Whitepaper: HIPAA Compliance with Microsoft Windows 10

This whitepaper, co-authored by Microsoft and HIPAA One, provides guidance on how to leverage Microsoft Windows 10 Enterprise as a HIPAA-compliant baseline operating system for functionality and security. As part of its ongoing commitment to user security, Microsoft enlisted HIPAA One to assist in configuring Microsoft Windows 10 to support HIPAA security and privacy requirements and to debunk the common misconception that using Windows 10 opens an organization to HIPAA violations.

Executive Summary

In today’s computing environment, record-breaking data breaches (918 identified breach incidents involving 1.9 billion records in the first half of 2017 alone), including healthcare identity theft, are occurring every day. With the Total Average Cost (TAC) of a data breach in the U.S. currently sitting at $7.35 million, and each sensitive or confidential record lost or stolen having a TAC of $2,252, the burden placed on healthcare providers to secure electronic health records is enormous. It is no surprise that most of us feel we have lost control of our personal data. This is especially true in the healthcare industry, where it takes the form of data breaches and HIPAA Privacy violations. Simultaneously, massive populations of users are fully embracing new mobile applications to store and share data across platforms. As a result, cloud computing has bridged the gap between consumer devices and sensitive data. Is there a price to pay for our love affair with cloud-based apps and mobile devices?

As a cloud-based technology user, have you ever wondered about the safeguards protecting your personal and health information? Have you ever contemplated how modern operating systems like Google Android, Apple iOS and Microsoft Windows 10 access your data to provide cloud-powered features? For example, Siri, the Dragon dictation cloud, Google Voice search and Google Docs all send voice recordings to the cloud and back, while other built-in OS features share contacts between apps. These separate applications, when brought together on the same device, may also expose or “move” data in unintended ways. How do cloud-powered features impact these risks?

These questions and concerns are currently top-of-mind for IT and legal professionals responsible for managing electronic Protected Health Information while ensuring and maintaining HIPAA compliance. In light of the recent focus on HIPAA enforcement actions, hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Additionally, many of these healthcare organizations are under pressure to broadly embrace the benefits of cloud computing.

In pursuit of compliance with global mandates such as the approaching European General Data Protection Regulation and domestic HIPAA mandates, Microsoft has invested heavily in security and privacy technologies to mitigate today’s threats and has made strides in ensuring that personally identifiable information is not included in the Basic level of diagnostic data. In April 2017, Microsoft released the Creators Update (version 1703) for Windows 10. This update provided granular details on the amended Basic-level Windows diagnostic events and fields and, most importantly, furthered Microsoft’s commitment to decreasing the exposure of ePHI. The following whitepaper consists of three sections and appendices containing relevant guidance and illustrations intended to demonstrate how Microsoft Windows 10 Enterprise, as a baseline operating system, may enable and support HIPAA compliance, privacy, and security.