Speaking of HIPAA, Do MS's EULAs Violate It?

by Pamela Jones
Groklaw

May 22, 2003

I've been following a number of online discussions on HIPAA, the new regulation requiring health care providers to provide privacy and security protections for our personally identifiable health information, and in more than one place I've seen people raise the question: Do Microsoft's current EULAs, their End User License Agreements, violate HIPAA? HIPAA requires you to prevent access to PHI; the EULAs in question say Microsoft has the right to access your hard drive at will -- their will, not yours -- and download updates and patches.

It's a bit like arguing over how many angels can fit on the head of a pin.... it doesn't matter what you conclude, it is what it is (or isn't), no matter what you say. Most people use Windows products and they probably will continue to do so, no matter what you say. You can't escape the EULA, so you're stuck, some say.

Examples of such online conversations here [ http://yro.slashdot.org/comments.pl?sid=61497&threshold=1&commentsort=0&tid=109&mode=nested&cid=5775920 ] and here [ http://ask.slashdot.org/article.pl?sid=02/08/27/2030205&mode=thread&tid=109 ] and here [ http://www.linuxmednews.com/linuxmednews/1050658492/index_html ] and here [ http://www.mshug.org/forum2/topic.asp?TOPIC_ID=81 ] and here [ http://bioc09.v19.uthscsa.edu/pipermail/hsc-unix/2002-August/000224.html ] and here [ http://forums.obgyn.net/techtalk/TECHTALK.02/0029.html ] and here [ http://mail.nahu.org/pipermail/nahunet/2002-September/000750.html ] and even on Security Focus [ http://www.der-keiler.de/Mailing-Lists/securityfocus/security-basics/2002-08/0886.html ].

Some view it as a non-issue but others are taking it seriously. Some suggestions [ http://yro.slashdot.org/article.pl?sid=03/04/21/2045200&mode=thread&tid=109&tid=125 ] I have seen in online discussions include not enabling the automatic updates and doing them manually, not updating at all so you don't have to accept the EULA, and still others have suggested "disabling" the EULA itself, by declaring it not binding on you anyway. Don't try that at home, kids, by the way... I am just reporting what I've been reading, not what I think is good advice. Anyone who tells you that you can click on "I Agree" and then later say it isn't binding on you probably didn't go to law school. (Cf., http://www.theregister.co.uk/content/4/30325.html)

Others, more knowledgeable, say you can just encrypt the PHI and monitor exactly what Microsoft does with your hard drive.

What is the fuss all about? To understand, first you might like to go here [ http://www.microsoft.com/education/license/eula.asp+EULA&hl=en&ie=UTF-8 ]where Microsoft waxes poetic on EULAs.

Then try this article [ http://www.theregister.co.uk/content/4/25956.html ] "MS Security Path EULA Gives Billg Admin privileges on your box," by Thomas C Greene at The Register.

And this: "Windows and HIPAA [ http://www.infoworld.com/article/02/09/13/020916opwinman_1.html ]," by Brian Livingston.

And these two: "Microsoft's Intrusive License Agreement Conflicts With Federal Banking Laws" [ http://www.macobserver.com/article/2002/10/23.13.shtml ] by Bryan Chaffin and Brad Smith, and "Follow-Up: Microsoft EULA May Conflict With More Federal Privacy Laws" [ http://www.macobserver.com/article/2002/10/24.6.shtml ] by Brad Smith.

With Windows Media Player, just not updating won't solve the problem. The EULA comes with a vital security patch [ http://bsdvault.net/article.php?sid=527&mode=&order=0 ], not just when you update. And if you automatically update everything on a Windows computer, Windows Media Player is included in the mix unless you take steps to avoid it.

The patch is explained [ http://www.microsoft.com/technet/treeview/default.asp?ir;=/technet/security/bulletin/ms02-032.asp ] in MS Security Bulletin MS02-032, June 26, 2002, updated Feb. 28, 2003, "Cumulative Patch for Windows Media Player" (Q320920), and it addresses three vulnerabilities "which could be used to run code of attacker's choice".

MS' recommendation is to upgrade, if using 7.0, to 7.1 and then patch "immediately". If you do, you get the EULA, which includes this:

"Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS components that will be automatically downloaded onto your computer."

So now you are faced with a true dilemma. Update and/or patch and accept the EULA, or don't update/patch and face the internet with critical vulnerabilities? In a HIPAA context, which is better? Is either acceptable? Just not updating is clearly not possible. But if you accept the EULA, are you then out of compliance with HIPAA?

All right you say, but if you upgrade to XP or 2000, you get more secure environments than 95/98SE, so much so that some companies covered by HIPAA are forbidding the storage or transmital of any PHI on 95/98 boxes. True, the environment is more secure, if only because neither 95 or 98 allows meaningful user access control, but upgrading to Windows XP or Windows 2000 SP3 presents the EULA question. Windows XP Professional's EULA requires "mandatory operating system software upgrades", which MS has verbally said they don't actually mean, when asked about the EULA after the storm hit. But it still says this, so which is it? You are faced with relying on MS's word that they don't mean it, going ahead and disabling the automatic updates and doing updates manually, and risking that they might change their minds and hold you to the actual wording of the EULA; or just not using their software. Hmmm. And by the way, if you update manually, you must enable ActiveX, which is itself a security issue [ http://windowsupdate.microsoft.com/R1150/v31site/x86/nt4/en/thanksstart.htm ].

