How to make Windows 10 HIPAA compliant?

Yes, you do that through Group Policy.

And scan and report all the files on the storage as well? In any case, you'd need a domain to control that properly. And that's kind of the key to Windows in an enterprise environment.
 
I believe Microsoft's necessity regarding the use of ADDC on any network with ten machines or under is a downright joke. The use of ADDC should implement the use of two ADDC servers for redundancy, this never happens in the case of networks running 40 machines let alone networks running 10 machines due to budget constraints! The OP has already highlighted the client's budget as a requirement, Windows 10 is not an affordable or practical solution in this instance. One ADDC server is a single point of massive failure in any small business network, and chances are we are talking about a small business here, not a corporate environment.

You don't really implement Group Policy in the workplace without the use of a DC.
 
You could install a Linux distro on a machine as is, hand it to a user that handles medical data, and that's not one bit more HIPPA compliant, at least if you read the HIPPA docs, than doing the same thing with Windows 10. Most of the HIPPA IT docs talk about how devices are managed, data recovery, device loss mitigation and access control. If all you're worried about is the damned OS then I guarantee you have glaring HIPPA problems.
 
What?

I can assure you, every restriction you can care to implement on a Windows 10 machine you can implement on a Linux machine! Having said that I never even specifically mentioned Linux. When it comes to corporate server implementation, Microsoft is the little guy in direct comparison to Linux.
 
I can assure you, every restriction you can care to implement on a Windows 10 machine you can implement on a Linux machine!

The point being you would have to implement the restrictions. Are you preventing employees from copying patient data to a USB device, FTPing it or sending it through email? If the device is lost, do you have remote wipe capability? Do you enforce password policies? This is what HIPPA is about.

Having said that I never even specifically mentioned Linux. When it comes to corporate server implementation, Microsoft is the little guy in direct comparison to Linux.

Little guy in corporate servers? Not exactly. And they still rule the corporate desktop.
 
We all know what HIPAA compliance is about, the OP is asking a question specifically relating to the OS. When it comes to HIPAA compliance it's going to be far easier to achieve on a Linux machine than a Windows 10 machine - For example.

And compared to Linux, Windows is the little guy when it comes to corporate servers. Geezus.
 
We all know what HIPAA compliance is about, the OP is asking a question specifically relating to the OS.

I doubt that. Because there's no such thing as a HIPPA compliant OS.

When it comes to HIPAA compliance it's going to be far easier to achieve on a Linux machine than a Windows 10 machine - For example.

In an enterprise domain environment, I'd disagree. In whatever environment the OP is talking about, I have no idea. Without centralized monitoring and control there's no way to even think about HIPPA, whatever the OS.

And compared to Linux, Windows is the little guy when it comes to corporate servers. Geezus.

We run tons of Windows and Linux servers. We're a typical large enterprise environment where there tends to be a mix of Linux and Windows servers these days.
 
HIPAA, HIPAA, come on say it with me, HIPAA... Hip-AHHHH... Hip-AHHH and not HIP-PAH... to paraphrase a line from one of my favorite movies, "Give me a P, Vasily... one P only, please." :D
 
I doubt that. Because there's no such thing as a HIPPA compliant OS.

In an enterprise domain environment, I'd disagree. In whatever environment the OP is talking about, I have no idea. Without centralized monitoring and control there's no way to even think about HIPPA, whatever the OS.

We run tons of Windows and Linux servers. We're a typical large enterprise environment where there tends to be a mix of Linux and Windows servers these days.

Hmmmm, whatever. A predictable line of discussion as always that's not really worth pursuing TBH. Believe whatever you want to believe.
 
It's just that I work at a place where data security is pretty much the whole enchilada. A hospital gets hacked, you're still probably going to go there if that's what your insurance covers or a doctor you like is in that system. Your account gets cleared out along with thousands of millions of others, you're never going to that bank again. This is very serious stuff, and it involves a lot more than just what OS you're using.
 
Yes, I know there is a lot of fud on the issue. I just need to get to the best way of making 10 HIPAA compliant.
I don't need the 10 bashing, and the 10 hyping.

The answer:

If you want to make Windows 10 HIPAA compliant there are better options considering the obvious budget of the client. As I stated, the job is not really one that I'd consider pursuing as the needs of the client vs budget conflict.

That's not Windows 10 bashing, even though bash is now available under Windows 10 as MS loses the server war - That's fact.

For some hilarious reason you keep confusing enterprise with small business! There's a vast difference between enterprise and an independent insurance agent.
 
That's not an answer because there's no such thing as a HIPPA compliant OS. HIPPA from an IT standpoint are guidelines to manage systems. If you wiped Windows 10 from every system and installed Linux on all of them, without centralized monitoring and controls you'd be no more HIPPA compliant.
 
Well, the OP appears to think otherwise Heatlesssun.
 
You might be able to block all the MS IP ranges at the firewall. For computers that are dedicated for EHR use and do not really need internet access, could even have those on a separate vlan that has no internet access, or only access to a specific set of sites.

The kicker is that someone needs to keep track of MS's IP ranges. I'm sure they're smart and switch them around a lot or add new ones a lot to deter people from blocking outgoing connections to them, so ideally you probably want this to be automated.

Either way, I'd start at the firewall, and look at the options there. Might be the thing of also having a "reverse honeypot" machine and tracking all the IPs it connects to and having something automatically block them.
 
Here's someone asking the same question on the Microsoft forums, the mods moved the question from the 'Questions forum' to the 'Discussion forum'. That way they're not obliged to provide an incriminating answer. :)

https://answers.microsoft.com/en-us...e/037e3f2e-8262-42eb-8909-05832e856645?auth=1

And more...

http://blog.capterra.com/hipaa-compliance-and-windows-10-5-things-you-need-to-know/

To make matters worse, there's growing concern that Office 365 may also be an issue relating to privacy.
 
Remember guys - Independent Insurance Agent = 1 person, not an entity which can afford to set up their own network environment. 1 person, not a huge corporation, with an IT department. 1 person. In addition, HIPAA compliance is a layered onion. The Singular Insurance Agent is not held to the same standard as a 200+ member business, or a 2000+ member Corporation.

Effectively, there seems to be no way to make 10 compliant.

Unless... Is there a way to turn off Cortana? Is there a way to block updates? Is there a way to cut off the Telemetry? (Basic telemetry on crash reports sounds fine, but that does not deal with the advertising...)

NOTE: Office 365/2013/2016 I do not recommend as it is designed to automatically upload your files to Microsoft's cloud. It either uses SkyDrive/OneDrive and its derivatives, or its own upload service incorporated into the program. Automatically, and it is not obvious to the user. And is a pain in the @ss to attempt to stop. I am still looking for a good way to stop it.
 
Basic telemetry, and you don't have to completely disable Cortana: the History view, device and search history controls the options where local data would be sent elsewhere via Cortana.

Again, there's no such thing as a HIPPA compliant OS, because how the hell would a mobile phone be allowed? Most of it deals with how a device is managed and controlled.
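For anyone who wants to actually do the "turn off Cortana / set telemetry to basic / kill the advertising ID" steps asked about above rather than argue about them, here is an added example (not from any poster in this thread) that writes the same policy registry values Group Policy would set and reads them back, so it works on a standalone Pro box with no domain. The registry paths and value names are the standard Windows 10 policy ones; the two helper function names are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread. Sets the Windows 10 diagnostic data
# level, disables Cortana and the advertising ID through the policy registry keys
# that Group Policy writes, then verifies every value reads back as expected.
# Helper names (Set-PolicyDword, Test-PrivacyPolicy) are this example's own.

$Policies = @(
    # AllowTelemetry: 0 = Security (honoured only on Enterprise/Education/LTSB,
    # Pro silently treats 0 as Basic), 1 = Basic, 2 = Enhanced, 3 = Full.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry'; Value = 1 },
    # AllowCortana = 0 turns Cortana off, so search data is not sent via Cortana.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'AllowCortana'; Value = 0 },
    # DisabledByGroupPolicy = 1 switches off the per-user advertising ID.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Name = 'DisabledByGroupPolicy'; Value = 1 }
)

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys do not exist until a policy is applied, so create them first.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-PrivacyPolicy {
    # Prints one line per policy and returns $true only if all values match.
    # Re-run this after every feature update: those are known to reset settings.
    $ok = $true
    foreach ($p in $Policies) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($actual -eq $p.Value) { $state = 'OK' } else { $state = 'MISMATCH'; $ok = $false }
        Write-Host ('{0,-9} {1}\{2} = {3} (expected {4})' -f $state, $p.Path, $p.Name, $actual, $p.Value)
    }
    return $ok
}

foreach ($p in $Policies) { Set-PolicyDword @p }
# Apply the new policy values without waiting for the next refresh interval.
gpupdate /target:computer /force | Out-Null
if (-not (Test-PrivacyPolicy)) { Write-Warning 'One or more privacy policies did not apply.' }
```

Two caveats a practitioner would want: this does nothing about Windows Update, and blocking security updates to "freeze" a config is a far bigger HIPAA problem than telemetry, so defer feature updates rather than disable updating; and the check function exists precisely because feature updates have reverted settings before, so schedule it, don't run it once and forget it.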
 
Remember, we are not talking HIPPA ( a decapod crustacean) but, HIPAA ( a federal privacy law.) ;)

Yes, there is no such thing as a compliant OS, so you must take steps on any OS to prevent... leakage.

And I am looking for a way to diaper this thing, so it does not leak all over the place.
 
Of course there's no such thing as an OS that's automatically HIPAA compliant. The point is that there's going to be far easier ways to gain HIPAA compliance than using Windows 10 with its known issues surrounding data gathering and changing settings upon updating.

As HvyMtl states, making W10 water tight is going to be far harder than it needs to be, perhaps impossible.
 
I don't believe you actually can make 10 hipaa compliant. At least not without the enterprise version.
 
Last time I used Windows 10 Enterprise it still had targeted advertising by default; even if there is slightly more control since the Anniversary Update there's still no way you could assume data gathering is fully disabled. Due purely to its closed source nature, I doubt you could ever assume any closed source OS is completely leak proof.
 
Remember, we are not talking HIPPA ( a decapod crustacean) but, HIPAA ( a federal privacy law.) ;)

I DID try to make that distinction clear earlier in the thread, but alas it still gets lost in the noise. :D
 
That's not an answer because there's no such thing as a HIPPA compliant OS. HIPPA from an IT standpoint are guidelines to manage systems. If you wiped Windows 10 from every system and installed Linux on all of them, without centralized monitoring and controls you'd be no more HIPPA compliant.

Honestly curious - is 10 sending out things (not talking about crash dumps) such as keystrokes, clipboard contents, open filenames, screen contents anywhere or does it not?
There is plenty of confusion at this particular point. If it doesn't - it's as compliant as any other like you said. If it does, we need to reconsider that. I'm genuinely asking. And I don't mean the highest (LTSB?) version. Just Pro. With the obvious telemetry switches turned off.
 
By default it is as advertising is most certainly targeted.
 
Honestly curious - is 10 sending out things (not talking about crash dumps) such as keystrokes, clipboard contents, open filenames, screen contents anywhere or does it not?
There is plenty of confusion at this particular point. If it doesn't - it's as compliant as any other like you said. If it does, we need to reconsider that. I'm genuinely asking. And I don't mean the highest (LTSB?) version. Just Pro. With the obvious telemetry switches turned off.

No, the whole OP's point and the FUD that proliferates is quite crazy. Set the level to "basic" and this is what is sent:

Basic data is data that is vital to the operation of Windows. This data helps keep Windows and apps secure, up-to-date, and running properly by letting Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft. Basic data includes:

  • Configuration data, including the manufacturer of your device, model, number of processors, display size and resolution, date, region and language settings, and other data about the capabilities of the device.
  • The software (including drivers and firmware supplied by device manufacturers), installed on the device.
  • Performance and reliability data, such as which programs are launched on a device, how long they run, how quickly they respond to input, how many problems are experienced with an app or device, and how quickly information is sent or received over a network connection.
  • Network and connection data, such as the device’s IP address, number of network connections in use, and data about the networks you connect to, such as mobile networks, Bluetooth, and connection requirements and speed of Wi-Fi networks you connect to.
  • Other hardware devices connected to the device.

I could address each of the misconceptions (part of privacy training is HIPAA compliance), but right now I'm not feeling like dealing with the frustration of that :)
 
An hour or two of work which is hardly jumping through hoops.

An hour or two disabling features that shouldn't exist in a basic enterprise, enterprise! OS install. However good job, that's what the OP asked for, that's what he got.

However Windows 10 Enterprise is only HIPAA compliant if you agree to the BAA, and agreeing to that BAA shifts all the blame off Microsoft should the OS fail to meet the requirements for any reason - All onus is on yourself as an IT professional.

You'd wanna hope those security updates don't go screwing with any of your numerous HIPAA tweaks....

Incorrect. The only mention of HIPAA compliance is for the teleconferencing portion. That one mention does not mean the entire OS distro is HIPAA compliant.

I can assure you, making this OS HIPAA compliant would take far less time than the hoops you're jumping through with Windows 10, with a measurable reduction in risk.

But honestly, this whole idea of HIPAA compliance sounds like a complete witch hunt to me. No wonder organisations are quick to offload all the work, and responsibility, off to the smaller IT companies.
 
You could install a Linux distro on a machine as is, hand it to a user that handles medical data, and that's not one bit more HIPPA compliant, at least if you read the HIPPA docs, than doing the same thing with Windows 10. Most of the HIPPA IT docs talk about how devices are managed, data recovery, device loss mitigation and access control. If all you're worried about is the damned OS then I guarantee you have glaring HIPPA problems.
https://www.hhs.gov/hipaa/for-profe...imum-operating-system-requirements/index.html

Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Answer:
No.
 
Win 10 LTSB.

I don't know what this independent insurance agent wants to achieve on their PC, but without a locked down PC and network, this just isn't in any way practical. Even Windows LTSB is only really intended for very special purpose devices. If any software package leaks, the IT consultant signing off on the job is literally screwed in the event of a data breach.

This is something that cannot be achieved practically on a budget.
 
LTSB is for anyone who does not want all the "crap" in Windows 10, including Cortana, and only wants security updates and that is it (no new features until the next release and a complete reinstall). But of course you need a VL license to get this.
 
I know what it is, the issue is that the whole scenario is in no way practical with dubious security for the IT consultant signing off on the job.
 
Set the level to "basic" and this is what is sent:

Unfortunately the only organization making that claim is Microsoft and they have not - at least to my knowledge - ever absolutely proven without any shadow of any doubt precisely what data is actually being collected and sent in those encrypted packets. They've never proven it to any agency that I'm aware of and they aren't going to decrypt the packets for some agency to see naked: all they can and will do and state is "We're collecting <this> and you're just going to have to trust us when we say that because we're not about to let you in on our technology secrets..." and that's just not good enough for me. The only actual transparency that Windows 10 offers is a) the shrink wrap on the packaging of the retail product and b) the transparency effects of the GUI such as they happen to be. :D

If other people want to trust 'em, go for it. And for those making the claim that Google has been doing this sort of thing for years, even Android isn't this intrusive because it is by default open source and the basis for Android (the Android Open Source Project) is right there for anyone to take a look at in terms of dissecting the code. Sure there's a lot of content that's proprietary after the fact in the apps themselves which are not necessarily open source (especially the ones provided by Google itself as part of the Gapps package), but even so there's more transparency with Android available than Windows has ever offered in its entire existence.

And LTSB isn't nearly as clean as people keep believing which is one reason why it's not something the average Joe consumer can really use legitimately - it's out of their reach for a reason (and it's not just the cost aspect). It's arguably one of the most pirated versions of Windows that's ever existed and I still laugh every time I see it mentioned knowing that people are - as I've stated before - jumping through every hoop Microsoft puts out just to run that horrid OS which really brings not much of anything new to the table save for DX12. It's practically like addicts having to have their fix anymore: regardless of the negatives aka the side effects of the drug aka DX12, people still take the drugs aka use the OS anyway.

Windows 10 just ain't all that, even if it did have a bag of chips included. ;)
 
Agreed, just bear in mind that Google stuffs all the spyware in gapps, which you need if you want to access the Play Store. However I do love AOSP and the freedom to swap roms under Android.

When it comes to Mobile devices, we didn't know what was coming in relation to spyware and by the time we realised it the game was all but over. It's the reason why I'm so hellbent on privacy when it comes to desktop operating systems - the OS should provide the interface between the user and the machine, no more.
 
No, the whole OP's point and the FUD that proliferates is quite crazy. Set the level to "basic" and this is what is sent:
I could address each of the misconceptions (part of privacy training is HIPAA compliance), but right now I'm not feeling like dealing with the frustration that :)

Thank you - that's what I needed to know.
Unfortunately the only organization making that claim is Microsoft and they have not - at least to my knowledge - ever absolutely proven without any shadow of any doubt precisely what data is actually being collected and sent in those encrypted packets. They've never proven it to any agency that I'm aware of and they aren't going to decrypt the packets for some agency to see naked: all they can and will do and state is "We're collecting <this> and you're just going to have to trust us when we say that because we're not about to let you in on our technology secrets..." and that's just not good enough for me. The only actual transparency that Windows 10 offers is a) the shrink wrap on the packaging of the retail product and b) the transparency effects of the GUI such as they happen to be. :D

If other people want to trust 'em, go for it. And for those making the claim that Google has been doing this sort of thing for years, even Android isn't this intrusive because it is by default open source and the basis for Android (the Android Open Source Project) is right there for anyone to take a look at in terms of dissecting the code. Sure there's a lot of content that's proprietary after the fact in the apps themselves which are not necessarily open source (especially the ones provided by Google itself as part of the Gapps package), but even so there's more transparency with Android available than Windows has ever offered in its entire existence.

And LTSB isn't nearly as clean as people keep believing which is one reason why it's not something the average Joe consumer can really use legitimately - it's out of their reach for a reason (and it's not just the cost aspect). It's arguably one of the most pirated versions of Windows that's ever existed and I still laugh every time I see it mentioned knowing that people are - as I've stated before - jumping through every hoop Microsoft puts out just to run that horrid OS which really brings not much of anything new to the table save for DX12. It's practically like addicts having to have their fix anymore: regardless of the negatives aka the side effects of the drug aka DX12, people still take the drugs aka use the OS anyway.

Windows 10 just ain't all that, even if it did have a bag of chips included. ;)

And then there's this. And frankly I'm torn between those two positions. I think a lot of what we're arguing on this forum boils down to this. What is written - okay, I'm willing to believe. We'll wait for proof to the otherwise. But at the same time, I don't use wifi or google stuff for sensitive stuff. Nothing evil, just my "stuff", ideas, projects.
 
Sadly, the insurance agent has to deal with HIPAA... The level is not as drastic as a Medical Provider, nor any Medical coder... That said, it is not very clear as to what level we are fully required to do, probably because it has not been adjudicated.... (ie. there have not been enough lawsuits, yet.) So, I basically have to use either 7 or 8.1 with certain updates blocked, or find a decent Linux OS, which could be streamlined to enable compliance... Which I would have to learn how to use Linux, and perhaps a bit of coding to do so... Ugh.

Bad thing is, most agents have ZERO clue about HIPAA, are not warned about it, and probably break the law on a daily basis, particularly when they just go buy a Win 10 pc... (the fun of being a 1099 "employee" - the corporation has little to no liability for your actions.)

That article was for Enterprise... I hate to see what one has to do to Pro or, dare I say it, Home to make it viable. Looks like you would have to remove the ability to update the OS - to make it possible... sigh.

Just going to keep advising people to buy 7 or 8.1...

I just hope someone takes Microsoft to task for this, and force a change. (Someone with deep pockets, and good lawyers... That leaves me out.)

Remember, you have to do things to the OS to ensure HIPAA compliance, or you cannot be compliant. From having a password on the OS (yeah, bypassing that is easy, but it is advice some give) to ensuring any identifiable info is not searched... These steps are not the only thing you have to do. (I have to have locks on the doors, and file cabinets to be compliant, as well...)
 
I just hope someone takes Microsoft to task for this, and force a change. (Someone with deep pockets, and good lawyers... That leaves me out.)

I know it's difficult to turn down work, but as a self employed tech myself some things are just best avoided from a liability perspective.
 