can't wait to hear what you'll be trying next!
Does this violate the PCI specification? Do they still get to call it a "PCI" slot if some PCI-compliant cards with valid drivers are non-operational in it by design?
How is using an RFID system which is more accurate, efficient, and convenient any different from tracking students on paper? [...] I fail to see the difference here, let alone how it's somehow an invasion of privacy.
Remember that public school is about a whole lot more than education... it's also about teaching kids what they should expect from society. I doubt anyone has a problem with students being accountable. We parents all want our kids to stay in school, to learn, to not cut class. But what we're talking about is not a system that improves a student's sense of accountability. Instead, this system would cripple it.
Accountability, responsibility, ethics, morals... among other things, these qualities are descriptions of what we do when we're pretty sure we won't get caught. A paper attendance system is easily cheated if the teachers don't pay attention. An RFID system offers different ways to cheat, but of course the goal would be to make it very hard indeed to cheat. An RFID system that's many times more effective than paper is achievable, especially if the tags are mandatory or implanted.
What happens if we put kids in an environment where they have no opportunity to learn about the risks and rewards attendant on skipping and cheating? What happens to kids who grow up in a situation where they know they'll get caught if they don't follow the rules? What happens when these kids are let loose into the world after graduation, untracked for the first time, having had no opportunity to learn the sort of risk management we take for granted?
I doubt it'd be good. They won't have a good understanding of what they can get away with and what they can't, because they'll never have had the chance to make mistakes. When they discover they are free of behavioral enforcement, they will experiment with behaviors previously repressed. By the time they do start making mistakes, which they inevitably will, they'll no longer be juveniles under the law.
Society's only alternative, when faced with these reckless miscreants, would be to continue to track them. The only way to track this group in particular, of course, is to build infrastructure capable of tracking everyone generally.
That's not a society in which I care to participate.
If my kid comes home with a trackable badge, it's going to be a great teachable moment in Resistance to Oppressive Authority, Civil Disobedience, Hardware Hacking, and Abuse of Microwave Ovens.
It's worse than that. Whole product lines are unavailable to people with personal accounts.
Through some very weird circumstances, a trainer that came to our site did not have a working laptop. This adversely impacted the training we purchased, so I tried to straighten it out to no avail. (It looked like a dying video subsystem.) I set her up on one of ours, but it just wan't the same.
She wasn't getting satisfaction from her own IT people, and hadn't been for months. That's tough on a road warrior... 3,000 miles from the home office, and she can't fill out her timesheets because her IT staff won't fix or replace her company laptop. So I suggested that if she was really desperate, she should consider doing something extremely ruthless: Buy a new laptop and expense it. If she thought her boss would back up her expense report, anyway.
The glow of gleeful, righteous wrath lit her eyes, and she whipped out her cell phone so fast it hummed. As she dialed Dell and dug for her credit card, she asked me for a recommended system, and I gave her one from Dell's Lattitude line of business laptops. She tried to order it on her personal Dell account, and the Dell rep on the phone would not take the order. She was so astonished that she asked me to talk to Dell for her. I got the same result.
I said to the rep, "So here you have a customer willing to give you about three thousand dollars right now, for a product Dell makes, and you won't sell it to her because she has the wrong account type?"
"That's right, sir" came the reply.
"That's nuts!" I gasped.
"That's the way it is, sir."
I guess the customer isn't right after all.
Plus, if he does the exterior, he's got the whole angle of repose problem. That'll be one big pile of popcorn.
(I wonder... what *is* the angle of repose of popcorn? Google provides this interesting but irrelevant gem, but that's all. I guess he'll just have to measure it himself.)
Now, popcorn balls, that's another matter. Maybe he could re-side the fella's house in gooey popcorn balls, colored like red brick. Might have a bit of a rodent and ant problem later, of course...
Bah. OpenBSD is not hard to install. My first three *nix OS installs ever were OpenBSD. Twice on old salvaged PCs, and then on a headless Soekris 4801. It's not like I'm some superbrain guru either... I had nearly zero experience with any *nix flavor at the time. All that was requred was to read the online manpages. Never mind the FUD, it's just not that hard.
