HIPAA HITECH and Windows 10 – 5 Settings to better secure ePHI

Windows 10 and HIPAA HITECH compliance was called into question soon after the OS was released.  This is not another post on whether or not Windows 10 is HIPAA compliant; for more on that you can read https://maaadit.wordpress.com/2015/12/15/hipaa-windows-10-privacy-concerns/.

What this post is about is how to better secure ePHI if you use Windows 10 in healthcare.  Should you use Windows 10 in healthcare amid all the HIPAA concerns?  HIPAA compliance, as has been said before, is up to the covered entity.  You, as a covered entity, are ultimately responsible for securing ePHI.

Windows 10 is fairly new.  As with any other new technology, it is recommended to wait until it has been widely accepted by the healthcare industry before implementing it as a full-blown computing solution.   Having said that, you may still find a place for Windows 10 in your organization.


HIPAA HITECH – Windows 10 – 5 settings to better secure ePHI (Electronic Protected Health Information).


Telemetry – Sends diagnostic data to Microsoft, including the reports generated when Windows or an app hangs or crashes

Why should Telemetry settings be configured for organizations that work with ePHI?  The following excerpt from a ZDNet article by Ed Bott explains that at the Enhanced setting, data transmissions to Microsoft include memory contents of faulting processes.


Yes, especially at the higher telemetry settings.

The collection process is tailored so that the telemetry component avoids gathering information that could directly identify a person or an organization. However, at the Enhanced setting, when Windows or an app crashes or hangs, the memory contents of the faulting process are included in the diagnostic report generated at the time of the crash or hang, and that crash dump might include sensitive information.

Enhanced is the default telemetry setting in Windows 10 Enterprise and Education; Windows 10 Home and Pro default to Full, which sends everything Enhanced does and more.  Why is this important for HIPAA covered entities?  If a user was accessing patient information when the application in use crashed, it is entirely possible that patient information was loaded in memory at the time of the crash or hang.  Could it then be included in a diagnostic report and accidentally sent to Microsoft?

How do you configure the telemetry level on domain-joined Windows 10 computers using Group Policy?

Use Group Policy to set the telemetry level

Use a Group Policy object to set your organization’s telemetry level.

  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
  2. Double-click Allow Telemetry.
  3. In the Options box, select the level that you want to configure, and then click OK.

The levels are 0 (Security), 1 (Basic), 2 (Enhanced) and 3 (Full).  Given the excerpt above, Basic is the level to pick for workstations that touch ePHI: Enhanced is the first level at which crash dumps with process memory contents are sent.  Security (0) is honored only on Windows 10 Enterprise, Education and Server editions; on Windows 10 Pro it is treated as Basic.


Speech, Inking and Typing – Collects information like speech and handwriting patterns and typing history

Why should input personalization be disabled for organizations that work with ePHI?  As Microsoft points out in Windows 10 speech, inking, typing, and privacy: FAQ:

We also collect your typed and handwritten words to improve character recognition and provide you with a personalized user dictionary and text completion suggestions. Some of this data is stored on your device and some is sent to Microsoft to help improve these services.

Is it possible that the collected words accidentally include patient information?  The user dictionary is built from whatever the user types or writes, including text entered into a clinical application, and there is no way to exclude ePHI from it.

To disable Speech, Inking and Typing using Group Policy:

In Group Policy Management Console navigate to Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization and set it to Disabled.


OneDrive – Microsoft cloud storage

If you are a HIPAA covered entity, unless you have a signed BAA with Microsoft, you should prevent the use of OneDrive for file storage.  Why?  Because less tech-savvy users could accidentally store files containing ePHI in OneDrive; without a BAA, that would violate the HIPAA Privacy Rule.  It is possible to obtain a BAA from Microsoft if you do wish to use its cloud storage service.  Note that this policy disables the built-in OneDrive sync client and its File Explorer integration; it does not stop a user from uploading files through the OneDrive website in a browser, which needs a separate control such as web filtering.

To turn off OneDrive in your organization:

  • Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage

Note: Set to Enabled


Microsoft accounts – In Windows 10, allows users to log in to workstations using a Microsoft account

It is strongly recommended that Microsoft accounts be disabled via Group Policy unless a BAA has been signed with Microsoft.  More information regarding Microsoft cloud services and the HIPAA/HITECH Act is available here.

Why might you want to prohibit the use of Microsoft accounts to log in to Windows 10?  Users logging in to Windows 10 with a Microsoft account get cloud storage through OneDrive.  They can also sync settings, which can include content from certain apps, as explained here.  Might any of this content contain ePHI?

In Group Policy navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts and set it to Users can’t add or log on with Microsoft accounts.  The weaker option, Users can’t add Microsoft accounts, only blocks adding new ones; accounts that already exist on the machine can still log on.


Cortana – Microsoft’s virtual assistant

Why you should probably disable Cortana for workstations running Windows 10 in healthcare organizations:

Cortana, Search, and privacy: FAQ

When I use Cortana, what information is collected and where is it saved?

When you use Cortana, Microsoft collects and uses information including your device location information and location history, contacts (People), voice input, searching history, calendar details, content and communication history from messages and apps, and other information on your device. In Microsoft Edge, Cortana collects and uses your browsing history.

This information is saved on your device, in your Cortana Notebook, and in the cloud on the Bing.com dashboard.

Why might this be of concern for HIPAA covered entities using Windows 10?

If conducting a search for patient files on a Windows 10 PC using Cortana, and if you are using patient identifiers to conduct your search queries, is it possible for those identifiers to be saved in search history and perhaps in the Bing.com Dashboard?

To disable Cortana in Group Policy navigate to Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana and set it to Disabled.  This turns off the assistant, but Windows Search can still send what the user types to Bing unless the web search policies below are set as well.


Other Windows 10 Group Policy settings to consider modifying:


Don’t search the web or display web results in Search / Don’t search the web or display web results in Search over metered connections – Prevents Windows Search from sending queries to the web

Why might you want to disable web search?  Because the Start menu search box otherwise sends what the user types, which may be a patient name or identifier, to Bing.  Enable these policies if you don’t want local search queries leaving the machine.

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search over metered connections

Note: Set to Enabled.


Disable pre-release features or settings – This policy setting determines the level at which Microsoft can experiment with the product to study user preferences or device behavior

In a production environment you may not want to allow Microsoft to experiment with the product, particularly on workstations that handle ePHI, where a setting changed as part of an experiment is a change you never tested.

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Disable pre-release features or settings

Note: Set to Disabled.  This is not a typo: for this particular policy, the Disabled state is the one that turns experimentation off.


Turn off the advertising ID – The advertising ID is a per-user identifier that apps can use to share information for the purpose of delivering targeted ads

Turn off the advertising ID to stop apps from correlating a user’s activity across applications for ad targeting.

Computer Configuration> Administrative Templates> System> User Profiles> Turn off the advertising ID

Note: Set to Enabled


WiFi Sense – Allows Windows 10 users to share WiFi bandwidth with their contacts without sharing the password directly with the other users; also, it allows Windows 10 users to connect to WiFi hotspots that are shared by others

What does Wi‑Fi Sense do?

Wi‑Fi Sense connects you to Wi‑Fi networks around you. It can do these things for you to get you Internet access:
  • Automatically connect you to open Wi‑Fi networks it knows about by crowdsourcing networks that other people using Windows have connected to. These are typically open Wi‑Fi hotspots you see when you’re out and about.

  • Automatically connect you to Wi‑Fi networks that your Facebook friends, Outlook.com contacts, or Skype contacts have shared with you after you’ve shared at least one network with your contacts. When you and your contacts share Wi‑Fi networks with each other, you give each other Internet access without having to tell each other your passwords. No networks are shared automatically. When you first connect to a network that you decide to share, you’ll need to enter the password, and then select the Share network with my contacts check box to share that network.

Why might this be a problem?  From an IT administrative standpoint, you do not want your users automatically joining open networks outside the organization (anyone on an open hotspot can observe or tamper with traffic that is not separately encrypted), nor do you want users sharing the organization’s Wi-Fi access with individuals outside the organization.

Users have to be signed in to a Microsoft account in order to use Wi-Fi Sense (another good reason to disable Microsoft accounts in a work environment).  To prohibit users from connecting to suggested and shared hotspots, in Group Policy navigate to Computer Configuration > Administrative Templates > Network > WLAN Service > WLAN Settings > Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services and set it to Disabled.  Microsoft removed the contact-sharing half of Wi-Fi Sense in Windows 10 version 1607; the policy still controls automatic connection to open hotspots.
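Group Policy is the right way to deploy every setting above, but you also want to verify that each one actually landed on a workstation.  The PowerShell script below is an added example for this post, not code from Microsoft or from the original article.  It audits, and on request applies, the registry values that these Group Policy settings and security options write; the registry locations are the ones Microsoft documents for each policy, while the function names and the Accept list for the telemetry row are this example’s own.  Run it from an elevated prompt on a test machine; on a domain member the GPO rewrites these keys at the next policy refresh, so treat Group Policy as the source of truth and this script as the check.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# registry values behind the Group Policy settings discussed above.
# Every value is REG_DWORD. Run elevated; on domain members GPO wins at refresh.
#Requires -RunAsAdministrator

$Policies = @(
    @{ Name      = 'Allow Telemetry (1 = Basic; 0 = Security, honored only on Enterprise/Education)'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       ValueName = 'AllowTelemetry'; Desired = 1; Accept = 0, 1 }
    @{ Name      = 'Allow input personalization = Disabled'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'
       ValueName = 'AllowInputPersonalization'; Desired = 0 }
    @{ Name      = 'Prevent the usage of OneDrive for file storage = Enabled'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       ValueName = 'DisableFileSyncNGSC'; Desired = 1 }
    @{ Name      = 'Accounts: Block Microsoft accounts = Users can''t add or log on (3)'
       Key       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'NoConnectedUser'; Desired = 3 }
    @{ Name      = 'Allow Cortana = Disabled'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       ValueName = 'AllowCortana'; Desired = 0 }
    @{ Name      = 'Don''t search the web or display web results in Search = Enabled'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       ValueName = 'ConnectedSearchUseWeb'; Desired = 0 }
    @{ Name      = 'Don''t search the web over metered connections = Enabled'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       ValueName = 'ConnectedSearchUseWebOverMeteredConnections'; Desired = 0 }
    @{ Name      = 'Disable pre-release features or settings = Disabled (experimentation off)'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
       ValueName = 'EnableConfigFlighting'; Desired = 0 }
    @{ Name      = 'Turn off the advertising ID = Enabled'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       ValueName = 'DisabledByGroupPolicy'; Desired = 1 }
    @{ Name      = 'Wi-Fi Sense auto-connect off (documented registry equivalent of the WLAN policy)'
       Key       = 'HKLM:\SOFTWARE\Microsoft\wcmsvc\wifinetworkmanager\config'
       ValueName = 'AutoConnectAllowedOEM'; Desired = 0 }
)

function Get-EphiPolicyState {
    # One object per policy: the value configured now versus the value we want.
    # A missing key or value means the policy has never been applied to this machine.
    foreach ($p in $Policies) {
        $accept  = if ($p.ContainsKey('Accept')) { $p.Accept } else { @($p.Desired) }
        $current = $null
        if (Test-Path -Path $p.Key) {
            $item = Get-ItemProperty -Path $p.Key -Name $p.ValueName -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($p.ValueName) }
        }
        $display = if ($null -eq $current) { 'not configured' } else { $current }
        [pscustomobject]@{
            Setting   = $p.Name
            Current   = $display
            Desired   = $p.Desired
            Compliant = ($null -ne $current -and $accept -contains $current)
        }
    }
}

function Set-EphiPolicyState {
    # Writes the desired values. The key must be created first: most Policies
    # keys do not exist until some policy has been applied to the machine.
    foreach ($p in $Policies) {
        if (-not (Test-Path -Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        Set-ItemProperty -Path $p.Key -Name $p.ValueName -Value $p.Desired -Type DWord
    }
}

# Usage: audit first; on a test machine, remediate and audit again.
Get-EphiPolicyState | Format-Table -AutoSize
# Set-EphiPolicyState; Get-EphiPolicyState | Format-Table -AutoSize
```

Run the audit again after gpupdate /force on a domain-joined machine: any row that flips back to not configured or to a different value tells you the GPO is not linked, not filtered to that computer, or is being overridden by a higher-precedence policy, which gpresult /h report.html will show.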


Lastly, will applying these Group Policy settings make Windows 10 HIPAA compliant?  No single set of settings does; these reduce the ways ePHI can leave a workstation for Microsoft services.  Consult with your IT security administrator to determine what is appropriate to meet HIPAA regulations.

#hipaa-windows-10, #windows-10-cortana-privacy, #windows-10-ephi, #windows-10-hipaa-compliance, #windows-10-hitech, #windows-10-microsoft-accounts-privacy, #windows-10-onedrive-privacy, #windows-10-pre-release-features-or-settings, #windows-10-speech-inking-and-typing-privacy, #windows-10-telemetry-privacy, #windows-10-turn-off-advertising-id, #windows-10-web-search, #windows-10-wifi-sense-risk

Windows 10 Pro – Export Image Split WIM (SWM) to WIM

Have you had it happen to you that you set out to perform a task but keep running into a wall?  A solid brick wall?

In my quest for creating a Windows image file (WIM) for Windows 10 Professional, to import into Microsoft Deployment Tools (MDT) 2013 Update 2, I spent days trying to perform what should have been a simple task.

The situation was this:

For a lab/ test environment I have two Dell All-in-One computers that I want to test an image on.  The PCs came with Windows 10 Pro 64 pre-installed.  I attempted to import Windows 10 Pro 64bit from Dell media DVD but it includes two Split WIM files (install.swm and install2.swm) instead of install.wim.  It turns out that .swm files are not supported in MDT 2013.  Thus, I set out to merge install.swm and install2.swm into install.wim.

It took countless failed attempts to finally get it to work.

dism /export-image /swmfile:install*.swm /sourceindex:1 /destinationimagefile:install.wim is what I found online to be the right command but it failed miserably with the following:

Error 87:

The Export-Image option is unknown.

That was when attempting to export the files on a Windows 7 machine.  Entering dism /? at the command line clued me in to the fact that the /Export-Image option was not available: it arrived with the Windows 8 version of DISM, and the DISM built into Windows 7 (version 6.1) does not have it.  Installing the Windows ADK on Windows 7 provides a newer DISM that does.

So I moved on to a Windows 8 machine.  The /Export-Image option worked but I was prompted with this:

The command-line is missing the /sourceimagefile option

So I spent what seemed like an eternity searching Google for answers but would stumble upon the same command line over and over:

dism /export-image /swmfile:install*.swm /sourceindex:1 /destinationimagefile:install.wim

I moved on to a Windows 10 machine thinking it mattered; it probably doesn’t.

…and again I tried…

dism /export-image /swmfile:install*.swm /sourceindex:1 /destinationimagefile:install.wim

…and was greeted with:

The command-line is missing the /sourceimagefile option

…so I tried..

dism /export-image /sourceimagefile:install*.swm /sourceindex:1 /destinationimagefile:install.wim

…but /sourceimagefile: does not accept wildcards, so that failed…and then I tried…

dism /export-image /sourceimagefile:install.swm /sourceindex:1 /destinationimagefile:install.wim

…and thought I had it figured out as it began the process but again failed miserably at the end with a different error message:

The specified image file did not contain a resource section

…and I was back to square one.

You know that increasingly upsetting feeling you get after failing so many times?  You are following the instructions to the letter, yet something is missing.  Then you recompose yourself and realize that this has been done before, so you must be doing something wrong.

So I issued dism /export-image /? at the command prompt and stared at the results for several minutes…and then it dawned on me.

I did a Google search for /sourceimagefile: and /swmfile: and found this post.

DISM /Export-Image /SourceImageFile:C:\Temp\SP2Recovery\Source\install.swm /swmfile:C:\Temp\SP2Recovery\Source\install*.swm /SourceIndex:1 /DestinationImageFile:C:\Temp\SP2Recovery\Destination\install.wim

I took that example and modified it to look like this:

dism /export-image /sourceimagefile:install.swm /swmfile:install*.swm /sourceindex:1 /destinationimagefile:install.wim

…but first…

I copied both install.swm and install2.swm into a new folder called images, located in Documents folder.

At the command line I did this:

cd c:\users\administrator\documents\images

…to be in the same directory as the .swm files.

…Finally, running the following from an elevated command prompt:

dism /export-image /sourceimagefile:install.swm /swmfile:install*.swm /sourceindex:1 /destinationimagefile:install.wim

…and the magic happened, successfully exporting the two .swm files into one very large install.wim file that I could import into MDT 2013 Update 2.

The two options do different jobs: /SourceImageFile names the first part of the split set (the one that carries the image header), and /SwmFile supplies the pattern that locates the remaining parts.  Leave out either one and you get the errors above.  One more thing to know: /Export-Image appends to an existing destination WIM rather than replacing it, so delete an install.wim left behind by a failed attempt before running the command again, or you will end up with extra indexes in the file.
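The same merge can be scripted with the DISM PowerShell module (Windows 8.1/10, or the Windows ADK), which has a named parameter for each of the two options that caused the trouble above.  The script below is an added example and not part of the original post; the folder path is the one the post uses, and the verification and hashing steps at the end are this example’s own additions, so the file you hand to MDT can be checked later against what you built.

```powershell
# Added example: merge install.swm + install2.swm into a single install.wim with the
# Dism PowerShell module, then verify the result. Run from an elevated prompt.
# $Source is assumed to hold the .swm parts copied from the Dell media.
#Requires -RunAsAdministrator
$Source = 'C:\Users\administrator\Documents\images'
$First  = Join-Path $Source 'install.swm'      # first part: carries the image header
$Parts  = Join-Path $Source 'install*.swm'     # pattern that locates every part
$Dest   = Join-Path $Source 'install.wim'

# 1. See what the split image contains; a split set is addressed through its first part.
Get-WindowsImage -ImagePath $First | Select-Object ImageIndex, ImageName, ImageSize

# 2. Export appends to an existing destination WIM, so clear any leftover from a failed run.
if (Test-Path -Path $Dest) { Remove-Item -Path $Dest -Force }

# 3. -SplitImageFilePattern is the cmdlet equivalent of dism /SwmFile; -SourceImagePath
#    of /SourceImageFile. Both are required for a split set, exactly as at the command line.
Export-WindowsImage -SourceImagePath $First `
                    -SplitImageFilePattern $Parts `
                    -SourceIndex 1 `
                    -DestinationImagePath $Dest `
                    -CheckIntegrity

# 4. Confirm the merged file is a single, readable WIM with the index MDT will import.
Get-WindowsImage -ImagePath $Dest | Select-Object ImageIndex, ImageName, Architecture, Version

# 5. Record a hash of the image that goes into the deployment share; compare it later
#    to detect a truncated copy or an image someone has modified.
Get-FileHash -Path $Dest -Algorithm SHA256 | Tee-Object -FilePath (Join-Path $Source 'install.wim.sha256')
```

-CheckIntegrity makes the export fail loudly on a corrupt part instead of producing a WIM that only breaks during deployment; keep it on for images that will be pushed to many machines.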


BitLocker – Too Many Pin Entry Attempts – Enter the Recovery Key to Get Going Again – Reset TPM Lockout

On system drives that have been encrypted with BitLocker and configured for pre-boot authentication, users will at one time or another find themselves locked out of the computer.  If too many PIN entry attempts are made, the TPM enters its anti-hammering lockout and an administrator will have to enter the recovery key to get the machine going again.  The administrator will also have to reset the TPM lockout; otherwise the user will keep being prompted with the message Too Many PIN Entry Attempts, and the recovery key will have to be entered to complete every boot until the lockout has been reset.

When using BitLocker pre-boot authentication on a Windows 8 machine, it is very important that the recovery key be saved in a safe place, preferably a central repository such as Active Directory (BitLocker can be configured through Group Policy to escrow recovery passwords there), where administrators can get at every recovery key when needed (and they eventually will).  BitLocker gives you several options for saving the recovery key when enabling pre-boot authentication for a system drive.

Sometimes a user will enter the proper BitLocker PIN at boot and still be met with the message “Too Many PIN Entry Attempts”.  If you see this message you will need to reset the TPM lockout once you are logged in to the system.  To log in, you will have to enter the BitLocker recovery key that was saved when the system drive was encrypted.  Once you have located the recovery key and gained access to the system, right-click the C: drive and select Manage BitLocker.  In the BitLocker Drive Encryption window, click TPM Administration in the bottom left corner.  In the Trusted Platform Module (TPM) Management on Local Computer window, click Reset TPM Lockout.  Before resetting, it is worth asking why the lockout happened: the counter exists to stop PIN guessing, so a machine that locks out repeatedly when its user swears the PIN was right deserves a look at who else has had physical access to it.

The system will again display Enter the PIN to unlock this drive and will accept the BitLocker PIN at boot.
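The same recovery can be done from an elevated PowerShell prompt once you are logged in with the recovery key, which is handy when the machine is being handled remotely.  The script below is an added example, not part of the original post: it checks the TPM lockout state, clears it with the cmdlet that corresponds to the Reset TPM Lockout button, lists the recovery protectors on the system drive, and escrows the recovery password to Active Directory so the next lockout does not turn into a hunt for a printout.  The drive letter is assumed to be C:, and the escrow step assumes a domain member with the Store BitLocker recovery information in Active Directory Domain Services policy in place.

```powershell
# Added example: diagnose and clear a BitLocker/TPM PIN lockout, then make sure the
# recovery password is escrowed. Run elevated, after unlocking with the recovery key.
#Requires -RunAsAdministrator
$Drive = 'C:'   # assumed OS volume

# 1. Lockout state straight from the TPM. LockoutCount / LockoutMax show how close
#    the machine is to locking again; LockedOut is what produces the boot-time message.
$Tpm = Get-Tpm
$Tpm | Select-Object TpmPresent, TpmReady, LockedOut, LockoutCount, LockoutMax, ManagedAuthLevel

# 2. Equivalent of "Reset TPM Lockout" in tpm.msc. On TPM 1.2 this needs the owner
#    authorization; when Windows owns the TPM (ManagedAuthLevel Full) it is read from the
#    registry, otherwise pass it with -OwnerAuthorization from the saved owner password file.
if ($Tpm.LockedOut) {
    Unblock-Tpm
    Write-Output 'TPM lockout cleared; the PIN prompt will accept the PIN at next boot.'
} else {
    Write-Output 'TPM is not locked out; if the PIN is still refused, suspect the PIN itself.'
}

# 3. Recovery protectors on the OS volume: the ID is what Active Directory and the
#    BitLocker recovery screen display, the password is the 48-digit key.
$Recovery = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
$Recovery | Select-Object KeyProtectorId, RecoveryPassword

# 4. Escrow each recovery password to AD DS so an admin can look it up by key ID later.
#    Requires a domain member and the Store BitLocker recovery information policy.
foreach ($r in $Recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $r.KeyProtectorId
}
```

If a machine keeps locking out, Get-Tpm before each reset gives you a LockoutCount to record; a count that climbs while the user reports entering the correct PIN is evidence of guessing, not of a forgotten PIN, and the right response is to change the PIN and rotate the recovery password rather than simply clear the lockout again.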

#bitlocker, #bitlocker-drive-encryption, #bitlocker-pin, #bitlocker-preboot, #bitlocker-system-drive, #encryption, #enter-the-pin-to-unlock-this-drive, #enter-the-recovery-key-to-get-going-again, #reset-tpm-lockout, #too-many-pin-entry-attempts