HIPAA HITECH and Windows 10 – 5 Settings to better secure ePHI

Windows 10 and HIPAA HITECH compliance was called into question soon after the OS was released.  This is not another post on whether or not Windows 10 is HIPAA compliant; for more on that you can read https://maaadit.wordpress.com/2015/12/15/hipaa-windows-10-privacy-concerns/.

What this post is about is how to better secure ePHI if using Windows 10 in healthcare.  Should you use Windows 10 in healthcare amid all the HIPAA concerns?  HIPAA compliance, as it has been said before is up to the covered entity.  You, as a covered entity, are ultimately responsible for securing ePHI.

Windows 10 is fairly new.  As it applies to every other new technology out there, it is recommended to wait until it has been widely accepted by the healthcare industry before implementing it as a full blown computing solution.   Having said that, you may still find a place for Windows 10 in your organization.

 

HIPAA HITECH – Windows 10 – 5 settings to better secure ePHI (Electronic Protected Health Information).

 

Telemetry – Sends system data to Microsoft after a system/ app hang or crash

Why should Telemetry settings be configured for organizations that work with ePHI?  The following excerpt from a ZDNet article by Ed Bott explains that at the Enhanced setting, data transmissions to Microsoft include memory contents of faulting processes.

IS IT POSSIBLE FOR MICROSOFT TO COLLECT BUSINESS OR PERSONAL INFORMATION?

Yes, especially at the higher telemetry settings.

The collection process is tailored so that the telemetry component avoids gathering information that could directly identify a person or an organization. However, at the Enhanced setting, when Windows or an app crashes or hangs, the memory contents of the faulting process are included in the diagnostic report generated at the time of the crash or hang, and that crash dump might include sensitive information.

Enhanced is the default Telemetry setting in Windows 10.  Why is this important for HIPAA covered entities?  If a user accessed patient information when the application in use crashed, is it possible that patient information was loaded in memory at the time of crash/ hang.? Could there exist the possibility of it being included in a diagnostic report and be accidentally sent to Microsoft?

How to configure Telemetry settings in Windows 10 computers on the domain using Group Policy?

Use Group Policy to set the telemetry level

Use a Group Policy object to set your organization’s telemetry level.

  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
  2. Double-click Allow Telemetry.
  3. In the Options box, select the level that you want to configure, and then click OK.

 

Speech, Inking and Typing – Collects information like speech and handwriting patterns and typing history

Why Input Personalization should probably be disabled for organizations that work with ePHI? As pointed out in Windows 10 speech, inking, typing, and privacy: FAQ:

We also collect your typed and handwritten words to improve character recognition and provide you with a personalized user dictionary and text completion suggestions. Some of this data is stored on your device and some is sent to Microsoft to help improve these services.

Is it possible that any collected words may accidentally include patient information?

To disable Speech, Inking and Typing using Group Policy:

In Group Policy Management Console navigate to Computer Configuration\ Administrative Templates\ Control Panel\ Regional and Language Options\ Allow Input Personalization and set to Disabled.

 

OneDrive – Microsoft cloud storage

If you are a HIPAA covered entity, unless you have a signed BAA with Microsoft, you should probably prevent the usage of OneDrive for file storage.  Why?  Because less tech savvy users could accidentally store files containing ePHI in OneDrive; without a BAA, this would be in violation of HIPAA privacy rules.  It is possible to acquire a BAA with Microsoft however if you do wish to use Microsoft’s cloud storage service.

To turn off OneDrive in your organization:

  • Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage

Note: Set to Enabled

 

Microsoft accounts – In Windows 10, allows users to log in to workstations using a Microsoft account

It is strongly recommended that Microsoft Accounts be disabled via Group Policy unless a BAA has been signed with Microsoft.  More information regarding Microsoft cloud services and HIPAA/ HITECH ACT here.

Why you may want to prohibit the use of Microsoft accounts to log in to Windows 10?  Users logging in to Windows 10 with a Microsoft account will have access to storage in the cloud with OneDrive.  Also, they will be able to sync settings which could include content in certain apps as explained here. Might any of this content contain ePHI?

In Group Policy navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts and set to Users can’t add or log on with Microsoft accounts

 

Cortana – Mircrosoft’s virtual assistant

Why you should probably disable Cortana for workstations running Windows 10 in healthcare organizations:

Cortana, Search, and privacy: FAQ

When I use Cortana, what information is collected and where is it saved?

When you use Cortana, Microsoft collects and uses information including your device location information and location history, contacts (People), voice input, searching history, calendar details, content and communication history from messages and apps, and other information on your device. In Microsoft Edge, Cortana collects and uses your browsing history.

This information is saved on your device, in your Cortana Notebook, and in the cloud on the Bing.com dashboard.