To see the actual wording for XP, go here [ http://www.microsoft.com/licensing/resources ] and download the PUR.pdf file, dated April of 2003, under the MS Volume Licensing Programs; or read this Infoworld article [ http://www.infoworld.com/article/02/02/08/020211opfoster_1.html ].

For Windows 2000, you can read about updates here [ http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/spdeploy.htm#automatic_updates_for_windows2000_gahz ].

To read the EULA itself, go here [ http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp ] and click on the download link, then quit the process after you read it by saying you don't agree, or read this posted version by doing a Find for EULA in the comments after this Slashdot article [ http://yro.slashdot.org/comments.pl?sid=61497&threshold=1&commentsort=0&tid=109&mode=nested&cid=5775920 ].

If you already have Windows 2000 and want to see the EULA, this MS page [ http://www.microsoft.com/windows2000/en/professional/help/lic_what_eula_say.htm ] tells you how to find it on your computer.

So there you have the dilemma. Can you protect PHI and also invite Microsoft in to visit your hard drive where the PHI is kept?

Recently I got a press release offering a HIPAA conference with a special party thrown by MS for all the attendees as part of the package. It's a big party, and it sounded like fun, with food and drink, fun tech-toys to play with at their headquarters, a chance to win an XBox, big-time speakers, etc. You can read about it here [ http://www.hipaasummit.com/agenda/day3.html ] although the fun stuff is only mentioned in the press release: "SPECIAL RECEPTION SPONSORED BY MICROSOFT ON FRIDAY EVENING, JUNE 6 IN SEATTLE: -- Mingle among test tubs [sic], beakers and tablet PCs at Microsoft's Lab party in downtown Seattle on Friday night. There will be cocktails, food and music, plus all attendees can register to win an X-Box that will be given away on Saturday." The next day all the conferees are taken by bus to Microsoft's conference center for the day's talks.

It's no wonder, I thought reading the release, that talking about security problems in MS products is such a hard sell. These heavy-duty speakers at the conference are going to have a lot of fun at Microsoft's headquarters, and it must be hard to say bad things about their software after you've eaten their food, drunk their drinks, and danced to their music. I don't think perceptions about the importance of security will change overnight, but as HIPAA problems crop up, and they will, just as Nimbda and Slammer were a big education with regards to security and Microsoft software, little by little I think people working under the HIPAA umbrella will realize that security in current MS products is a challenge. MS promises to improve security in the future. Unless or until they do, I don't doubt that there will be PHI spills.

And what I wonder is: when some infuriated victim of a PHI breach sues a company that didn't succeed in preventing the spill, then what? Can they successfully argue that they met their HIPAA obligation when there are other operating systems, such as Apple and Linux, that arguably provide better security? The US Army, for example, switched [ http://www.landfield.com/isn/mail-archive/1999/Sep/0020.html ] from Windows NT servers to Apple servers [ http://www.techtv.com/news/story/0,24195,2332011,00.html ] in 1999 to increase security, because the W3C said they were more secure [ http://www.w3.org/Security/faq/wwwsf1.html#Q3 ].

Nor is HIPAA the only worry; state consumer protection and privacy laws, when they are more stringent than HIPAA, are not wiped away by it. You can sue under state law, even if you can't sue as an individual under HIPAA, where you can only file a complaint for the government to follow up on. See "Medical Privacy: Understanding HIPAA's Security Rule," here [ http://gigalaw.com/articles/2003-all/hollander-2003-04-all.html ] and this page [ http://www.state.oh.us/hipaa/234hpm.htm ] "HIPAA Privacy Law Matrix", developed by The Ohio State Medical Association and The Ohio State Bar Association Health Law Committee to compare the requirements of the HIPAA Privacy rule with privacy requirements in Ohio law, for one example.

If HIPAA has done one thing already, it's making us all more aware of issues some of us didn't worry about that much before.

Maybe you aren't the worrying kind. But if I were a health care provider, I believe I'd follow these suggestions I have seen in online discussions on this topic: first, I'd call my lawyer and get specific legal advice on the EULA and liability re the security issues, and second, I'd get expert computer security advice. HIPAA isn't a job for amateurs.

HIPAA, the Health Insurance Portability and Accountability Act, the new set of federal rules and regulations regarding privacy of medical records, is now in effect. The Privacy Rule is here [ http://www.hhs.gov/ocr/hipaa/finalreg.html ]

Next to be implemented will be the Security Rule, which you can read [ http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf ] in the Federal Register or from the link here [ http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp ].

Not everyone is happy about HIPAA, including the American Association of Physicians and Surgeons who are urging patients to talk to their doctors and ask them for their files to take home with them, and then bring them with them to each visit themselves. Their instructions are here [ http://www.aapsonline.org/confiden/hipaapatients.htm ] and the form they suggest patients sign is here [ http://www.aapsonline.org/confiden/patientadvisory.htm ].

Meanwhile, back on Planet Reality, you can learn about what HIPAA all means here [ http://www.medabiliti.com/hipaa.html ] and at CMS' official page here [ http://www.cms.hhs.gov/hipaa/hipaa2/default.asp ] and here [ http://www.cms.hhs.gov/hipaa/hipaa2/news/NewsReleaseFull.asp#NewsItem12 ]. The HIPAA Complaint form is here [ http://www.cms.hhs.gov/hipaa/hipaa2/support/correspondence/complaint/securitychoice.asp ]. There is also an attorney HIPAA Blog [ http://hipaablog.blogspot.com/ ].

2:29:06 AM

Copyright 2003 http://radio.weblogs.com/0120124/ - http://creativecommons.org/licenses/by-nc-nd/3.0/