Full Disclosure mailing list archives
Re: EULA
From: "Curt Purdy" <purdy () tecman com>
Date: Tue, 9 Sep 2003 18:25:08 -0500
Actually, failure to achieve compliance with HIPAA could find hospital executives and physicians facing fines of up to $25,000. Certain criminal violations could cost individuals and organizations $250,000 and up to 10 years in jail. This is quoted out of more than one reference.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy () dpsol com
936.637.7977 ext. 121

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Gregory A. Gilliss
Sent: Tuesday, September 09, 2003 5:13 PM
To: full-disclosure () lists netsys com
Subject: [inbox] Re: [Full-disclosure] EULA

Okay, this is from my girlfriend, so flame her if it's wrong :-)

Basically, a HIPAA compliant hospital/practice/etc. that is found to be in violation of, say, the regs on software change control, can be fined up to US$ 10,000 per violation. I would guess that that *could* be construed as "per personal computer" if they wanted to be dicks about it...

But, it gets better...if the hospital/practice/etc that has been inspected and cited doesn't comply with the violated HIPAA regs, they can be closed down. BAM!

In practice I do not think that this has happened (yet) because the whole HIPAA thing is so new. However if you look at it from the security perspective, I expect that M$ legal will be amending their existing EULA for health care providers as soon as they read about this...

G

On or about 2003.09.09 14:08:04 +0000, David Hayes (david.hayes () mci com) said:
> So, if a HIPAA site uses Windows and accepts the SP3 EULA, they're screwed.
> If a HIPAA site uses Windows and does not accept the SP3 EULA, they're screwed.
> Logical conclusion, if a HIPAA site uses Windows, they're screwed.
> Thus they should use a different OS?
>
> --
> David Hayes
> Network Security Operations Center
> MCI Network Svcs
> email: david.hayes () MCI com  vnet: 777-7236  voice: 972-729-7236
>
> On Mon, Sep 08, 2003 at 01:13:21PM -0400, Valdis.Kletnieks () vt edu wrote:
> > On Mon, 08 Sep 2003 08:43:14 PDT, D B <geggam692000 () yahoo com> said:
> > > does the EULA of Microsoft violate lawyer client privilege ..... as in if my lawyer is using windows is he violating my rights
> >
> > I can't speak for the legal profession, but the SP3 EULA (the one where you agree to allow Microsoft to install, without warning or notification, anything labeled a "security patch", even if it breaks 3rd party software), is known to be very bad mojo for sites covered by HIPAA, because it cedes software change control.
> >
> > Of course, if you fail to agree to the EULA and you're a HIPAA site, you're still screwed because then you can't install post-SP3 patches.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Gregory A. Gilliss      Telephone: 1 650 872 2420
Computer Engineering    E-mail: greg () gilliss com
Computer Security       ICQ: 123710561
Software Development    WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Current thread:
- EULA D B (Sep 08)
- <Possible follow-ups>
- RE: EULA Jerry Heidtke (Sep 09)