On Thu, 22 Jan 2004, Alex LeDonne wrote:
[Huge amount of text snipped]
> I remember that one of the MS EULA concerns from a HIPAA security rule
> point of view is this section, the second bullet of Part 11,
> "DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS" from the EULA of an
> enterprise install of Win2KSP3 (I believe it is the same or similar in
> WinXP):
>
> * Internet-Based Services Components. The Product contains
> components that enable and facilitate the use of certain
> Internet-based services. You acknowledge and agree that
> Microsoft may automatically check the version of the
> Product and/or its components that you are utilizing
> and may provide upgrades or fixes to the Product that
> will be automatically downloaded to your Workstation
> Computer.
>
> That is, you agree that Microsoft may install un-audited
> Internet-enabled software on what may be an audited machine. Note that
> "upgrade" is as designated by Microsoft - if _they_ consider the
> addition of a spyware component to be an "upgrade" to, say, Internet
> Explorer, Media Player (it uses the Internet to get CDDB data and is
> considered an OS component), etc., then you have, in fact, authorized
> MS to install said spyware on your system. Will they? Can you say with
> certainty that they won't, or in fact haven't? What about upgrades that
> are just buggy to the point of exploitability?
Speaking as someone who is actively involved in compliance endeavors with
HIPAA Security/Privacy for $large_AZ_Insurance_Company, I feel qualified
to comment on this.
First of all, EULA or no EULA - MS gives you ability to *turn off*
automatic update notification. No MS product (that we use) has the
ability to auto-install these "fixes". Some products will download the
fix, but they will not *install* them. That would be insanity and vendor
suicide. I'm not saying MS won't get there - they don't have the best
track record in security, period. This comes down to your network
security policy, server maintenance policy, etc. Policy Policy Policy.
> MS has no obligation to notify you of such changes, either.
True. Part of the information security game is due dilligence. If you
use $vendor's product, you should be actively watching for updates. Since
we turned off auto-update notification/download we call the shots. If the
EULA is changed to say "We will install $update on your machine, not tell
you, nya nya" then any ISO with half a brain will recommend that their
legal department speak with MS. If a compromise can't be reached (believe
it or not, MS does actually compromise when a sale is on the line) then
you stop actively developing for that product and move to something else.
> I am not a lawyer, nor a HIPAA auditor nor consultant. I don't know
> enough about HIPAA security requirements to know if this is a real
> problem or not for HIPAA compliance. I have read claims that it is. In
> particular, I have seen claims that based on MS history of exploitable
> bugs in Internet-enabled software, such bugs in automatically installed
> upgrades are a reasonably anticipated threat or hazard to information
> security and integrity, hence giving the above right to MS violates
> HIPAA in 45 CFR 164.306(a)(2) [0]:
> (a) General requirements. Covered
> entities must do the following:
> (1) Ensure the confidentiality,
> integrity, and availability of all
> electronic protected health information
> the covered entity creates, receives,
> maintains, or transmits.
> (2) Protect against any reasonably
> anticipated threats or hazards to the
> security or integrity of such information.
The section you quote deals with:
- Having adequate policies in place for (1).
- Performing an adequate risk analysis to ensure that you can meet the
requirements.
> There may also be an issue with 45 CFR 164.312(b), as MS is not
> obligated to provide notification of this change:
> (b) Standard: Audit controls.
> Implement hardware, software, and/or
> procedural mechanisms that record and
> examine activity in information systems
> that contain or use electronic protected
> health information.
The MS EULA has nothing to do with this provision IMHO. This is HHS's
way of making sure that you auditing who has access to what, when they did
what they did, etc. General audit controls that any internal audit
department should already be demanding.
> However, this second issue could presumably be addressed with a
> network-level audit/monitoring solution.
That addresses network access, but to show any auditor full compliance,
you need to have application-level user-access logs available. To what
level? This is up to you, based on the risk analysis that you perform.
> As I understand HIPAA, the main requirement is documentation. Perhaps
> this is an issue which, sufficiently documented, does not prohibit the
> use of newer MS OSs (Win2KSP2 has been reported as the last MS OS not
> to include the EULA bullet in question). Perhaps not. Since there's no
> such thing as too many disclaimers, do not use this information without
> proper review by your legal counsel.
Documentation is key. In summary, you need to perform a risk analysis,
then a gap analysis (where are you compared to the requirements) and then
write corrective action plans to address your deficiencies. If all this
is documented properly, you should have very little problem in showing an
auditor from OCR (Office of Civil Rights, the enforcers of HIPAA) that you
have done your due diligence.
Gary
Disclaimer: I am by no means pro-MS. I am a Mac/Linux/Sun weenie at
heart.
(text/plain)