HIPAA-Compliance-with-Microsoft-Windows-10-Enterprise


HIPAA One
In today's computing environment, record-breaking data breaches (e.g. Premera Blue Cross with 11+ million members breached in 2015) that include healthcare identity theft have

1 ... Study on Medical Identity Theft and "2013 Survey on Medical Identity Theft", September 2013.
2 Time Magazine, "9 in 10 Americans Feel They've Lost Control of Their Personal Data", November 12, 2014.
CIOs, IT Directors and IT Managers are often deputized as their organization's Health Insurance Portability and Accountability Act (HIPAA) Security Officer. In addition to being responsible for HIPAA security and compliance, these individuals may also be tasked with overseeing a company-wide upgrade to Windows 10. Organizations in every industry, including the Pentagon and Department of Defense, are upgrading to Windows 10 to improve their security posture.
HIPAA title structure (figure):
Health Insurance Portability and Accountability Act
  Title I: Insurance Portability
  Fraud & Abuse & Medical Liability Reform
  Administrative Simplifications
    Privacy
    Security
    EDI (Electronic Data Interchange)
      Transactions
      Code Sets
  Title III: Tax Related Health Provisions
  Title IV: Group Health Plan Requirements
  Title IV: Revenue Offsets
HITECH Act Subtitle D, Section 13401.
HITECH Act Subtitle D, Section 13408.
Under ARRA and HIPAA's Omnibus rule, virtually all organizations that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose ePHI must also comply with rigorous breach notification rules when PHI is compromised. For example, if the number of patients affected by a data privacy breach is more than 500 in a given state or jurisdiction, the media must be notified.
The HIPAA standard for audit controls states, "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
To comply, organizations must have systems and processes that collect, store, alert, and report on non-compliant ePHI access, use, or disclosure (i.e., breach), thus creating the required audit trail and limiting PHI disclosures to the minimum necessary.
ePHI is individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to any of the following:
The past, present or future physical or mental health or condition of an individual
Provision of healthcare to an individual
Payment for the provision of healthcare to an individual
If the information identifies or provides a reasonable basis to identify an individual, it is considered individually identifiable health information. Elements that make health information individually identifiable include, but are not limited to, the following 18 Identifiers:
(A) Names
(B) All geographic subdivisions smaller than a State ... precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
(D) Telephone numbers
(E) Fax numbers
(F) Electronic mail addresses
(G) Social security numbers
(H) Medical record numbers
(I) ... beneficiary numbers
(J) Account numbers
(K) Certificate/license numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(M) Device identifiers and serial numbers


HITECH Act Subtitle D, Section 13402.
45 CFR § 164.312(b).
45 CFR § 164.514(d).
(N) Web Universal Resource Locators (URLs)
The HIPAA Security Rule imposes standards in five categories: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and documentation requirements (policies, procedures, etc.).
If a standard applies to ePHI, compliance is not optional. Strict adherence to specially-marked implementation specifications, however, can be considered optional if, after an assessment is performed, they are determined to be not reasonable and appropriate, the rationale to forgo the specification is documented, and evidence can be produced that a good faith effort was made to identify and implement an equivalent alternative measure. Therefore, implementation specifications are categorized as either required or addressable.
Required: If an implementation specification is marked as required, it must be implemented by every covered entity.
Addressable: If an implementation specification is marked as addressable, it may be used to determine if it is reasonable and appropriate. If deemed reasonable and appropriate to
45 C.F.R. § 164.514(b).
See page 5583 of the Federal Register, January 25, 2013. Reference "TABLE 2—CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE".
protect/prevent exposure of these 18 elements of specific data CONTENT, any element of which might possibly be transferred from the desktop electronically and may be exposed via email or file transfer. Any/all other content outside of these 18 elements is not identified as Protected Health Information, so it is not subject to this HIPAA whitepaper. Other rules and regulations exist in order to also protect additional sensitive data ...

Microsoft's privacy statement (https://www.microsoft.com/en-us/privacystatement/default.aspx), as part of the Microsoft License terms July 2015, contains language on how Personal Data is collected, used and shared. Specifically, this provision states:
"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services."
As with any convenient feature, there is always an impact on security, as security and functionality are often inversely related. Thankfully, Windows 10 Enterprise has been overhauled
With the proliferation of information security threats ...


Windows Hello requires specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors.
Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use soft... TPM 2.0 not present)
Threat Resistance:
  SmartScreen
  Windows Firewall
  Device Guard
Information Protection:
  BitLocker and BitLocker to Go
  Windows Information Protection
Breach detection, investigation and response:
  Conditional Access
All these capabilities are designed to provide additional controls for protecting, detecting and reducing the likelihood of data breaches.
By default, Windows collects telemetry that Microsoft uses to improve and further develop the product. Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
To keep Windows up to date
To keep Windows secure, reliable, and performant
To improve Windows through the aggregate analysis of the use of Windows
To personalize Windows engagement surfaces
In the Anniversary Update (Windows 10, Build 1607), telemetry data is categorized into four levels:
Security: Information that's required to help keep Windows secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. Note: This level is only available in Windows 10 Enterprise Edition.
Basic: Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
Enhanced: Additional insights, including: how Windows and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
Full: All data necessary to identify and help to fix problems, plus data from the Basic, Security, and Enhanced levels.


Requires TPM 1.2 or greater for TPM based key protection.
Requires either Mobile Device Management (MDM) or SCCM to manage settings. Active Directory makes management easier, but is n...
The levels are cumulative and are illustrated in the following diagram:
You can configure the Windows 10 system telemetry level using the management tools you're already using. Details on this can be found here: https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization
Connected Features
There are also new end user-driven features that by default communicate data and must be understood and accounted for by IT. These features include:
Cortana: Microsoft's answer to Siri, Google Talk and Alexa. Cortana learns how each person speaks and writes by taking samples. In addition, names, nicknames, recent calendar events and contacts are maintained ...
... Those familiar with the Windows dialog box offering to send diagnostic information to Microsoft after a program crashes, for product improvement ...
Microsoft has provided tools to disable these built-in apps' connectivity back to Microsoft as part of its zero-exhaust initiative, meaning that no inadvertent data may be communicated to the ... created in the same way as the Windows security baselines that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the ...
Microsoft Security Baselines: https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/
Manage connections from Windows operating system components to Microsoft services: https://technet.microsoft.com/en-us/library/mt577208(v=vs.85).aspx#BKMK_Cortana
The following section will lay out the HIPAA Security regulations as selected by the Office for Civil Rights (OCR) HIPAA Audit Protocol and break down exactly where Windows 10 Enterprise can
With an explosive growth of cloud usage and corresponding data communications, we at HIPAA One have done extensive research on how to configure Windows 10 Enterprise so that it ... statements, and the fact that other editions of Windows 10 such as Windows 10 Pro and Home do not offer the same controls (i.e. the ability to control Telemetry). When installing any operating system in a computing environment that stores ePHI (or accesses sensitive information), it is critical to research and access resources to ensure that disclosures, even inadvertent outbound communications, do not happen. Failure to apply some recommended and documented hardening strategies for Windows 10 Enterprise in a health care environment may expose organizations to potential HIPAA violations and the potential penalties mentioned in Part 1 above.
The following compliance table lists where an entity may be compliant with respect to HIPAA when using the Windows 10 Enterprise operating system residing on dedicated hardware. It clearly shows that Microsoft Windows 10 Enterprise can be configured to ensure ePHI is not leaked through outside or cloud communications.
Appendix A addresses recommended Active Directory Group Policy settings as a basis for HIPAA compliance as it relates to the Windows 10 Enterprise operating system and a zero-exhaust, or zero-cloud-communications, instance of the operating system, with no phoning home to Microsoft with potential ePHI.
Safeguard | Citation | Standard | Requirement | Windows 10 Enterprise (rolled-up with Anniversary Update July 2016) | Notes
administrative | 164.308(a)(1)(i) | Security Management Process | P&P to manage security violations | - | This is performed outside of the Operating System.
administrative | 164.308(a)(1)(ii)(A) | Risk Analysis | Conduct vulnerability assessment | | Applying knowledge from this whitepaper helps achieve this requirement regarding ePHI communications outside of Treatment, Payment or Operations (TPO).
administrative | 164.308(a)(1)(ii)(B) | Risk Management | Implement security measures to reduce risk of security breaches | YES | Implementing Windows 10 Enterprise with recommended hardening.
administrative | 164.308(a)(1)(ii)(C) | Sanction Policy | Worker sanction for P&P violations | - | This is performed outside of the Operating System.
administrative | 164.308(a)(1)(ii)(D) | Information System Activity Review | Procedures to review system activity | - | This is performed outside of the Operating System.
administrative | 164.308(a)(2) | Assigned Security Responsibility | Identify security official responsible for P&P | - | This is performed outside of the Operating System.
administrative | 164.308(a)(3)(i) | Workforce Security | Implement P&P to ensure appropriate ePHI access | - | This is performed outside of the Operating System.
administrative | 164.308(a)(3)(ii)(A) | Authorization Supervision | Authorization/supervision for ePHI access | - | This is performed outside of the Operating System.
administrative | 164.308(a)(3)(ii)(B) | Workforce Clearance | Procedures to ensure appropriate ePHI access | - | This is performed outside of the Operating System.
administrative | 164.308(a)(3)(ii)(C) | Termination Procedures | Procedures to terminate ePHI access | - | This is performed outside of the Operating System.
administrative | 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | P&P to separate ePHI from other operations | - | This is performed outside of the Operating System.
administrative | 164.308(a)(4)(ii)(B) | Access Authorization | P&P to authorize access to ePHI | - | This is performed outside of the Operating System.
administrative | 164.312(a)(1), 164.308(a)(4)(ii)(C), 164.308(a)(4)(i) | Access Establishment and Modification | P&P to grant access to ePHI | - | This is performed outside of the Operating System.
administrative | 164.308(a)(5)(i) | Security Awareness Training | Training program for workers and managers | YES | Exercising diligence using Windows 10 Enterprise can ...
administrative | 164.308(a)(5)(ii)(A) | Security Reminders | Distribute periodic security updates | YES | Applying knowledge from this whitepaper helps achieve this requirement, along with security reminders, regarding training IT staff on secured OS configurations for HIPAA.
administrative | 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Procedures to guard against malicious software | YES | Turn on Windows 10 Security with Windows Defender and Microsoft Edge browser usage.
administrative | 164.308(a)(5)(ii)(C) | Log-in Monitoring (IT Manager) | Procedures and monitoring of log-in attempts | - | Performed at the server-level.
administrative | 164.308(a)(5)(ii)(D) | Password Management | Procedures for password management | YES | Password policies using Administrative Templates.
administrative | 164.308(a)(6)(i) | Security Incident Procedures | P&P to manage security incidents | - | This is performed outside of the Operating System.
administrative | 164.308(a)(6)(ii) | Response and Reporting | Mitigate and document security incidents | - | This is performed outside of the Operating System.
administrative | 164.308(a)(7)(i) | Contingency Plan | Emergency response P&P | - | This is performed outside of the Operating System.
administrative | 164.308(a)(7)(ii)(A) | Data Backup Plan | Data backup planning & procedures | - | This is performed outside of the Operating System.
administrative | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Data recovery planning & procedures | - | This is performed outside of the Operating System.
administrative | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Business continuity procedures | - | This is performed outside of the Operating System.
administrative | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Contingency planning periodic testing procedures | - | This is performed outside of the Operating System.
administrative | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Prioritize data and system criticality for contingency planning | YES | Identify Windows 10 Enterprise systems as access-devices which contain ePHI in a health care environment.
administrative | 164.308(a)(8) | Evaluation | Periodic security evaluation | YES | Review Windows 10 Enterprise ...
administrative | 164.308(b)(4) | Written Contract | Implement compliant BAAs | | Microsoft does sign BAAs for Windows 10 Enterprise users only if bundled with Office365.
administrative | 164.308(b)(1), 164.308(b)(3) | Written Contract | Obtain satisfactory assurances | | Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.
physical | 164.310(a)(1) | Facility Access Controls | Physical safeguards for authorized server access | - | This is performed outside of the Operating System.
physical | 164.310(a)(2)(i) | Contingency Operations | Procedures to support emergency operations and recovery | - | This is performed outside of the Operating System.
physical | 164.310(a)(2)(ii) | Facility Security Plan | P&P to safeguard equipment and facilities | - | This is performed outside of the Operating System.
physical | 164.310(a)(2)(iii) | Access Control Validation Procedures | Facility access procedures for personnel | - | This is performed outside of the Operating System.
physical | 164.310(a)(2)(iv) | Maintenance Records | P&P to document security-related repairs and modifications | - | This is performed outside of the Operating System.
physical | 164.310(b) | Workstation Use | P&P to specify workstation environment & use | - | This is performed outside of the Operating System.
physical | 164.310(c) | Workstation Security | Physical safeguards for workstation access | - | This is performed outside of the Operating System.
physical | 164.310(d)(2)(i) | Disposal | P&P to manage media and equipment disposal | YES | Using Device Encryption, BitLocker and BitLocker to Go may assist in this requirement rendering the ePHI unusable.
physical | 164.310(d)(2)(ii) | Media Re-use | P&P to remove ePHI from media and equipment | YES | Using Device Encryption, BitLocker and BitLocker to Go may assist in this requirement rendering the ePHI unusable.
physical | 164.310(d)(1), 164.310(d)(2)(iii) | Accountability | Document hardware and media movement | - | Using System Center Configuration Manager to manage inventory scans can ...
physical | 164.310(d)(2)(iv) | Data Backup and Storage | Backup ePHI before moving equipment | - | This is performed outside of the Operating System.
technical | 164.312(a)(2)(i) | Unique User Identification (EMR/ePHI/PII Administrator) | Assign unique IDs to support tracking | - | This is performed outside of the Operating System.
technical | 164.312(a)(2)(ii) | Emergency Access Procedure | Procedures to support emergency access | - | This is performed outside of the Operating System.
technical | 164.312(a)(2)(iii) | Automatic Logoff | Session termination mechanisms | YES | Idle Timer settings may be set to meet this requirement at the local machine-level.
technical | 164.312(a)(2)(iv) | Encryption and Decryption | Mechanism for encryption of stored ePHI | YES | Using Device Encryption, BitLocker and BitLocker to Go may assist in this requirement rendering the ePHI unusable.
technical | 164.312(b) | Audit Controls | Procedures and mechanisms for monitoring system activity | - | This is performed outside of the Operating System.
technical | 164.312(c)(1)-(2), 170.314(d)(1)(ii) | Mechanism to Authenticate Electronic Protected Health Information | Mechanisms to corroborate ePHI not altered | - | This is performed outside of the Operating System.
technical | 164.312(e)(1)-(2)(i), 170.314(d)(8) | Integrity Controls | Measures to ensure integrity of ePHI on transmission | - | This is performed outside of the Operating System.
technical | 164.312(e)(1)-(2)(ii) | Encryption | Mechanism for encryption of transmitted ePHI | - | This is performed outside of the Operating System.
organizational | 164.314(a)(2)(i)(A)-(C), 164.314(a)(2)(ii)-(iii) | Associate Contracts | BAAs must contain security language | YES | Microsoft does sign BAAs for Windows 10 Enterprise users only in conjunction with Office365.
organizational | 164.314(a)(1) | Business Associate Contracts or Other Arrangements | Approval process for contract template deviations | - | This is performed outside of the Operating System.
technical | 164.312(d) | Audit Controls | Audit Controls | - | This is performed outside of the Operating System.
technical | 164.312(b) | Audit Controls | Procedures and mechanisms to monitor system activity | - | This is performed outside of the Operating System.
organizational | 164.314(b)(1) | Requirements specifications | Plan Sponsor demarcation | - | This is performed outside of the Operating System.
organizational | 164.314(b)(1) | Requirements specifications | Plan Sponsor agreements must contain security language | - | This is performed outside of the Operating System.
organizational | 164.314(b)(1), 164.314(b)(2)(i)-(iv) | Requirements specifications | Plan Sponsor agreements must contain security language | - | This is performed outside of the Operating System.
organizational | 164.316(a),(b)(1) | Documentation | Document P&P and actions & activities | - | This is performed outside of the Operating System.
organizational | 164.316(b)(2)(ii) | Availability | Documentation available to system administrators | - | This is performed outside of the Operating System.
organizational | 164.316(b)(2)(iii) | Updates | Periodic review and updates to changing needs | - | This is performed outside of the Operating System.

Bare metal installation, local installation of Windows 10 Enterprise with Anniversary Update applied.
https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=52&Language=1
User Configuration\Administrative Templates\Windows Components\Location and ...
Turn off location - Enabled
Turn off sensors - Enabled
User Configuration\Administrative Templates\Windows Components\Windows Media Player
Computer Configuration\Administrative Templates\Windows Components\Windows Defender\MAPS
Join Microsoft MAPS - Disabled
Computer Configuration\Administrative ...
... communications for DNS purposes, and Microsoft Activation.
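The telemetry level from Part 2 and the Appendix A settings above are all registry-backed Administrative Template policies, so one script can check a machine for drift from them. The PowerShell below is an added example, not part of the whitepaper or of Microsoft's documentation; the registry key and value names it uses (DataCollection\AllowTelemetry, LocationAndSensors\DisableLocation and DisableSensors, Windows Defender\Spynet\SpynetReporting) are assumptions taken from the standard Windows 10 templates, and writing HKLM values requires an elevated session.

```powershell
# Added example, not from the HIPAA One whitepaper: audit (and with -Remediate,
# set) the registry values written by the Group Policy settings listed in
# Appendix A plus the Windows telemetry level. Value names are assumed from the
# standard Windows 10 administrative templates. On a domain-joined machine,
# deploy these through Group Policy instead of this script, because Group
# Policy refresh overwrites locally edited policy keys.
param([switch]$Remediate)

# AllowTelemetry: 0 = Security (honoured on Enterprise editions only; other
# editions fall back to Basic), 1 = Basic, 2 = Enhanced, 3 = Full.
$Expected = @(
    @{ Policy = 'Allow Telemetry = Security'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry'; Value = 0 },
    @{ Policy = 'Turn off location = Enabled (User Configuration)'
       Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
       Name = 'DisableLocation'; Value = 1 },
    @{ Policy = 'Turn off sensors = Enabled (User Configuration)'
       Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
       Name = 'DisableSensors'; Value = 1 },
    @{ Policy = 'Join Microsoft MAPS = Disabled'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
       Name = 'SpynetReporting'; Value = 0 }
)

function Test-PolicyValue {
    param([Parameter(Mandatory)][hashtable]$Setting)
    # An absent key or value means "Not Configured", which is non-compliant
    # for a policy that must be explicitly Enabled or Disabled.
    $actual = $null
    try {
        $item   = Get-ItemProperty -Path $Setting.Key -Name $Setting.Name -ErrorAction Stop
        $actual = $item.($Setting.Name)
    } catch { }
    $shown = if ($null -eq $actual) { 'Not Configured' } else { $actual }
    [pscustomobject]@{
        Policy    = $Setting.Policy
        Expected  = $Setting.Value
        Actual    = $shown
        Compliant = ($actual -eq $Setting.Value)
    }
}

function Set-PolicyValue {
    param([Parameter(Mandatory)][hashtable]$Setting)
    if (-not (Test-Path -Path $Setting.Key)) {
        New-Item -Path $Setting.Key -Force | Out-Null
    }
    Set-ItemProperty -Path $Setting.Key -Name $Setting.Name `
        -Value $Setting.Value -Type DWord
}

$report = foreach ($s in $Expected) {
    $result = Test-PolicyValue -Setting $s
    if ($Remediate -and -not $result.Compliant) {
        Set-PolicyValue -Setting $s
        $result = Test-PolicyValue -Setting $s   # re-read to confirm the write
    }
    $result
}

$report | Format-Table -AutoSize
# Non-zero exit lets SCCM or a build pipeline treat drift as a failure.
if ($report.Compliant -contains $false) { exit 1 }
```

Run it without switches as a read-only audit; the HKCU rows reflect the currently logged-on user, so run it in that user's context when checking the User Configuration policies.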
This is a list of DNS Queries from the WireShark packet capture exercise (Local Area Network Domain references were removed):
Varying results are possible with additional programs installed outside of the base installation of Windows 10 Enterprise. Therefore, any additional programs, applications or utilities installed that alter data communications are outside the scope of this whitepaper and should be considered when new applications are introduced.
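A practical way to act on that caveat is to repeat the capture exercise whenever an image changes and compare the query names against the reference capture. The PowerShell below is an added example, not part of the whitepaper; every domain name in it is a constructed placeholder, and the tshark command in its comment is one assumed way of producing the input.

```powershell
# Added example, not from the HIPAA One whitepaper: compare the DNS query names
# captured from a hardened Windows 10 Enterprise build with the names recorded
# in an earlier reference capture, so any new destination is surfaced for
# review. Input is one query name per line, for example exported with
#   tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name
# All names below are constructed placeholders, not the whitepaper's results.

function Compare-DnsBaseline {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$ObservedLines,
        [Parameter(Mandatory)][string[]]$Baseline   # exact names or -like patterns
    )
    # Normalise: trim, drop the trailing dot a capture tool may print,
    # lower-case, and skip blank lines.
    $observed = $ObservedLines |
        ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() } |
        Where-Object { $_ -ne '' }
    $patterns = $Baseline | ForEach-Object { $_.ToLowerInvariant() }

    foreach ($group in ($observed | Group-Object)) {
        $name   = $group.Name
        $match  = $patterns | Where-Object { $name -like $_ } | Select-Object -First 1
        $status = if ($match) { 'baseline' } else { 'NEW - review' }
        [pscustomobject]@{
            Name    = $name
            Queries = $group.Count
            Status  = $status
            Pattern = $match
        }
    }
}

# Reference capture from the approved image (constructed; replace with your own).
$baseline = @(
    'connectivity-check.vendor.example',
    '*.update.vendor.example',
    '*-prod.do.cdn.vendor.example'
)

# Query names from a new capture (constructed; in practice: Get-Content queries.txt).
$observedLines = @(
    'connectivity-check.vendor.example.',
    'FE2.UPDATE.VENDOR.EXAMPLE',
    'fe2.update.vendor.example',
    'array406-prod.do.cdn.vendor.example',
    'telemetry.vendor.example',
    'crash-upload.thirdparty.example'
)

$report = Compare-DnsBaseline -ObservedLines $observedLines -Baseline $baseline
$report | Sort-Object Status, Name | Format-Table -AutoSize
# Fail the check when anything outside the baseline appears, so it can gate
# sign-off of a new build image before it is used with ePHI.
if ($report.Status -contains 'NEW - review') { exit 1 }
```

With the constructed input, the two 'telemetry' and 'crash-upload' names are reported as NEW while the rest match the baseline, the update host being counted twice after case normalisation.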
Part 1 Updates to Regulations and IT Security Compliance Implications
  a. HIPAA overview
  Review of 18 HIPAA Identifiers
Part 2 - Microsoft's Windows 10 Enterprise: Data Security and HIPAA Compliance
  b. Updates to Windows 10 for Modern Devices
Part 3 Windows 10 and HIPAA Traceability Section
  c. Group Policy Templates to support HIPAA compliance
Appendix A Active Directory Templates with ...
About the Author
Steven Marco, President of HIPAA One, has a passion for IS Security and over 18 years as a leader in executing various regulatory compliance mandates and Health IT. A Certified Information Systems Auditor since ...
Steven Marco, CISA, HIPAA One President
Arch Beard, InfoSec Officer, Adventist Health
