HIPAA and SP4 -- Microsoft's take?


Peter

We at the Dept. of Psychiatry at San Francisco General Hospital need to
protect medical data according to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA).

Currently, we run W2K Pro SP2. We have not upgraded yet to SP4 because
of concern over Microsoft's purported ability to access PCs, as allowed
by SP4, where in the software agreement it states Microsoft is allowed
to act in the place of a (music, media) company that suspects illegal
copies of its copyright-protected material on PCs and can disable programs
related to this material.

**The issue is**, by federal law, NO ONE is allowed access to Protected
Health Information (PHI) unless they are authorized (clinical staff, ITS
staff that cannot help but be around such data. Naturally, we do not
support the illegal copying and dissemination of copyrighted material
and will erase it if noticed.)

We wish to know, what exactly is the amount of access Microsoft has to
W2K SP4 PCs? Is there a possibility of unauthorized access to PHI?
From what we have heard, there is. I am trying to find this in print
and cannot.

Thank you,

ITS staff
UCSF-SFGH Dept. of Psychiatry
 
Sue Bill and his company or do not use Windows...
The rumors about background access have been spreading since Windows 98 hit
the market, so it's late to abstain from SP4 installation, moreover - it's a
must.

Seriously, check http://www.cms.hhs.gov/ and send them an email about MS and
HIPAA compatibility, if it's not too paranoid. AFAIK, the gov't and MS must
have an agreement.
 
There is more involved than just the operating system, be it
Windows 2000, NT or whatever. One of the requirements for a
HIPAA-secure system is that it must operate behind firewalls.
Similarly, access to the subnet, i.e., penetrating the firewall,
must also be controlled as well as access to the domain and
the systems in the domain. It is a lot more complicated than
just looking at a single computer and its OS. FYI, our clinical
systems are in their own domain behind a departmental firewall and
the health center firewall. Access to all servers and systems is
restricted. The UCSF Medical Center Compliance Office should be
fully aware of the requirements to run properly under HIPAA.
 
I am always amazed when I read things about "back-door access" in
Windows. It is one of those things that are all rumors with no fact.
Windows 2000 has received a C2 security rating. That is the highest level
security rating and means it can be used in the Dept of Defense and other
high security government agencies. You can find lots of info here.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/issues/w2kccwp.asp

Bottom line, I am sure it will meet HIPAA standards.

Leonard Severt

Windows 2000 Server Setup Team