MS EULA v HIPAA - specifics (was Re: Linux in business)

Author: Derek Neighbors
Date:  
Subject: MS EULA v HIPAA - specifics (was Re: Linux in business)
Gary Nichols said:
> First of all, EULA or no EULA - MS gives you ability to *turn off*
> automatic update notification. No MS product (that we use) has the
> ability to auto-install these "fixes". Some products will download the
> fix, but they will not *install* them. That would be insanity and
> vendor suicide. I'm not saying MS won't get there - they don't have the
> best track record in security, period. This comes down to your network
> security policy, server maintenance policy, etc. Policy Policy Policy.

Read the DRM sections. Today you have the ability to turn off the
auto-update feature. In the future you may *not* have that luxury.
During the last rash of worms/virii Microsoft officials mentioned they
were seriously considering making any computer connected to the net have
forced upgrades, as the damage the worms/virii were doing because of
unpatched systems was as bad as the "suicide" you mention.

To be clear, you seem to think that if this feature is left on, there
would indeed be a HIPAA violation? Remember this is the *default* behavior
of the software.

>> MS has no obligation to notify you of such changes, either.
>
> True. Part of the information security game is due diligence. If you
> use $vendor's product, you should be actively watching for updates.
> Since we turned off auto-update notification/download we call the shots.
> If the EULA is changed to say "We will install $update on your machine,
> not tell you, nya nya" then any ISO with half a brain will recommend
> that their legal department speak with MS. If a compromise can't be
> reached (believe it or not, MS does actually compromise when a sale is
> on the line) then you stop actively developing for that product and move
> to something else.

That is why this discussion is happening. DRM is coming.

>> I am not a lawyer, nor a HIPAA auditor nor consultant. I don't know
>> enough about HIPAA security requirements to know if this is a real
>> problem or not for HIPAA compliance. I have read claims that it is. In
>> particular, I have seen claims that based on MS history of exploitable
>> bugs in Internet-enabled software, such bugs in automatically
>> installed upgrades are a reasonably anticipated threat or hazard to
>> information security and integrity, hence giving the above right to MS
>> violates HIPAA in 45 CFR 164.306(a)(2) [0]:
>>       (a) General requirements. Covered
>>       entities must do the following:
>>       (1) Ensure the confidentiality,
>>       integrity, and availability of all
>>       electronic protected health information
>>       the covered entity creates, receives,
>>       maintains, or transmits.
>>       (2) Protect against any reasonably
>>       anticipated threats or hazards to the
>>       security or integrity of such information.
>
> The section you quote deals with:
> - Having adequate policies in place for (1).
> - Performing an adequate risk analysis to ensure that you can meet the
> requirements.
>
>> There may also be an issue with 45 CFR 164.312(b), as MS is not
>> obligated to provide notification of this change:
>>       (b) Standard: Audit controls.
>>       Implement hardware, software, and/or
>>       procedural mechanisms that record and
>>       examine activity in information systems
>>       that contain or use electronic protected
>>       health information.
>
> The MS EULA has nothing to do with this provision IMHO. This is HHS's
> way of making sure that you are auditing who has access to what, when
> they did what they did, etc. General audit controls that any internal
> audit department should already be demanding.

If you have Microsoft updating your system (which they give themselves the
right to do according to their EULA) and part of that says they need not
notify you, then how the hell do you expect to audit it?

Even if you audit that they updated something, how can you reasonably
trust that what they uploaded is known to be good? If I remember correctly,
didn't they send out several thousand CDs of their software with some
trojan? (Unbeknownst to them, of course.)

I know you like to cry over and over "turn off the feature", but you
realize that if push came to shove, Microsoft has the right to terminate
the agreement because you do not allow them to keep the system adequately
updated. They can revoke your right to use the software at any time.

> Documentation is key. In summary, you need to perform a risk analysis,
> then a gap analysis (where are you compared to the requirements) and
> then write corrective action plans to address your deficiencies. If all
> this is documented properly, you should have very little problem in
> showing an auditor from OCR (Office of Civil Rights, the enforcers of
> HIPAA) that you have done your due diligence.

The circles where I see this talked about the most pretty much say there
are limited "task forces" available to enforce HIPAA. Therefore, a case
like this, which is very much on the edge of the details and is not
"clear", is not likely to be pursued by any HIPAA compliance folks. They
will be focusing on clear and definitive gross privacy violations.

I am willing to fully concede that the XP EULA (and many other MS EULAs)
is draconian, backwards and limits your freedoms severely. However, at
this time they are not in gross violation of HIPAA to the extent that
there is a need to test them in a court of law. However, I would expect
others using this position to state that since the GPL has stood up for
nearly 20 years against forces like Apple, Compaq and others, it is a
valid license that need not have undue doubts cast on it merely because
the legal eagles have chosen not to make a court case out of it.

-Derek