Solved

XP Home Edition and HIPAA compliance

Posted on 2005-05-10
Medium Priority
1,015 Views
Last Modified: 2011-04-14
I am a network administrator for a manufacturing company, but on the side I take care of a few doctors' offices.  These doctors' offices have multiple remote users connecting via a VPN tunnel terminating on a PIX.  These users have XP Home Edition as their OS and some even have wireless networks at home set up by themselves.  My question is: Is this configuration (XP Home Edition connected wirelessly (probably no encryption) to the internet and then VPNing into a doctor's office) HIPAA compliant?  Moreover, is XP Home Edition in and of itself compliant?  Any accompanying documentation would be much appreciated.
Question by: tmstovall
16 Comments
 
LVL 4

Expert Comment

by:AZweb
ID: 13970377
This is a good question. First of all we must all remember that HIPAA does not and never will (so they say) provide or endorse any product, hardware, software, method or procedure as being HIPAA approved. There are only people's assumptions that it is HIPAA compliant by their understanding of the very broad terms listed in HIPAA.

HIPAA does not tell you what is right or wrong but only provides these guidelines and asks that you make your best effort at providing multiple level security protection to your information and equipment.

With all that said, let's look at the pieces:

VPN tunnel to the PIX = When properly setup and encrypted, very secure and most likely compliant
XP Home Edition = Cannot log into a domain for security but with proper VPN connection can be okay
Home wireless setup = Can be secure with proper equipment and setup but a huge possible break point in security
Home wired setup = Can be secure with proper equipment and setup but still a huge possible break point in security

The biggest weak spot will be the users home setup and security provided at that point. Once they are connected via VPN the connection is direct between but there can be ways that can open this up with improper setup.

I don't think this is what you are looking for, but you're not going to find much in documentation to help you out. I've looked.
Good Luck...
0
 

Author Comment

by:tmstovall
ID: 13971964
I appreciate you taking the time to try and help.

As far as the VPN tunnel goes, it is as locked down as it can be.

What most concerns myself is that one doctor has recently had an issue with the vpn dialer crashing on his laptop so he installed it on his kid's pc.  Several weeks ago the same doctor's laptop got nailed by a plethora of viruses.  I am not sure at what point he realized it and thus how many times he connected back to the office after he was infected.

This is a major concern.  Home wireless network with multiple computers.  If any computer on the home network gets hijacked in any way then this is a backdoor right into the doctor's network, which normally has at least one VPN tunnel connected to the local hospital.

This cannot be HIPAA compliant.

Unfortunately this doctor believes that XP Home Edition is not much different than XP Pro and hence doesn't think he is jeopardizing the office in any way.  Somehow I have to prove to him that it is not safe.

This is where any documentation on this subject would be of great help.

If anyone has run across a similar situation, please share with me how you handled it.

Thanks,

Matt
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13973241
What about using a software like zonealarm pro?

It shields the own computer from others, so a worm has to get through zonealarm to get access to the vpn tunnel.

http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=zassskulist2_trial

A couple of years ago, I worked in a company that experimented with vpn using a nortel box.

The VPN client provides a nice feature: you can only connect to the VPN gateway with a proper antivirus running, and all other internet connections are disabled.

http://products.nortel.com/go/product_content.jsp?segId=0&catId=null&parId=0&prod_id=34820&locale=en-US

---
I don't think that XP Pro is somewhat more sophisticated than XP Home. It's rather the problem of being logged on as administrator, running all kinds of "valuable" software, ignoring Windows updates and running an open WLAN.

Here is the point you should start:

up-to-date Antivirus
up-to-date Antispyware
maybe a software like ZoneAlarm Pro (it can be password protected, so this is a nice feature); you could even prevent internet and local network access if not connected to an ICS/NAT gateway running ZoneAlarm...

Keeping users away from admin rights (yep, even XP Home knows the restricted user....)
Keeping the system patched and hotfixed
Teaching the users to be careful with their pc and not just make it work somehow.

Tolomir
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13974794
ZA is a great preventive measure as outlined above. Getting the wireless access points to have a minimum of a MAC address ACL is another. The MAC address access control list will keep outsiders from getting in through the WAP at the Dr's home, but RADIUS and/or IPsec should also be used to authenticate the wireless clients.
Also, to reiterate Tolomir's answers, keep up to date with virus DATs and OS patches, as well as patches for applications such as M$ Office etc...
These two links should also help you to understand HIPAA "standards":
http://www.sans.org/resources/policies/#HIPAA
http://www.med.unr.edu/it/security.html
Be sure to keep detailed logs, such as the event logs on the PCs and the PIX logs; you can use Snare for the Windows logs and Kiwi for the syslogs of the PIX. http://www.kiwisyslog.com/ http://www.intersectalliance.com/projects/
-rich

0
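The logging advice above (Snare for the Windows event logs, Kiwi for the PIX syslog) is only useful if someone actually reads the collected lines. The script below is an added example, not code from the thread or from Kiwi/Snare: it parses a handful of constructed VPN log lines in a simplified syslog shape (the timestamp, host, `VPN-LOGIN`/`VPN-LOGOUT`/`VPN-AUTHFAIL` tags and `User=`/`Peer=` fields are assumptions made for this example, not real PIX message formats) and reports the two things the thread worries about: one VPN account appearing from several home machines, and a second login arriving while the same account still has an open session from a different peer.

```python
"""Summarise VPN sessions from constructed, simplified syslog lines.

Added example; not part of the original thread. The sample lines and the
message layout are constructed for this example and are not real PIX
message formats.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export: "<timestamp> <host> <tag>: User=<u> Peer=<ip> <text>".
# This layout is an assumption for the example, not a real PIX/Kiwi format.
SAMPLE_LOG = """\
2005-05-09 07:58:12 pix-office1 VPN-LOGIN: User=drsmith Peer=203.0.113.10 Session started
2005-05-09 08:02:45 pix-office1 VPN-LOGIN: User=nurse1 Peer=198.51.100.7 Session started
2005-05-09 11:30:01 pix-office1 VPN-LOGOUT: User=drsmith Peer=203.0.113.10 Session ended
2005-05-09 19:41:09 pix-office1 VPN-LOGIN: User=drsmith Peer=203.0.113.77 Session started
2005-05-09 21:05:33 pix-office1 VPN-LOGIN: User=drsmith Peer=192.0.2.200 Session started
2005-05-09 22:10:00 pix-office1 VPN-AUTHFAIL: User=drsmith Peer=192.0.2.201 Authentication failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>VPN-LOGIN|VPN-LOGOUT|VPN-AUTHFAIL): "
    r"User=(?P<user>\S+) Peer=(?P<peer>[\d.]+)"
)


def parse_log(text):
    """Turn matching lines into dicts; lines in other formats are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def peers_per_user(events):
    """Map each user to the set of peer addresses that logged in successfully."""
    peers = defaultdict(set)
    for e in events:
        if e["event"] == "VPN-LOGIN":
            peers[e["user"]].add(e["peer"])
    return dict(peers)


def flag_multi_endpoint_users(events, limit=1):
    """Users seen logging in from more than `limit` distinct peers (one account, many home PCs)."""
    return sorted(u for u, p in peers_per_user(events).items() if len(p) > limit)


def concurrent_logins(events):
    """Logins that arrive while the same user still has an open session from a
    different peer, i.e. the account is in use on two machines at once.
    Returns (user, peer_of_open_session, new_peer, timestamp) tuples."""
    open_sessions = {}  # user -> peer of the session not yet logged out
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, peer = e["user"], e["peer"]
        if e["event"] == "VPN-LOGIN":
            prev = open_sessions.get(user)
            if prev is not None and prev != peer:
                hits.append((user, prev, peer, e["ts"]))
            open_sessions[user] = peer
        elif e["event"] == "VPN-LOGOUT":
            open_sessions.pop(user, None)
    return hits


def failed_auths(events):
    """(user, peer) pairs for failed authentications, worth a look in bulk."""
    return [(e["user"], e["peer"]) for e in events if e["event"] == "VPN-AUTHFAIL"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("peers per user:", peers_per_user(evs))
    print("accounts used from several endpoints:", flag_multi_endpoint_users(evs))
    for user, old, new, ts in concurrent_logins(evs):
        print(f"{ts}: {user} logged in from {new} while session from {old} still open")
    print("failed authentications:", failed_auths(evs))
```

Point the parser at a real Kiwi export by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the device's actual message layout; the session-tracking logic itself does not depend on the vendor format.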
 

Author Comment

by:tmstovall
ID: 13978745
Tolomir and richrumble,

I totally agree with you both in an ideal environment; however this is far from that.  Let me explain my situation a little more clearly.

I already manage a network that spans seven locations with 20 servers and 150 nodes, not to mention a dozen PIXes and half a dozen Cisco routers. I am already overwhelmed.  These doctors' offices in question are in a rural mountain area in which several of the doctors live down the mountain (several hours away).  I put in maybe 2-3 hours a month max working on stuff for each doctor's office. Each office has one or two servers with between 3-8 employees.  They do not have the funds to allow someone like myself to monitor their networks as richrumble suggests.  I know you are completely right, but that is unfortunately beside the point.  Matter of fact I use Kiwi CatTools on a daily basis along with MRTG and several Smoothwall boxes monitoring bandwidth and IDS.

That said, my problem is that these XP HE boxes are home PCs and laptops.  That is, they are used by doctors who also use them for personal stuff.  Some of these doctors live several hours away and I do not have the time to drive to their homes and set up their home networks correctly and securely.  I will reemphasize that these are home computers that the doctors' offices don't pay to maintain in any way.  

I also want to reiterate that one doctor in particular recently corrupted the virtual adapter subsystem on his VPN dialer and was not able to reinstall (he will be bringing me the laptop next week).  In the meantime he has installed the VPN dialer on his children's PC.  See my issue.  It is that the end-users are not knowledgeable enough; they are about convenience, not security.  Keep in mind that some doctors are egomaniacal and think they already know everything.

You are right that it is the methodology not the OS that is at issue in dealing with HIPAA.  However, the methodology in this particular scenario is largely based on end-user knowledge.

I cannot get these doctors to lock down their home PCs like they should.  For instance they all use Fast User Switching.  They do not want to change.  These doctors do not even know that there is an Administrator account and that each user account they create they give Admin rights to.  They do not want to change this because they do not want to have to install games and other programs for their children.  They all share out printers and even multiple My Documents folders between home computers.  You have to envision doctors with 1-4 children at home that are between the ages of 9 and 15.  These doctors' home computers are not only used by them for remote access; they are also used by kids who are playing games and using multiple instant messengers (yes I have already tried to get them to switch from using AOL, Yahoo and MSN to just using Trillian--to no avail--what the kids want the kids get).

When I have no control over these computers in any way, I cannot verify that the OS and Office are being updated, that AV is updated and that antispyware is in use and updated.  I also cannot verify what their Windows Firewall settings are.  Yes, disabling Windows Firewall and using something like ZoneAlarm is preferred.  However it has been my experience that with programs like ZoneAlarm, or say Microsoft AntiSpyware or Spybot's TeaTimer feature, when the user is prompted to allow or deny access to something, they inevitably hit Allow.

Telling a doctor how to set up encryption on his/her wireless network, disabling SSID broadcast and limiting which MAC addresses may connect is doable, except for my time constraints and the fact that this does not help when they are roaming.  I don't know how many times I have stayed in a hotel and the access point I grabbed hold of was not even in the hotel.  (I use NetStumbler for this purpose.)  This produces another level of complexity for the wireless roaming end-user.

My problem with doctors using XP HE isn't a problem with the OS.  It is a problem with having to have the user more knowledgeable to make it secure enough to be HIPAA compliant.

Ideally I would want the doctors to use XP Pro added to the domain with restricted Group Policies in place, Symantec Corporate managed back at the home office, and the user being only a domain user with no children working or playing on it.  This would then separate their home-based "work" computer from their other home PCs (no sharing of any sort).  If they need to share a printer then they can do it with a print server.  

Perhaps I am looking at this all wrong due to my biases against XP HE.  Maybe I am being too paranoid.  But in the current situation I cannot believe that this could be HIPAA compliant.  Also I would have to imagine that there are many others in rural areas in similar circumstances.

One last note, in the domain in which I am IT Manager, all remote users use XP Pro as domain users only, all are on the domain with restrictive Group Policies in place, Windows Firewall Ruleset has been highly customized to maximize its security, and I have full control over what is installed and what is not.  And still I have security concerns.  But this is a Manufacturing environment, not a Health Care environment.

If I am totally off base here, please let me know.  Thanks for all your input.

0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 300 total points
ID: 13979202
Just a note,

you can add a Win XP HE also to a domain.
Either during installation or like this: http://vowe.net/archives/001639.html
But your problems still exist, and now I see your point: XP Home doesn't support group policies...

Well, maybe some PowerPoint information sheets will help you to persuade the doctors to switch to XP Pro.
You could argue with some worst case scenarios, like data loss, hacking, spoofing etc. This might help.

But I see no technical solution right out of the box.

Tolomir


 
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 300 total points
ID: 13979589
Well, not following or properly qualifying with HIPAA compliance should be reason enough. Your Drs will be open to many lawsuits if you cannot rein in the issues before something bad happens and it makes it to the press. This could be a situation similar to what's happening with the recent ID thefts that have happened to major credit brokers recently. People's information is/was being stolen, and they are now forming class-action lawsuits against said companies.

This is one of the toughest things for us here at EE: when we know that you have the answers to what needs to be done, we sometimes don't have the answers to how you get it done. This is a common problem with policies, practices, and tightening security; they sometimes call for more man hours, more money and lots of work, but it's not easy to get the right people to approve, or even listen seriously.

It sounds to me like you've got your head on right, and knew the answer to your question before posting it. The real question, I think, is how does one make a business case for getting the help/money needed to make what needs to happen, happen. It's my experience with the companies I've worked and consulted for that something bad has to happen first, and then they will try to accommodate the security needs. It's seldom you can get another person hired, or even get a consultant to farm the work out to, especially if your case is weak.

So I think we all have an understanding of how you would go about making yourself compliant or closer to compliance, but the means to that end may rest more on your end.
My suggestions: do your homework first. Try to audit your network, look for the holes that need plugging; I think you have a good idea already in that dept. Once you've got that laid out, find the solutions to those holes, and outline their implementation in great detail. Look for cost-effective solutions, and shop around. Call consulting firms, call the Geek Squad, or other local computer techs, have a careful outline for them to follow, and get the best price you can, if that is ultimately what needs to happen.

Creating the worst case scenario is good, but don't rely on it too heavily. Look at your IDS logs, bring actual documented attacks into the presentation, and let them know it's a matter of time before the weakest link is found by someone looking to make money or extort money. Hack your own wireless setup on a test LAN, and document how quickly you were able to ascertain confidential information. I think that budgets are pretty much the deciding factor for most security issues/remedies; worst cases will make them think, but the bottom line will make them act.
http://whitepapers.zdnet.co.uk/0,39025945,60104244p-39000579q,00.htm
http://www.networkworld.com/newsletters/sec/2005/0307sec1.html
http://www.fcw.com/fcw/articles/2002/1021/mgt-case-10-21-02.asp
-rich
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13981437
Talking about "HIPAA compliance"

I never knew I could use the advertisements next to my Gmail account messages; here is what Google offers:

Need HIPAA Compliance?
Want to send encrypted messages? Download a free white paper today.
www.voltage.com

HIPAA IT Security
Practical guide to HIPAA compliance Free whitepaper, Good info.
www.ecora.com

HIPAA Manuals & Guides
Fast Shipping and Delivery of economical HIPAA guides and manuals
www.aardvarkforms.com

The HIPAA Fast-tracker from McLure-Moynihan Inc. (MMI) is a user-friendly software program that provides detailed advice and tracking for HIPAA compliance and implementation initiatives for hospitals, billing companies, health plans, medical groups and other organizations.
http://www.mmiec.com/h_fst_trker.html


In short:
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=HIPAA+compliance

Tolomir
0
 

Author Comment

by:tmstovall
ID: 14011836
Richrumble,

You are right in saying that I did know the answer to my question before I asked it.  I just wanted to make sure I wasn't barking up the wrong tree.  Also, I was hoping that someone had run into something similar and could help get me in the right direction with either their experience or some docs dealing with this in particular.

Tolomir,

I too used Google and found lots of sites that offer the documentation.  My point is that I am swamped and can't weed through all of the info.  I am a full time Admin in the Manufacturing Industry.  

To you both,
The area in which I live is not known for its capable consultants.  As a matter of fact I am one of only two people up here I know of that is Cisco certified, and I have more Microsoft certs than anyone around here.  So there is no one else for me to direct them to that may be of help.  Not unless they want someone to drive up (several hours' drive each way) and charge 3X as much for the service (not doable).

Guess the real answer to my question is that HIPAA is impractical and impossible to fully implement.  Forget the network security.  There is no way to get rid of the gossip system within small towns.

Thank you both for trying to help me with this situation.  I will split the points between the two of you.
0
 

Author Comment

by:tmstovall
ID: 14011861
Tolomir,

I did not realize that you could join an XP HE box to a domain.  Thanks for the info.
0
 
LVL 4

Expert Comment

by:AZweb
ID: 14012426
Tolomir,
While the link you provided is interesting, it only allows you to connect to a domain share and not the domain itself.
This still does not provide the security features and permissions of the group policy from the domain, but can actually introduce a security flaw in the domain by the share on the XP Home machine.

I would not recommend this practice to anyone where security is an issue.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 14012728
@ AZweb: Forgive me, I never had Windows XP Home running on my own, and as it seems it is always wise to invest the additional bucks to buy the Pro version. So I simply don't know what precisely is "really" missing in the home edition.

@ tmstovall: Thanks for the points. I think you should still consider some advice to the medics about network security.
You can prevent a lot of potential damage by running an antivirus solution and an antispyware tool. Also mention a backup solution (a simple DVD burner would be enough).

Alright, greetings to the wild wild west ;-)

Tolomir
0
 
LVL 4

Expert Comment

by:AZweb
ID: 14012874
Tolomir,
No problem, I was just trying to clarify to others that it is not the same as logging into a domain and can still be a large security risk without the group policies in place.

I will consider this topic closed...Good day all
0
 

Author Comment

by:tmstovall
ID: 14014615
AZweb,

Thanks for the clarification on XP HE being added to a domain.  I only clicked on the link, but did not actually read the information on the site. (It's no excuse, but I didn't take/have the time.) ;)

I also appreciate your previous input as well.

--Matt
0
 

Author Comment

by:tmstovall
ID: 14014679
PS--

Tolomir,

We already do run all of that locally within the domain--with multiple backups throughout the day (they are totally paperless--docs even write scripts from their computer--and that means they can from anywhere).  The doctors in question, at home, do run antivirus and antispyware; how often is another question.  What concerns me is the fast user switching environment with no password and doing all personal banking, not to mention the sharing with the children, and being laptops (docs on the go).  These are personal computers and that is where I have to give them specific information on why I should change the way they do things.

As far as them consulting a healthcare security expert: you are exactly correct, and that is where I will have to bow out and let them take care of that on their own.

Thanks for your input.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 14171308
The penalties have changed for HIPAA:
http://www.schneier.com/blog/archives/2005/06/us_medical_priv.html
Just an FYI.
-rich
0