Is Windows® 10 HIPAA Compliant?
Posted on February 19, 2016
By Michael Grzesik, Infrastructure Security Specialist
I started a small project last week in an effort to learn more about the new Microsoft® Windows 10 operating system. Right now, Microsoft is offering users of Windows 7, 8 and 8.1 Professional the opportunity to upgrade to Windows 10 Professional for free. To take advantage of this generous offer, I assembled a group of several computers that have legal Windows 7 Pro license keys. With this test bed in place, I began the process of manually upgrading each system to Windows 10. Here is what I learned:
- Windows 10 is the chattiest operating system (OS) Microsoft has ever made, and it talks to the Internet a lot! The Windows 10 Professional version is the consumer version of this latest OS.
- There are over two dozen privacy settings buried within Windows 10 that are turned on by default, and start collecting information about your interaction with the computer from the moment you turn it on and start using it.
- Windows 10 was designed by Microsoft to operate on a local network, but wants to talk to the Internet and specifically Microsoft’s OneDrive “Cloud” to provide cross connectivity between your computer, your “devices” and the Bing search engine.
- There is a voice engine named Cortana that you can interact with on Windows 10. Cortana will take any question you ask or any search you conduct on the computer and share it with the (very public) Bing search engine.
- Cortana wants to know more about you, and will “collect info like contacts, recent calendar events, speech and handwriting patterns, and typing history” for analysis.
- There is a geolocation (telemetry) service that reports the location of your computer to Microsoft to help improve the Windows 10 experience.
This being said, I began to wonder how medical practices will be able to use Windows 10 Professional and not break any HIPAA privacy and patient confidentiality rules. If they accept the default privacy settings, they will find their computer isn’t very private. You have to turn those settings off manually.
Much to the credit of Microsoft, they offer to help you in configuring Windows 10 privacy settings during installation and post-installation. That updated document is here: Setting your preferences for Windows 10 services (http://windows.microsoft.com/en-us/windows-10/services-setting-preferences).
However, due to the price of OS licensing, most small and medium-sized medical practices will likely choose to buy computers with Windows 10 Professional because it is cost effective. The “Professional” version comes with most PCs sold by retail computer vendors, so it could become the default choice rolled out in a computer upgrade.
The next step up is the full featured (and more costly) version of Windows 10 Enterprise. Windows 10 Enterprise offers one main benefit over Professional: total privacy control. Those privacy settings are also aided by the fact that if you join a Windows 10 Enterprise computer to a Windows Active Directory domain, it is treated as a business system and most privacy and tracking concerns disappear. The “Enterprise” Microsoft OS, though, is only available with a business contract (called Software Assurance) for multiple computers and users. That can be a very complex purchase to solve a very simple concern around information privacy.
All this is a lot to take into consideration for HIPAA compliance. Should nurses have to worry that a records search containing private medical information on a Windows 10 computer will also hit Bing on the Internet? If they are running the consumer version of Windows 10, they may not have a choice.
These questions and concerns are not meant to stir the pool of fear, uncertainty and doubt around Windows 10. What is being asked is really: “What version of Windows 10 should you choose for the best privacy?” The cost-effective route may not be the best option. We need to choose wisely.
How do you make that choice? Here are some plausible options:
- Become informed. Microsoft has started to publish a lot of information about privacy in Windows 10, in order to allay fears about its newest OS release. Microsoft’s Terry Myerson has a blog on the privacy topic here: https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10/
- Don’t accept the default settings for privacy. It is best to try to turn everything off until you can understand exactly what Windows 10 is trying to do. As the OS matures, more privacy features and lockdown settings will likely be added to help secure your computer system.
- You are not the only person that may have concerns about privacy. Other people have been writing about this topic since Windows 10 first rolled out. Microsoft is listening to what people have to say, and it will only help the cause.
- If you are planning a computer upgrade in a medical practice, hire a consultant to help you consider security, privacy and licensing with Windows 10.
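The advice above to turn the default collection off until you understand it, and the point that Enterprise gives more control than Professional, can both be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original post and not a Microsoft tool: it reports (and, with `-Apply`, sets) the machine-wide Group Policy registry values behind the settings discussed above: diagnostic data level, Cortana, web results in Start search, location, and the advertising ID. The registry paths and value names are the documented policy locations for these settings, but verify them against Microsoft's current documentation for your build, and test on a non-production machine first. The edition check reflects Microsoft's documented behaviour that the lowest diagnostic level (`AllowTelemetry = 0`) is only honoured on Enterprise and Education editions; Professional treats it as Basic, which is the Pro-versus-Enterprise gap the post describes.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the policy-backed Windows 10 privacy settings the post discusses.
# Run from an elevated PowerShell prompt. Without -Apply nothing is changed.
param(
    [switch]$Apply
)

# Each entry: policy registry path, value name, desired value and a note.
# Desired values follow the post's advice: collection off until understood.
$PrivacyPolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry';        Desired = 0
       Note = 'Diagnostic data level (0=Security, 1=Basic, 2=Enhanced, 3=Full)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'AllowCortana';          Desired = 0
       Note = 'Cortana assistant' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'DisableWebSearch';      Desired = 1
       Note = 'Web (Bing) results from the Start menu search box' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'ConnectedSearchUseWeb'; Desired = 0
       Note = 'Send local search text to the web' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
       Name = 'DisableLocation';       Desired = 1
       Note = 'Location (geolocation) service' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Name = 'DisabledByGroupPolicy'; Desired = 1
       Note = 'Advertising ID' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the policy key if needed, then create or overwrite the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Context the post says matters: edition and whether the machine is domain-joined.
$edition  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$inDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
Write-Host "Edition: $edition   Domain-joined: $inDomain"
if ($edition -notmatch 'Enterprise|Education') {
    # Documented Microsoft behaviour: level 0 (Security) is Enterprise/Education only.
    Write-Warning 'AllowTelemetry=0 is only honoured on Enterprise/Education; this edition treats it as 1 (Basic).'
}

foreach ($p in $PrivacyPolicies) {
    $current = Get-PolicyValue -Path $p.Path -Name $p.Name
    $shown   = if ($null -eq $current) { '<not set: OS default>' } else { $current }
    $ok      = ($current -eq $p.Desired)
    $status  = if ($ok) { 'OK ' } else { 'FIX' }
    Write-Host ('[{0}] {1,-22} current={2,-22} desired={3}  ({4})' -f $status, $p.Name, $shown, $p.Desired, $p.Note)
    if ($Apply -and -not $ok) {
        Set-PolicyValue -Path $p.Path -Name $p.Name -Value $p.Desired
    }
}
if ($Apply) { Write-Host 'Policies written; run "gpupdate /force" or reboot for all settings to take effect.' }
```

Run it once without arguments to get a report of which settings are still at the OS default, then with `-Apply` to write the policy values. The report format is also a convenient thing to keep from each workstation as evidence of the configuration chosen, since the policy values, not the Settings app toggles, are what a domain-joined machine will honour.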
Moving to Windows 10 is not something that should be rushed, but it will become inevitable, so do your homework. As with Microsoft's past operating systems, the one you run today will eventually go end-of-life and you will be forced to consider a new purchase. After all this prep work, if your office computer fails and the next one comes with Windows 10, you will be ready for the upgrade.