Newsletter Archives

• HIPAA compliance using Win10 Enterprise

  Posted on April 14, 2017 at 06:40 CDT by woody • Comment in the Forums

  Here’s an excellent article about walking the thin line between modern technology and HIPAA (think: keeping private information private in the US — if that isn’t an oxymoron). From HIPAA One, Steven Marco, Arch Bear, and Markus Muller have put together an insightful analysis. From the introduction:

  In today’s computing environment, record-breaking data breaches (e.g. Premera Blue Cross with 11+ Million members breached in 2015) that include healthcare identity theft have increased by over 20% year-over-year between 2012 and 2014

  1. It is no surprise most of us feel we have lost control of our personal data

  2 . This is especially true in the healthcare industry in the form of data breaches and HIPAA Privacy violations.

  Simultaneously, massive populations of users are fully-embracing new mobile applications to store and share data across platforms. As a result, cloud computing has bridged the gap between consumer devices and sensitive data. Is there a price to pay for our love affair with cloud-based apps and mobile devices?

  As a cloud-based technology user, have you ever wondered about the safeguards protecting your personal and health information? Ever contemplated how modern operating systems like Google Android, Apple iOS and Microsoft Windows 10 access your data to provide cloud
  powered features?

  For example, Siri, the Dragon dictation cloud, Google Voice search and Docs all send voice recordings to the cloud and back while other built-in OS features share contacts between apps. How do these cloud-powered features impact these risks?

  If a medical facility utilizes voice-to-text technology (e.g. by saying “Hey Cortana”, “Siri” “OK Google”, or “Alexa”) to dictate notes about a patient, that information is automatically exchanged with the cloud. Without a business associate agreement, that medical facility could
  face a HIPAA violation. How do we combine the past 30 years of email-use, file and print sharing with today’s cloud-enabled apps securely?

  These questions and concerns are currently top-of-mind for IT and legal professionals responsible for managing electronic Protected Health Information (ePHI) while ensuring and maintaining HIPAA compliance. In light of the recent focus on HIPAA enforcement actions, hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Additionally, many of these healthcare organizations are under pressure to broadly embrace the benefits of cloud computing.

  Microsoft has invested heavily in security and privacy technologies to mitigate today’s threats.

  Lounger zero2dash, who posted the original link to this story, says:

  They configured the heck out of 10 AU Enterprise to not phone home, and it did it anyway. Very interesting to see all the settings they tweaked in GP but still saw all the traffic going to MS.

  Having to deal with PCI Compliance is bad enough for me; I’m glad I don’t have to try to keep our environment HIPAA compliant.

  Well worth reading (PDF).

   

  Windows News HIPAA, Privacy

• Does Windows snooping break data privacy laws?

  Posted on March 14, 2016 at 10:34 CDT by woody • Comment in the Forums

  I received a very well-considered question from DB:

  Mr. Leonhard,

  I just read your article about the forced Windows 10 update on InfoWorld. I also see that you have published other work on Windows 10. I have a question that I have been unable to get answered, even after asking Microsoft directly. I’m hoping you can assist me.

  I am a college instructor. As such, I am bound by college policy and federal law to maintain the privacy and security of my students’ personal and educational data. This includes obvious things like their home addresses and phone numbers, but it also includes their grades, communication about missed classes and even which classes they are currently taking.

  I use my personal computers to log into my college email, my learning management system (where grades are recorded) and to create my own files for assignments, projects, and general record keeping that is the constant side-task of any teacher. My college runs Windows 7 on campus currently. I have multiple laptops running multiple OSs but I am reluctant to upgrade to Windows 10 because I have not yet been assured that Microsoft will not collect data from my daily usage that could compromise my adherence to FERPA (the HIPAA laws for education).

  I’ve read plenty of articles that describe Microsoft’s data collection ranging from benign to outrageous, so I posted directly to their own forums asking if Windows 10 collects data that violates FERPA. I received a response, however the technician seemed to think I was asking about firewalls and malware. Even after restating my question, no response from Microsoft was forthcoming.

  I do have access to the enterprise version of Windows 10 and I know some things can be disabled, but then I read something about data still being sent, despite disabling anything and everything to do with this process. Can you help me figure out if I can actually safely and securely use Windows 10 when I am dealing with student data?

  Thank you for your time.

  My response:

  I’ve seen lots of evidence that Microsoft is snooping more in Win10 than it was in Win7 — and I’ve seen ancillary evidence that it’s snooping more in Win7 than it used to.

  But the people who report on the traffic between Windows and Microsoft’s servers suffer from one manifest flaw: They have no idea what’s being sent. Microsoft encrypts the data, and nobody’s been able to decode it.
  That’s good, mind you. Any harvested data flowing from your computer to the outside world should be encrypted.
  Even though the data’s going out, I’ve seen no evidence that it’s being misused. And I certainly haven’t seen any evidence that it’s being used in a way that would violate HIPAA (or FERPA).
  Can I guarantee that Microsoft’s methods don’t break the law? No. But it seems highly unlikely.
  Windows News FERPA, HIPAA, Privacy