HIPAA HITECH and Windows 10 – 5 Settings to better secure ePHI

Windows 10 and HIPAA HITECH compliance was called into question soon after the OS was released.  This is not another post on whether or not Windows 10 is HIPAA compliant; for more on that you can read https://maaadit.wordpress.com/2015/12/15/hipaa-windows-10-privacy-concerns/.

What this post is about is how to better secure ePHI if using Windows 10 in healthcare.  Should you use Windows 10 in healthcare amid all the HIPAA concerns?  HIPAA compliance, as it has been said before is up to the covered entity.  You, as a covered entity, are ultimately responsible for securing ePHI.

Windows 10 is fairly new.  As it applies to every other new technology out there, it is recommended to wait until it has been widely accepted by the healthcare industry before implementing it as a full blown computing solution.   Having said that, you may still find a place for Windows 10 in your organization.


HIPAA HITECH – Windows 10 – 5 settings to better secure ePHI (Electronic Protected Health Information).


Telemetry – Sends system data to Microsoft after a system/ app hang or crash

Why should Telemetry settings be configured for organizations that work with ePHI?  The following excerpt from a ZDNet article by Ed Bott explains that at the Enhanced setting, data transmissions to Microsoft include memory contents of faulting processes.


Yes, especially at the higher telemetry settings.

The collection process is tailored so that the telemetry component avoids gathering information that could directly identify a person or an organization. However, at the Enhanced setting, when Windows or an app crashes or hangs, the memory contents of the faulting process are included in the diagnostic report generated at the time of the crash or hang, and that crash dump might include sensitive information.

Enhanced is the default Telemetry setting in Windows 10.  Why is this important for HIPAA covered entities?  If a user accessed patient information when the application in use crashed, is it possible that patient information was loaded in memory at the time of crash/ hang.? Could there exist the possibility of it being included in a diagnostic report and be accidentally sent to Microsoft?

How to configure Telemetry settings in Windows 10 computers on the domain using Group Policy?

Use Group Policy to set the telemetry level

Use a Group Policy object to set your organization’s telemetry level.

  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
  2. Double-click Allow Telemetry.
  3. In the Options box, select the level that you want to configure, and then click OK.


Speech, Inking and Typing – Collects information like speech and handwriting patterns and typing history

Why Input Personalization should probably be disabled for organizations that work with ePHI? As pointed out in Windows 10 speech, inking, typing, and privacy: FAQ:

We also collect your typed and handwritten words to improve character recognition and provide you with a personalized user dictionary and text completion suggestions. Some of this data is stored on your device and some is sent to Microsoft to help improve these services.

Is it possible that any collected words may accidentally include patient information?

To disable Speech, Inking and Typing using Group Policy:

In Group Policy Management Console navigate to Computer Configuration\ Administrative Templates\ Control Panel\ Regional and Language Options\ Allow Input Personalization and set to Disabled.


OneDrive – Microsoft cloud storage

If you are a HIPAA covered entity, unless you have a signed BAA with Microsoft, you should probably prevent the usage of OneDrive for file storage.  Why?  Because less tech savvy users could accidentally store files containing ePHI in OneDrive; without a BAA, this would be in violation of HIPAA privacy rules.  It is possible to acquire a BAA with Microsoft however if you do wish to use Microsoft’s cloud storage service.

To turn off OneDrive in your organization:

  • Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage

Note: Set to Enabled


Microsoft accounts – In Windows 10, allows users to log in to workstations using a Microsoft account

It is strongly recommended that Microsoft Accounts be disabled via Group Policy unless a BAA has been signed with Microsoft.  More information regarding Microsoft cloud services and HIPAA/ HITECH ACT here.

Why you may want to prohibit the use of Microsoft accounts to log in to Windows 10?  Users logging in to Windows 10 with a Microsoft account will have access to storage in the cloud with OneDrive.  Also, they will be able to sync settings which could include content in certain apps as explained here. Might any of this content contain ePHI?

In Group Policy navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts and set to Users can’t add or log on with Microsoft accounts


Cortana – Mircrosoft’s virtual assistant

Why you should probably disable Cortana for workstations running Windows 10 in healthcare organizations:

Cortana, Search, and privacy: FAQ

When I use Cortana, what information is collected and where is it saved?

