Sneaky Microsoft patches worry health managers

Windows' newest patches contain new licence language that gives Microsoft the right to silently revise your operating system. This upsets many companies whose PCs can't be allowed to morph at will. But those who are worried the most are IT pros in the US health care field.

I reported that Windows' newest patches -- service pack 1 for Windows XP and SP3 for Windows 2000 -- contain new licence language that gives Microsoft the right to silently revise your operating system (see Sneaky service packs).

This upsets many companies whose PCs can't be allowed to morph at will. But those who are worried the most are IT pros in the health care field. They must comply by April 14, 2003, with HIPAA (Health Insurance Portability and Accountability Act). Among other things, the law requires "a compliant technical information infrastructure". All systems must ensure the security and privacy of medical records online. (See HIPAAdvisory.)

Let's set aside for the moment whether today's Windows can ensure security of any kind. Let's also note that, except for XP's Media Player and digital rights management, Windows doesn't silently do all that much yet.

Here's the question: Since Microsoft may start using its new rights any time, won't it soon be against US federal law for health care providers to rely on Windows to handle patient records?

"The EULA [end-user licence agreement] change has really got me worried," writes Peter Clark, the owner of PClark.net Consulting. "I think the new SP3 licence terms are in direct conflict with HIPAA. Either I don't install the service pack -- and am therefore running an OS with known security holes, which HIPAA frowns upon -- or I do install the service pack and thereby install a new security hole, which allows for automatic changes of the software configuration."

Clark has an idea, though. "Since the automatic update/security holes only apply to Microsoft, the health care industry needs to go to Microsoft with a joint NDA (nondisclosure agreement) and indemnification agreement, requiring Microsoft to hold their HIPAA-compliant customers harmless should patient information be leaked via this mechanism."

The issue has escalated beyond tech workers to alarm doctors themselves.

"Our procedures sometimes involve surgery to place over 100 recording electrodes in the patient, sometimes on the surface of the brain," says Dr Bob Webber, a systems manager at a teaching hospital. "These PC-based systems use Microsoft Windows [because all but one vendor of these systems use Microsoft operating systems] and multimedia programs to capture the patient's data."

Webber asks, "If, after a Microsoft service pack is applied to overcome a security weakness in their operating system, and the service pack also secretly breaks the multimedia software and/or revokes access to our patient's data, thus damaging our patient care, who is responsible?"

It's not just hospitals but every user of Windows who should be wondering. You'd think Microsoft would understand that customers don't want their mission-critical systems changing in the dead of night. This isn't brain surgery.

Send tips to contributing editor, Livingston. He regrets that he cannot answer individual questions. Send letters for publication in Computerworld to Computerworld Letters.
