Disclaimer: i work as an IS architect for a large pharmaceutical company, putting together systems for electronic data capture of clinical data that's used for regulatory submission. It's not the same as general healthcare, but a lot of it is covered by the same regulations.
The short answer is you do this very carefully. There are a whole raft of legal and ethical regulations, of which HIPAA are only the start, and certainly the easiest to attain. If the stuff you're doing falls under FDA regulation then you need to validate those systems: this is very hard indeed to do properly - I'd suggest hiring a validation lead to do this who's got experience of the industry.
Basically, you have to prove to an insane level of detail that everything is consistent, tested, and built/installed as per your testing. On our systems I can document them right from the Little Rubber Feet upwards: hardware firmware revision level, exact version of all drivers, wet-ink signed documents for each step of the build process, and demonstrate that they're locked down and an audit trail exists for Electronic Record/Electronic Signatures for anyone who's ever used it etc etc.
You may find it cheaper to buy in a software package, as you can audit the vendors and if they're considered validated you can reduce your testing - it's testing and documentation here that are going to take up the majority of your time and budget - the actual coding's the easy bit.
This is why OSS isn't automatically the cheapest way of doing things, although this is offset by the massive amount of testing and revalidation that's required everytime an MS patch comes out!
Basically, tread very carefully, speak to a validation rep and have a work with an FDA rep if you can to attempt to clarify exactly how strict the conditions are that you have to work under.
For us, worst case scenario might be that you sign off an implementation, you get audited, and the FDA discover an irregularity - maybe you didn't collect those evidence screenshots when you tested your data capture for example - and they decide any data captured over the intervening few years is suspect - result could be a formal warning (visible to the whole industry and your shareholders) or simply pulling a megabrand off the shelves...this is one area where a single mistake by a single IT guy can have massive direct impact on lives - both in terms of patients and in terms of your personal safety of employment...
BootIt Next Generation (BING) is *great* for this. partition resizing/creating/deleting on the fly, boot manager, you can hide partitions from particular OS's - it's the bomb...free eval version if you've not tried it - not been so impressed with a bit of software since i first saw PKZIP.
faulty laptop? sony *won't* sell you the spares. they don't even provide *drivers* for some of the suckers, as some different model numbers merely denote different OS's installed at delivery, and they won't let you change and keep support. they're legendary for the quality of a support - just not in a good way.
what, you mean the goverment didn't like them showing what dicks they'd been over the war, and got a stooge called hutton to back them up? i think you'll find the BBC is held in higher regard than *any* other journalistic organisation, and also produces higher quality entertainment programming - rather than mixing the two together like fox.
so i pop a motherboard in a pc? 60-80 UKP at the most. care to guess what the cost of a flat panel imac motherboard might be?
you'd have to *seriously* fvck it up to kill a PC or Mac stone dead (i.e. pop a lot of major components) but the cost of recovery is significantly lower with a pc.
i'm *not* knocking macs as such, just pointing out the pretty obvious point that generic hardware is cheaper.
for this i get modded flamebait.
...that "free as in beer" meant you had a choice.
go down the shop/pub and buy it (at a reasonable cost), or brew it yourself for effectively nothing - pure choice, no monopolies, individual taste/requirements/money decides what you do...
...on *no* recent laptops will removing a CMOS battery cause it to lose its BIOS password. there wouldn't be a whole lot of point having one if it did, would there? *sometimes* there are other ways around (toshiba's parallel dongle or keydisk, dell's resoldering the BIOS chip) etc but almost all modern laptops are a *bitch* to remove passwords from by their very design. particularly IBM - if their hard disk is locked then only a clean room and a few hundred times the worth of that hard disk is getting the data back.
the guy who's paying the bill to the ISP whose service he's broadcasting gets canned. note that unless his ISP has an *extraordinarily* open AUP, this is probably against the terms of it...
my machines are nicely behind multiple corporate firewalls, sit in a separate domain, and the clients are ACL'd off from our main LAN as well. i take security far more seriously than you'd believe, and there's no way my clients for data capture get an internet connection. however, a pc that's not attached to anything ain't much use - so what you're controlling here is the (small) risk of having it attached to your main LAN in some way for data export and, say, citrix connection to your main desktop client PCs.
did i say anywhere i'd be dumb enough to leave an unpatched wintel box on the internet anywhere?
my point is that in the real world you don't just go chucking patches on boxes without thorough testing on your preproduction rig, user acceptance testing etc etc - and in my specific case it could actually be construed as illegal to do so.
ok, nice and lovely. they look pretty, too, and i can imagine they'd be easier to support. however, if you want, say a clinical app that does bedside CRF capture, you need to buy it from a vendor, and i've not come across any that do what we want on macs...
ok, obvious answer: no, of course trojans aren't certified. no one wants them, everyone takes steps to prevent them (hence saying i'd pull my validated systems off the net if that was what was required). however, we're talking about damage limitation here. i can't possibly afford any possibility of data corruption and am legally liable for up to 25 years for any clinical data captured on my systems.
