Windows and HIPAA

Does Microsoft's new 'we will update you' license comply with U.S. law on health-care privacy?

I REPORTED that Windows' newest patches -- Service Pack 1 for Windows XP and SP3 for Windows 2000 -- contain new license language that gives Microsoft the right to silently revise your operating system (see "Sneaky service packs").

This upsets many companies whose PCs can't be allowed to morph at will. But those who are worried the most are IT pros in the health care field. They must comply by April 14, 2003, with HIPAA (Health Insurance Portability and Accountability Act). Among other things, the law requires "a compliant technical information infrastructure." All systems must ensure the security and privacy of medical records online.

Let's set aside for the moment whether today's Windows can ensure security of any kind. Let's also note that, except for XP's Media Player and digital rights management, Windows doesn't silently do all that much yet.

Here's the question: Since Microsoft may start using its new rights any time, won't it soon be against federal law for health care providers to rely on Windows to handle patient records?

"The EULA [end-user license agreement] change has really got me worried," writes Peter Clark, the owner of Consulting. "I think the new SP3 license terms are in direct conflict with HIPAA. Either I don't install the service pack -- and am therefore running an OS with known security holes, which HIPAA frowns upon -- or I do install the service pack and thereby install a new security hole, which allows for automatic changes of the software configuration."

Clark has an idea, though. "Since the automatic update/security holes only apply to Microsoft, the health care industry needs to go to Microsoft with a joint NDA (nondisclosure agreement) and indemnification agreement, requiring Microsoft to hold their HIPAA-compliant customers harmless should patient information be leaked via this mechanism."

The issue has escalated beyond tech workers to alarm medical doctors themselves.

"Our procedures sometimes involve surgery to place over 100 recording electrodes in the patient, sometimes on the surface of the brain," says Dr. Bob Webber, a systems manager at a teaching hospital. "These PC-based systems use Microsoft Windows [because all but one vendor of these systems use Microsoft operating systems] and multimedia programs to capture the patient's data."

Webber asks, "If, after a Microsoft service pack is applied to overcome a security weakness in their operating system, and the service pack also secretly breaks the multimedia software and/or revokes access to our patient's data, thus damaging our patient care, who is responsible?"

It's not just hospitals but every user of Windows who should be wondering. You'd think Microsoft would understand that customers don't want their mission-critical systems changing in the dead of night. This isn't brain surgery.