Title: RE: Questions on firewalls


Yes, keeping up with patches can amount to a full-time job.  With that said, a vendor who provides a software tool that requires so much time to maintain b/c of security holes is effectively beta-testing the software after it has been released to the public. 

The other side can argue that software that requires frequent application of patches is being analyzed by more people and therefore is maturing more quickly. 

How many patches per week/month/year are too many?  Are software products that require fewer patches really more secure?  Ditto frequent patching. 

Those of you who frequent web sites such as searchsecurity.com, infoworld.com or itworld.com have probably seen articles questioning the lack of accountability for software vendors who release software with a multitude of security and functionality flaws.  While this is a very valid concern, how would such accountability be applied to open source software?  Most of us would not buy a car if we could not lock its doors.  Yet, many of us accept buggy software as the norm. ...but that is a topic for another discussion.

The point I am trying to make is that HIPAA privacy is ultimately about a policy decision that takes risk into account.  Besides, my above comments pertain more to security than to privacy.

Jake Mazur
GovConnect
A Subsidiary of govONE Solutions
15 Piedmont Center, Suite 1200
3575 Piedmont Road NE
Atlanta, GA 30305
[EMAIL PROTECTED]
http://www.govconnect.com/


-----Original Message-----
From: David Frenkel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: RE: Questions on firewalls


Another major issue with any software facing the outside world is to
keep up with vendor patches which can be a time consuming effort.

Regards,

David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com
425-260-5030

-----Original Message-----
From: Kathleen Chauvin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 9:46 AM
To: 'Duane N. Bruce'; Lance; 'HIPAA Office Assistant DHS';
[EMAIL PROTECTED]
Cc: Debbie R. Linger
Subject: RE: Questions on firewalls

That is definitely the case.  Configuration is of utmost importance for a
secure and effective work environment. My experience directing an IT project
with a Federal contractor when our DoD customer began adding firewalls and
configuring and re-configuring for internal user groups, external cleared
vendors...it took a lot of time and tweaking and authorizations due to new
DoD policies and procedures.  That's a good thing.
 

-----Original Message-----
From: Duane N. Bruce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 12:20 PM
To: Lance; 'HIPAA Office Assistant DHS'; [EMAIL PROTECTED]
Cc: Debbie R. Linger
Subject: Re: Questions on firewalls


Everyone is giving you pretty good definitions of what a firewall is.  I
would merely like to add that a firewall is only as good as its
configuration.

Many organizations merely plug a firewall in and think they
are protected. Their main concern usually centers around whether the
addition of a firewall interferes with their legitimate users'
activities.

As much time, if not more, should be devoted to HOW it is configured.
By all means, consult an expert and follow their advice.

----- Original Message -----
From: "Lance" <[EMAIL PROTECTED]>
To: "'HIPAA Office Assistant DHS'" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Cc: "Debbie R. Linger" <[EMAIL PROTECTED]>
Sent: Thursday, August 08, 2002 10:14 AM
Subject: RE: Questions on firewalls


> A firewall, in a very general sense, is a piece of computer equipment that
> sits between the internet and your corporate network.  This sometimes takes
> the form of a PC running certain software or a specialized appliance.  Its
> job is to restrict the flow of data to only that which you want to happen.
> If you only want email to go in and out of your network, then you turn off
> everything except email.  If you want to keep people from accessing a
> particular website, you can block that.  They can be simple or quite
> sophisticated.  You mentioned policy and procedure.  I'm a technical person,
> but would guess that the configuration of your firewall would be determined
> by policy and procedure.  There should be some documentation that dictates
> what is allowed and denied access.  For more information consult an expert.
>
> -----Original Message-----
> From: HIPAA Office Assistant DHS [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 08, 2002 9:10 AM
> To: [EMAIL PROTECTED]
> Cc: Debbie R. Linger
> Subject: Questions on firewalls
>
>
> May I please have answers to the following questions at your earliest
> convenience?
>
> 1.)  What is the definition of a firewall?
>        Is a firewall an actual piece of software or can it be accomplished
>        by Policies and Procedures and limited access?
>
> 2.)  Can one facility be considered as a health plan and a health provider?
>        Is it a requirement that they are considered one or the other?
>
> Thank you for your help,
>
> Theresa Sack
> HIPAA Office Assistant
> [EMAIL PROTECTED]
> (701) 328-1479
>
>
> The WEDI SNIP listserv to which you are subscribed is not moderated.  The
> discussions on this listserv therefore represent the views of the individual
> participants, and do not necessarily represent the views of the WEDI Board of
> Directors nor WEDI SNIP.  If you wish to receive an official opinion, post
> your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/.
> Posting of advertisements or other commercial use of this listserv is
> specifically prohibited.
>