Why might this be of concern for HIPAA covered entities using Windows 10?

If conducting a search for patient files on a Windows 10 PC using Cortana, and if you are using patient identifiers to conduct your search queries, is it possible for those identifiers to be saved in search history and perhaps in the Bing.com Dashboard?

To disable Cortana in Group Policy navigate to Computer Configuration > Administrative Templates > Windows Components > Search> Allow Cortana and set to Disabled.

 

Other Windows 10 Group Policy settings to consider modifying:

 

Don’t search the web or display web results in Search

and..

Don’t search the web or display web results in Search over metered connections – Prevents searching the web via Windows Search

Why might you want to disable web search?  It is a good idea if you don’t want your local search queries sent to Bing.

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search over metered connections

Note: Set to Enabled.

 

Disable Pre-release features or settings – This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior

In a production environment you may not want to allow Microsoft to experiment with the product.

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Disable pre-release features or settings

Note: Set to Disabled.

 

Turn off the advertising ID – Advertising ID allows sharing of information for the purpose of delivering targeted ads

Turn off the advertising ID to disable targeted ads

Computer Configuration> Administrative Templates> System> User Profiles> Turn off the advertising ID

Note: Set to Enabled

 

WiFi Sense – Allows Windows 10 users to share WiFi bandwidth with their contacts without sharing the password directly with the other users; also, it allows Windows 10 users to connect to WiFi hotspots that are shared by others

What does Wi‑Fi Sense do?

Wi‑Fi Sense connects you to Wi‑Fi networks around you. It can do these things for you to get you Internet access:
  • Automatically connect you to open Wi‑Fi networks it knows about by crowdsourcing networks that other people using Windows have connected to. These are typically open Wi‑Fi hotspots you see when you’re out and about.

  • Automatically connect you to Wi‑Fi networks that your Facebook friends, Outlook.com contacts, or Skype contacts have shared with you after you’ve shared at least one network with your contacts. When you and your contacts share Wi‑Fi networks with each other, you give each other Internet access without having to tell each other your passwords. No networks are shared automatically. When you first connect to a network that you decide to share, you’ll need to enter the password, and then select the Share network with my contacts check box to share that network.

Why might this be a problem?  From an IT administrative standpoint, you do not want your users to have access to unsecured networks outside of the organization nor do you want users sharing the organizations bandwidth with individuals outside of the organization.

Users have to be signed in to a Microsoft account in order to use WiFi Sense (another good reason why you may want to disable Microsoft accounts in a work environment).  To prohibit users from accessing WiFi hotspots, in Group Policy go to Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts and to hotspots offering paid services and set it to Disabled.

 

Lastly, will applying these Group Policy settings make Windows 10 HIPAA compliant?  Consult with your IT security administrator to determine what is appropriate to meet HIPAA regulations.

#hipaa-windows-10, #windows-10-cortana-privacy, #windows-10-ephi, #windows-10-hipaa-compliance, #windows-10-hitech, #windows-10-microsoft-accounts-privacy, #windows-10-onedrive-privacy, #windows-10-pre-release-features-or-settings, #windows-10-speech-inking-and-typing-privacy, #windows-10-telemetry-privacy, #windows-10-turn-off-advertising-id, #windows-10-web-search, #windows-10-wifi-sense-risk

HIPAA Windows 10 Privacy Concerns

Windows 10 has generated privacy concerns for Healthcare IT professinals as much as it has generated interest in the consumer market.

HIPAA Windows 10 Privacy Concerns are in full swing as healthcare organizations begin making preparations to update.

Windows 10 privacy concerns regarding HIPAA regulations has risen from all the new features offered in Windows 10.  Windows 10 has been described by some as residing partially in the cloud.  That is, as consumers are now being lead to cloud based services, so Microsoft has developed  it’s Windows 10 operating system to be evermore so connected to their servers in the back end.

 

Some of the features that Healthcare IT professionals are concerned about include Input Personalization as noted in this popular article.

https://www.linkedin.com/pulse/does-windows-10-violate-hipaa-steve-hoffenberg

According to Microsoft’s privacy statement for Windows 10 (https://www.microsoft.com/en-us/privacystatement/default.aspx), for the “Input Personalization” feature, “…your typed and handwritten words are collected to provide you a personalized user dictionary, help you type and write on your device with better character recognition, and provide you with text suggestions as you type or write. Typing data includes a sample of characters and words you type, which we scrub to remove IDs, IP addresses, and other potential identifiers.”…

…In addition, Windows 10 Input Personalization, “collect[s] your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames.”…

  • Is the input scrubbed of personally identifiable information before or after it’s sent to Microsoft (i.e. on the local PC or in Microsoft’s servers)?
  • Is the input data encrypted before it’s transmitted to Microsoft?
  • Is Microsoft storing the collected data?

