Windows 10 has generated privacy concerns for Healthcare IT professinals as much as it has generated interest in the consumer market.
HIPAA Windows 10 Privacy Concerns are in full swing as healthcare organizations begin making preparations to update.
Windows 10 privacy concerns regarding HIPAA regulations has risen from all the new features offered in Windows 10. Windows 10 has been described by some as residing partially in the cloud. That is, as consumers are now being lead to cloud based services, so Microsoft has developed it’s Windows 10 operating system to be evermore so connected to their servers in the back end.
Some of the features that Healthcare IT professionals are concerned about include Input Personalization as noted in this popular article.
According to Microsoft’s privacy statement for Windows 10 (https://www.microsoft.com/en-us/privacystatement/default.aspx), for the “Input Personalization” feature, “…your typed and handwritten words are collected to provide you a personalized user dictionary, help you type and write on your device with better character recognition, and provide you with text suggestions as you type or write. Typing data includes a sample of characters and words you type, which we scrub to remove IDs, IP addresses, and other potential identifiers.”…
…In addition, Windows 10 Input Personalization, “collect[s] your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames.”…
- Is the input scrubbed of personally identifiable information before or after it’s sent to Microsoft (i.e. on the local PC or in Microsoft’s servers)?
- Is the input data encrypted before it’s transmitted to Microsoft?
- Is Microsoft storing the collected data?
Mr. Hoffenberg is not alone in his privacy concerns regarding Windows 10. The question of whether or not Windows 10 is HIPAA and HITECH compliant was posted on Microsoft’s website as detailed in the linked article below. As of now, I believe the question remains unanswered but was moved over to a discussion forum.
Another cause for Windows 10 privacy concerns is Data Syncing as explained in The Windows 10 Privacy Issues you Should Know About.
…and the list of HIPAA Windows 10 privacy concerns goes on…
The following Windows 10 features are new and cause concern for anyone responsible for maintaining HIPAA compliance in their organization:
Cortana: Microsoft’s answer to Siri and Google Talk. Cortana “learns” how each person speaks and writes by taking samples. In addition, names, nicknames, recent calendar events and contacts are maintained.
Data Sync: Default setting allows the operating system to sync settings and data into Microsoft’s servers. It is intended to sync passwords, website plugins, favorites, etc.; however it may lead to users’ credentials being vicariously breached by Microsoft.
3rd party Advertisers: The Advertising ID provides a unique identifier per user allowing collections of data to be shared with 3rd party advertisers. This may help fund the “free” upgrade to Windows 10 from previous versions, and is provided to help provide more effective targeted ads when using 3rd party applications. Turning this off will not block ads from appearing, but they may not be as targeted, as your users will remain more anonymous with this feature turned off.
Bitlocker: Windows 10 will automatically backup your encryption key to OneDrive, unless you are using Active Directory Group Policy to manage this element. Also, if you are using Bitlocker or planning to use Bitlocker, ensure you use the TPM+PIN option or turn off hibernation/sleep support to avoid having to report a breach if a Bitlocker-encrypted laptop is lost or stolen.
Telemetry: Those familiar with the Windows Pop-up sending diagnostic information after a program crashes to Microsoft for product improvement will want to know about Telemetry. Telemetry is an enhanced diagnostics and tracking service which sends additional information to Microsoft for new features such as per-application updates, Windows 10 upgrade offers, etc. This is a well-documented How-To disable Telemetry from our friends at Winaero.
Regarding Telemetry you can read Windows 10 makes diagnostic data collection compulsory. Of key interest to those concerned with HIPAA compliance is this tidbit of information:
Full switches on other data gleaning, including advanced diagnostics “that collect … such [things] as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred.”
Microsoft’s new license agreement as explained in this article is painfully straightforward in regards to personal data. The article goes on to describe it (Windows 10) as “a privacy nightmare for everyone”.
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”
Another Windows 10 feature that is troubling, not only for Healthcare IT Professionals, but for network administrators is Wi-Fi Sense.
Wi-Fi Sense is a feature of Windows 10 that allows you to easily share your various Wi-Fi networks with people on your contact list. It’s handy because you don’t have to give them the password to your Wi-Fi. You simply add them to your computer’s Wi-Fi Sense list and it Just Works.
The list of people that you can share your Wi-Fi networks with through Wi-Fi Sense is very extensive. It can go so far as anyone who is your Facebook friend. Experts have determined that there are various ways for bad guys to exploit Wi-Fi Sense and get access to places they really shouldn’t be.
It is quite obvious that the contest for delivering cloud based services has been accelerating and will continue to do so. Microsoft has made an aggressive push towards that end with Windows 10.
While regular consumers will voice their own privacy concerns they will likely be ignored; healthcare organizations, on the other hand, are obligated by law to comply in keeping patient data private…and privacy is what seems to be going out the window in order to enhance functionality and provide feature rich content.
In closing, HIPAA Windows 10 privacy concerns need to be addressed before moving forward with an upgrade to Windows 10.
**Update** For information on better securing ePHI while using Windows 10 in healthcare read https://maaadit.wordpress.com/2016/03/22/hipaa-hitech-and-windows-10-5-settings-to-better-secure-ephi/.