MS EULA v HIPAA - specifics (was Re: Linux in business)

Author: Gary Nichols
Date:  
Subject: MS EULA v HIPAA - specifics (was Re: Linux in business)
On Thu, 22 Jan 2004, Derek Neighbors wrote:
> Read the DRM sections. Today you have the ability to turn off the
> auto-update feature. In the future you may *not* have that luxury.
> During the last rash of worms/virii Microsoft Officials mentioned they
> were seriously considering making any computer connected to the net have
> force upgrades. As the damage the worms/virii were doing because of
> unpatched systems, was as bad as the "suicide" you mention.
>
> To be clear you seem to think if this feature is left on that indeed there
> would be a HIPAA violation? Remember this is the *default* behavior of
> the software.


More of a violation of common-sense security policy than anything else.
HIPAA Security gives you a lot of room to work depending on your
environment. If you allow products to self-install updates and it's
against your security policy, and you've determined that self-installing
updates is a high risk factor, then yes I would consider this HIPAA
Security Fodder.

> That is why this discussion is happening. DRM is coming.


It can come. That doesn't mean anyone $joe_blow is going to use it.

> >> There may also be an issue with 45 CFR 164.312(b), as MS is not
> >> obligated to provide notification of this change:
> >>       (b) Standard: Audit controls.
> >>       Implement hardware, software, and/or
> >>       procedural mechanisms that record and
> >>       examine activity in information systems
> >>       that contain or use electronic protected
> >>       health information.


This section requests that you implement
some type of *auditing* feature that *records activity* in systems that
store or process EPHI. If MS deploys a bomb of an update to SQL server,
that's just fine - but you need an audit trail to help diagnose what
happened and who was responsible, what was touched, etc.

> If you have Microsoft updating your system (which they give themselves
> right to according to their EULA) and part of that says they need not
> notify you. Then how the hell do you expect to audit it?


Let me put it this way.  If you trust $vendor who provides $software to
you, and they automagically install updates with no verbal or written
warning or signed agreement, then yes - you're in a bad place.    If you
overlooked critical sections in an SLA or an EULA, then you're in a bad
place.  -> DUE DILIGENCE <-  If you don't do your homework and make the
vendor bend to your wishes (or use another vendor) then you have no one to
blame but yourself or whoever demanded that you use that product to begin
with.


> Even if you audit they updated something. How can you reasonably trust
> what they uploaded is known to be good? If I remember correctly didn't
> they send out several thousand CDs of their software with some trojan?
> (unbeknownst to them of course)


Dance with the devil, feel the burn. :-)

> I know you like to cry over and over turn off the feature, but you realize
> if push came to shove Microsoft has the right to terminate the agreement,
> because you do not allow them to keep the system adequately updated. They
> can revoke your right to use the software at any time.


I see your point, but I'm afraid I don't agree with this statement at all.
Right now if MS demanded that we (at work) allow them to force-update our
MS machines, we would say no. We would give good reasons. Two scenarios
would then happen:
1) They would say "ok" and keep us as a premium customer (as they always
have).
2) They would terminate the agreement, which would result in us *QUICKLY*
moving to another platform from a vendor that would support us and our
security policies.

This is the real world folks, and maybe life is different for me since
we're a large corporate customer - but I'm just stating the facts from my
chair here.

> The circles I see this talked about the most, pretty much say there is
> limited "task forces" available to enforce HIPAA. Therefore, a case like
> this which is very much on the edge of details and is not "clear" is not
> likely to be pursued by any HIPAA compliance folks. They will be focusing
> on clear and definitive gross privacy violations.


Yes, OCR has very limited resources for enforcement, but remember this one
key element about HIPAA:
>> It is complaint driven <<


That means for OCR to even blink at your business (being a covered entity
governed by HIPAA) you have to have someone or something file a formal
complaint against you. Then and only then do the black helicopters
appear.

> I am willing to fully concede that the XP EULA (and many other MS EULAs) is
> draconian, backwards and limits your freedoms severely. However, at this
> time they are not in gross violation of HIPAA to the extent there is a need to
> test them in a court of law. However, I would expect others using this
> position to state that since the GPL has stood up for nearly 20 years
> against forces like apple, compaq and others that it is a valid license
> that need not have undue doubts cast on it merely because the legal eagles
> have chosen not to make a court case out of it.


Well said.