 

Mr. Hoffenberg is not alone in his privacy concerns regarding Windows 10.   The question of whether or not Windows 10 is HIPAA and HITECH compliant was posted on Microsoft’s website as detailed in the linked article below.  As of now, I believe the question remains unanswered but was moved over to a discussion forum.

http://blog.capterra.com/hipaa-compliance-and-windows-10-5-things-you-need-to-know/

 

Another cause for Windows 10 privacy concerns is Data Syncing as explained in The Windows 10 Privacy Issues you Should Know About.

 

…and the list of HIPAA Windows 10 privacy concerns goes on…

 

http://www.hipaaone.com/windows-10-and-hipaa/

The following Windows 10 features are new and cause concern for anyone responsible for maintaining HIPAA compliance in their organization:

  1. Cortana: Microsoft’s answer to Siri and Google Talk.  Cortana “learns” how each person speaks and writes by taking samples.  In addition, names, nicknames, recent calendar events and contacts are maintained.

  2. Data Sync: Default setting allows the operating system to sync settings and data into Microsoft’s servers. It is intended to sync passwords, website plugins, favorites, etc.; however it may lead to users’ credentials being vicariously breached by Microsoft.

  3. 3rd party Advertisers: The Advertising ID provides a unique identifier per user allowing collections of data to be shared with 3rd party advertisers.  This may help fund the “free” upgrade to Windows 10 from previous versions, and is provided to help provide more effective targeted ads when using 3rd party applications.  Turning this off will not block ads from appearing, but they may not be as targeted, as your users will remain more anonymous with this feature turned off.

  4. Bitlocker: Windows 10 will automatically backup your encryption key to OneDrive, unless you are using Active Directory Group Policy to manage this element.  Also, if you are using Bitlocker or planning to use Bitlocker, ensure you use the TPM+PIN option or turn off hibernation/sleep support to avoid having to report a breach if a Bitlocker-encrypted laptop is lost or stolen.

  5. Telemetry:  Those familiar with the Windows Pop-up sending diagnostic information after a program crashes to Microsoft for product improvement will want to know about Telemetry.  Telemetry is an enhanced diagnostics and tracking service which sends additional information to Microsoft for new features such as per-application updates, Windows 10 upgrade offers, etc.  This is a well-documented How-To disable Telemetry from our friends at Winaero.

 

Regarding Telemetry you can read Windows 10 makes diagnostic data collection compulsory.  Of key interest to those concerned with HIPAA compliance is this tidbit of information:

Full switches on other data gleaning, including advanced diagnostics “that collect … such [things] as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred.”

 

Microsoft’s new license agreement as explained in this article is painfully straightforward in regards to personal data.  The article goes on to describe it (Windows 10) as “a privacy nightmare for everyone”.

Let’s look at the Windows 10’s new license agreement, which contains this nugget in its privacy policy. Microsoft says:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”

 

Another Windows 10 feature that is troubling, not only for Healthcare IT Professionals, but for network administrators is Wi-Fi Sense.

https://personcenteredtech.com/2015/09/21/4-settings-to-change-on-windows-10-for-hipaa-ethics-and-your-clients/

Wi-Fi Sense is a feature of Windows 10 that allows you to easily share your various Wi-Fi networks with people on your contact list. It’s handy because you don’t have to give them the password to your Wi-Fi. You simply add them to your computer’s Wi-Fi Sense list and it Just Works.

The list of people that you can share your Wi-Fi networks with through Wi-Fi Sense is very extensive. It can go so far as anyone who is your Facebook friend. Experts have determined that there are various ways for bad guys to exploit Wi-Fi Sense and get access to places they really shouldn’t be.

 

It is quite obvious that the contest for delivering cloud based services has been accelerating and will continue to do so.  Microsoft has made an aggressive push towards that end with Windows 10.

While regular consumers will voice their own privacy concerns they will likely be ignored;  healthcare organizations, on the other hand,  are obligated by law to comply in keeping patient data private…and privacy is what seems to be going out the window in order to enhance functionality and provide feature rich content.

In closing, HIPAA Windows 10 privacy concerns need to be addressed before moving forward with an upgrade to Windows 10.

**Update**  For information on better securing ePHI while using Windows 10 in healthcare read https://maaadit.wordpress.com/2016/03/22/hipaa-hitech-and-windows-10-5-settings-to-better-secure-ephi/.

#hipaa-2, #hipaa-cortana, #hipaa-data-sync, #hipaa-input-personalization, #hipaa-telemetry, #hipaa-wifi-sense, #hipaa-windows-10, #windows-10-privacy-concerns