InfoWorld
Window Manager
Brian Livingston
Windows and HIPAA

I REPORTED that Windows' newest patches -- Service Pack 1 for Windows XP and SP3 for Windows 2000 -- contain new license language that gives Microsoft the right to silently revise your operating system (see "Sneaky service packs").

This upsets many companies whose PCs can't be allowed to morph at will. But those who are worried the most are IT pros in the health care field. They must comply by April 14, 2003, with HIPAA (Health Insurance Portability and Accountability Act). Among other things, the law requires "a compliant technical information infrastructure." All systems must ensure the security and privacy of medical records online. (See http://www.hipaadvisory.com/regs/HIPAAprimer1.html.)

Let's set aside for the moment whether today's Windows can ensure security of any kind. Let's also note that, except for XP's Media Player and digital rights management, Windows doesn't silently do all that much yet.

Here's the question: Since Microsoft may start using its new rights any time, won't it soon be against federal law for health care providers to rely on Windows to handle patient records?

"The EULA [end-user license agreement] change has really got me worried," writes Peter Clark, the owner of PClark.net Consulting. "I think the new SP3 license terms are in direct conflict with HIPAA. Either I don't install the service pack -- and am therefore running an OS with known security holes, which HIPAA frowns upon -- or I do install the service pack and thereby install a new security hole, which allows for automatic changes of the software configuration."

Clark has an idea, though. "Since the automatic update/security holes only apply to Microsoft, the health care industry needs to go to Microsoft with a joint NDA (nondisclosure agreement) and indemnification agreement, requiring Microsoft to hold their HIPAA-compliant customers harmless should patient information be leaked via this mechanism."

The issue has escalated beyond tech workers to alarm medical doctors themselves.

"Our procedures sometimes involve surgery to place over 100 recording electrodes in the patient, sometimes on the surface of the brain," says Dr. Bob Webber, a systems manager at a teaching hospital. "These PC-based systems use Microsoft Windows [because all but one vendor of these systems use Microsoft operating systems] and multimedia programs to capture the patient's data."

Webber asks, "If, after a Microsoft service pack is applied to overcome a security weakness in their operating system, and the service pack also secretly breaks the multimedia software and/or revokes access to our patient's data, thus damaging our patient care, who is responsible?"

It's not just hospitals but every user of Windows who should be wondering. You'd think Microsoft would understand that customers don't want their mission-critical systems changing in the dead of night. This isn't brain surgery.





Copyright 2002 InfoWorld Media Group, Inc.