When you use Cortana, Microsoft collects and uses information including your device location information and location history, contacts (People), voice input, searching history, calendar details, content and communication history from messages and apps, and other information on your device. In Microsoft Edge, Cortana collects and uses your browsing history.

This information is saved on your device, in your Cortana Notebook, and in the cloud on the Bing.com dashboard.

Why might this be of concern for HIPAA covered entities using Windows 10?

If conducting a search for patient files on a Windows 10 PC using Cortana, and if you are using patient identifiers to conduct your search queries, is it possible for those identifiers to be saved in search history and perhaps in the Bing.com Dashboard?

To disable Cortana in Group Policy navigate to Computer Configuration > Administrative Templates > Windows Components > Search> Allow Cortana and set to Disabled.


Other Windows 10 Group Policy settings to consider modifying:


Don’t search the web or display web results in Search


Don’t search the web or display web results in Search over metered connections – Prevents searching the web via Windows Search

Why might you want to disable web search?  It is a good idea if you don’t want your local search queries sent to Bing.

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search over metered connections

Note: Set to Enabled.


Disable Pre-release features or settings – This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior

In a production environment you may not want to allow Microsoft to experiment with the product.

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Disable pre-release features or settings

Note: Set to Disabled.


Turn off the advertising ID – Advertising ID allows sharing of information for the purpose of delivering targeted ads

Turn off the advertising ID to disable targeted ads

Computer Configuration> Administrative Templates> System> User Profiles> Turn off the advertising ID

Note: Set to Enabled


WiFi Sense – Allows Windows 10 users to share WiFi bandwidth with their contacts without sharing the password directly with the other users; also, it allows Windows 10 users to connect to WiFi hotspots that are shared by others

What does Wi‑Fi Sense do?

Wi‑Fi Sense connects you to Wi‑Fi networks around you. It can do these things for you to get you Internet access:
  • Automatically connect you to open Wi‑Fi networks it knows about by crowdsourcing networks that other people using Windows have connected to. These are typically open Wi‑Fi hotspots you see when you’re out and about.

  • Automatically connect you to Wi‑Fi networks that your Facebook friends, Outlook.com contacts, or Skype contacts have shared with you after you’ve shared at least one network with your contacts. When you and your contacts share Wi‑Fi networks with each other, you give each other Internet access without having to tell each other your passwords. No networks are shared automatically. When you first connect to a network that you decide to share, you’ll need to enter the password, and then select the Share network with my contacts check box to share that network.

Why might this be a problem?  From an IT administrative standpoint, you do not want your users to have access to unsecured networks outside of the organization nor do you want users sharing the organizations bandwidth with individuals outside of the organization.

Users have to be signed in to a Microsoft account in order to use WiFi Sense (another good reason why you may want to disable Microsoft accounts in a work environment).  To prohibit users from accessing WiFi hotspots, in Group Policy go to Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts and to hotspots offering paid services and set it to Disabled.


Lastly, will applying these Group Policy settings make Windows 10 HIPAA compliant?  Consult with your IT security administrator to determine what is appropriate to meet HIPAA regulations.

4 thoughts on “HIPAA HITECH and Windows 10 – 5 Settings to better secure ePHI

  1. Windows10’s HIPAA problems are not (or not only) technical. The technical issues are largely addressed above.

    The real problem is the EULA. It *grants access* to Microsoft to any information residing on a Windows10-equipped machine.

    As a HIPAA Covered Entity, you do not have that right, if any ePHI is on that machine. From a legal viewpoint, putting any ePHI on a Windows10-equipped machine is a willful violation — irrespective of whether the violation is exploited.

    Unless you have a BAA with Microsoft, that is. Microsoft offers “automatic BAA” for users of Office365; however, I have found no trace of such an arrangement for Windows10. Contacting Microsoft has not borne fruit — at least this far.

    If you have been more successful than me in that respect, I would appreciate knowing how you solve this!


    1. Appreciate your input. This is the first time I see the Windows 10 EULA explained as it applies to HIPAA covered entities. I will look more into this.


  2. Thank you for this article. It is now over a year later and several large windows revisions were released, have you heard of any changes in Microsoft policies or software settings pertaining to this article?

    Do you happen to have any Powershell commands or registry key equivalents of the above GPOs?

    Have you seen these two projects below?



    Thank you!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s