Chat with us, powered by LiveChat

Windows 10 and HIPAA Security Officer Compliance

Windows 10 Settings

CIOs, IT Directors and IT Managers are often deputized as their organization’s HIPAA Security Officer.  In addition to being responsible for HIPAA security and compliance, there may be a push to upgrade to Windows 10.   After all, everyone in the organization is already using it at home.  But during testing and planning deployment, Cortana and the mobile-OS-like features of sending data to third-parties begs the question, “Does Windows 10 violate HIPAA Privacy?”

The short answer is that the default configuration of Windows 10 may violate HIPAA.  The Windows 10 Privacy Statement as part of the Microsoft License terms July 2015 provides very flexible language on how Personal Data is collected, used and shared.    Specifically this provision states:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”

As with any convenient features, there is always an impact on security.  Unfortunately, security and functionality are often inversely related.

Windows 10 Privacy Settings

The following Windows 10 features are new and cause concern for anyone responsible for maintaining HIPAA compliance in their organization:

  1. Cortana: Microsoft’s answer to Siri and Google Talk.  Cortana “learns” how each person speaks and writes by taking samples.  In addition, names, nicknames, recent calendar events and contacts are maintained.
  2. Data Sync: Default setting allows the operating system to sync settings and data into Microsoft’s servers. It is intended to sync passwords, website plugins, favorites, etc.; however it may lead to users’ credentials being vicariously breached by Microsoft.
  3. 3rd party Advertisers: The Advertising ID provides a unique identifier per user allowing collections of data to be shared with 3rd party advertisers.  This may help fund the “free” upgrade to Windows 10 from previous versions, and is provided to help provide more effective targeted ads when using 3rd party applications.  Turning this off will not block ads from appearing, but they may not be as targeted, as your users will remain more anonymous with this feature turned off.
  4. Bitlocker: Windows 10 will automatically backup your encryption key to OneDrive, unless you are using Active Directory Group Policy to manage this element.  Also, if you are using Bitlocker or planning to use Bitlocker, ensure you use the TPM+PIN option or turn off hibernation/sleep support to avoid having to report a breach if a Bitlocker-encrypted laptop is lost or stolen.
  5. Telemetry:  Those familiar with the Windows Pop-up sending diagnostic information after a program crashes to Microsoft for product improvement will want to know about Telemetry.  Telemetry is an enhanced diagnostics and tracking service which sends additional information to Microsoft for new features such as per-application updates, Windows 10 upgrade offers, etc.  This is a well-documented How-To disable Telemetry from our friends at Winaero.

Although it is still early to tell if specific HIPAA Privacy considerations are violated with Windows 10; HIPAA Privacy, at a high level, ensures individuals have the minimum protections which may be violated. Therefore depending on whether ePHI is released as these Windows 10 features are used; we believe the violation of the following laws may lead to HIPAA non-compliance:

  • Access to the health record – see patient rights §164.522, §164.524 §164.526
  • Minimum necessary uses of PHI – see use and disclosure §164.514
  • Content and right to an Accounting of Disclosures – see privacy management process §164.528
  • Business Associate Contracts – see privacy management process §164.504, §164.502, §164.524, §164.526,§164.528.

To ensure diligence with HIPAA Privacy, it is unclear whether Microsoft will be sending ePHI from PCs anytime soon, which may result in “collateral damage” for those Covered Entities using Windows 10.   And although the question on HIPAA Privacy violations is a tenuous answer, following some basic steps may significantly reduce your organization’s risk of violating HIPAA.

Windows 10 Cortana settings

To maintain your organization’s level of due-diligence under HIPAA and the HITECH act, there are items to configure in Windows 10 to help avoid long-term repercussions that result from upgrading to Windows 10.   By taking measures to test, configure and restrict information being sent outside your organization’s networks with Windows 10; you may request set of instructions below.