As for playing CDs, etc: NOT ON MY CLINICAL SYSTEMS. these are *most definitely* not standard desktop PCs.
what it boils down to is i know PRECISELY what is on my machines: from little rubber feet up - I've documented evidence down to precise driver levels and there is *nothing* on there that i haven't specifically placed there, INCLUDING NEW PATCHES that haven't been exhausively tested by me - seeing as it's my signature on those FDA documents...
i'm not sure what your last line meant: can't specifically disagree with it, but i'm not talking about any "certification program", i'm talking about regulatory compliance in a production system.
we collect data from clinical trials, and we do so in a validated manner as we're inspectable by the FDA. i'd rather disconnect our LAN from the WAN and work with reduced functionality than just patch the servers willy nilly and break our validation. we can't apply *anything* without formally testing it as it could potentially affect data. it's fine if you're just doing bogstandard file'n'print, but for other stuff you can't just go installing patches that may or may not impact production systems.
not to mention the 1cm of ground clearance on a modern F1 car and no conventional suspension. also radiators that need to be moving at high speed to avoid overheating. an F1 car on an autocross track would not work, just as an autocross car on an F1 track wouldn't.
...about 5 years ago. it bombed. there was also the superdisk. it bombed. now we have usb flashdrives with generic USB bulk storage drivers.
they may not be any longer lasting though - the only answer is archive and periodically read and rearchive to the latest storage medium.
implement good password ageing policies so his password changes regularly, and use complex passwords. then insist he keeps the backup password tatooed on his arm up to date. you could probably buy a robotic tatooing machine for the IT department.
Slashdot Mirror
The short answer is you do this very carefully. There are a whole raft of legal and ethical regulations, of which HIPAA are only the start, and certainly the easiest to attain. If the stuff you're doing falls under FDA regulation then you need to validate those systems: this is very hard indeed to do properly - I'd suggest hiring a validation lead to do this who's got experience of the industry.
Basically, you have to prove to an insane level of detail that everything is consistent, tested, and built/installed as per your testing. On our systems I can document them right from the Little Rubber Feet upwards: hardware firmware revision level, exact version of all drivers, wet-ink signed documents for each step of the build process, and demonstrate that they're locked down and an audit trail exists for Electronic Record/Electronic Signatures for anyone who's ever used it etc etc.
You may find it cheaper to buy in a software package, as you can audit the vendors and if they're considered validated you can reduce your testing - it's testing and documentation here that are going to take up the majority of your time and budget - the actual coding's the easy bit.
This is why OSS isn't automatically the cheapest way of doing things, although this is offset by the massive amount of testing and revalidation that's required everytime an MS patch comes out!
Basically, tread very carefully, speak to a validation rep and have a work with an FDA rep if you can to attempt to clarify exactly how strict the conditions are that you have to work under.
For us, worst case scenario might be that you sign off an implementation, you get audited, and the FDA discover an irregularity - maybe you didn't collect those evidence screenshots when you tested your data capture for example - and they decide any data captured over the intervening few years is suspect - result could be a formal warning (visible to the whole industry and your shareholders) or simply pulling a megabrand off the shelves...this is one area where a single mistake by a single IT guy can have massive direct impact on lives - both in terms of patients and in terms of your personal safety of employment...
they solder the CPU in? wow, *that's* persuaded me that it's easier to work on Macs than PCs, then
BootIt Next Generation (BING) is *great* for this. partition resizing/creating/deleting on the fly, boot manager, you can hide partitions from particular OS's - it's the bomb...free eval version if you've not tried it - not been so impressed with a bit of software since i first saw PKZIP.
faulty laptop? sony *won't* sell you the spares. they don't even provide *drivers* for some of the suckers, as some different model numbers merely denote different OS's installed at delivery, and they won't let you change and keep support. they're legendary for the quality of a support - just not in a good way.
what, you mean the goverment didn't like them showing what dicks they'd been over the war, and got a stooge called hutton to back them up? i think you'll find the BBC is held in higher regard than *any* other journalistic organisation, and also produces higher quality entertainment programming - rather than mixing the two together like fox.
does anyone else get the screaming heebie-jeebies when the new dual xeon DL370's you buy come with an HP sticker on them?
so i pop a motherboard in a pc? 60-80 UKP at the most. care to guess what the cost of a flat panel imac motherboard might be?
you'd have to *seriously* fvck it up to kill a PC or Mac stone dead (i.e. pop a lot of major components) but the cost of recovery is significantly lower with a pc.
i'm *not* knocking macs as such, just pointing out the pretty obvious point that generic hardware is cheaper.
for this i get modded flamebait.
mind you, they make up for this by blowing goats when you start dealing with IBM Global Services...
