How to make Windows 10 HIPAA compliant?

HvyMtl

Yes, I know there is a lot of FUD on the issue. I just need to get to the best way of making 10 HIPAA compliant.
I don't need the 10 bashing, and the 10 hyping.

I just need a simple set of steps to make it so 10 can be used by an independent insurance agent. (They deal with medical data, driver license, and social security #s on every life insurance application, and are required to abide by the law...) Since 10's EULA and its setting to spy on the user for ad revenue create the possibility of this info being leaked, or sent, without permission/consent of the owner of such data, there is a risk of substantial fines, or even prison time, for HIPAA violations...

And, considering this is a group known for being "thrifty," it cannot be expensive to implement...

So, how DOES one make 10 HIPAA compliant?
 
This seems to cover it fairly well and they offer a whitepaper (upon request) that gives you the necessary instructions to configure Windows 10 for HIPAA compliance, at least to acceptable degrees. Personally I'd just say avoid the potential hassles and use something else but that's just me.

http://www.hipaaone.com/windows-10-and-hipaa/
 
I agree about the "use something else" idea, but costs, quick need, etc.

And what about Cortana?
 
So, how DOES one make 10 HIPAA compliant?

One doesn't, because one can't. And trying to use hacks, tweaks or GPOs to attempt to suppress the data snooping, Cortana, Bing indexing, etc. isn't reliable because the next forced Windows update is likely to just break those hacks and tweaks, and reset everything back to non-compliant MS defaults.

Windows 7 is really the only viable option, or a heavily tweaked 8.1 with updates disabled. 10 is a HIPAA nightmare.
 
One doesn't, because one can't. And trying to use hacks, tweaks or GPOs to attempt to suppress the data snooping, Cortana, Bing indexing, etc. isn't reliable because the next forced Windows update is likely to just break those hacks and tweaks.

Windows 7 is really the only viable option, or a heavily tweaked 8.1 with updates disabled. 10 is a hornet's nest.

Exactly.

From the article Tiberian linked to.

The short answer is that the default configuration of Windows 10 may violate HIPAA.

Basically, if you have to deal with HIPAA, any time you see "MAY violate HIPAA", assume (quite safely) that it DOES violate HIPAA.
 
gah, so, it is what I expected... And yet, here I have agents buying 10, cause that is what is available at Beast Buy, Orifice Depot, Stapled, etc.

I have seen Microsoft pressing updates to 7/8.1 which add telemetry to those OSes. So, how do those impact?

And, if you HAVE to make 10 compliant, what would you do?
 
gah, so, it is what I expected... And yet, here I have agents buying 10, cause that is what is available at Beast Buy, Orifice Depot, Stapled, etc.

I have seen Microsoft pressing updates to 7/8.1 which add telemetry to those OSes. So, how do those impact?

And, if you HAVE to make 10 compliant, what would you do?
You can still suppress updates in 7 and 8.1, and the Enterprise version allows you to pick what updates to push to your users.

I work for a large regional healthcare system and the opinion of the IT leadership here at the moment is that we're going to be using 7 in perpetuity unless Microsoft actually makes some serious changes or they release a "HIPAA" edition of 10.
 
I may be out of my lane here but doesn't a secure VPN system, assuming the data is on a compliant server edition, bypass any need for the client to be running a HIPAA compliant OS?
 
Hmm. VPN I am weak on. I do need to educate myself on it.

Remember: Dealing with people with zero knowledge of computers. The Joe Average, or less, knowledge... So, looking for things I can do to fix the issue for them...
 
I may be out of my lane here but doesn't a secure VPN system, assuming the data is on a compliant server edition, bypass any need for the client to be running a HIPAA compliant OS?
All a VPN does is move the endpoint where your internet traffic comes out of, it adds precisely zilch security to the operating system. It also doesn't ensure stuff like the data being encrypted at rest either. (HIPAA requirement)

Really the best OS choice for HIPAA stuff would be Linux or some BSD variant.
 
Yes, I know there is a lot of FUD on the issue. I just need to get to the best way of making 10 HIPAA compliant.
I don't need the 10 bashing, and the 10 hyping.

I just need a simple set of steps to make it so 10 can be used by an independent insurance agent. (They deal with medical data, driver license, and social security #s on every life insurance application, and are required to abide by the law...) Since 10's EULA and its setting to spy on the user for ad revenue create the possibility of this info being leaked, or sent, without permission/consent of the owner of such data, there is a risk of substantial fines, or even prison time, for HIPAA violations...

And, considering this is a group known for being "thrifty," it cannot be expensive to implement...

So, how DOES one make 10 HIPAA compliant?

I would say to contact Microsoft directly for assistance. They are not stupid and I am certain they have thought of this as well. They may very well have a document on how to lock it down for HIPAA compliance that would be of help for you. Fact is, you have what they bought, but they may need to spend the money and upgrade to at least Windows 10 Pro since Home was never designed to run in a business environment. This is not a hurray or a bashing, this is saying straight up where the most likely help for this will be available from.
 
I would say to contact Microsoft directly for assistance. They are not stupid and I am certain they have thought of this as well. They may very well have a document on how to lock it down for HIPAA compliance that would be of help for you. Fact is, you have what they bought, but they may need to spend the money and upgrade to at least Windows 10 Pro since Home was never designed to run in a business environment. This is not a hurray or a bashing, this is saying straight up where the most likely help for this will be available from.

If Windows 10 was able to be made HIPAA compliant, it wouldn't be some obscure secret that requires a phone call to unlock. It would be plastered everywhere, including Microsoft's own HIPAA page like they have for Office 365. https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA

Their silence says everything. There's no way to make 10 Pro HIPAA compliant, and I don't even think Enterprise can be made compliant since there is still a trickle of telemetry even with it "disabled" via GP.

It's probably going to require a few lawsuits and additional government inquiries before Microsoft is finally forced to back off on the privacy and data collection stuff that makes 10 a HIPAA no-go.
 
If Windows 10 was able to be made HIPAA compliant, it wouldn't be some obscure secret that requires a phone call to unlock. It would be plastered everywhere, including Microsoft's own HIPAA page like they have for Office 365. https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA

Their silence says everything. There's no way to make 10 Pro HIPAA compliant, and I don't even think Enterprise can be made compliant since there is still a trickle of telemetry even with it "disabled" via GP.

It's probably going to require a few lawsuits and additional government inquiries before Microsoft is finally forced to back off on the privacy and data collection stuff that makes 10 a HIPAA no-go.

Hi All

That would be my conclusion as well.
 
It's not possible. We had to discontinue using Windows in our labs at work for similar reasons.
 
If Windows 10 was able to be made HIPAA compliant, it wouldn't be some obscure secret that requires a phone call to unlock. It would be plastered everywhere, including Microsoft's own HIPAA page like they have for Office 365. https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA

Their silence says everything. There's no way to make 10 Pro HIPAA compliant, and I don't even think Enterprise can be made compliant since there is still a trickle of telemetry even with it "disabled" via GP.

It's probably going to require a few lawsuits and additional government inquiries before Microsoft is finally forced to back off on the privacy and data collection stuff that makes 10 a HIPAA no-go.

Eh, forget it, if the OP wants to take the time and contact Microsoft to help out his customer, that is his choice. If he does not, that is on him as well. They are not my customer so it is not any skin off my back. However, if the OP is armed with actual, verifiable information, he can take that to the customer when he explains why they have to spend the money they need to.
 
About Microsoft and HIPAA, yes, Microsoft will aid you with OFFICE, including 365, IF you pay for a license. That is merely half the battle. They are silent on the OS. Calling them does not seem to work. I had a client who did so, they told him to turn off a bunch of things during the initial start up, but would not tell him if this would make the OS compliant... Their suggestions did not remove the Cortana issues (the searches it does, the information it sent) nor did the suggestions remove the issues with the EULA, the telemetry, and the crash report.

I think it is telling, whenever people ask about HIPAA compliance on Microsoft's forum, it gets sent to the "discussion" section, and not responded to by actual Microsoft Employees...

As for Pro vs Home... Well, Pro is now more Home than the Pro it used to be. And getting the licensing for Enterprise is not possible (not big enough to get.)

What about removing Cortana from the OS? Anyone try this? I know it removes the ability to search for anything, but it may be the only way.

And, then cut it away from the internet... which won't go over with these guys...

Want to chat with them online? You HAVE to have a Live account... seriously.
 
The safest choice in your situation is to take a virtual desktop approach. Your organization will have to create and maintain the infrastructure but it will allow you to turn your remote users' Win10 machines into nothing more than dumb terminals.

A client I consult for is currently investigating this as a solution to use when they are forced to transition to Win10 and it looks like the only known safe option.
 
Hmm. VPN/ virtual desktop... again, weak on these subjects, so I am going to look into that. Issue is, the files necessary would still be on the computer, and would have to be written to... and looked at. Which sounds like there is still an issue.

Anyone try to, and I hate to do this, cut up the OS, or even butcher it, to make it compliant?
 
So I've been following this issue on Windows 10 and HIPAA for a while. If you read the official HIPAA docs, I've seen nothing in them about telemetry. Almost all of it has to do with standard IT stuff regarding security practices like encryption, backup and recovery, access control to patient data etc. Without standards for this stuff in place, and I'm guessing many of the folks worried about Windows 10 and not this stuff, are probably not HIPAA compliant anyway.

If you have Windows 10 set for basic telemetry there's no sharing of local data with Microsoft. Is there anything in HIPAA that would require anything else?
 
The telemetry can report data in use at the time of the OS crash. So, if you are in the file, typing PHI/PII (name, address, phone #, date of birth, driver license, social security #, and medical records) there is a possibility the PHI/PII could be transmitted. Which would be a direct violation of HIPAA, and would require the Agent to report the violation, and face being fined. They are not fully clear on what "basic" is.

Honestly, if Microsoft would be a bit more transparent, this concern might be addressed. Sadly, not the case. I do believe a government will have to force the change, or a large lawsuit.

Cortana uses internet searches, including Bing, and if you search on your PC, and it taps Bing, that data could be searchable by a 3rd party, which is a violation, and must be reported.

The EULA has issues, too.
 
The telemetry can report data in use at the time of the OS crash. So, if you are in the file, typing PHI/PII (name, address, phone #, date of birth, driver license, social security #, and medical records) there is a possibility the PHI/PII could be transmitted. Which would be a direct violation of HIPAA, and would require the Agent to report the violation, and face being fined. They are not fully clear on what "basic" is.

Basic telemetry in Windows 10 doesn't do this: https://privacy.microsoft.com/en-US/windows-10-feedback-diagnostics-and-privacy. Also applications themselves might have an enhanced mode for error reporting that sends data back to the vendor.
Honestly, if Microsoft would be a bit more transparent, this concern might be addressed. Sadly, not the case. I do believe a government will have to force the change, or a large lawsuit.

It could be better but there is a lot on this subject and lot of people simply haven't read it.

Cortana uses internet searches, including Bing, and if you search on your PC, and it taps Bing, that data could be searchable by a 3rd party, which is a violation, and must be reported.

The EULA has issues, too.

Tons of mobile OS devices in the medical field do the same thing and I don't know of anything in HIPAA that explicitly says that those searches are a violation of HIPAA. There's a GREAT deal of HIPAA compliance documentation that goes into mobile device compliance and there's no mention of any of this in anything I've seen. But it's easy enough to disable Cortana by switching off all the options.
 
With a proper VDI setup in place nothing would be resident on the remote Win10 machine.

The problem with this whole situation is that in all likelihood Win10 is going to be considered HIPAA compliant by OCR. However, there isn't any guidance or case law at the moment and becoming the test case isn't going to be good for anyone's career or future job prospects.
 
I may be out of my lane here but doesn't a secure VPN system, assuming the data is on a compliant server edition, bypass any need for the client to be running a HIPAA compliant OS?

The client OS is still processing the data. It is moving packets around, it is displaying the data onscreen, it caches. VPN provides the conduit, but the actual processing of meaningful info can still be done by the client OS and as such you can't prove it's not leaking.

The burden of proof is as huge a problem as the technical side of things. Tweaks are probably no-go, because you cannot prove that a push update won't reverse the tweak. That's a huge problem - you just can't prove your OS is consistent at all times. If you don't know when and what will find its way into your system, you won't be able to answer this question when inquired. You won't be able to say you trust Microsoft, if you don't have what you need in writing pertaining to HIPAA.
Mind you, I'm not in the US, but the EU also has quite anal data protection laws and from the very beginning this has been a problem for me.

Doesn't the LTSB edition (highest tier? please correct me if I'm wrong) facilitate these things? This situation is akin to protecting a company's intellectual property, and if you can't find HIPAA specific information you could try shooting at the trade secrets/ IP side of things.

Hmm. VPN/ virtual desktop... again, weak on these subjects, so I am going to look into that. Issue is, the files necessary would still be on the computer, and would have to be written to... and looked at. Which sounds like there is still an issue.

Anyone try to, and I hate to do this, cut up the OS, or even butcher it, to make it compliant?

You can't butcher it. You have no proof that a tweak/modification actually works and will work, and - worse - you are no longer running an OS that is fully supported by the manufacturer. You modified it, so Microsoft can wash their hands as far as responsibility goes.
 
The healthcare providers and insurance companies use cloud hosting, terminal services or VDI to maintain compliance regardless of what front-end OS/box is used. No data resides on the client's front-end. As such, they don't care if the doctor's office uses Win10 or XP (it's still out there).
 
As I understand it, telemetry can be turned off completely in the Enterprise version of Windows 10.
 
Just use Terminal Services and remote desktop, the Windows 10 machine is no more than a terminal.
 
It's Windows 10....Who knows?! ;)

Disable all ports but TCP 3389?

Well, in an enterprise environment, yeah, we know. Banks probably have more valuable personal data than hospitals and there's no way we'd ever use Windows 10 if it was sending account info to Microsoft. And in an enterprise environment, it's SOP to lock down ports on local devices, 20 FTP, yeah, you lock that one down, along with popular ports for things like database servers, file sharing apps, etc. Anything that can be used to transmit or store data.

In reading through this thread, whatever the problems with Windows 10 there's a lot of considerations about data security that are not being discussed. I mean, what do you do about a person who takes patient info and copies it to a flash drive? If one is more worried about Windows 10 telemetry than that kind of thing, they're missing the point about HIPAA and data security in general.
 
Well, in an enterprise environment, yeah, we know. Banks probably have more valuable personal data than hospitals and there's no way we'd ever use Windows 10 if it was sending account info to Microsoft. And in an enterprise environment, it's SOP to lock down ports on local devices, 20 FTP, yeah, you lock that one down, along with popular ports for things like database servers, file sharing apps, etc. Anything that can be used to transmit or store data.

In reading through this thread, whatever the problems with Windows 10 there's a lot of considerations about data security that are not being discussed. I mean, what do you do about a person who takes patient info and copies it to a flash drive? If one is more worried about Windows 10 telemetry than that kind of thing, they're missing the point about HIPAA and data security in general.

The issue is it's not account info that's the issue here, it's personal info that's the issue here.

It's indisputable that when it comes to personal information Windows 10 falls flat on its face.
 
The issue is it's not account info that's the issue here, it's personal info that's the issue here.

Bank account info, people's mortgages, car loans, credit/debit card transactions, checking account balances, etc. is about as personal information as it gets.

It's indisputable that when it comes to personal information Windows 10 falls flat on its face.

LOL! In a true enterprise 10 is a much different thing, with far more control and options than consumer users. I mean we lock out USB/SD ports so that you can't write data to them. Again, if one is worried about Windows 10 telemetry and hasn't considered users just copying data to a flash drive, they've really not thought a great deal about data security.
 
LOL! In a true enterprise 10 is a much different thing, with far more control and options than consumer users. I mean we lock out USB/SD ports so that you can't write data to them. Again, if one is worried about Windows 10 telemetry and hasn't considered users just copying data to a flash drive, they've really not thought a great deal about data security.

I've used Enterprise, it's not that different to Pro TBH. If it uses targeted advertising like all the other Windows 10 platforms then security of personal data is questionable.

There are far easier ways to ensure security of personal information that don't involve the use of Windows 10.
 
You disable USB ports via Group Policy, this is hardly anything unique to Windows Enterprise.
 
I've used Enterprise, it's not that different to Pro TBH. If it uses targeted advertising like all the other Windows 10 platforms then security of personal data is questionable.

I use the Enterprise version on my sig rig as well. But with it connected to a domain you have a totally different level of control than not. In our environment there is no telemetry, there are no automatic updates. Setting it in this kind of environment isn't that different from 7. And we'll be using LTSB which is another level of stability and control beyond Enterprise.
 
You disable USB ports via Group Policy, this is hardly anything unique to Windows Enterprise.

We don't flat out disable them though. We prevent writes and track all the files on those devices. If you plug a USB device into one of our managed devices, every file on that device gets reported.
 
I use the Enterprise version on my sig rig as well. But with it connected to a domain you have a totally different level of control than not. In our environment there is no telemetry, there are no automatic updates. Setting it in this kind of environment isn't that different from 7. And we'll be using LTSB which is another level of stability and control beyond Enterprise.

I wouldn't say you have a totally different level of control, you have a few more additional options that were restricted in Windows 10 Professional Group Policy editor with the advent of the AE update. Once again, there are easier ways to ensure security and HIPAA compliance than to use Windows 10 and shell out for Enterprise licencing.
 
We don't flat out disable them though. We prevent writes and track all the files on those devices. If you plug a USB device into one of our managed devices, every file on that device gets reported.

Yes, you do that through Group Policy.
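The thread keeps circling two points: the settings people rely on (telemetry level, Cortana, error reporting, removable-disk write blocking via Group Policy) and the objection that a forced update may silently reset them. A drift audit covers both. The script below is an added example, not code posted by anyone in the thread; it reads the machine-level policy registry values that the corresponding Group Policy settings write and flags any that no longer match an assumed hardened baseline (the "Expected" values are that assumption, not a statement of what HIPAA requires).

```powershell
# Added audit example (not from the thread). Run elevated; schedule it to re-run
# after every feature update so a reverted setting is caught rather than assumed.
# Paths are the standard machine policy locations; "Expected" is an assumed baseline.

$checks = @(
    @{ Setting   = 'Diagnostic data level: AllowTelemetry (0 = Security)'
       Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       ValueName = 'AllowTelemetry';   Expected = 0 },
    @{ Setting   = 'Cortana: AllowCortana'
       Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       ValueName = 'AllowCortana';     Expected = 0 },
    @{ Setting   = 'Web results in Start search: DisableWebSearch'
       Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       ValueName = 'DisableWebSearch'; Expected = 1 },
    @{ Setting   = 'Windows Error Reporting: Disabled'
       Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
       ValueName = 'Disabled';         Expected = 1 },
    @{ Setting   = 'Removable disks: Deny_Write'
       Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       ValueName = 'Deny_Write';       Expected = 1 }
)

function Get-PolicyState {
    param([hashtable]$Check)
    $current = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($Check.ValueName) }
    }
    [pscustomobject]@{
        Setting  = $Check.Setting
        Current  = if ($null -eq $current) { 'not set (OS default applies)' } else { $current }
        Expected = $Check.Expected
        Status   = if ($current -eq $Check.Expected) { 'OK' } else { 'DRIFT' }
    }
}

# AllowTelemetry = 0 (Security) is only honoured on Enterprise/Education/LTSB;
# Pro and Home treat it as 1 (Basic), so show the edition next to the results.
$edition = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
Write-Host "Edition: $edition"

$results = foreach ($c in $checks) { Get-PolicyState -Check $c }
$results | Format-Table -AutoSize

# Non-zero exit so a scheduled task or RMM agent can alert on drift.
if ($results.Status -contains 'DRIFT') { exit 1 }
```

A 'not set' row means no policy is applied and the OS default (or whatever the last update chose) is in effect, which is exactly the state the thread warns you cannot vouch for.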
 