I'm not. Anyone familiar with medical records and computer security issues considers the security portions of HIPAA a joke.
The primary reason is that medical records are pretty much universally kept on MS Windows systems.
I guess I was lucky. Most of the medical software I've worked on has run on CentOS or RHEL systems.
There are several reasons why this makes data security a joke. The main one has been discussed here at /. several times: Windows has an automatic update feature, which you can turn off for "application" level software. However, it can't be turned off for "system" level software. MS has admitted that this has been true since XP. Their excuse is that kernel security issues are taken seriously, and updates are mandatory.
However, if you think about this for a few seconds, it obviously means that any time your Windows system is connected to the Internet, MS can silently install any new software they like. If your machine isn't reporting the contents of selected files to a .microsoft.com site now, it could be by the time you read this, and unless you're a real Windows security guru, you'd never suspect.
So if you're running Windows, you must assume that anyone who has "socially engineered" a connection at MS has access to all of your data.
And, less you think this is all spurious, you might look around in the records of the internet back in the 1990s when MS was first supplying systems with internet access. There are multiple reports of people getting curious about why their modem's lights were flickering when the machine was idle. Attaching a line monitor showed that the traffic was a list of the contents of the disk, being sent to a .microsoft.com address. The server on the other end could obviously also ask for the contents of files. This was ignored by the media and most managers, but it was noticed by the geeks among us with even minimal understanding of network security. Similar behavior has been reported for most releases of Windows.
This all has obvious application to HIPAA rules. My wife has worked with medical data for several decades now, at several employers. Every one of them worked exclusively on Windows systems. She has a Windows partition on her Mac "for work", and uses it a lot. She also has a work-supplied take-home Windows laptop. It's true that they use VPN to connect to the office computer systems. But this does nothing for the above issues. Since her Windows partition and laptop are connected to our home network, VPN just supplies an internet connection to her office machines, so their "silent upgrade" feature can work any time she's connected. This shoots down any claims that her office is protected from malicious sites (such as microsoft's ;-) by VPN. We've verified that both her Windows systems can easily access .microsoft.com web sites while connected via VPN, showing that there is a data path for MS's silent update software to work.
This is hardly a secret. We've discussed it here on /., and it's been discussed in lots of other forums. Microsoft has a clear and obvious silent path to any medical data stored on their systems, any time they have an internet connection, which is almost all medical systems in the US. Anyone who can bribe the right people at MS also has such access.
So the fact that HIPAA rules don't forbid the use of MS Windows makes those rules a joke. I'd bet that many medical records people understand all this. It should be no surprise that they treat HIPAA data security as a joke.
Oh, that's actually pretty simple. Block Microsoft's sites via firewall rules (not on a per-machine basis, that would be silly, but at the point of entry). You can still have machines outside of the network download all the security updates that a machine might need, put them on a DVD, and make that available to the workstations (via IT reps or whatever), but this way you control the flow of data.
It's interesting to consider non-MS systems in this light. Fully open-source systems are probably immune to such problems, since they'd be exposed fairly quickly. Apple systems are about half open-source, but most of the kernel and the UI have hidden source. Apple systems haven't been documented to have any behavior like those described above, so there's a good chance that such backdoors don't exist on Macs. But we can't prove this, because we aren't permitted access to the low-level source. Macs apparently don't do silent updates, but we can't prove that, either. Is there a way to either expose such backdoors or prove they don't exist on Macs?
Sure. Route the Mac's traffic through a device that's capable of inspecting the network traffic. If you don't have a decent router handy, any old box with a live linux distro would do.