...that "free as in beer" meant you had a choice.
go down the shop/pub and buy it (at a reasonable cost), or brew it yourself for effectively nothing - pure choice, no monopolies, individual taste/requirements/money decides what you do...
Whereas in a desktop PC, the worst you can do is pop a sub 60 component or two.
...on *no* recent laptops will removing a CMOS battery cause it to lose its BIOS password. there wouldn't be a whole lot of point having one if it did, would there? *sometimes* there are other ways around (toshiba's parallel dongle or keydisk, dell's resoldering the BIOS chip) etc but almost all modern laptops are a *bitch* to remove passwords from by their very design. particularly IBM - if their hard disk is locked then only a clean room and a few hundred times the worth of that hard disk is getting the data back.
well, you'd typically get the IP address that user was given by their ISP, and get local law enforcement to sub poena the name out of them...
you can't remove/readd TCP/IP in XP. you have to fix the stack. annoying, but there you go.
the guy who's paying the bill to the ISP whose service he's broadcasting gets canned. note that unless his ISP has an *extraordinarily* open AUP, this is probably against the terms of it...
my machines are nicely behind multiple corporate firewalls, sit in a separate domain, and the clients are ACL'd off from our main LAN as well. i take security far more seriously than you'd believe, and there's no way my clients for data capture get an internet connection.
however, a pc that's not attached to anything ain't much use - so what you're controlling here is the (small) risk of having it attached to your main LAN in some way for data export and, say, citrix connection to your main desktop client PCs.
did i say anywhere i'd be dumb enough to leave an unpatched wintel box on the internet anywhere?
my point is that in the real world you don't just go chucking patches on boxes without thorough testing on your preproduction rig, user acceptance testing etc etc - and in my specific case it could actually be construed as illegal to do so.
...it's a wrapper for IE, so you don't get OSS kudos, but it Just Plain Works. Great bit of software, I put it on every machine I build now...
ok, nice and lovely. they look pretty, too, and i can imagine they'd be easier to support.
however, if you want, say a clinical app that does bedside CRF capture, you need to buy it from a vendor, and i've not come across any that do what we want on macs...
As for playing CDs, etc: NOT ON MY CLINICAL SYSTEMS. these are *most definitely* not standard desktop PCs.
what it boils down to is i know PRECISELY what is on my machines: from little rubber feet up - I've documented evidence down to precise driver levels and there is *nothing* on there that i haven't specifically placed there, INCLUDING NEW PATCHES that haven't been exhausively tested by me - seeing as it's my signature on those FDA documents...
i'm not sure what your last line meant: can't specifically disagree with it, but i'm not talking about any "certification program", i'm talking about regulatory compliance in a production system.
we collect data from clinical trials, and we do so in a validated manner as we're inspectable by the FDA. i'd rather disconnect our LAN from the WAN and work with reduced functionality than just patch the servers willy nilly and break our validation. we can't apply *anything* without formally testing it as it could potentially affect data. it's fine if you're just doing bogstandard file'n'print, but for other stuff you can't just go installing patches that may or may not impact production systems.
not to mention the 1cm of ground clearance on a modern F1 car and no conventional suspension. also radiators that need to be moving at high speed to avoid overheating. an F1 car on an autocross track would not work, just as an autocross car on an F1 track wouldn't.
...about 5 years ago. it bombed. there was also the superdisk. it bombed. now we have usb flashdrives with generic USB bulk storage drivers.
they may not be any longer lasting though - the only answer is archive and periodically read and rearchive to the latest storage medium.
that's what your proxy's for!
implement good password ageing policies so his password changes regularly, and use complex passwords. then insist he keeps the backup password tatooed on his arm up to date. you could probably buy a robotic tatooing machine for the IT department.
...and I can see a use for maybe 2 or three computers in the world in the future
...you're assuming that the brain processes information like a P4. this isn't the case!