Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • HIPAA compliance using Win10 Enterprise

    Posted on April 14th, 2017 at 06:40 by woody

    Here’s an excellent article about walking the thin line between modern technology and HIPAA (think: keeping private information private in the US — if that isn’t an oxymoron). From HIPAA One, Steven Marco, Arch Bear, and Markus Muller have put together an insightful analysis. From the introduction:

    In today’s computing environment, record-breaking data breaches (e.g. Premera Blue Cross with 11+ Million members breached in 2015) that include healthcare identity theft have increased by over 20% year-over-year between 2012 and 2014¹. It is no surprise most of us feel we have lost control of our personal data². This is especially true in the healthcare industry in the form of data breaches and HIPAA Privacy violations.

    Simultaneously, massive populations of users are fully-embracing new mobile applications to store and share data across platforms. As a result, cloud computing has bridged the gap between consumer devices and sensitive data. Is there a price to pay for our love affair with cloud-based apps and mobile devices?

    As a cloud-based technology user, have you ever wondered about the safeguards protecting your personal and health information? Ever contemplated how modern operating systems like Google Android, Apple iOS and Microsoft Windows 10 access your data to provide cloud-powered features?

    For example, Siri, the Dragon dictation cloud, Google Voice search and Docs all send voice recordings to the cloud and back while other built-in OS features share contacts between apps. How do these cloud-powered features impact these risks?

    If a medical facility utilizes voice-to-text technology (e.g. by saying “Hey Cortana”, “Siri”, “OK Google”, or “Alexa”) to dictate notes about a patient, that information is automatically exchanged with the cloud. Without a business associate agreement, that medical facility could face a HIPAA violation. How do we combine the past 30 years of email-use, file and print sharing with today’s cloud-enabled apps securely?

    These questions and concerns are currently top-of-mind for IT and legal professionals responsible for managing electronic Protected Health Information (ePHI) while ensuring and maintaining HIPAA compliance. In light of the recent focus on HIPAA enforcement actions, hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Additionally, many of these healthcare organizations are under pressure to broadly embrace the benefits of cloud computing.

    Microsoft has invested heavily in security and privacy technologies to mitigate today’s threats.

    Lounger zero2dash, who posted the original link to this story, says:

    They configured the heck out of 10 AU Enterprise to not phone home, and it did it anyway. Very interesting to see all the settings they tweaked in GP but still saw all the traffic going to MS.

    Having to deal with PCI Compliance is bad enough for me; I’m glad I don’t have to try to keep our environment HIPAA compliant.

    Well worth reading (PDF).

     

  • Microsoft’s newfound telemetry transparency with 1,966 basic data points

    Posted on April 5th, 2017 at 15:47 by woody

    Even on the “Basic” setting, Win10 Creators Update still sends 1,966 individual pieces of data to the Microsoft mother ship.

    At least, now we have some documentation.

    InfoWorld Woody on Windows

  • Microsoft coming (a little bit) clean on its telemetry settings for Win10 Creators Update

    Posted on April 5th, 2017 at 09:12 by woody

    I’ll have more as I get a chance to step through the details, but the post this morning from Brian Lich is a decided step in the right direction.

    Version 1703 diagnostic data

    Version 1703 basic level Windows diagnostic events and fields

    Version 1703 installation privacy settings

    That latter article duplicates some info that we’ve known for quite a while. See the info I posted earlier in 5 Fatal flaws that dog the new Windows 10.

    Thx to Peter Bright at Ars Technica.

  • Mozilla-sponsored “Privacy Paradox: Note to self”

    Posted on February 16th, 2017 at 17:00 by woody

    Privacy remains a thorny problem with no clear solution. I, personally, like to have Gmail scan my mail to snag flights. I don’t mind Cortana. My phone tracks everywhere I go. And I constantly use OK Google. So I’m not a poster child for computer privacy. Still, I understand folks who don’t want all of their data fed into a future General Dynamics overlord. Don’t laugh too hard.

    A friend just forwarded an email to me from Mozilla (the Firefox people), suggesting that I take a look at a series of five talks put on by WNYC, the big public radio station for New York City.

    They have a great hook:

    In today’s world, privacy is less about being alone and more about protecting our identities and information. But if we’re all so concerned about protecting our personal data, why do we regularly give it away to apps, marketers, social media and websites?

    That’s the privacy paradox. And it’s time to tackle it.

    If you’re interested in pursuing the subject, you might want to venture to the Privacy Paradox site. It’s very well put together – and you might change your mind about privacy.

    Or maybe not.

  • Reality check: How Windows 10’s proposed new privacy controls work in the real world

    Posted on January 16th, 2017 at 06:59 by woody

    You’ve read about the new Windows 10 Creators Update privacy push – a new setup routine, new questions, new online privacy dashboard. The proposal is so persuasive the government of Switzerland has called off its threatened privacy lawsuit, and even EFF has backed off its original scathing indictment of Windows 10’s assaults on privacy.

    Here’s what you need to know about what’s happening – and what isn’t happening – behind the scenes.