In conclusion, Windows 10 does send information back to Microsoft and does such on a per-feature, per-benefit basis.  Microsoft has provided a way to turn off these data-collecting features however, traditional system-level information will still be sent (as it always has been) to Microsoft.  We strongly recommend turning these data-collecting features off.  It is better to be safe than sorry!

To request your copy of the full whitepaper, which includes specific instructions on which Active Directory Group Policies to edit, along with sources of Microsoft Administrative Templates for Windows Server 2012 and the Windows 7 & 8 KB patches to avoid, please request it by contacting us now, and we will be happy to send you a full copy.

 

For a copy of the pcapng file replay of our tested Windows 10 Enterprise configuration in the updated version of this whitepaper, win10Run1.

 

 

 

Comments

  1. Michel Bouckaert says

    My concern is not with the software, but with the EULA. By agreeing with it, I am giving permissions that are incompatible with HIPAA Confidentiality — the equivalent of leaving paper documents visible to non-BA-people. Sure, as long as they don’t abuse that right I gave them, there is no leak. The day they do, however, HHS will discover that I gave them permission. Willingly.

  2. There are several issues with 10. 1. The EULA (licensing agreement) gives permissions which can lead to HIPAA violations. As Mr. Bouckaert states well.
    2. Microsoft has not been clear on what is actually being reported. Even ArsTechnica could not figure out all items being reported. But, again, per the EULA, if they find something illegal, they will give full access to authorities. So, whatever they are taking can be read and reported.
    3. Yet, several tech websites have confirmed the Telemetry reporting CANNOT BE TURNED OFF. So, your perceived belief of “if we tell it to stop reporting, it will stop,” is false.

    Due to these things, I will not recommend 10 to anyone who cannot get Enterprise Licensed 10, as supposedly, Enterprise Licensed 10 allows the complete turning off of all telemetry.

  3. I’m with you up until “it is unclear whether Microsoft will be sending ePHI from PCs anytime soon”, but you lose me when you state so confidently that turning off a few features constitutes due diligence. This is a serious cloud hanging over Windows 10 adoption into the SOHO market (e.g. a solo marriage therapist), which lacks the ability to audit their network traffic. Or rather it should be a cloud, but I’m afraid these people will upgrade without even being aware of the issues.

    • As it stands, the small users stands no chance of stopping a breach, let alone guaranteeing any sort of due diligence in the face of an audit. Ignorance is no defense, and for Windows 10 even Enterprise users will need to very carefully adjust security settings and myriad other services to maintain compliance. They will then have to continually make certain updates do not revert or invalidate these changes.

      Linux is just the simpler option. Unfortunately most users will fall back to Windows 7 as long as possible. They will extend the use of old machines and licenses long past usability, in the hopes of continuing to live in the Microsoft world for one more day.

  4. Maybe, just maybe, you might consider asking your vendors to create linux versions of their applications. Linux has far, far better security than windows does. The National Security Agency, the organization that knows a thing or two about secrecy, has developed something called SELinux, which creates extraordinarily strong security. Yes, it takes an expert to set up SELinux, but once it is set up, you don’t have to touch it. And it WILL stop malware. Linux can create an encrypted file system at boot time. Furthermore, since you get the source code to linux, you can, if you wish, audit the system yourself for security flaws. There are some distributions of linux that will “phone home” in case of a system failure, but you can turn it off, and once it is off, it stays off. Since the software is free, there is no need to get any nefarious marketing advantage. Finally, linux is *significantly* more reliable than Windows, even if only because you don’t have to reboot it every time you do an upgrade. The fact is that there are linux machines that have been up and running, continuously, for over 3 years. Finally, there is a system, called WINE, that will allow you to run Windows applications on linux, so even if your vendor balks at rewriting their code, you can run your software under WINE, and it should work.
    You’ve been blinded into thinking that the only solution is Windows. As a result of that blindness, you are not aware that there are alternatives. It’s very much like being in an abusive marriage – “Why didn’t she just leave him?”.
    Think about it.

Speak Your Mind

*