Is Win2k + SP3 HIPAA Compliant?

Cliff posted more than 12 years ago | from the EULAs-vs-government-regulations dept.

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

489 comments

Why is there censorship on slashdot ?? (-1, Offtopic)

The_Fire_Horse (552422) | more than 12 years ago | (#4155397)

Did you know that if 5 moderators don't agree with you and mod you down you will get bad karma and then only be able to post twice a day?

First they silenced the trolls, and I didn't complain because I wasn't a troll - who needs that crap anyway.

Then they silenced the Mac users and I didn't complain because I wasn't a Mac user - fucking faggots

Then they silenced the Windows users and I actually cheered about this one - fucking lamers

Then they silenced the OS/2 users, but no one even noticed

Then they silenced the RedHat users because they are corporate sellouts anyway and only newbie wankers use RedHat

Then they came to silence me, and I realised I was the only one left (I run FreeBSD :)

It's time to stop the censorship on Slashdot. Just because you don't agree with the comments is no reason to 'ban' the person for the day.
Email jamie@slashdot.org if you think this is unfair

Re:Why is there censorship on slashdot ?? (0)

Anonymous Coward | more than 12 years ago | (#4155439)

Why stop the censorship? We need more, so more people will choose to quit Slashdot [washington.edu] !

Re:Why is there censorship on slashdot ?? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#4155635)

Top Nine Reasons to Quit Slashdot.org
#9. Slashdot is a plot by Microsoft to destroy the productivity of Linux users.

I have friends who were once tremendously productive programmers, until they started reading Slashdot. Then, the endless stream of links, updated a dozen times a day no less (so you don't go once a day to get your fix; instead, you keep a window open and hit reload every twenty minutes or so), steadily seduced them, until they eventually became babbling idiots, dribbling saliva from the corners of their mouths, ranting on the forums about the relative merits of Karma Whores and Anonymous Cowards. Can there be any doubt that this website is anything other than a nefarious ploy to destroy Linux by undermining the productivity of its developers? And is there any organization that would like to destroy Linux more than Microsoft? (Well, maybe the Santa Cruz Operation...) Is it any coincidence that just as the Feds were working out Microsoft's sentence, Microsoft sued Slashdot, resulting in a firestorm of geek ire that totally overshadowed the monopoly ruling?

#8. Screaming 14-year-old boys attempting to prove to each other that they are more 3133t than j00.

Need I say more?

#7. Technical opinions refereed by popular vote means lousy technical opinions.

Before the Internet, a certain breed of deconstructionists had a lot of fun telling everybody that "privileging of dominant paradigms" was wrecking the world. The Internet has taught us that privileging certain views is absolutely crucial to avoid drowning in the ravings of idiots. On Slashdot, many articles discuss technical issues---but comments are refereed by popular vote, and even though the populace of Slashdot readers knows somewhat more than your average set of people off the street, they still tend to promote (as in "moderate up") a lot of technical nonsense. Reading Slashdot can therefore often be worse than useless, especially to young and budding programmers: it can give you exactly the wrong idea about the technical issues it raises.

The pre-Internet publishing world had magazines, newspapers, and journals with editors. Respectable publications hired qualified editors. Those qualified editors were educated enough to make intelligent decisions about the quality of content. The Slashdot model removes the editors and substitutes popular vote, and the result (unfortunately) is that the quality level becomes incredibly inconsistent. It was an interesting experiment; it didn't work, not for Slashdot (though it might work in some other population of users). Too bad. Now, it's time to quit.

#6. Community myth that Linux is technically superior to any other operating system in the known universe.

People who do operating systems research, of course, think this is a joke. Dissent from this view in Slashdot, however, and you'd better be wearing your asbestos fatigues.

#5. Butt-ugly visual design.

Of course, this one's a matter of taste. However, in my analysis, the visual elements of the Slashdot site are basically hopelessly confused and wrong. From the cryptic links in the left margin, to the drop-shadowed graphics (hello, digital design cliche circa 1994?), to the offensively lousy color scheme (let's use circuit board green, because it's "News for Nerds", right?) I can't find much to like about the design of Slashdot.

#4. Gullible editorial staff continues to post links to any and all articles that vaguely criticize Linux in any way.

Blowhards (like the flock of irresponsible columnists over at the Windows-boosterism rag InfoWorld) have had tons of fun taking advantage of this tendency to drive hits to their site. On any given day, Slashdot readers are treated to another link to another column by another self-proclaimed pundit declaring that Linux is (pick one) unreliable, not scalable, not user-friendly, doomed, piracy-inducing, foul-smelling, or un-American. And the irony was that the editors of Slashdot are falling right into the pundits' trap: inciting the Slashdot community is the one surefire way to drive up your hit count and hence your revenue from ad banners. Did the Slashdot editors ever wise up? Not that I ever saw. Given how tiresome the endless pro-Linux jihad had become by the time I quit, I have very little desire to go back and find out whether that's changed.

#3. Gullible editorial staff continues to post links to bogus pseudoscience articles by crackpots.

At the time I quit, the editors were posting links to theories of alternate consciousness, unified theories of the universe made up by people in their garages, and the like at a rate of two or three a week. And the number was only increasing. If I want to read articles that promote totally bogus pseudoscience, I'll open up the Village Voice. We don't need another webzine filling that role.

#2. Editorial/comment system pretends to be democratic but in reality most content remains firmly in the iron clasp of the editors.

The above problems with editorial could be solved if stories could be moderated as well as comments, or if editors paid attention to negative feedback about the posting of certain articles. However, the editorial staff, while pretending to be ideology-free selectors of any "interesting" content, in fact exert tremendous power over the content of the site, because they are the only ones who can select top-level links. They have furthermore demonstrated, for all the reasons above, that they cannot use this power wisely.

In fact, if you think about it, the links on Slashdot are easily an order of magnitude less interesting, on average, than those of Suck, Hotwired, or FEED---all of which are run by smart editors with good taste (and two of which are dead---thus proving that only the good die young). If you've read any of these webzines, you'll probably agree. Rob and Hemos simply don't compare, as editors, to Stephen Johnson or Joey Anuff.

So, really, it's time to ask yourself: why should I read Slashdot? Because it targets my demographic? That's a silly reason. So why not quit today?

#1. Two words: Jon Katz.

Every community has its resident gasbag. The difference between Slashdot and other communities is that they have the means to kick their village idiot off his soapbox, but they lack the will. If Jon Katz is not the single worst writer for any webzine, anywhere on the planet, alive today, then I am a penguin. His writing manages to be endlessly meandering and verbose, and simultaneously utterly content-free.

Notice, by the way, that I have not said a word about his technical acumen. It's not necessary to. Katz (who, like all opportunists, likes to paint himself as an innocent victim whenever he's criticized) makes a big deal about how there are "technical snobs" in the Linux user population who blast him for not being a technical genius. To tell the truth, Katz's inability to install even recent Linux distributions (which are arguably as easy to install as MacOS or Windows) on a run-of-the-mill x86 PC does testify to his general cluelessness. However, Katz is not a programmer or sysadmin; he's a writer. He must stand or fall based on the quality of his writing. And his writing is totally the pits. He would never have gotten published anywhere but Slashdot; even WIRED, cheerleaders of all things "digital" and "decentralized", finally got tired of his babbling and let him go. The cheesiest, most blatantly pandering "Hookers Who Read Proust" article on Salon.com displays more literary skill than the finest Katz screed ever to see the light of day.

To make things worse, Katz is also a shameless opportunist who regularly uses Slashdot to promote his books. And the Slashdot admins go right along with it. You can't criticize someone for their taste in friends, but you can criticize them for continuing in a relentless and blind nepotism that destroys the quality of the site.

No single factor was more pivotal in driving me away from Slashdot than Jon Katz. Even when I registered for an account and filtered Katz out, still he made it into news items not labeled Jon Katz---presumably to promote sales of his book. What other webzine displays such a blatant disrespect for its readers?

But then again, Katz's pandering, one-note "Ich bin ein Geek" spiel may be exactly what the Slashdot audience deserves.

Simply put, it's time to quit Slashdot, once and for all.

pist frost (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#4155398)

fp

BITCH IF I EVER MEET YOU I WILL GAY BASH YOU, MOFO (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#4155533)

What a waste of time (2, Insightful)

danheskett (178529) | more than 12 years ago | (#4155399)

If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

Running a Windows OS connected to the Internet without a firewall would constitute a violation of the "due cause" clause, with or without SP3.

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

This question has to be some type of joke, right?

Re:What a waste of time (3, Informative)

1010011010 (53039) | more than 12 years ago | (#4155413)


Additional thoughts:

Use a firewall to block all traffic into and out of your network, and make the machines inside use proxy servers (for http) and relays (for smtp) to access the internet. In other words, disallow all traffic that is not explicitly permitted. Log what goes through the proxies and relays, and log attempts at initiation of direct outgoing traffic.
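
The proxy-and-relay egress policy described in the comment above, turned into a check over the firewall's own logs. This is an added example and not code from the thread: it flags every internal host that tried to reach the outside on its own instead of through the proxy or the mail relay, and separates "blocked as intended" from "got through, so the ruleset is wrong". The internal range, the roles of 10.0.0.5 (HTTP proxy) and 10.0.0.6 (SMTP relay), the netfilter-style line format with a DENY/ALLOW log prefix, and the sample log lines are all constructed for illustration.

```python
"""Audit firewall logs for hosts that leave the network without going through
the proxy or the mail relay.

Added example, not code from the thread.  The policy implemented is the one
the comment above describes: deny everything not explicitly permitted, and
log both what gets through and what gets blocked.  Addresses, host roles and
the log format are assumptions made for illustration.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
PROXY = ipaddress.ip_address("10.0.0.5")           # assumed HTTP proxy
RELAY = ipaddress.ip_address("10.0.0.6")           # assumed SMTP relay
# The only (source host -> destination ports) combinations allowed to leave.
EGRESS_POLICY = {PROXY: {80, 443}, RELAY: {25}}

# Field order follows the kernel LOG target; the DENY/ALLOW word is the
# --log-prefix the rules are assumed to set.
LINE_RE = re.compile(
    r"(?P<verdict>DENY|ALLOW) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)"
)


def audit_egress(log_text):
    """Return one finding per logged outbound connection the policy does not
    allow.  A DENY line is a host trying to bypass the proxy (an auto-updater,
    a user-installed tool, malware); an ALLOW line is worse, because it means
    the ruleset itself has a gap."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dpt"])
        if src not in INTERNAL or dst in INTERNAL:
            continue  # inbound or internal-only traffic: not an egress question
        if dport in EGRESS_POLICY.get(src, set()):
            continue  # proxy or relay doing its job
        findings.append({
            "src": str(src), "dst": str(dst), "dport": dport,
            "verdict": m["verdict"],
            "severity": "ruleset-gap" if m["verdict"] == "ALLOW" else "bypass-attempt",
        })
    return findings


def hosts_bypassing(findings):
    """Group findings by source host so each misbehaving machine is listed once."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["src"]].append((f["dst"], f["dport"], f["severity"]))
    return dict(by_host)


# Constructed sample log.  10.0.3.17 tries ports 80 and 443 directly and is
# blocked; the proxy and relay are allowed on their ports; 10.0.4.22 gets
# through on port 80, which the policy never permitted; the last two lines
# are inbound and internal traffic the audit must ignore.
SAMPLE_LOG = """\
Aug 29 10:01:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=203.0.113.10 PROTO=TCP SPT=1045 DPT=80 WINDOW=16384
Aug 29 10:01:03 fw kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=3201 DPT=80 WINDOW=16384
Aug 29 10:01:04 fw kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.6 DST=198.51.100.25 PROTO=TCP SPT=3202 DPT=25 WINDOW=16384
Aug 29 10:01:05 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=203.0.113.10 PROTO=TCP SPT=1046 DPT=443 WINDOW=16384
Aug 29 10:01:06 fw kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.0.4.22 DST=203.0.113.99 PROTO=TCP SPT=1100 DPT=80 WINDOW=16384
Aug 29 10:01:07 fw kernel: DENY IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.3.17 PROTO=TCP SPT=4000 DPT=135 WINDOW=16384
Aug 29 10:01:08 fw kernel: ALLOW IN=eth1 OUT=eth1 SRC=10.0.3.17 DST=10.0.0.5 PROTO=TCP SPT=1047 DPT=3128 WINDOW=16384
"""

if __name__ == "__main__":
    for host, hits in sorted(hosts_bypassing(audit_egress(SAMPLE_LOG)).items()):
        print(host, hits)
```

The "ruleset-gap" severity is the one to act on first: a DENY proves the firewall did what the policy says, an ALLOW for a non-proxy host proves it did not, and no amount of disabling auto-update on the workstation compensates for that.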

Re:What a waste of time (4, Interesting)

Kristoffor (562485) | more than 12 years ago | (#4155429)

Well I cannot speak for the author of the question but I can tell you that *I* was very intrigued when I saw this question. As an IT professional in a healthcare related field I am bombarded by questions re: HIPAA compliance. The HIPAA regs are in such disarray and so unclear that many people in the industry are anxiously waiting for the moment the regs are cleared up and complete so we can "sprint towards compliance".

HIPAA regs (0)

Anonymous Coward | more than 12 years ago | (#4155450)

Funny - HIPAA and 21CFR (part 11 I think) are the stated reason we didn't win a bid recently. I was told we 'don't understand the regulations'. I'd discussed the regs with this potential client and earlier we'd both come to the agreement that some of the regs are simply too unclear to be understood at this point. Then we lose. I'm glad others think they're also unclear. :)

Well, well, well (0)

Anonymous Coward | more than 12 years ago | (#4155437)

Aren't we mister "Holier Than Thou" today. Ease up on the attitude...

Problem is EULA not SP (5, Insightful)

sphealey (2855) | more than 12 years ago | (#4155465)

Running a Windows OS connected to the Internet without a firewall would constitute a violation of the "due cause" clause, with or without SP3.

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

Have to disagree with your police work a bit there.

The problem is not the service pack or the auto-downloader, which can be disabled. The problem is with the EULA itself, where Microsoft reserves for itself the right to access your system at any time. Installing the service pack off-line still requires acceptance of the EULA.

sPh

Re:Problem is EULA not SP (3, Interesting)

cr@ckwhore (165454) | more than 12 years ago | (#4155532)

"Access to the system" is a broad term... there are many ways to access a system and stay within HIPAA guidelines.

Re:Problem is EULA not SP (5, Interesting)

Anonymous Coward | more than 12 years ago | (#4155613)

I agree completely. It's the legal issues (not the "probable" or "possible" intrusion).

At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.

No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.

The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.

Ergo, we haven't installed SP3 and doubt that we will.

Re:What a waste of time (4, Interesting)

NumberSyx (130129) | more than 12 years ago | (#4155514)

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

This is not a technical issue, disabling Auto-Update is trivial. This is a legal issue, the real problem is by agreeing to the EULA they are giving a third party, who has no due cause, access to their system. Whether or not Microsoft ever actually accesses their system is not the point, the point is they have given consent and Microsoft could in theory demand access at anytime, say for example to check for unlicensed copies of software. I suggest you get a lawyer who can sort this out for you, it is also possible, however unlikely, a good lawyer could negotiate a different EULA with Microsoft.

Re:What a waste of time (0, Flamebait)

danheskett (178529) | more than 12 years ago | (#4155567)

Okay, I tell you what. I can make anyone agree to any EULA they want. It doesn't matter. If it's an invalid clause - as in illegal or unreasonable - it's invalid.

It is a legal issue, but first and foremost it's a technical issue. The SP3 EULA formalized what MS already was doing, and allows your machine and MS's machines to interact via the auto-update feature. Big deal.

A lawyer who is a HIPAA specialist will file an extension, and then submit a request for clarification. In the meantime, this is a technical forum...

How will a firewall help... (4, Insightful)

volpe (58112) | more than 12 years ago | (#4155522)

... if your own operating system is tunnelling through http to make requests from Microsoft's server to download patches without your knowledge?
(Unless, of course, you want to cut off MS's websites from your browsers as well.)

Note that disabling auto-updating is a technical solution that assumes that MS won't ignore that setting for any updates that it considers to be "really critical", either to your security, or to MS's business needs.

Re:How will a firewall help... (1)

danheskett (178529) | more than 12 years ago | (#4155534)

1. Firewall. FIREWALL.

2. Auto-update uses a service called "BITS". Disable that. Auto-update offers a way to disable it. If you don't trust it, shut it off and hitch the box to a packet sniffer. Prove to us and the world that it's not actually off. You'd be a hero. But of course that's not going to happen.

3. On a LAN of any size, use SUS from MS to distribute your patches. Like end-users should be patching their boxen to begin with.

Re:What a waste of time (3, Interesting)

yasth (203461) | more than 12 years ago | (#4155546)

A firewall does not prevent the possibility of MS getting access by other means. If it is an agreed-to part of the EULA, then they can take such steps as needed to effect the clauses. I would also be worried about the no-cause software audits that some MS volume plans have. I mean obviously if you have a search warrant then you have to let them in, even if they might incidentally find some records, but lowering the standard needed to perform an audit might have legal implications. I would ask your in-house counsel about both the EULA and the licensing agreements.

IANAL, and even if I was this would not be legal advice.

Re:What a waste of time (3, Interesting)

rseuhs (322520) | more than 12 years ago | (#4155570)

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

Microsoft has the right to ignore all settings for auto-updating whenever they want.

Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

Re:What a waste of time (4, Insightful)

Zocalo (252965) | more than 12 years ago | (#4155628)

Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

Ah, but they are preventing users of pirated activation codes and Warez copies of XP from accessing the Windows Update site aren't they? Wouldn't that also preclude gaining access to the DRM "upgrade"?

All of a sudden that Windows XP .ISO and keygen I spotted on P2P seems a lot more appealing... ;)

Re:What a waste of time (1)

broody (171983) | more than 12 years ago | (#4155626)

Where did you see the "due use" clause? The only thing that I see on the site are privacy policies, rules for electronic transactions and EDI, identifiers, and transactions. None of which are going to be relevant to running an update on a server no matter what its purpose happens to be. While I am not going to dig all over the site, the HIPAA regulations seem to relate to how you store the information or transmit your data to other parties as a transaction. AFAIK, this law has jack to do with the issue the poster describes.

To the original poster, chill. It certainly looks like you have nothing to worry about and making mountains out of mole hills only makes you seem an ass. You should be asking HIPAAlive [hipaadvisory.com], not Slashdot anyway.

Don't worry (0)

Anonymous Coward | more than 12 years ago | (#4155403)

Microsoft would never do something like that. It is the other security holes (you know the ones Microsoft hasn't and won't fix) that you have to worry about.

Re:Don't worry (1, Funny)

Anonymous Coward | more than 12 years ago | (#4155425)

Yes, they are truly benevolent overlords.

Waiting for clear definition (5, Informative)

TimeTrav (460837) | more than 12 years ago | (#4155406)

HIPAA extensions are being granted to anyone who fills out a form requesting one. One of the reasons you can give for requesting one is "awaiting clarification of standards".

This is one of those standards that has yet to be clearly defined.

Re:Waiting for clear definition (5, Informative)

bjiujitsu3 (590867) | more than 12 years ago | (#4155454)

The extension is _only_ related to codeset/transaction compliance. The privacy rules are final and take effect on April 14th 2003.

Easy solution really... (4, Informative)

edgrale (216858) | more than 12 years ago | (#4155416)

If you have a network with Windows 2000 workstations you do not want them to independently access, download and install the patches from Microsoft.

Instead you have a server running SUS, aka Software Update Services [microsoft.com]. It solves the problem of Microsoft accessing your workstations as you deploy the fixes from a central server of your choosing. This is what Microsoft recommends us to use, I spoke a few weeks ago with the Product Manager for the Finnish division and he recommended this.
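
A way to verify, per workstation, that the SUS arrangement described above (and the "disable auto-update" advice earlier in the thread) is actually in effect. This is an added example, not code from the thread or from Microsoft: it parses a regedit export of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and checks the values the Automatic Updates client reads (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate, AUOptions). The internal hostname sus.corp.example and the three sample exports are constructed; the parser handles the REG_SZ and REG_DWORD types those values use and keeps anything else as raw text.

```python
"""Check an Automatic Updates policy export for a Windows 2000 SP3 client.

Added example, not code from the thread or from Microsoft.  Reads a regedit
export of the WindowsUpdate policy key (WU_KEY below) and reports whether the
client will fetch updates from Microsoft on its own or only from the internal
SUS server.  Hostnames and sample exports are constructed for illustration.
"""
from urllib.parse import urlparse

REG_HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"


def parse_reg(text):
    """Parse a regedit export into {key path: {value name: value}}.
    REG_SZ ("...") becomes str, REG_DWORD (dword:hex) becomes int, any other
    type is kept as the raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in REG_HEADERS or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip().strip('"'), value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif value.lower().startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        else:
            keys[current][name] = value
    return keys


def _key(keys, path):
    """Registry key paths are case-insensitive; match accordingly."""
    for k, values in keys.items():
        if k.lower() == path.lower():
            return values
    return {}


def check_update_policy(reg_text, approved_servers):
    """Return a list of findings.  Empty means the client will not contact
    Microsoft's update servers: either Automatic Updates is off, or it is
    pinned to one of approved_servers (hostnames of the internal SUS servers)."""
    keys = parse_reg(reg_text)
    wu, au = _key(keys, WU_KEY), _key(keys, AU_KEY)
    if au.get("NoAutoUpdate") == 1:
        return []  # Automatic Updates disabled: patching is done by hand
    findings = []
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: the client will contact Microsoft directly")
    approved = {h.lower() for h in approved_servers}
    for name in ("WUServer", "WUStatusServer"):
        url = wu.get(name)
        if not isinstance(url, str) or not url:
            findings.append(f"{name} is not set")
            continue
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            findings.append(f"{name} is not an http(s) URL: {url!r}")
        elif parsed.hostname.lower() not in approved:
            findings.append(f"{name} points outside the approved SUS servers: {parsed.hostname}")
    if au.get("AUOptions") not in (2, 3, 4):
        findings.append("AUOptions is not 2, 3 or 4: download/install behaviour not set by policy")
    return findings


# Constructed exports: pinned to the internal SUS server; Automatic Updates
# left on with no server configured; Automatic Updates switched off.
PINNED_TO_SUS = r"""
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.corp.example"
"WUStatusServer"="http://sus.corp.example"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"""
DIRECT_TO_MICROSOFT = r"""
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000000
"AUOptions"=dword:00000004
"""
AUTO_UPDATE_OFF = r"""
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"""

if __name__ == "__main__":
    for label, export in (("pinned", PINNED_TO_SUS), ("direct", DIRECT_TO_MICROSOFT), ("off", AUTO_UPDATE_OFF)):
        print(label, check_update_policy(export, ["sus.corp.example"]) or "OK")
```

A missing key is treated the same as a wrong value, since an unconfigured client falls back to Microsoft's servers; and the check only reads policy, so pair it with the firewall-log audit to confirm the clients behave the way the registry says they should.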

Re:Easy solution really... (1)

shokk (187512) | more than 12 years ago | (#4155531)

SUS [microsoft.com] is a great idea that can keep admins from running around to all desktops just to check if the machines are properly patched against acknowledged security holes, bug fixes, and enhancements. Only the patches the admins approve are pushed out to the desktop, so if you find one that doesn't quite work, you can delay it. For instance, VMWare's virtual network adapters have a problem with SP3 for Win2k. If you have properly tested for that by testing the apps against a new patch in the lab, then you'll know not to roll that out.

If you're not modeling things in a lab like that, I wouldn't worry about Microsoft doing you in, because sooner or later you're going to patch yourself out of a job.

Re:Easy solution really... (5, Informative)

spudnic (32107) | more than 12 years ago | (#4155602)

From the FAQ:

Q. Does SUS support Service Packs?
A. No, it is not possible to use SUS to deploy Service Packs.

Re:Easy solution really... (1)

RobertNotBob (597987) | more than 12 years ago | (#4155621)

Accessing the box is only the smallest part of the problem. Agreeing to allow M$ to add software that adds and removes features at their discretion is (I personally feel) more alarming.

Agreeing to that means that any security feature or configuration you make can legally be removed by M$. Even if you (using their own products) limit their ability to access the machine, they still have the legal right to do it if you agree to give them that right.

I have already gone off on a rant about this though. http://ask.slashdot.org/comments.pl?sid=38798&cid=4155588

Oh c'mon, that's easy... (1)

rocjoe71 (545053) | more than 12 years ago | (#4155419)

Switch to Linux!

Re:Oh c'mon, that's easy... (0)

Anonymous Coward | more than 12 years ago | (#4155457)

Advice on how to run a hospital from ask Slashdot?

Fine. Just tell us roughly where you work at so we can make sure we get sick on the other side of the country. You can help weed out the stupid and uninformed.

HIPAA Compliance (4, Insightful)

mosch (204) | more than 12 years ago | (#4155422)

If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

Besides, would you really want to take legal advice from a group of people who are known to mistake duct tape and baling wire for building materials?

Re:HIPAA Compliance (2, Redundant)

Anml4ixoye (264762) | more than 12 years ago | (#4155468)

Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

Normally I would agree wholeheartedly with this statement. However, I have already seen a comment from a person who is going through the same thing and had a bang-up answer that made sense. I have seen a lot of crap, but I don't think that the author is intending on using Slashdot in court ("Your honor, but L0053c4nn0n on Slashdot said it was right!") but simply not wanting to duplicate steps that others have already taken.

Re:HIPAA Compliance (1)

miffo.swe (547642) | more than 12 years ago | (#4155496)

Actually I think Slashdot is an amazing pool of knowledge. Even if the information isn't correct all the time it gives very valuable hints on where to look and go further.

Of course you shouldn't read Slashdot like the bible, use common sense if available.

Re:HIPAA Compliance (1)

TheLostOne (445114) | more than 12 years ago | (#4155573)

Certainly it is... just have to remember somewhere over 50% is pure FUD... how many times have you seen an absolutely wrong parent post at 4-Informative clearly disproven by a 2 :)

That being said... sure there will be good info on /. ... but what can I say. Sure seems fishy when /. asks a question 'gee windows SPBlah breaks the rules, what ever could we do about it....' You almost can't blame them when they say 'use linux windows is the suxor'

A question like this is bound to yield as much propaganda as it is useful information... slashdot is the last place on earth I'd go to consider useful windows solutions in peace (again... plenty of useful posts already up, just gotta scroll past the 'why are you using windows' posts ;)

Re:HIPAA Compliance (5, Insightful)

sphealey (2855) | more than 12 years ago | (#4155515)

If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.
In the long run, you are of course correct. This issue will need to be resolved by the hospital's CIO and Legal Dept.

However, when seeking assistance from a lawyer (or any similar professional) it is best to have a basic understanding of what is going on, and what you need, before you set up a meeting. You will get a lot more accomplished that way.

Similarly, lawyers aren't born knowing everything (even though they try to foster that impression!). If your hospital's legal dept. primarily handles malpractice and billing cases, and you bring an intellectual property / EULA problem to them, they are also going to have to do some research to get up to speed. Being able to provide background helps here too.

sPh

8========D (_|_) (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#4155587)

What?! (2)

Greyfox (87712) | more than 12 years ago | (#4155630)

You mean having watched every episode of "Ally McBeal" doesn't make me a leading legal expert? Damn it!

Use Linux (0)

Anonymous Coward | more than 12 years ago | (#4155426)

You can easily use Linux. If you deal with student loans, then it's possible you have an Engineering department or CS department sitting around you somewhere. They probably already use some form of Unix, and could provide you with information on usability and functionality.

Don't bet on Windows ever being anything that you might have to rely on. Regardless of how rhetoric is thrown around, Windows is everything bad that people say about it. If you'd already been using Linux, then you wouldn't be having this problem now, and if you switch now (whether or not Windows is HIPAA compliant) you won't have to worry about it in the future.

Re:Use Linux (1)

Zamfir (585994) | more than 12 years ago | (#4155617)

and the statement: "Regardless of how rhetoric is thrown around, Windows is everything bad that people say about it" has no rhetoric at all now does it?

"How to defang Win2k SP3's auto updating" (4, Informative)

C0vardeAn0nim0 (232451) | more than 12 years ago | (#4155428)

is the head title of this article [theregister.co.uk] in The Reg [theregister.co.uk].

basically it teaches how to deactivate this backdoor M$ is installing in every win2k box.

now, the original submitter could really consider an alternative.

if U don't like free (as in freedom) open source tools, why not a Solaris box with Oracle to keep the data? Or an AIX with DB2? or PostgreSQL?

do you REALLY need win2k????

Re:"How to defang Win2k SP3's auto updating" (3, Insightful)

Xaoswolf (524554) | more than 12 years ago | (#4155475)

Well, for starters, Solaris boxes are rather expensive, the person asking the question may not be able to authorize that kind of purchase even if he wanted to. I believe he was looking for either a software fix, or a cheaper hardware one that would still allow him to use his current setup. I'd suggest a firewall, and disabling the autoinstallers.

Re:"How to defang Win2k SP3's auto updating" (1)

Liet Hacksor (571538) | more than 12 years ago | (#4155540)

Solaris boxen expensive? Not really - Get a Sun Blade100 for $995.00, order your RAM upgrade elsewhere, and you have a real workstation at Dell prices. OK, the MHz is lower, but do you really *need* 2.4GHz if you're not gaming? Besides, you can run the Sun Grid Engine (free) and aggregate your computing cycles as needed.

Re:"How to defang Win2k SP3's auto updating" (0)

Anonymous Coward | more than 12 years ago | (#4155479)

The British Government appears to be handing out contract tickets to Microsoft at present. Allowing M$ to dictate how and what protocols will be used to communicate between departments.

In many respects a lot of departments will be forced into running Wintel machines because of Government Dictats.

They will probably end up changing the law to allow Healthcare workers and M$ as authorised to access medical records. :-)

Re:"How to defang Win2k SP3's auto updating" (0)

Coward the Anonymous (584745) | more than 12 years ago | (#4155489)

>>does you REALLY need win2k ???? I'm sure the proprietary software they are using only runs on Windows and it's a lot cheaper to stay on Windows and this software which they have already paid for than to switch to Solaris.

Re:"How to defang Win2k SP3's auto updating" (2)

Neck_of_the_Woods (305788) | more than 12 years ago | (#4155663)

Cripes man, have you ever seen the cost of a Unix oracle installation??

Why did SQL6/7/2000 ever get a foothold? Look at the prices.

Yes, indeed medical should have the money to buy this stuff, but a lot of places are on the verge and can't spend this kind of money.

#2 - Install your sp3 and disable the auto-update. Sometimes I think slashdot puts this kind of crap up as one large troll. Not that microsoft is a saint, or even a normal sinner, but 2 wrongs don't make a right. The stance that you leave out a little information to try to make a point is bias. Every day slashdot slips down the slippery slope and it is starting to get ugly.

MS Windows EULA not HIPAA compliant (1, Informative)

RazorJ_2000 (164431) | more than 12 years ago | (#4155443)

Microsoft Windows is not HIPAA-compliant and you legally may not be allowed to use any MS Windows as your O/S without facing severe legal ramifications if I'm understanding the HIPAA information site correctly. Although there can be many security-related concerns and issues surrounding MS Windows and MS products in general, I believe that it comes down to the EULA that MS has you basically agree to when you install MS Windows. Under the terms of the EULA, you agree that MS can access your system at any time. That totally violates the security and confidentiality requirements of the HIPAA legislation.

Anyone care to argue/agree?

Re:MS Windows EULA not HIPAA compliant (2, Interesting)

bjiujitsu3 (590867) | more than 12 years ago | (#4155476)

Hmmm, interesting point. It should be stated this is only an academic point. The government wants health care to provide reasonable effort in its privacy and security efforts. Win2K, NT, and XP Pro will be easy to justify as reasonable. 95, 98, ME, XP Home may be a little tougher..... Anyway, to take the argument a step further, a covered entity could choose to create a Biz agreement or Chain of Trust agreement with M$. This would cover any issues that arose from the EULA. I wonder if M$ would sign it :)

Re:MS Windows EULA not HIPAA compliant (2)

rseuhs (322520) | more than 12 years ago | (#4155650)

It should be stated this is only an academic point.

Huh?

What do you mean? What guarantees do I get that Microsoft isn't changing policies again and starts to do really nasty things? Face it: *Anything* can happen. Microsoft might never use their power or they might start deleting warez tomorrow.

It's stupid to be dependent on a single-vendor solution. And it doesn't matter if the vendor is called Microsoft, Apple or Sun.

Parent is not redundant. (0, Troll)

GigsVT (208848) | more than 12 years ago | (#4155491)

I don't see anyone else posting this... It's true. If you want to run an OS from a rape-you-in-the-ass company that has no respect for its customers, you better not do it with my goddamn medical data. MS products are not fit for important uses. Running personal web pages from MS products is probably OK, but for any actual business use you need a real OS.

Re:Parent is not redundant. (1)

danheskett (178529) | more than 12 years ago | (#4155521)

I tell you what..

Go find a doctor that doesn't use MS products somewhere in the office - and get back to me.

Yeah... hope you don't need emergent care or anything.

Re:Parent is not redundant. (1)

Brento (26177) | more than 12 years ago | (#4155552)

Go find a doctor that doesn't use MS products somewhere in the office - and get back to me.

You'd be surprised - most of 'em I've seen use Unix-based patient scheduling & billing software. This is one of those areas where Unix had a huge head start because of the multi-user capabilities.

Re:Parent is not redundant. (2)

danheskett (178529) | more than 12 years ago | (#4155579)

I work in the industry too, and see it a lot. We actually sell replacements to the "character based" management software.

Usually though, instead of serial style terminals they are using Windows 95/98 machines with a terminal emulator.

Windows.. ouch.

Re:Parent is not redundant. (0)

Anonymous Coward | more than 12 years ago | (#4155525)

There is proof, though (contrary to your "i want to fuck a penguin" opinion), that MS software can be used to run a very successful company.

MS uses its own software to run its business - SQL Server, Windows 2000, all the stuff you name is in use there.

Funny, eh?

Maybe penguin asses should be of less interest for you and you should care more about reality.

Re:Parent is not redundant. (1)

dhfoo (238759) | more than 12 years ago | (#4155645)

Maybe you could tell me what platform MS do their salary run on???

Clue, AS400.

They tried to migrate to win2k just before 2000 (due to y2k issues on AS400 apparently) but had to go scuttling back ~9 months later with their tail between their legs.

Re:Parent is not redundant. (1)

yatest5 (455123) | more than 12 years ago | (#4155526)

If you want to run an OS from a rape-you-in-the-ass company that has no respect for its customers, you better not do it with my goddamn medical data.

OK then fuckwad, you start your own hospital and use that. I'll leave the people who run hospitals to do just that, you stupid, know-it-all/know-nothing zealot cunt.

Re:Parent is not redundant. (0)

Anonymous Coward | more than 12 years ago | (#4155611)

The article doesn't mention hospitals at all. If it really was a hospital, they wouldn't even be considering MS to store patient records.

Just stick to Notepad and Paint in the future, eh ?

Wake up..... (1)

bjiujitsu3 (590867) | more than 12 years ago | (#4155566)

I write EMR software for a living. I'm a huge Linux fan and so is most of my development team. The reality is doctors don't buy Linux systems. They buy Windows systems. So we offer a Linux DB server and Windows client. In the end, however, everyone still gets a Windows DB server...... In thousands of installs we have 2 using Linux servers. Just reality.

Time for your company to dump microsoft. (1)

MrJerryNormandinSir (197432) | more than 12 years ago | (#4155456)

I've got news for you. There's a more robust OS out there. More secure. And you don't pay a per seat license.

And you've got your choice! I prefer Linux myself!

Re:Time for your company to dump microsoft. (0)

Anonymous Coward | more than 12 years ago | (#4155604)

Yeah, this has gotta be slashdot.

With no real understanding of what application software is being used, there's a scream of "use Linux" -- and it gets moderated to +1, at the time of writing.

Sheesh.

Re:Time for your company to dump microsoft. (0)

Anonymous Coward | more than 12 years ago | (#4155610)

You're an idiot. I mean, have you any idea at all?

Re:Time for your company to dump microsoft. (3, Insightful)

jayhawk88 (160512) | more than 12 years ago | (#4155639)

Yeah, that'll go over real good.

Elitist IT Moron: We have decided that Microsoft products are no good, and we're going to switch all of our operations to Linux-based solutions.
Docs: Well, OK, just as long as we can still get our work done. Will we still be able to send our grant applications and other records to the various governmental agencies, other hospitals, and such without any problems?
Elitist IT Moron: Well you'll be using this open source word processing program that is designed to be compatible with Word, but there is a chance that some places won't be able to view it properly, or it will look slightly different. Medical companies aren't sticklers for complete and total accuracy, are they?
Docs: What about these hundreds of legacy DOS and Windows applications that do one thing for us, but do it incredibly well, that we absolutely have to have? Will they still run?
Elitist IT Moron: Umm...No. But there may be 0.85 pre-beta versions of comparable apps up at SourceForge we could try! Or we could maybe try Wine and see if we can get a few of them to work.
Docs: So basically you're telling us that by switching to Linux, we won't be able to properly communicate with the people we need to, and we won't be able to use the applications we need to.
Elitist IT Moron: Uhh....W1nd0ze suxxor?

HIPAA logo? (1)

Galahad (24997) | more than 12 years ago | (#4155464)

Is it just me, or does the logo at the top left of the HIPAA [hipaadvisory.com] web site look like the cover of an O'Reilly book?

Re:HIPAA logo? (2)

liquidsin (398151) | more than 12 years ago | (#4155563)

Yeah, but I thought the hippo was for the javascript app cookbook [oreilly.com] .

Morons, Idiots, and Fools...Oh My! (1, Flamebait)

killmenow (184444) | more than 12 years ago | (#4155466)

First off, if you're storing the medical records on individual workstations instead of a centralized database, you're a moron.

Second, if you let your servers auto-update and apply patches from *ANY* vendor without doing your own testing and verification of those patches beforehand, you're an idiot.

And third, if you don't have proper egress filtering and logging in place to make sure this isn't happening and know who keeps hitting the damn Windows Update buttons when they're not supposed to...then you're a fool.

And a fool and his job are soon parted.

Re:Morons, Idiots, and Fools...Oh My! (0)

Coward the Anonymous (584745) | more than 12 years ago | (#4155504)

> Yeah, but only b/c he gets promoted.

storing the medical records (0)

Anonymous Coward | more than 12 years ago | (#4155536)

Well how else do you suppose they're going to be viewed/updated from a workstation? They have to be stored there at some point, even if it's only for a fraction of a second.

Medical records in the UK are decentralised because of the impracticalities of central storage (though this is being sorted out at the moment).

Re:Morons, Idiots, and Fools...Oh My! (3, Informative)

sphealey (2855) | more than 12 years ago | (#4155577)

Second, if you let your servers auto-update and apply patches from *ANY* vendor without doing your own testing and verification of those patches beforehand, you're an idiot.

And a fool and his job are soon parted.

Does that apply also to people who misunderstand the nature of a problem, and apply a "fix" that doesn't address the root cause of the problem?

If so, I guess I would be a bit slower to call other people "morons & idiots". Because the fundamental problem is in the EULA, not in the service packs or download mechanism. One could take all the steps you have described and (potentially) still be in violation of the privacy statutes, since by agreeing to the EULA you have agreed to allow Microsoft access to your systems under circumstances controlled only by Microsoft.

sPh

Re:Morons, Idiots, and Fools...Oh My! (1)

RobertNotBob (597987) | more than 12 years ago | (#4155660)

Say what you want about Morons, Idiots, and Fools. The fact is that they are out there. Sometimes, they even get jobs in healthcare.

That's why this law was written in the first place.

Let me get this straight... (0)

Chexsum (583832) | more than 12 years ago | (#4155474)

You run Microsoft Windows and you are worried about privacy.

Mwahahahaha!

You should have had a firewall running for the last 3 years, you should be using Netscape Navigator (or Mozilla now), and most importantly you should assume you have no privacy at all when running Windows.

STFW! *sigh*

That's a great idea (1)

ch-chuck (9622) | more than 12 years ago | (#4155477)

Put your cd rips in you medical records!! That way the RIAA can't hack them w/o breaking a law.

Submit a request to HIPAA not /. (5, Insightful)

Kefaa (76147) | more than 12 years ago | (#4155482)

HIPAA is like any other oversight group and only it can decide whether this is "okay" or a "violation". However, since logic cannot be guaranteed to rule, you cannot guess which. Have your company, preferably through your legal counsel, submit a binding request for clarification.

Be certain your lawyer understands he should ask for an exemption until this is clarified. (This will prevent them from sitting on it for two years and your getting in trouble later.)

Later when HIPAA says it is okay to do "X" and you find MS (or anyone with such an EULA) has absorbed records, your company is in the clear. Do not presume you can later claim a technical solution that was "just as good as..."

This is an issue for your lawyer(s) to resolve, not Slashdot.

Re:Submit a request to HIPAA not /. (1)

squaretorus (459130) | more than 12 years ago | (#4155554)

This is an issue for your lawyer(s) to resolve, not Slashdot.

How about a list of stuff that IS for /. to resolve! I can't think of any!

Other than what kind of cereal should be favoured while fragging.

Read the EULA. (3, Insightful)

rjh (40933) | more than 12 years ago | (#4155497)

Really. It'll clarify things right up. Dollars to donuts there's a clause in there, probably called "Severability" or something to that effect, which states that "if any clause in this EULA is found to be in violation of the law, then it is null and void with all the other clauses still in effect."

Contracts aren't allowed to violate the law. A contract to kill someone isn't legally binding, because murder is illegal. If Microsoft wants to claim they get remote access at will to your boxes, then you get to say "neener neener neener, no you don't, under HIPAA I'm forbidden from allowing you that access".

The proper Microsoft response? "Oh. Well, we're sorry about that. All the other clauses of the EULA stick, though."

So go ahead, get Windows SP3, and then figure out some way to disable remote-root.

Oh, and one more thing--

FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

(Sorry, just had to get that knee-jerk reaction out of my system.)

Firewall and firewalls (0)

Anonymous Coward | more than 12 years ago | (#4155498)

Someone mentioned storing data on workstations is stupid. Let's get real here. At some point, some data is going to be stored on the workstations. Let's not forget the workstation is where users access the database, so security is a concern.

Firewalls can block outgoing traffic and some are smart enough to block by specific hostname or use other types of filters. As a general rule among security freaks, the firewall should be restrictive and block all outgoing UDP ports and most TCP ports. Regardless of Windows 2K auto update, these things should be in place considering the sensitive nature of people's health records. Looks like the entire security system needs an audit, because these wouldn't be an issue in a well maintained secure network.

Yes and NO (0)

Anonymous Coward | more than 12 years ago | (#4155499)

A vendor can say they are HIPAA certified, but you have to certify HOW you are using the product.

Trust me on this, when it comes to the FDA you are guilty until you prove you are right. That is their usual operating procedure.....my opinion anyway.

Remember this? (3, Insightful)

Rogerborg (306625) | more than 12 years ago | (#4155501)

"Nobody ever got sacked for buying IBM"

If you're just worrying about covering your behind, extend to "Nobody ever got sacked for buying Microsoft" and then to "Nobody ever got sacked for clicking through default Microsoft licenses."

I actually think that people should get sacked for doing this if they compromise their business for the sake of avoiding raising a thorny issue, but it's not going to happen in our lifetime.

Re:Remember this? (0)

Anonymous Coward | more than 12 years ago | (#4155644)

>but it's not going to happen in our lifetime.

I disagree. It's happening now. Corporates and government departments from all over the world are very unhappy with the new MS licensing deal and EULA.

MS is behaving exactly like IBM did in the 1980s i.e. high-handed and arrogant. They don't seem to care about their customers. Look how IBM was humbled. All businesses, no matter how big, need customers and MS is doing a great job of pissing them off.

Don't forget about MSN Messenger (3, Insightful)

Brento (26177) | more than 12 years ago | (#4155505)

As long as you're being anal-retentive, you should be aware that unencrypted instant-messaging protocols are frowned upon, because medical staff can circumvent all your hard work and simply send patient data back & forth over the IM.

Having said that, if either of these two represents your biggest problems, then you're probably safe for a while. I don't understand what you're trying to accomplish by asking Slashdot - maybe you should try checking with your MS rep first to at least get the company line. MS is wild about HIPAA - they produce a lot of BizTalk stuff for hospital EDI needs.

Re:Don't forget about MSN Messenger (2)

sphealey (2855) | more than 12 years ago | (#4155664)

As long as you're being anal-retentive, you should be aware that unencrypted instant-messaging protocols are frowned upon, because medical staff can circumvent all your hard work and simply send patient data back & forth over the IM.

Indeed. Many Wall Street firms block IM protocols on both the Internet connection and internally due to privacy and recordkeeping regulations.

sPh

Some clarification? (2, Interesting)

dr_dank (472072) | more than 12 years ago | (#4155512)

How exactly would medical records relate in any way, shape, or form to student loans?

Re:Some clarification? (2)

jdreed1024 (443938) | more than 12 years ago | (#4155581)

How exactly would medical records relate in any way, shape, or form to student loans?

The most obvious reason would be that if you have a physical disability (which requires medical documentation, even if it's something obvious, like, say, a missing limb), you are extremely limited in how much work you can do. Inability to work, for reasons of a physical disability, certainly affects the type of loan re-payment plan you're on.

I'd venture to say there are also special loans/grants, or special terms for loans if you're physically or mentally challenged.

Re:Some clarification? (0)

Anonymous Coward | more than 12 years ago | (#4155638)

. . .and is whoever asked the question actually required to comply with HIPAA? The "trigger" for whether or not you are a covered entity under HIPAA is if you conduct one or more of the designated billing transactions electronically. Only then are you required to comply with the privacy or security regulations. In theory, even a hospital that does all of its billing stuff on paper isn't covered by HIPAA (unless there's a clearinghouse which conducts electronic transactions on its behalf, but that's another story.)

You might be a business associate of a covered entity, in which case the protections you place on the data will be specified in your business associate agreement. If you are getting medical information that is released to you directly by the patient through an authorization and not through a relationship with a covered entity, you don't have to worry about HIPAA at all.

UK data protection act (1)

oliverthered (187439) | more than 12 years ago | (#4155520)

It looks like the EULA problems might also cause issues with the Data Protection Act in the UK.

I may allow company X to give other companies access to my personal data; without that permission, company X would not be able to agree to the Microsoft EULA, which could potentially give Microsoft access to your personal data.

I work at a hospital (0)

Anonymous Coward | more than 12 years ago | (#4155545)

I'm a sysadmin for a hospital. You will need to hire a GOOD consultant, and probably have a knowledgeable lawyer on hand.

I just fired the last consultant company, because they said Linux is not a HIPAA secure OS. What HIPAA really means is if it's not patched then...well duh.

As far as I can tell, if you disable the autoupdate (which you shouldn't have on anyway) then you should be OK. You may also want to give Microsoft a call. Also you should have a firewall that can prevent this; if you don't then you need not worry what OS you have!

A few thoughts (3, Informative)

jayhawk88 (160512) | more than 12 years ago | (#4155547)

We're currently struggling with HIPAA where I work as well. I'm no expert, but a few things I'd look at:

- Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one).

- Ideally, the server with your HIPAA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPAA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., ones outside your lan/wan), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPAA guidelines provide for this sort of thing, though.
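The posts above converge on one control: keep workstations behind a firewall/NAT, deny them direct outbound access, and let IT push updates from a server it controls. As an added example (not code from any post in this thread), this Python script checks an export of outbound firewall logs against that policy and reports which workstations tried to reach the vendor update service and which actually got through; the log format, subnets and update hostnames are constructed assumptions.

```python
"""Egress-policy check over outbound firewall logs (added example, not from the thread).

Policy being checked: workstations must not reach the vendor update service
themselves; only the internal update server that IT controls may. DENY lines
show the firewall did its job but still tell you which host (and which user)
keeps hitting the update button; an ALLOW line from a workstation is the real
gap, since the egress rule that should have blocked it is missing.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Policy parameters, constructed for this example; substitute your own.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
UPDATE_SERVER = ipaddress.ip_address("10.20.255.10")
# Destinations treated as "the vendor update service". Assumed here; take the
# authoritative list from the vendor's documentation, not from this file.
UPDATE_HOSTS = ("windowsupdate.microsoft.com", "download.windowsupdate.com")

# Constructed export format: "<ts> <ALLOW|DENY> src=<ip> dst=<host>:<port> [user=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)(?: user=(?P<user>\S+))?$"
)


def is_update_host(host: str) -> bool:
    """True if host is one of UPDATE_HOSTS or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in UPDATE_HOSTS)


def check_egress(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-workstation findings: {src: {"allowed": n, "denied": n, "users": [...]}}.

    Only workstation-subnet sources talking to update hosts are reported; the
    sanctioned update server, other subnets and unparseable lines are skipped.
    """
    findings: Dict[str, dict] = defaultdict(lambda: {"allowed": 0, "denied": 0, "users": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_update_host(m["dst"]):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # hostname in the src column; not a workstation address
        if src == UPDATE_SERVER or src not in WORKSTATION_NET:
            continue
        entry = findings[str(src)]
        entry["allowed" if m["action"] == "ALLOW" else "denied"] += 1
        if m["user"]:
            entry["users"].add(m["user"])
    # Sets collect users without duplicates; sort them for stable reporting.
    return {src: {**e, "users": sorted(e["users"])} for src, e in findings.items()}


def leaked_sources(findings: Dict[str, dict]) -> List[str]:
    """Workstations that actually got through (ALLOW): the egress rule is missing for them."""
    return sorted(src for src, e in findings.items() if e["allowed"] > 0)


# Constructed sample export for a stand-alone run (no real hosts or users).
SAMPLE_LOG = [
    "2002-08-30T09:01:12 DENY src=10.20.4.17 dst=windowsupdate.microsoft.com:80 user=jsmith",
    "2002-08-30T09:01:40 DENY src=10.20.4.17 dst=windowsupdate.microsoft.com:80 user=jsmith",
    "2002-08-30T09:15:03 ALLOW src=10.20.255.10 dst=download.windowsupdate.com:80",
    "2002-08-30T10:22:51 ALLOW src=10.20.9.3 dst=v4.windowsupdate.microsoft.com:443 user=rlee",
    "2002-08-30T10:30:00 ALLOW src=10.20.4.17 dst=intranet.example.internal:80 user=jsmith",
    "2002-08-30T10:31:00 ALLOW src=192.168.50.2 dst=windowsupdate.microsoft.com:80",
    "this line does not match the export format and is skipped",
]

if __name__ == "__main__":
    results = check_egress(SAMPLE_LOG)
    for src, e in results.items():
        print(f"{src}: allowed={e['allowed']} denied={e['denied']} users={','.join(e['users'])}")
    print("egress rule missing for:", leaked_sources(results))
```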

Trust Microsoft (0)

Anonymous Coward | more than 12 years ago | (#4155561)

They're nice guys, I'm sure they would never abuse the privileges they grant themselves in the EULA. I just can't see them accessing anyone's medical records, can you? I mean, come on, now really.

Just check the "always trust content from Microsoft box." I'm sure the HIPAA does.

As soon as everyone understands that big corporations ONLY INVADE PRIVACY FOR THE PURPOSES OF SELLING YOU STUFF, all this tempest-in-a-teapot privacy hysteria will go away.

Check Out MSHUG.ORG or HL7 (5, Informative)

puto (533470) | more than 12 years ago | (#4155580)

The Microsoft Healthcare Users Group. This is a group of vendors that sit together on a board that defines all standards for healthcare products that run on MS software. To be a member of this group or state that your software is compliant they certify you.

They strictly adhere to all governmental regulations for healthcare records including EDI and storing of sensitive medical records.

The medical industry is a huge economic buyer in the hardware and software industry and MS based vendors have always been in strict compliance with government standards.

1. Check to see if your software is HL7 (health care 7). HL7 is a protocol for formatting, transmitting and receiving data in a healthcare environment.

2. Ask your vendor how they store the medical records; is it HL7 compliant? I think you guys have a homegrown product? IF your product is home grown it doesn't apply to the governmental standard for handling medical data, and the EULA is the least of your worries.

3. IF the product is home grown. Cover your ass.

MSHUG is microsoft centric but a good start for you.

I did medical software for ten years and dealt with all these issues long ago. Your vendor should be able to point you in the right direction. BUT IF YOUR SOFTWARE CAME FROM A VAR, DONT ASK HIM, CALL THE ACTUAL HOME COMPANY! The developers will give you more of a straight answer than the var.

PUTO
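HL7 v2, the protocol puto points to in step 1, is a pipe-delimited text format. As an added example (not code from the post, MSHUG or HL7), this Python parser reads the delimiters the MSH segment declares, extracts the header and patient fields, and blanks the identifying PID fields before a message leaves the covered system; the sample admit message is constructed.

```python
"""Minimal HL7 v2 parser with a PID de-identification pass (added example).

HL7 v2 messages are one segment per CR-terminated line; fields split on '|',
components on '^', repeats on '~', subcomponents on '&', escape is '\\'. MSH
declares those characters itself (MSH-1 is the field separator, MSH-2 the
other four), so the parser reads them instead of assuming the defaults.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REDACTED = "[REDACTED]"
# PID fields that identify the patient: PID-3 identifiers, PID-5 name,
# PID-7 date of birth, PID-11 address. Other segments are left untouched.
PID_IDENTIFYING_FIELDS = (3, 5, 7, 11)


@dataclass
class Encoding:
    field: str
    component: str
    repetition: str
    escape: str
    subcomponent: str


@dataclass
class Segment:
    name: str
    fields: List[str]  # fields[0] is the segment name, so fields[n] is field n

    def get(self, n: int) -> str:
        return self.fields[n] if n < len(self.fields) else ""


def parse_hl7(raw: str) -> Tuple[Encoding, List[Segment]]:
    # Wire format uses CR; tolerate LF/CRLF that appear after copy-paste.
    lines = [l for l in raw.replace("\r\n", "\r").replace("\n", "\r").split("\r") if l]
    if not lines or not lines[0].startswith("MSH") or len(lines[0]) < 8:
        raise ValueError("message must start with an MSH segment declaring its delimiters")
    msh = lines[0]
    enc = Encoding(msh[3], msh[4], msh[5], msh[6], msh[7])
    segments = []
    for line in lines:
        parts = line.split(enc.field)
        if parts[0] == "MSH":
            # MSH-1 *is* the separator and vanishes in the split; put it back so
            # MSH-9 (message type), MSH-10 (control id) etc. sit at the right index.
            parts.insert(1, enc.field)
        segments.append(Segment(parts[0], parts))
    return enc, segments


def serialize(enc: Encoding, segments: List[Segment]) -> str:
    """Inverse of parse_hl7; drops the re-inserted MSH-1 so no '||' is emitted."""
    out = []
    for seg in segments:
        parts = seg.fields[:1] + seg.fields[2:] if seg.name == "MSH" else seg.fields
        out.append(enc.field.join(parts))
    return "\r".join(out) + "\r"


def summarize(raw: str) -> Dict[str, str]:
    """Header and patient fields an intake/audit log would record."""
    enc, segs = parse_hl7(raw)
    msh = segs[0]
    pid = next((s for s in segs if s.name == "PID"), Segment("PID", ["PID"]))
    name = pid.get(5).split(enc.component)  # family^given^middle...
    return {
        "message_type": msh.get(9),
        "control_id": msh.get(10),
        "version": msh.get(12),
        "patient_id": pid.get(3).split(enc.component)[0],
        "patient_name": ", ".join(p for p in name[:2] if p),
    }


def deidentify(raw: str) -> str:
    """Blank identifying PID fields before a message leaves the covered system."""
    enc, segs = parse_hl7(raw)
    for seg in segs:
        if seg.name == "PID":
            for n in PID_IDENTIFYING_FIELDS:
                if n < len(seg.fields) and seg.fields[n]:
                    seg.fields[n] = REDACTED
    return serialize(enc, segs)


# Constructed sample admit (ADT^A01) message; no real patient.
SAMPLE = (
    "MSH|^~\\&|EMR|CLINIC|LOANSVC|HQ|20020830120000||ADT^A01|MSG00001|P|2.3\r"
    "EVN|A01|20020830120000\r"
    "PID|1||123456^^^CLINIC^MR||DOE^JANE^Q||19700101|F|||1 MAIN ST^^SPRINGFIELD^IL^62701\r"
    "PV1|1|O\r"
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(deidentify(SAMPLE).replace("\r", "\n"))
```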

MS + "anything" = Slashdot news (0, Offtopic)

garoush (111257) | more than 12 years ago | (#4155585)

Questions like those can't be answered by /. readers -- you need a lawyer and someone who understands both the HIPAA and Windows domains to help you out.

Asking such questions on /. will give you nothing but opinions on HIPAA and Windows and how /. views Windows and MS as evil.

Slashdot is becoming "news for making news" (and it can easily be done by throwing MS in the mix) not "news for nerds ...".

Gone are the days when /. was news for nerds.

Re:MS + "anything" = Slashdot news (0)

Anonymous Coward | more than 12 years ago | (#4155646)

It's not news for making news. It's news for generating revenue from banner ads. Slashdot, the Microsoft of yellow journalism.

Watch out for the 'disable' option (5, Interesting)

RobertNotBob (597987) | more than 12 years ago | (#4155588)

I work in the healthcare industry and have been following this fairly closely. One alarming thing that I have seen in various discussions is the idea that simply disabling the feature has any effect on the situation.

It does not.

The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells your machine not to do it. At any time, either pre-programmed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it: if you sign a document that states I have the privilege to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.

Also don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer (I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right in front of me now, I'm pretty sure that MediaPlayer even specifically mentions that current features may be removed (playing MP3s) by the unannounced 'upgrades'.

Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.

oh, DARN ! ;)

And for the record, I am not a lawyer. Don't take this as legal advice. Heck, I could be dead wrong. Localities and nationalities will obviously differ in their approaches.

Meditech... (-1)

Anonymous Coward | more than 12 years ago | (#4155594)

Bleh... Microsoft OS's for Medical Records are a nightmare. It's bad enough walking into the report room every day to find a nurse dumbfounded as to how to get past the login screen. Never mind the security issues.

At the hospital where I work, the solution is fairly simple. We use Meditech computers on the units, and we have a PC here and there that can also access the software but is mainly used for HealthStream. The Meditech software on those dinky little machines that seem to be built just for it is good. The computer illiterate nurses, techs, and secretaries can manage to get around them - printing, email, etc. is easy as can be - and all the security features (like chart viewing flags, etc.) are very functional and reliable. It really beats having to instruct people constantly on how to click the Start bar. What's more, the old-school 320x240 with 16 colors is way fun to play around with. Even our Medical Records dept. uses those systems.

Oh! And they DON'T CRASH.

Re:Meditech... (0)

Anonymous Coward | more than 12 years ago | (#4155642)

I'm switching to meditech

But we will still be using windows

You must be using MAGIC? not the client server

M$FT can go straight to hell (0)

Anonymous Coward | more than 12 years ago | (#4155598)

i just finished fdisking my servers and installed Redhat 7.3 with DB2 & Apache, then i took my Win2k CDroms and burned em, fired my MCSE tech when he said he could not admin Linux boxes and put an ad in the paper for a Linux admin...

Outstanding Question! (0)

Anonymous Coward | more than 12 years ago | (#4155609)

Good job man! You are thinking way too deep!

Don't get between the Feds. and medical records!

Outstanding!

Stop being a weenie (1)

PegQuin (306581) | more than 12 years ago | (#4155615)

You need to get on a bandwagon big time and get control of your IT dept. and help others join in before you lose all sorts of control due to government BS decision making. These restrictions are just the beginning and they are coming from foolish sheep being herded by cunning dogs.

I've been trying to get an answer to this myself (1)

Phil the Canuck (208725) | more than 12 years ago | (#4155619)

And my boss sits on the national committee. Odds are that what is industry standard today will be acceptable under HIPAA. The technical issue here is trivial (especially considering the fact that you'll already be required to monitor and control internet access under HIPAA anyway), and another poster has already pointed out that the EULA clause is invalid if it violates the law. I personally won't be losing sleep over this.

I have to deal with HIPAA compliance also and... (1)

PSL (519746) | more than 12 years ago | (#4155634)

My company has to deal with HIPAA standards as well. To answer your question: If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do? The answer is simple... install a firewall and encrypt data.

Also facing this problem (4, Interesting)

Dredd13 (14750) | more than 12 years ago | (#4155649)

To make matters worse, remember that as of 9/30, you can't GET Win2K, and the WinXP EULA (the only one you'll have available to you at that point) suffers the same legal issues.

We're in the process of forwarding this off to our legal staff for review, but in IT, we're now giving serious consideration to a conversion to Macs on the desktop (which would still allow compatibility and ease of use while avoiding the problematic issues involved).