Buy the CD, and it's a snap. It's slightly harder with the floppy/ftp install, but not much.
"I'm not aware of any HIPAA violations prosecuted to date, and I'd love to hear about them if they exist."
I think the feds are still focusing on getting clinics to comply with HIPAA, and are not yet using prosecution and fines as much more than a threat.
I think it's a sound approach... they come to a non-compliant clinic, set a really big freakin' stick down on the table, and speak softly about the need to get into compliance with the regs for the protection of the patients. They say that later they'll actually be smiting people with that stick, but they haven't specified quite when. No one wants to be first.
"One of the great tricks done by the HIPAA legislation and its industrial camp followers is to convince people that it's scary shit."
Well, it is a big freakin' stick. It's definitely big enough that you don't ever want to get hit with it even once. (And it is cleverly designed so that even the largest organizations could get seriously hurt by it. The fines are per violation, so if you make the same mistake on a hundred patients, you get a hundred fines.)
But yes, the FUD regarding HIPAA comes not from the regulatory body itself, but from the folks who profit from fear. The HIPAA reg itself is actually pretty reasonable... most folks should be able to read and understand it. (Although they might have a headache by the tieme they do.) There's a lot of implementation legwork necessary, but it's not inherently scary.
"Can you imagine what the world would be like if email addresses, web site privacy policy, and spam were covered by regulations as strong as HIPAA?"
As a citizen, I'd love to have all my personally-identifiable information protected by regs as strong as HIPAA. There's no reason it can't be done, honestly... Congress just lacks the will to do it. It wouldn't be real cheap to implement, but it wouldn't be the horrorshow people make such things out to be, either.
"should HIPAA systems be certified for use?"
It is a common misunderstanding to think that software, hardware, or turnkey systems can be made inherently HIPAA compliant. They can't.
HIPAA does not specify technologies, it specifies that a clinic (or whatever) that generates, uses, or stores protected health information have policies in place to protect that data (for several values of "protect") and that it adheres to its own policies.
Like ISO 9000, HIPAA is just a standard framework for creating policies. ISO 9000 compliance, as Dilbert observed, is not affected by how stupid the policy actually is, but how consistently it is followed. In the case of HIPAA, of course, the standard is mandatory, legally binding, and places upper limits on the allowable stupidity of the policies.
However, systems can be made HIPAA capable, meaning they are designed so that it is possible (or maybe even easy) to adapt the system to one's own HIPAA policies. But that's as far as it goes... there is not now and probably never will be such thing as software that is certified to be HIPAA Compliant, no matter what the vendor's marketing department may tell you.
Actually, not knowing any facts of this case beyond TFA but having fair familiarity with HIPAA regulations, I'd say this is probably not a violation of the sections of HIPAA currently in force.
The Privacy portion of HIPAA is what caused a big stir a couple years ago when it went into effect. (It's the only part of HIPAA really apparent to patients.) It deals with the sorts of intentional disclosures of Protected Health Information that a clinic can make. It does not (amazingly) deal much with unauthorized access to PHI.
For instance, it is allowed under HIPAA Privacy to e-mail a patient's chart to someone over the public internet, as long as you are absolutely sure that the e-mail address you entered represents the correct intended recipient. HIPAA Privacy cares not who reads it in transit.
The Security section of HIPAA will definitely cover this sort of thing. It applies to all electronic PHI in place or in transit. However, it doesn't take effect for a couple months yet. So if you're going to screw up PHI security this badly, you'd best do it quick!
Hey, you sound like you know what you're talking about! Can I ask your opinion?
Are you wanting to use cheap usb scanners or is something more office grade ok?
Could you give me some examples of office-grade scanners under, say, $1000 US? The application is insurance card scans for a busy pediatrics clinic. (A specialized card-scanner won't work because my state Medicaid program has 8.5x11 insurance "cards". Sigh.) I don't need ADF or OCR or even color, but speed and reliability at 300 DPI or less would be nice. USB is ideal, but I'll try anything at this point.
