Windows 10 and HIPAA HITECH compliance was called into question soon after the OS was released. This is not another post on whether or not Windows 10 is HIPAA compliant; for more on that you can read https://maaadit.wordpress.com/2015/12/15/hipaa-windows-10-privacy-concerns/.
What this post is about is how to better secure ePHI if using Windows 10 in healthcare. Should you use Windows 10 in healthcare amid all the HIPAA concerns? HIPAA compliance, as has been said before, is up to the covered entity. You, as a covered entity, are ultimately responsible for securing ePHI.
Windows 10 is fairly new. As with every other new technology out there, it is recommended to wait until it has been widely accepted by the healthcare industry before implementing it as a full-blown computing solution. Having said that, you may still find a place for Windows 10 in your organization.
HIPAA HITECH – Windows 10 – 5 settings to better secure ePHI (Electronic Protected Health Information).
• Telemetry – Sends system data to Microsoft after a system/app hang or crash
Why should Telemetry settings be configured for organizations that work with ePHI? The following excerpt from a ZDNet article by Ed Bott explains that at the Enhanced setting, data transmissions to Microsoft include memory contents of faulting processes.
IS IT POSSIBLE FOR MICROSOFT TO COLLECT BUSINESS OR PERSONAL INFORMATION?
Yes, especially at the higher telemetry settings.
The collection process is tailored so that the telemetry component avoids gathering information that could directly identify a person or an organization. However, at the Enhanced setting, when Windows or an app crashes or hangs, the memory contents of the faulting process are included in the diagnostic report generated at the time of the crash or hang, and that crash dump might include sensitive information.
Enhanced is the default Telemetry setting in Windows 10. Why is this important for HIPAA covered entities? If a user was accessing patient information when the application in use crashed, is it possible that patient information was loaded in memory at the time of the crash/hang? Could it then be included in a diagnostic report and accidentally sent to Microsoft?
How to configure Telemetry settings in Windows 10 computers on the domain using Group Policy?
Use Group Policy to set the telemetry level
Use a Group Policy object to set your organization’s telemetry level.
- From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
- Double-click Allow Telemetry.
- In the Options box, select the level that you want to configure, and then click OK.
• Speech, Inking and Typing – Collects information like speech and handwriting patterns and typing history
Why should Input Personalization probably be disabled for organizations that work with ePHI? As pointed out in Windows 10 speech, inking, typing, and privacy: FAQ:
We also collect your typed and handwritten words to improve character recognition and provide you with a personalized user dictionary and text completion suggestions. Some of this data is stored on your device and some is sent to Microsoft to help improve these services.
Is it possible that any collected words may accidentally include patient information?
To disable Speech, Inking and Typing using Group Policy:
In Group Policy Management Console navigate to Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow Input Personalization and set to Disabled.
• OneDrive – Microsoft cloud storage
If you are a HIPAA covered entity, unless you have a signed BAA with Microsoft, you should probably prevent the usage of OneDrive for file storage. Why? Because less tech savvy users could accidentally store files containing ePHI in OneDrive; without a BAA, this would be in violation of HIPAA privacy rules. It is possible to acquire a BAA with Microsoft however if you do wish to use Microsoft’s cloud storage service.
To turn off OneDrive in your organization:
- Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage
Note: Set to Enabled
• Microsoft accounts – In Windows 10, allows users to log in to workstations using a Microsoft account
It is strongly recommended that Microsoft Accounts be disabled via Group Policy unless a BAA has been signed with Microsoft. More information regarding Microsoft cloud services and HIPAA/ HITECH ACT here.
Why might you want to prohibit the use of Microsoft accounts to log in to Windows 10? Users logging in to Windows 10 with a Microsoft account will have access to storage in the cloud with OneDrive. Also, they will be able to sync settings, which could include content in certain apps as explained here. Might any of this content contain ePHI?
In Group Policy navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts and set to Users can’t add or log on with Microsoft accounts
• Cortana – Microsoft’s virtual assistant
Why you should probably disable Cortana for workstations running Windows 10 in healthcare organizations:
Cortana, Search, and privacy: FAQ
When I use Cortana, what information is collected and where is it saved?
Other Windows 10 Group Policy settings to consider modifying:
• Don’t search the web or display web results in Search, and Don’t search the web or display web results in Search over metered connections – Prevent searching the web via Windows Search
Why might you want to disable web search? It is a good idea if you don’t want your local search queries sent to Bing.
Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search
Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search over metered connections
Note: Set to Enabled.
• Disable pre-release features or settings – This policy setting determines the level at which Microsoft can experiment with the product to study user preferences or device behavior
In a production environment you may not want to allow Microsoft to experiment with the product.
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Disable pre-release features or settings
Note: Set to Disabled.
• Turn off the advertising ID – The advertising ID allows sharing of information for the purpose of delivering targeted ads
Turn off the advertising ID to disable targeted ads
Computer Configuration> Administrative Templates> System> User Profiles> Turn off the advertising ID
Note: Set to Enabled
• WiFi Sense – Allows Windows 10 users to share WiFi bandwidth with their contacts without sharing the password directly with the other users; also, it allows Windows 10 users to connect to WiFi hotspots that are shared by others
What does Wi‑Fi Sense do?
Why might this be a problem? From an IT administrative standpoint, you do not want your users to have access to unsecured networks outside of the organization, nor do you want users sharing the organization’s bandwidth with individuals outside of the organization.
Users have to be signed in to a Microsoft account in order to use WiFi Sense (another good reason why you may want to disable Microsoft accounts in a work environment). To prohibit users from accessing WiFi hotspots, in Group Policy go to Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts and to hotspots offering paid services and set it to Disabled.
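Once these policies are applied, you will want a way to confirm that each workstation actually received them rather than trusting that the GPO linked correctly. The following PowerShell script is an added example (it is not part of the original post) that reads the registry values the Group Policy settings discussed above write and reports PASS or FAIL against the value recommended for each one. The registry paths and value names are my assumption of what the corresponding ADMX policies set; they come from general Windows documentation, not from this post, and the Wi-Fi Sense location in particular should be verified against your own ADMX files before relying on it. The script covers every setting on the page (telemetry, input personalization, OneDrive, Microsoft accounts, web search, pre-release features, advertising ID and Wi-Fi Sense), so it serves as one check for the whole procedure.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt
# on a domain-joined Windows 10 machine after 'gpupdate /force'.
# ASSUMPTION: the registry locations below are the ones the corresponding ADMX
# policies write. They are taken from general Windows documentation, not the post.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not Configured"
    # and the Windows default (e.g. Enhanced telemetry) applies.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$Checks = @(
    @{ Setting  = 'Allow Telemetry'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name     = 'AllowTelemetry'
       # 0 = Security (Enterprise/Education only), 1 = Basic, 2 = Enhanced (default), 3 = Full.
       # Enhanced is the level at which crash-time memory contents are included.
       Expected = '0 or 1 (below Enhanced)'
       Test     = { param($v) ($null -ne $v) -and ($v -le 1) } },
    @{ Setting  = 'Allow Input Personalization'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'
       Name     = 'AllowInputPersonalization'
       Expected = '0 (Disabled)'
       Test     = { param($v) $v -eq 0 } },
    @{ Setting  = 'Prevent the usage of OneDrive for file storage'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       Name     = 'DisableFileSyncNGSC'
       Expected = '1 (Enabled)'
       Test     = { param($v) $v -eq 1 } },
    @{ Setting  = 'Accounts: Block Microsoft accounts'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'NoConnectedUser'
       # 1 = users cannot add Microsoft accounts; 3 = users cannot add or log on with them
       Expected = '3 (Users cannot add or log on with Microsoft accounts)'
       Test     = { param($v) $v -eq 3 } },
    @{ Setting  = "Don't search the web or display web results in Search"
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name     = 'ConnectedSearchUseWeb'
       Expected = '0 (policy Enabled)'
       Test     = { param($v) $v -eq 0 } },
    @{ Setting  = "Don't search the web ... over metered connections"
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name     = 'ConnectedSearchUseWebOverMeteredConnections'
       Expected = '0 (policy Enabled)'
       Test     = { param($v) $v -eq 0 } },
    @{ Setting  = 'Disable pre-release features or settings'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
       Name     = 'AllowBuildPreview'
       Expected = '0 (policy Disabled)'
       Test     = { param($v) $v -eq 0 } },
    @{ Setting  = 'Turn off the advertising ID'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Name     = 'DisabledByGroupPolicy'
       Expected = '1 (Enabled)'
       Test     = { param($v) $v -eq 1 } },
    @{ Setting  = 'Wi-Fi Sense: automatically connect to suggested hotspots / shared networks'
       # ASSUMPTION: verify this path against your ADMX; it is the least standard of the set.
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\wifinetworkmanager\config'
       Name     = 'AutoConnectAllowedOEM'
       Expected = '0 (policy Disabled)'
       Test     = { param($v) $v -eq 0 } }
)

function Test-EphiPolicyBaseline {
    # Emits one row per setting so the output can be piped to Export-Csv for a
    # compliance record, or filtered on Status to find drift.
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Setting  = $c.Setting
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'Not Configured' } else { $actual }
            Status   = if (& $c.Test $actual) { 'PASS' } else { 'FAIL' }
        }
    }
}

$results = Test-EphiPolicyBaseline
$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or configuration-management run flag drift.
if ($results.Status -contains 'FAIL') { exit 1 }
```

A value reported as "Not Configured" is the case to watch for: it does not mean the feature is off, it means the Windows default is in force, which for telemetry is the Enhanced level the post warns about. Pairing this script with `Invoke-Command` across a set of workstations gives you a per-machine record you can keep with your risk-assessment documentation.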
Lastly, will applying these Group Policy settings make Windows 10 HIPAA compliant? Consult with your IT security administrator to determine what is appropriate to meet HIPAA regulations.