Fri, Oct 15 2004 21:45
bradley
So today I get asked if there is anything in HIPAA....
So I'm on the phone today and get asked if there is anything in HIPAA that says that ISA Server/SBS 2003 is not HIPAA compliant because it has two network cards.
Huh? Say...whaaattt? First off, a bit of background: HIPAA stands for the Health Insurance Portability and Accountability Act, which was signed into law in 1996, and part of that law covers the protection of ePHI, electronic Protected Health Information. Stuff you want to secure, you know?
The final Security Rule that was released is deliberately technology neutral: it tells you what must be protected, not which product or network design must do the protecting.
As is discussed in this GIAC practical by Dan Aiken: "Network Design – The Rule makes no explicit mention of network security principles such as resource separation, firewall placement and protection, and limiting visibility of traffic between systems."
The National Institute of Standards and Technology has also produced an introductory resource guide for implementing the HIPAA Security Rule. At 96 pages I would argue it's probably a bit more than an introduction, but nonetheless, it too is silent on the exact type of protection, i.e. one network card or two.
So we continue the conversation, and the gentleman on the phone says that he recently lost out on an installation of SBS 2003 with ISA Server because he thinks another firm came in with a dash of FUD [fear, uncertainty and doubt] and sold the customer on the idea that they had to have a Cisco firewall protecting their firm. Meanwhile Cisco's source code has been stolen, and per Secunia it has a few vulnerabilities here and there. ISA Server 2004 has none in the same database, and ISA Server 2000 just a few.

Now, granted, you can be totally freaked out by the number of services running on our boxes, but the point is that security is not a matter of how many NICs you have or which brand of firewall is in place; you have to look at the entire network. Where are your weak spots? That's where you need to focus your time and budget.
Counting network cards is not the way to more security.
Just a heads up, folks... There's no silver bullet that is going to make the bad guys all go away. Staying on an up-to-date and patched platform is the best way to stay safe. And with that... I'm firing up the Shavlik folks and getting my control thrill in for the evening!
Filed under: ISA Server, Rants