Does Windows 10 Violate HIPAA, GLBA, and SOX?

Microsoft has made Windows 10 one of the most highly personalized and cloud-integrated operating systems ever, and this may introduce new security risks into using your computer.  They do this by keeping track of what you do, where you go on the Internet, and what you are typing.  This is how features such as Cortana get to know your preferences and begin to make suggestions.  Microsoft says this information is scrubbed of personally identifying information (PII), but they have not been terribly forthcoming about how exactly that works.

If your company works in a regulated environment where compliance is an issue, such as HIPAA, SOX, GLBA, and even PCI-DSS, this is a major issue for your Information Security staff.  The issue around HIPAA was explored by Steve Hoffenberg last year in a LinkedIn post.

To complicate this issue, Windows 10 upgrades are beginning to happen spontaneously, without the user requesting the upgrade.  I’m not a happy camper when a third party makes decisions for me on systems that I own, so the first thing you should know is that you have 30 days to reverse the process and go back to Windows 7.  Go to Settings, Update and Security, and choose the option to return to Windows 7.  If you just want to prevent it from happening in the first place, there is a great article on ZDNet that explains how to block Windows 10 upgrades.

I am running Windows 10 on my computers, and I have not hardened them using the methods discussed in this article.  Maybe I should.  But changing the security settings will disable Cortana and other web-linked integration, and in my profession it is important to understand how these features work, so I have left most everything in the default state.

I am not going to provide step by step instructions in this article, but refer you to other resources where this has been ably accomplished already.  Please refer to the links that follow.

If you just want to have this done quickly and easily, try O&O ShutUp10.  If you are a bit more of a hands-on sort of computer user, check out the ZDNet guide for paranoids.  If you are supporting a large network where compliance is an issue, and you would rather configure this through Group Policy, check out the three part article on Windows Security.

Some of this information is older, and Microsoft has already disabled some of the least secure features via the Windows Update process, most recently the highly questionable Wi-Fi password sharing feature called Wi-Fi Sense.  So some of the controls mentioned in the articles may have been moved, renamed, or eliminated.  Best of luck to you if you embark on the security path.  Please let me know how it works out for you, and I will post your comments.

More information:



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