I have tried several models, and the only one that's held up under use is a $4000 Fujitsu 4097... and that's way more scanner than we really need at the front desk. (Besides, I'll eventually need four.)
Any suggestions are appreciated.
Design for easy HIPAA compliance. Will the system gather, use, or store Protected Health Information? If so, make it operate such that as little of the PHI as possible is even cached on the desktop machine, and that the desktop machine stores none of it.
:-/ You could make platform-independence a major sales feature.
Platform-independece is nice. I am stuck with a vendor who provides windows-centric products. My docs have Apple laptops, and want to use the apps.
Most small to midsize clinics do not have IT staff. Maintaining application and/or terminal servers is probably easier for such a clinic than maintaining many windows desktops. They're used to maintaining an accounting server; your app server is an easy addition.
Whatever else you might think of the merits of this project, ya gotta admit that it has an amusing logo.
If you don't get the joke, try this.
If you want a 3D model, then this isn't going to be a big help to you. But oftentimes you don't need a full model, you just need a really good image from one or two POVs.
In my previous life in manufacturing, this would have been a godsend for creating as-built drawings of custom work and for making assembly drawings for the customer.
For its designed purpose, this is brilliant.
It's not that hard to do, if you're willing to read a bunch of manpages.
:-)
Get a fixed IP DSL and a Soekris net4801 for each site. Add a laptop hard drive or compact flash with OpenBSD on it. Read the man pages for "vpn" and "pf". Implement as appropriate to your site.
Hardware cost is under $500 per site. Ongoing cost is your local DSL price. Add your labor, including the time spent learning about OpenBSD and the cost of maintaining a free OS over time.
If this cost doesn't come in under 75% of the low bid from any three VPN vendors, I'll buy a straw hat and try to eat it.
He meant "inexpensive for Cisco", not "inexpensive for you". Markups, ya know.
[...] what average user is auctually going to take the time to read this?
The average user? No.
The average manager needing justification before buying new security tools? Heck yeah! The clever ones will append the NSA document to their budget proposals.
The PC Engines board sure looks cheaper, but it looks like the 1C-2 uses the same Geode chip and same RAM as the Net-4801. How is it faster?
:-)
I haven't looked at M0n0wall yet... I'll take a peek.
But so far I'm happy with OpenBSD. Everyone says it's a hard system to use, but even as a complete *nix newb I managed to get it loaded onto a compact flash and installed in a Soekris box. It didn't seem that bad to me. Maybe it's because they really do have good manpages!
Why bother buying PIX sourcecode when you can just download OpenBSD?
I haven't been able to get to the Beeb since about 1930 PST. Presumably it's being crushed by the load of legit users, but I wonder if it might be actually under attack, too?
Yes, exactly. Your comment is so perfectly articulate on the issue that when I run into the issue again, as I inevitably will, I do believe I shall refer people to it.
Bravo.
What I meant to say in my previous comment is that there are few people these days who use the term "states' rights" to directly address the balancing act that is shared sovereignity. As I see it, most of them are cynically exploiting the term as a matter of political convienience in support of their particular issue.
Conservatives like to claim that liberals will abuse these "states' rights", but both sides abuse them equally when they hold the White House. If anyone is in need of an example of conservative centralism, they should look at Mr. Ashcroft's campaign to quash the implementation of Oregon's Assisted Suicide law.
Also note that liberal judges will erode states' rights
States' Rights is one of the most amusingly overused battlecries in US politics. Both sides use and abuse State's' Rights as suits their convenience. Medical Marijuana, Assisted Suicide, Voting Rights, Abortion, and Desegregation have all been cast as States' Rights issues, and I doubt you'll find a person who takes the side of the states against the federal government in all these cases.
States' Rights is just a handy cry to whip up the partisan faithful when there's really a social issue at stake.