Does Windows 10 Violate HIPAA, GLBA, and SOX?

Microsoft has made Windows 10 one of the most highly personalized and cloud-integrated operating systems ever, and this can introduce new security risks into using your computer.  It does this by keeping track of what you do, where you go on the Internet, and what you are typing.  This is how features such as Cortana get to know your preferences and begin to make suggestions.  Microsoft says this information is scrubbed of personally identifiable information (PII), but it has not been terribly forthcoming about exactly how that works.

If your company works in a regulated environment where compliance is an issue, such as HIPAA, SOX, GLBA, and even PCI-DSS, this is a major issue for your information security staff: data that leaves a managed system for a third-party cloud service has to be accounted for.  The issue around HIPAA was explored by Steve Hoffenberg last year in a LinkedIn post.

To complicate this issue, Windows 10 upgrades are beginning to happen spontaneously, without the user requesting the upgrade.  I’m not a happy camper when a third party makes decisions for me on systems that I own, so the first thing you should know is that you have 30 days to reverse the process and go back to Windows 7.  Go to Settings, Update & Security, Recovery, and choose the option to go back to Windows 7.  If you just want to prevent it from happening, there is a great article on ZDNet that explains how to block Windows 10 upgrades.

I am running Windows 10 on my computers, and I have not hardened them using the methods discussed in this article.  Maybe I should.  But changing the security settings will disable Cortana and other web-linked integration, and in my profession it is important to understand how these features work, so I have left most everything in the default state.

I am not going to provide step-by-step instructions in this article, but will refer you to other resources where this has already been ably accomplished.  Please refer to the links that follow.

If you just want to have this done quickly and easily, try O&O ShutUp10.  If you are a bit more of a hands-on computer user, check out the ZDNet guide for paranoids.  If you are supporting a large network where compliance is an issue and you would rather configure this through Group Policy, check out the three-part article on Windows Security.
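For readers who want to see what the Group Policy route actually touches, here is an added example (my own script, not from the article or from any of the guides it links to) that audits a handful of well-known Windows 10 privacy policies by reading the registry keys that Group Policy writes, and applies them only when run with -Apply. The policy list is an illustrative subset and is an assumption on my part; confirm each name against the ADMX reference for your build before relying on it, and on a domain-joined machine set the same policies centrally, since a domain GPO will overwrite local registry edits at the next refresh.

```powershell
# Added example, not code from the original article. Run from an elevated PowerShell
# prompt. Without -Apply it only reports drift; with -Apply it sets the values and
# honours -WhatIf / -Confirm. The registry locations are where the corresponding
# Group Policy settings land, so this is also a quick way to verify what a GPO applied.
#
# Assumption: the policies below are a small illustrative subset. Names and locations
# have moved between Windows 10 releases, so verify each one against the current ADMX
# reference for your build.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports
)

$Policies = @(
    @{  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
        Name = 'AllowTelemetry'; Desired = 0
        Note = 'Telemetry level; 0 = Security on Enterprise/Education, Pro treats 0 as Basic' },
    @{  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
        Name = 'AllowCortana'; Desired = 0
        Note = 'Disables Cortana' },
    @{  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
        Name = 'AllowSearchToUseLocation'; Desired = 0
        Note = 'Stops Search and Cortana from using location' },
    @{  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
        Name = 'DisableWebSearch'; Desired = 1
        Note = 'Keeps Start menu searches off the web' },
    @{  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
        Name = 'DisabledByGroupPolicy'; Desired = 1
        Note = 'Turns off the advertising ID' }
)

# Read one policy value and compare it with the desired value.
function Get-PolicyState {
    param([hashtable]$Policy)
    $current = $null
    if (Test-Path $Policy.Path) {
        $item = Get-ItemProperty -Path $Policy.Path -Name $Policy.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($Policy.Name) }
    }
    [pscustomobject]@{
        Path      = $Policy.Path
        Name      = $Policy.Name
        Current   = if ($null -eq $current) { '(not set)' } else { $current }
        Desired   = $Policy.Desired
        Compliant = ($current -eq $Policy.Desired)
        Note      = $Policy.Note
    }
}

# Audit pass: always runs, so you can see the state before and after a change.
$report = foreach ($p in $Policies) { Get-PolicyState -Policy $p }
$report | Format-Table Name, Current, Desired, Compliant, Note -AutoSize

if ($Apply) {
    foreach ($p in $Policies) {
        if ((Get-PolicyState -Policy $p).Compliant) { continue }
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "Set to $($p.Desired)")) {
            if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Desired `
                -PropertyType DWord -Force | Out-Null
        }
    }
    Write-Host 'Policies written. Sign out or restart for Search and Cortana changes to take effect.'
}
```

Save it as, say, Audit-Win10Privacy.ps1, run it once with no switches to get a baseline, then run it with -Apply -WhatIf to preview the writes before committing to them. The audit-first design matters because a setting that reports as "(not set)" on a newer build may simply have been renamed rather than left at its default.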

Some of this information is older, and Microsoft has already disabled some of the least secure features via Windows Update, most recently the highly questionable Wi-Fi password-sharing feature called Wi-Fi Sense.  So some of the controls mentioned in the articles may have been moved, renamed, or eliminated; check the current state of each setting before and after you change it rather than assuming the guide still matches your build.  Best of luck to you if you embark on the security path.  Please let me know how it works out for you, and I will post your comments.

More information:



About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