    InfoWorld Woody on Windows

    By the way, there’s a link to a cached Google page in the article that’s been changed. You can see a text version of the original Microsoft post here: http://webcache.googleusercontent.com/search?q=cache:YrpOjHVkC20J:https://support.microsoft.com/en-us/instantanswers/948e1d63-b92d-4d89-a6c3-66d7b7921d15/view-or-delete-browsing-history-in-microsoft-edge&num=1&hl=en&gl=us&strip=1&vwsrc=0

    The cached copy shows that on January 12, there was no mention of browser history stored on the web. Compare the new version of the View and delete browser history in Microsoft Edge post with this old (Jan. 12) version:

    View or delete browsing history in Microsoft Edge

    Windows 10 – Windows 10 Mobile

    > Your browsing history includes sites you’ve visited, passwords, info you’ve entered into forms, and cookies. Microsoft Edge remembers this info and stores it on your PC as you browse the web.

    > To view your browsing history, select the Hub icon, and then History. To delete it, select Clear all history, choose what you want to remove, and then select Clear.

    What gets deleted when you delete your browsing history

  • What to expect from Microsoft’s latest Windows 10 privacy promises

    Posted on January 12th, 2017 at 16:29 by woody

    See https://www.askwoody.com/2017/reality-check-how-windows-10s-proposed-new-privacy-controls-work-in-the-real-world/

  • At the mercy of AI: Your job, your health, your money

    Posted on October 20th, 2016 at 07:48 by woody

    If you’re concerned about personal privacy – and you should be – this article will take you back a step and look at a bigger picture.

    The focus on loss of privacy from Watson, Cortana, Google, Facebook, DeepMind, and Siri risks us missing an even greater threat

    Scary. I really do think the proposed kind of data oversight and regulation will be one of the big battlefields of the coming decade. The credit reporting agencies got a free ride for far too long (don’t get me started). We need to put the same type of assurances in place for all data collection, if it’s used to categorize/vet/pigeon-hole people.

    InfoWorld Galen Gruman’s Smart User

  • Are we fighting a losing battle for privacy?

    Posted on June 20th, 2016 at 09:46 by woody

    Helluva good question from Brian, in a comment on the Avast post:

    In your professional opinion – are we, the public of the world, fighting a losing battle against Microsoft in trying to keep our Windows 7/8.1 and our private lives intact?

    Here’s my response:

    In short, we’re losing the battle to keep our private lives private. It isn’t just Windows. It’s ab-so-lute-ly everything. When you think of the privacy implications of, e.g., face recognition on public-facing cameras, the mind boggles.

    People need to figure out their tolerance for snooping. Many of the capabilities people want – say, maps with directions on their phones, or Alexa responding to factual questions, or Google sorting out photos – are only possible if they give up some privacy.

    I think one of the great political debates of the coming decade will be about data gathering and retention. Right now, we have some (ineffective) safeguards in place for the credit reporting industry. There are more-effective but still holey safeguards with medical data and credit card info. Some day, people are going to demand details about what data is being gathered about them – they’ll want full reporting, and the ability to delete (or at least challenge) data they don’t like.

    Or maybe people don’t care. Maybe the benefits being provided (and there ARE benefits) outweigh the loss of privacy. I don’t claim to have a one-size-fits-all answer to the problem.

    As for privacy in Win7/8.1… clearly, Microsoft is trying to retrofit more data gathering into Win7 and 8.1. If you install all of the updates to Win7 or 8.1, they’re going to get more telemetry – more snooping. All of the telemetry between your machine and Microsoft’s big data dump in the sky is encrypted, just as you would want it to be. But that means nobody (outside of a very small handful of people inside Microsoft) knows what’s being collected.

    Some of the new telemetry, we’re told, is tied to the Customer Experience Improvement program (CEIP) settings on a computer. Again, we have no way of knowing exactly what gets sent with a CEIP-on computer, vs a CEIP-off computer. We’ve never known what gets sent with CEIP on, which is why I’ve recommended that people turn CEIP off, and I’ve been recommending that since the early days of XP.

    Bottom line: Microsoft has published lots of info about how they treat data, how they protect it, how they won’t let it go. You can opt in to certain snooping ways in Win7, 8.1 and 10, or you can opt out. But there’s no hard information about what’s being collected, how it’s being handled, and there are few promises about what will be done with it one, five, ten years down the road.

    As for keeping Win7/8.1 on your machine – I haven’t seen any indication that Microsoft is changing the rules of engagement. If you’re using GWX Control Panel, or Never10 – or you’ve flipped the Registry bits manually — I think there’s a very good chance you’ll never get Win10 forced on you. Microsoft’s running out of sticks. Perhaps they’ll finally revert to a primarily-carrot approach.

    Almost certainly, Google has more information about you than Microsoft. Almost certainly, every other software manufacturer is trying hard to get more info about you and guide you to more targeted advertising. Apple has just announced a unique approach, but the techniques behind “Differential Privacy” are hotly debated.

    It’s a jungle out there. But then, it always has been.