• HIPAA compliance using Win10 Enterprise


    #108493

    Here’s an excellent article about walking the thin line between modern technology and HIPAA (think: keeping private information private in the US — i
    [See the full post at: HIPAA compliance using Win10 Enterprise]

    • #108502

      The real problem is that the majority of smaller medical entities will not be using the enterprise version of Win 10. More than likely, Win 10 Pro would be used, supplied with a new computer by the vendor. My understanding is that Win 10 Pro is not HIPAA compliant and cannot be configured in any way to be such.


      1 user thanked author for this post.
      • #108520

        Exactly what I have seen at the dental surgeon the other day. Plus they didn’t remove any of the ridiculous bloat, so when he clicks on the start menu to open his fancy x-ray app, you see Candy Crush and all those very serious apps.

        1 user thanked author for this post.
        • #108564

          Most definitely not HIPAA-compliant. And they definitely don’t have a clue about HIPAA protection as it relates to Windows.

          Any business handling HIPAA information should get someone who knows about these issues to give their operation a thorough going over, to see where vulnerabilities are.

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
        • #108578

          Exactly what I have seen at the dental surgeon the other day. Plus they didn’t remove any of the ridiculous bloat, so when he clicks on the start menu to open his fancy x-ray app, you see Candy Crush and all those very serious apps.

          This is one of two major pet peeves I have about some medical offices.  And no, it’s not in compliance at all.

          (The other pet peeve is watching nurses or doctors type on their keyboards, then come at me to treat me – without washing their hands after touching keyboard/mouse.  YUCK!)

          ~ Group "Weekend" ~

          1 user thanked author for this post.
          • #109353

            Do they at least wear surgical gloves?

            Group "L" (Linux Mint)
            with Windows 10 running in a remote session on my file server
      • #108982

        People should be aware that the minimum for volume licensing is only 5. It also gets you the LTSB that is useful for critical systems.

        1 user thanked author for this post.
        • #109346

          So a business has to pay a minimum of $420 a year (at current pricing) to have an Enterprise edition that can be configured to comply with HIPAA? A domestic violence center staffed by volunteers and funded by grants and donations… and barely making ends meet… has great need for privacy for its clients… and definitely cannot afford what might seem a small amount to a commercial enterprise to ensure privacy.

          That isn’t the only example of people needing small scale privacy… and being prevented from running Win 10 on that issue alone. However, HIPAA does outline standards that other people desiring privacy would like to follow as well.

          Trust me isn’t something you ask a woman who has been abused… and Microsoft has been acting abusively towards its customers, eliminating options not just up front, but for the more technically inclined. Do it my way, or else we will cut you off…

          I can see that it is way more “profitable” for Microsoft to rent five Enterprise licenses for a year than sell a license for the life of a particular computer. But it isn’t economically viable for so many of us. Privacy is only for the wealthy and technically able? What about the promise of using technology to enable those with disabilities, or to provide access to information and resources without regard to race or where you live or social status or wealth?

          If they can’t get updates right, can they be trusted with privacy issues? I don’t think so…

          Non-techy Win 10 Pro and Linux Mint experimenter

          2 users thanked author for this post.
          • #109359

            Elly, I’m sorry to say it, but in order to get adequate privacy and confidentiality in today’s world, you’re going to have to pay for it. You’re also going to have to train your people to think and act in such a way that enhances, not weakens, privacy and confidentiality.

            If your network and your computers are correctly set up and configured (this will require that you employ the services of an IT professional), and if everyone is careful as to what they do online, you will likely be able to achieve HIPAA compliance.

            The problem is, there is so much working against privacy and confidentiality these days, it takes expertise and constant vigilance in order to pull it off.

            The one way I know of which could work for most people is if they have secure terminals (not computers) which are connected to a secure system, and which have access only to secure HIPAA-compliant resources, then you would probably be successful. Less expensive would be Citrix remote desktop Windows (or Linux?) sessions, hosted by a secure organization, so that they, not you, handle the security and the HIPAA compliance. This will cost your organization, but not nearly as much as trying to do it all yourself.

            Group "L" (Linux Mint)
            with Windows 10 running in a remote session on my file server
    • #108513

      If I handle HIPAA-protected information as part of my job, and my employer has chosen to employ an OS that allows HIPAA-protected information to leak out (i.e. become unprotected), who is guilty of the HIPAA violation? Me? or my employer?

      My guess is that my employer would bear the full responsibility, and I would bear none.

      What are other people’s thoughts on this?

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #108553

        Good question, the answer probably depends on how much say you have in the OS choice. Working in the medical industry, I have been very concerned that no version of W10 is HIPAA compliant because of MS’ insistence on phoning home. The only way to prevent data leaks, accidental or otherwise, is to severely limit the data that leaves your control. But if you can do this then it is a matter of time before a serious data leak occurs.

        If MS is stupid enough to say W10 is HIPAA compliant they would be a target of many nasty lawsuits. Even if they did not, the fact they insisted on phoning home might make them a rather juicy target.

        1 user thanked author for this post.
        • #108561

          At my last job, we handled HIPAA-protected information, but I had absolutely no say in what OS I used. However, I could check my email from the web or from my smart phone. And we were encouraged to use Google for searches. So I would say that there were some holes in our HIPAA protection, but since the employer told us to do all of these things, they were fully responsible for anything that happened, as long as we observed normal “HIPAA” caution whenever working.

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
          1 user thanked author for this post.
        • #108973

          We recently announced that Windows 10 can be fully HIPAA compliant by making certain configuration settings in the OS.
          Windows 10 & HIPAA Compliance

          • #109005

            The HIPAA One report (PDF) at the second link has an interesting and pretty long list of tweaks in Appendix A, which might be of interest to some folks here.

            A notable quote from that document that nicely justifies the discussion in this thread:

            When using any desktop operating system, the default configuration may violate HIPAA.

            The description of telemetry levels in that document is now a bit out of date (since it’s written against version 1607 “Anniversary”). And it’s Enterprise, not Pro, they’re talking about in the report.

            When starting to get into the nitty gritty, the report states:

            Microsoft has provided tools to disable these built-in apps’ connectivity back to Microsoft as part of its “zero-exhaust” initiative – meaning that no inadvertent data may be communicated to the Internet or other cloud services. Correctly configuring the telemetry level and app connectivity will significantly reduce your organization’s risk of violating HIPAA.

            Is it me or does “significantly reduce” not quite seem to take us all the way to “fully compliant”?

            “Zero-exhaust” may be an interesting term to research.

            -Noel

            2 users thanked author for this post.
            • #109022

              The thing that keeps going through my head in all of this is what kind of user are most computer owners? Most of them are not interested in “tech” or reading through Woody’s blog reading conversations about settings, registries, command prompts and telemetry and even if they did, they wouldn’t understand much if any of it much less know that they should be looking into this stuff in the first place. Why should they be punished by having their rights unknowingly violated just because they aren’t techies (at all) and just want a PC that works? They don’t have the time or the desire to learn all the ins and outs of Windows and probably have no idea that their rights are being violated or that they need to research some special configuration to prevent it.

              It is unfair that anyone has to have some kind of special computer knowledge in order to avoid this stuff from their OS. It’s the same with cars, really; the majority of people just want a car that works and is reliable without having to become a mechanic in order to reprogram the computer so that it doesn’t intercept wifi internet connection from my cell phone or something and send it somewhere against my knowledge, hypothetically speaking. It doesn’t matter that there’s a “certain configuration setting”; the point is that “certain configuration setting” should be the DEFAULT setting.

              2 users thanked author for this post.
            • #109363

              I think the thing that frustrates me most isn’t that the technology isn’t developed yet to allow privacy, but that technology is being actively deployed to prevent privacy from being an option for the majority of home users. Where do you think your HIPAA information comes from in the first place… YOU!

              Non-techy Win 10 Pro and Linux Mint experimenter


      • #108577

        If I handle HIPAA-protected information as part of my job, and my employer has chosen to employ an OS that allows HIPAA-protected information to leak out (i.e. become unprotected), who is guilty of the HIPAA violation? Me? or my employer? My guess is that my employer would bear the full responsibility, and I would bear none. What are other people’s thoughts on this?

        I’ve been to several training seminars on this topic over the years, and the point has repeatedly been made that if there is a major violation the lawyers will go fishing and anyone who touched the system can be brought in for potential fines or worse.

        This blog nicely outlines what I’ve heard in training:

        http://blog.securitymetrics.com/2015/09/hipaa-violations.html

        (Note, yes they sell security, and compliance assistance, but the liability info is – afaik, accurate.)

        Is it your responsibility to ensure that your clinic is HIPAA compliant? Is it the doctor’s responsibility? What if you’re the IT guy? Is HIPAA your duty? What if you are just a janitor at a healthcare organization? The answer to all those questions is: every single person who interacts with patient health information in any way must protect it. That means if you . . .

        – Talk to patients directly
        – Give out prescriptions
        – Take blood pressure
        – Manage the firewall for a healthcare environment
        – Manage a database that holds patient data
        – Encrypt patient data on behalf of a provider

        . . .you are responsible for HIPAA and HIPAA violations! Employees may individually face charges if patient data is compromised, but that doesn’t mean providers are exempt from making sure the organization is HIPAA compliant.

        Hope that helps.

        ~ Group "Weekend" ~

        2 users thanked author for this post.
        • #108600

          I agree with the writer that everyone who touches HIPAA info is responsible for its proper handling. For example, a pharmacy tech should not share my medical information with anyone except those who need to know (e.g. the insurance company). And when sharing my info, he should make sure that he is out of anyone else’s hearing. If there are unauthorized people within hearing range, then that pharmacy tech has violated HIPAA.

          The issues are more gray when it comes to IT concerns. I personally think that no one should be able to use free email when transmitting or receiving HIPAA information, because it is clear that the email service is scanning the emails. I know a therapist who uses Yahoo email to communicate with his patients; I advised him against doing that, but to my knowledge, he is still doing it.

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
          1 user thanked author for this post.
          • #108626

            Much worse than that, in theory, there is absolutely no guarantee that email is encrypted end to end, so it is not to be considered a safe means of communicating any sensitive information. The server that handles your email also has an unencrypted copy of it, so if it gets hacked, it is not good.

            That is why you never send credit card information by email and you should never send anything sensitive, yet people do it all the time.

            Simply put, email hasn’t been designed with security in mind from the start and should not be considered safe.

            2 users thanked author for this post.
            • #109361

              Startmail (www.startmail.com) looks pretty secure to me. Those who handle HIPAA-protected info should use something like Startmail for sending and receiving email. Or, they could type the sensitive info into a document, encrypting the document, and emailing it as an attachment, rather than putting the sensitive info into the body of the email.

              Group "L" (Linux Mint)
              with Windows 10 running in a remote session on my file server
              1 user thanked author for this post.
    • #108531

      Very interesting to see all the settings they tweaked in GP but still saw all the traffic going to MS

      I think the second “all” there is very misleading:

      A DNS query of packet communications shows limited communications for DNS purposes, and Microsoft Activation.
      (Page 19 of the PDF)

      • #108556

        From page 20 of the PDF:

        “This is a list of DNS Queries from the WireShark packet capture exercise (Local Area Network Domain references were removed):

        DNS.MSFTNCSI.COM
        WIN10.IPV6.MICROSOFT.COM
        CLIENT.WNS.WINDOWS.COM
        BN3SCH020020359.WNS.WINDOWS.COM
        FE2.UPDATE.MICROSOFT.COM
        FE2.UPDATE.MICROSOFT.COM
        GEOVER-PROD.DO.DSP.MP.MICROSOFT.COM
        GEO-PROD.DO.DSP.MP.MICROSOFT.COM
        KV401-PROD.DO.DSP.MP.MICROSOFT.COM
        CP401-PROD.DO.DSP.MP.MICROSOFT.COM
        DISC401-PROD.DO.DSP.MP.MICROSOFT.COM
        ARRAY406-PROD.DO.DSP.MP.MICROSOFT.COM
        ARRAY408-PROD.DO.DSP.MP.MICROSOFT.COM
        ARRAY403-PROD.DO.DSP.MP.MICROSOFT.COM
        ARRAY407-PROD.DO.DSP.MP.MICROSOFT.COM

        Varying results are possible with additional programs installed outside of the base-installation of Windows 10 Enterprise. Therefore, any additional programs, applications or utilities installed that alter data communications are outside the scope of this whitepaper and should be considered when new applications are introduced.”


        Within these test parameters, all of the online traffic noted (15 connections) was indeed going to Microsoft, so the second “all” is technically accurate, though it may imply more information leakage than what is actually being transmitted.
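        The useful takeaway from that list is not the fifteen names themselves but the check it implies: take every DNS query name a locked-down client emits and sort it into the endpoint families you expect (update, delivery optimization, push notifications, connectivity check, activation) so that anything else stands out. The script below is an added example for this thread, not code from the HIPAA One whitepaper or from Microsoft. The suffix-to-category table is this example's own assumption about which public Microsoft endpoint families those names belong to, and the sample input is constructed from the names quoted above plus one hypothetical non-Microsoft name to show what a flagged entry looks like.

```python
"""Classify DNS query names captured from a "quiet" Windows 10 client.

Added example; the category table is an assumption about well-known
Microsoft endpoint families, not something the whitepaper states.
"""
from collections import defaultdict

# Expected endpoint families for a locked-down Windows 10 Enterprise build.
# Matching is anchored on a label boundary, so "evil-microsoft.com" does
# NOT match "microsoft.com". Longest matching suffix wins.
EXPECTED_SUFFIXES = {
    "msftncsi.com": "NCSI connectivity check",
    "wns.windows.com": "Windows Push Notification Service",
    "update.microsoft.com": "Windows Update",
    "do.dsp.mp.microsoft.com": "Delivery Optimization",
    "microsoft.com": "other Microsoft-owned (review manually)",
}


def classify(qname):
    """Return the category for a query name, or None if it is not expected."""
    name = qname.strip().lower().rstrip(".")
    best = None
    for suffix, category in EXPECTED_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, category)
    return best[1] if best else None


def parse_query_log(text):
    """Extract unique, lower-cased query names from a one-name-per-line dump
    (the shape you get from `tshark -r cap.pcap -Y "dns.flags.response == 0"
    -T fields -e dns.qry.name`)."""
    seen = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[-1].lower().rstrip(".")
        if name not in seen:
            seen.append(name)
    return seen


def audit(text):
    """Group expected names by category; return (grouped, unexpected)."""
    report = defaultdict(list)
    unexpected = []
    for name in parse_query_log(text):
        category = classify(name)
        if category is None:
            unexpected.append(name)
        else:
            report[category].append(name)
    return dict(report), unexpected


# Constructed sample: names quoted from page 20 of the PDF (including the
# duplicate FE2 entry, which the parser de-duplicates) plus one hypothetical
# non-Microsoft name that should be flagged.
SAMPLE_QUERIES = """\
DNS.MSFTNCSI.COM
WIN10.IPV6.MICROSOFT.COM
CLIENT.WNS.WINDOWS.COM
BN3SCH020020359.WNS.WINDOWS.COM
FE2.UPDATE.MICROSOFT.COM
FE2.UPDATE.MICROSOFT.COM
GEOVER-PROD.DO.DSP.MP.MICROSOFT.COM
ARRAY406-PROD.DO.DSP.MP.MICROSOFT.COM
telemetry.example-vendor.net
"""

if __name__ == "__main__":
    grouped, flagged = audit(SAMPLE_QUERIES)
    for category, names in grouped.items():
        print(f"{category}: {', '.join(names)}")
    print("UNEXPECTED:", flagged)
```

        Run it against the query names from your own capture rather than the constructed sample, and repeat after each application install, which is exactly the caveat the whitepaper's last paragraph makes. Anything that lands in the "review manually" bucket or in the unexpected list is where the "zero-exhaust" claim needs a second look.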

      • #108569

        “Very” misleading? You’re splitting hairs. The obvious meaning of zero2dash’s post is that a lot of information is going from Windows 10 to Microsoft. Many times, in actual conversation, people use the word “all” to mean “a lot”. That’s how zero2dash’s statement comes across to me.

        In reading the PDF, it doesn’t sound like HIPAA One did a lot of digging deep in an IT sense. Rather, they were following the script that they were given by Microsoft. So it is to be expected that they won’t veer far from the propaganda that Microsoft puts out about their products.

        On the other hand, zero2dash (and lots of others here at AskWoody) are trying to dig deep into Windows 10 telemetry to see what info (and how much info) is being sent “home” to Microsoft, and in this case, what implications that would have with regard to being HIPAA compliant.

        Group "L" (Linux Mint)
        with Windows 10 running in a remote session on my file server
        1 user thanked author for this post.
        • #108573

          “A lot” would also be an exaggeration.

          They didn’t just follow a Microsoft script:

          With an explosive growth of cloud-usage and corresponding data communications, we at HIPAA One have done extensive research on how to configure Windows 10 Enterprise so that it can be “quiet” in terms of cloud-communications.

          Appendix A addresses recommended Active Directory Group Policy settings for a basis of HIPAA compliance as it relates to the Windows 10 Enterprise operating system and a “zero-exhaust”, or “zero-cloud” communications instances of the operating system “phoning home” to Microsoft with potential ePHI.

          The following configuration was tested and verified to provide minimal cloud-communications that would not compromise required functionality. (e.g. Allow Windows Registration data, etc.). It is provided as a suggested configuration to reduce data communications as initiated by the cloud-features of Windows 10 Enterprise.

    • #108549

      With millions of users daily affected by privacy and security breaches, I wonder what kind of catastrophe must unavoidably occur to bring not only the cloud, but possibly the Web to a screeching halt? The dependency of everything on and that of corporate interests–that are no longer able and motivated to provide goods and services when they can generate huge rents from just mining and exploiting data–are so absolute, that avoiding or recovering from such catastrophes will be as easy as returning a modicum of democracy to the US and the West.

      Technology  has indeed been not just disruptive, but destructive and it’s now become impossible to prevent or escape tyranny.

      1 user thanked author for this post.
      • #108568

        Sixty-four percent of IT professionals say the Cloud is more secure than legacy systems.
        4 Reasons Why the Cloud Is More Secure Than Legacy Systems

        • #108571

          If proper security practices are followed, then the cloud probably is very secure.

          Part of those practices include going with a cloud provider who follows proper security practices.

          My observation is that a lot of people go with whatever IT product is put in front of them, but they don’t know enough to know if it’s secure, or what that even means. Hopefully those handling HIPAA-protected information will do things in a secure way, but I’m not confident of that.

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
          1 user thanked author for this post.
        • #108621

          Sixty-four percent of IT professionals say the Cloud is more secure than legacy systems.

          Anytime you see the word “[the] cloud” replace it with “someone else’s computer” and then recheck the statement as to whether or not it still makes sense.

          Beyond that, “[the] cloud” has the same limitations as everything else. Just look at documentation for the “security focused” operating systems … the first thing they will tell you is that they are really secure, until you add anything else, and at that point it is anyone’s guess. A cloud provider may have top notch security, but once some business loads their poorly developed code, which originated from some outsourcing firm, that probably outsourced it to someone even cheaper, all that security goes straight out the window.

          Heck… in the confines of this article, the concern is all the data that is leaking to Microsoft via various settings. Given that a large focus of this site is discussing Microsoft’s mishandling of patches/seemingly untested code, can you really believe they are all that secure?

          1 user thanked author for this post.
          • #108625

            Anytime you see the word “[the] cloud” replace it with “someone else’s computer” and then recheck the statement as to whether or not it still makes sense.

            I did. It does.

    • #108574

      I’m not seeing the gist of the OP post here.  That PDF document is pretty clear about several things, and their wireshark trace almost matches our testing results on a fully locked down Win 10 ENT.

      They made one mistake, but that a) does not break HIPAA compliance and b) is easily fixed via GPO deployment:  they left location services running.

      The other communications we (and they) saw are:  DNS queries for Windows Update, Office 365 Updates (yes they are different), Heartbeat pings (this mainly lets your network icon and several services “know” if they are on a LAN and the Internet, or not) and Activation/License check-in services for Win 10 and Office 2016.

      “A common misconception in the industry is that using Windows 10 opens an organization to HIPAA violations.  The truth is Windows 10 can be easily configured to support HIPAA security and privacy requirements.”

      That statement on their preamble is slightly wrong too:  you cannot configure Home or Pro to be fully HIPAA compliant.  You can configure the Enterprise edition to be more than compliant, and in fact MS provides templates and tools via Technet for the ENT edition to easily lock down the client OS to exceed the standard.

      ~ Group "Weekend" ~

      2 users thanked author for this post.
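      The post above makes two concrete, checkable claims: the tested build left location services running (fixable by policy), and the telemetry level that matters is only honoured on Enterprise. Both are Group Policy settings that land in well-known registry keys, so they can be audited. The script below is an added example for this thread, not Microsoft's tooling, the HIPAA One baseline, or the poster's own procedure. The registry paths and the meaning of the values are Microsoft's documented policy keys; the verdict wording and the decision to treat "policy not configured" as a finding are this example's assumptions. The evaluation logic is kept separate from the live registry read so it can be exercised on any platform.

```python
"""Audit the two policy-backed settings this thread keeps returning to:
telemetry level (AllowTelemetry) and location services (DisableLocation),
interpreted against the installed edition.

Added example; the edition list and verdict wording are assumptions.
"""
import sys

TELEMETRY_LEVELS = {0: "Security", 1: "Basic", 2: "Enhanced", 3: "Full"}

# Editions on which AllowTelemetry=0 (Security) is actually honoured. On
# Pro/Home the OS treats 0 as Basic. EditionID strings as found under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ("EnterpriseS" is LTSB).
SECURITY_LEVEL_EDITIONS = {
    "Enterprise", "EnterpriseN", "EnterpriseS", "EnterpriseSN",
    "Education", "EducationN", "ServerStandard", "ServerDatacenter",
}


def effective_telemetry(edition_id, allow_telemetry):
    """Return the telemetry level the OS will actually apply, or None if the
    policy is not configured at all."""
    if allow_telemetry is None:
        return None
    level = max(0, min(3, int(allow_telemetry)))
    if level == 0 and edition_id not in SECURITY_LEVEL_EDITIONS:
        return 1  # Security is silently promoted to Basic on Pro/Home
    return level


def evaluate(edition_id, allow_telemetry, disable_location):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    level = effective_telemetry(edition_id, allow_telemetry)
    if level is None:
        findings.append("AllowTelemetry policy not configured; OS default applies")
    elif level > 0:
        findings.append(
            f"telemetry effective level is {TELEMETRY_LEVELS[level]} ({level}), not Security (0)"
        )
        if allow_telemetry == 0:
            findings.append(
                f"edition {edition_id} does not honour level 0; use Enterprise/Education"
            )
    if disable_location != 1:
        findings.append("location services not disabled by policy (DisableLocation != 1)")
    return findings


def read_live_settings():
    """Read the three values from the local machine. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live read requires Windows")
    import winreg

    def get(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value absent == policy not configured
            return None

    return (
        get(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "EditionID"),
        get(r"SOFTWARE\Policies\Microsoft\Windows\DataCollection", "AllowTelemetry"),
        get(r"SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors", "DisableLocation"),
    )


if __name__ == "__main__":
    if sys.platform == "win32":
        edition, telemetry, location = read_live_settings()
    else:
        # Constructed sample mirroring the whitepaper's scenario: Enterprise
        # at Security level, but location services left running.
        edition, telemetry, location = "Enterprise", 0, None
    for finding in evaluate(edition, telemetry, location) or ["no findings"]:
        print(finding)
```

      Note what the Pro case shows: setting AllowTelemetry to 0 on Professional produces two findings, because the value is accepted but not honoured. That is the practical content of "Pro does not offer the same controls", and it is invisible if you only look at the policy value rather than the edition it is applied to.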
      • #108576

        That statement on their preamble is slightly wrong too: you cannot configure Home or Pro to be fully HIPAA compliant.

        They addressed that on Page 13:

        There are other considerations, such as … the fact that other editions of Windows 10 such as Windows 10 Pro and Home do not offer the same controls (i.e. ability to control Telemetry).

        2 users thanked author for this post.
      • #108601

        That statement on their preamble is slightly wrong too: you cannot configure Home or Pro to be fully HIPAA compliant. You can configure the Enterprise edition to be more than compliant, and in fact MS provides templates and tools via Technet for the ENT edition to easily lock down the client OS to exceed the standard.

        Hopefully they’re buying Windows 10 Enterprise and getting it configured in a secure way. I’m not confident of that. I think a lot of people simply go to Walmart or Office Depot to buy their computers, and they don’t know enough to check if it’s Enterprise or something else, or to get it configured to be secure.

        Group "L" (Linux Mint)
        with Windows 10 running in a remote session on my file server
      • #108634

        Would you bet against employees doing work that should be HIPAA compliant at both work and at home which is not even when the employer system is ENT and properly configured?

        Would you bet that somebody, somewhere, somehow will not find a way around compliance?

        1 user thanked author for this post.
        • #108646

          Would you bet against employees doing work that should be HIPAA compliant at both work and at home which is not even when the employer system is ENT and properly configured? Would you bet that somebody, somewhere, somehow will not find a way around compliance?

          I cannot take that bet.  🙂

          Even with properly deployed back-end systems, all it takes is one employee on their own smartphone, connected to a secured Exchange server . . .  but what about their other “Apps” that insist on having more access than can be explained?  (But . . . but . . . I NEED that free coupon app!)

          . . . sigh . . .

          ~ Group "Weekend" ~

      • #108690

        It most certainly does break HIPAA compliance.

        • #108788

          It most certainly does break HIPAA compliance.

          Either I just wasted 10 minutes of googling, or you are misinformed about HIPAA requirements, or I am wrong and the answer is deeply buried.  I cannot find any reference that would suggest that OS provided geo-location services (as might be used by various apps on a PC or SmartPhone) would fail a HIPAA audit.

          Please provide a citation for this claim, as I would really like to know if your statement is valid.

          ~ Group "Weekend" ~

    • #108663

      Where are the GPOs that can be imported to be free of most communication like in the PDF? I removed a bunch of things from 10 but it’s still connecting to things.

    • #108783

      Note that HIPAA compliance is not the only issue with regards to the deep telemetry which is embedded in Windows 10, since MS has also pushed out several updates which embed telemetry and deep telemetry into Windows 7 and Windows 8x operating systems. The same issue with regards to telemetry also applies to law firms who don’t realize that there is telemetry invasion into their Windows 7 and/or 8x operating systems via Windows Update, let alone realize that with Windows 10, all flavors of Windows 10 except Windows 10 Enterprise will not allow them to prevent telemetry leaks of confidential data.

      I hate to think about the gamut of other corporations and businesses, in particular small to medium sized enterprises who may not have either a dedicated IT department or a particularly sharp IT department which does not realize the above.

      3 users thanked author for this post.
      • #108965

        I am waiting for a major data leak to be traced to MS’ data vacuuming. There are too many instances where a business or professional must protect client/customer information by law. Also, there are many more industry best practices that mandate proper handling. In both cases there can be financial penalties and with the legal requirements possibly jail time. I would hate to be fined or jailed for something caused by the (criminal) stupidity of MS.

    • #109027

      Just the fact that this thread is so long and full of if this and that indicates a big problem in my opinion. There should not be a need to have an IT specialist in this to be able to run your computer in HIPAA compliance mode. The problem is there are a lot of small professional offices like lawyers and small medical places that know nothing about computers except a bit about how to use them, and they might rely on a self-proclaimed expert to have their installation managed and they will have no clue how far they are from compliance. Just knowing that templates exist and you have to apply them is too much. There should be something very simple that is a HIPAA button with a password. You hit it, bam, done, Microsoft is responsible for ensuring all their non-compliant stuff is disabled.

      Then, everybody who would get training would know about this and they could focus on the other aspects that are far from trivial anyway.

      And limiting this to Enterprise is also a problem. Enterprise is not the solution for small offices with 2-3 lawyers and a shared assistant. It should not be. Why having to pay more to have less? Microsoft is killing the serious and professional small businesses market.

      2 users thanked author for this post.
      • #109063

        There should be something very simple that is a HIPAA button with a password.

        Here’s how you could achieve this:
        * If there is a company which provides a secure, remote login session, and they make sure that the login session is set up in a HIPAA-compliant way.

        Citrix offers software which provides for remote desktop sessions. We handled a lot of HIPAA-protected information at my last job, and that’s what my employer used for allowing people to connect remotely and work from offsite. In my opinion, this is one way to achieve a HIPAA-compliant working environment. But any alternate methods into and out of that environment, other than logging in via the ‘front door’, would introduce possible vulnerabilities into the environment. For example, email and web browsing. But in these cases, the user needs to take reasonable precautions so as not to violate HIPAA.

        Group "L" (Linux Mint)
        with Windows 10 running in a remote session on my file server
        1 user thanked author for this post.
    • #109028

      I have been on several interviews within the IT field, and on one occasion in this particular field of talk.

      When I had a chance to ask some questions, my first is always about “Their” policy on BYOD and IoT connection to the LAN.  The COO literally said we are lackadaisical about it as a concern.

      I’m convinced that we need a “Digital Opt Out” amendment to the “Bill of Rights”…. I can’t believe I just typed that; it reeks of naivety. However, where can you go and not be inundated with ridiculous requests for information from a system or person lacking true thoughtfulness and trustworthiness?

      We are bound by this system, and it has been engineered/marketed/sold with more regard to convenience than we ever deserved.  We’ve all been given this rope to hang ourselves with.

      Apologies if I offended a BOT!

      2 users thanked author for this post.
    • #109127

      There should be something very simple that is a HIPAA button with a password.

      Here’s how you could achieve this: * If there is a company which provides a secure, remote login session, and they make sure that the login session is set up in a HIPAA-compliant way. Citrix offers software which provides for remote desktop sessions. We handled a lot of HIPAA-protected information at my last job, and that’s what my employer used for allowing people to connect remotely and work from offsite. In my opinion, this is one way to achieve a HIPAA-compliant working environment. But any alternate methods into and out of that environment, other than logging in via the ‘front door’, would introduce possible vulnerabilities into the environment. For example, email and web browsing. But in these cases, the user needs to take reasonable precautions so as not to violate HIPAA.

      It doesn’t matter whether or not any such software (Citrix, WebEx, RealVNC) uses 128-bit or 256-bit or higher encryption. What DOES inherently matter is both the length and how strong a password is which one uses for initiating such encrypted connections, since the number of characters and the overall strength of the password is crucial when establishing such encrypted connections. If you use a short password, regardless of the implemented encryption standard, then you should consider yourself to be potentially breached. Most people think that, somehow, 256-bit or higher encryption is inherently more secure than 128-bit encryption. This is simply not true since the overall length and strength of the password which is used to establish either a 128-bit or 256-bit or higher encrypted connection is in fact the most crucial element! The same applies to Windows login and Administrator passwords!

      More than 15 characters! This is what you want, in terms of password length, and which must include at least one special character (other than letters and digits), for passwords. The Achilles heel of all encryption algorithms is the length and complexity of either the password or the public/private keys. Above, we are dealing with remote secure access which requires a password for remote access. A too short and/or weak password can potentially defeat the inherent security of the encryption method.

      2 users thanked author for this post.
      • #109182

        Password is not that useful too if your remote computer is compromised with a keylogger. Reading about security, I came to the conclusion that there is nothing that is quite secure unless you have two-factor authentication. Then, you would need two independent compromised devices to obtain access.

        When you establish a VPN session using IKE, a secure key exchange is performed and then the encrypted tunnel to be used with 128 bits or 256 bits will be established with long temporary keys that will be safe. Then, periodically, the tunnel will rekey in a secure manner if you activated perfect forward secrecy, and then it won’t matter if the previous keys were decrypted anyway. I might not be 100% accurate here, but from memory, it is something like this.

        1 user thanked author for this post.