HIPAA compliance must be improved in the cloud but also be optimized in deskbound technology. You can take steps toward compliance through improvements of your security policies. Some changes are particularly important for HIPAA compliance. Steps that should be taken within Windows 10 settings, via Group Policy tweaks, are reviewed below.
General Group Policy Tweaks to Improve Windows Security
Windows Group Policy security can be utilized so that your organization’s PCs are more adherent to data security best practices. Some of the most important security best practices for Windows include:
Restrict access.
You can reduce the extent to which users can get into systems. You can restrict access to each individual control panel, either allowing limited access or blocking it completely.
Disable forced restarts.
Every time Windows updates, if you have Windows Update on, it will prompt a restart. You can push back when the restart occurs, but you do not need that prompt to keep coming up on each of the computers. Group Policy can turn off the forced restart feature. Restart the system again once you change that setting. You can also run the Command Prompt, elevated, and command “gpupdate/force” – which puts any group policy changes you make into action.
Disable software installation capability.
Change the configurations of your Group Policy to remove authority to install software from the typical user. By disallowing people from installing these programs, you will minimize the amount of cleanup and maintenance that might be necessary if malware is accidentally downloaded.
Outlaw removable media.
Drives for removable media are common in business as a way to physically carry certain files with you. However, these drives are easy targets to be injected with malware or viruses. Plugging in a drive that is infected could have negative consequences network-wide. To be safe from this threat, you can simply disable removable drives. You can additionally disallow other types of drives, such as USB drives, CDs, and DVDs.
Enable write protection for USB and other removable storage devices within Windows 10 to ensure that no one accidentally or maliciously copies files over to the removable drive (especially when the drive is unencrypted). To enable write protection via the Group Policy:
- Enter the Run command (Windows key + R).
- Enter gpedit.msc. Click OK.
- Within Computer Configuration, under Administrative Templates, within the System tab, choose Removable Storage Access.
- You should see Removable Disks: Deny Write Access. Double-click it.
- Choose Enabled, Apply, and OK.
- Close the window.
- Restart your PC.
That will apply to USB drives. Within the same window, you can also disallow access to all CD, DVDs, and other storage by following steps 6-8 within All Removable Storage Classes: Deny All Access.
A HIPAA-Safe Windows Environment
For positive security impact and to more directly meet the needs of HIPAA compliance, do the following within your Windows Group Policy:
Assess your telemetry settings.
A key point from Microsoft on HIPAA compliance with Windows 10 is the telemetry settings. There are four levels at which you can set the telemetry data: Security, Basic, Enhanced, and Full. The Security level is the data that you need to keep the System Center, Windows Server, and Windows protected – and that extends to Windows Defender, the Malicious Software Removal Tool, the telemetry component settings, and the Connected User Experience information.
You can utilize the Microsoft documentation on telemetry configuration for reference. If you do use the Security level and disable all other Microsoft network endpoint connections, you can make sure that Windows does not transmit any data to Microsoft – documentation for which is here. Otherwise, Windows 10 sends crash data to Microsoft along with whatever other data it can from the crashed app, which puts you at risk of a violation.
Disable Wi-Fi Sense.
There are times when Windows users want to be able to share their Wi-Fi networks with contacts. You can share it directly rather than having to use passwords. Wi-Fi Sense can tie together various people who all can use your network simultaneously. Wi-Fi Sense can even include all your Facebook friends.
This feature may sound interesting from a convenience standpoint, but is horrifying from a security standpoint for Windows 10 and HIPAA compliance. It should be turned off in a healthcare setting since it is so easy to use for nefarious purposes.
Use a local account.
People do not necessarily expect for their basic computer data to be synchronized with servers around the clock – but that is increasingly the reality. The Admin account on Windows 10 is automatically set, by default, to back up to cloud continually – meaning that your information is being saved locally as well as to a Microsoft data center. While the redundancy of backup and its importance for data security (ransomware protection, for instance) are compelling, this process exposes you to potential violations because of any protected health information contained within your PC.
The simplest option to keep Windows 10 HIPAA-safe is to use a local account. (Notably, that local account could be cloud; the concern with the connection to the Microsoft server is that you need HIPAA-ready servers with encryption and other protections.)
HIPAA Compliance Throughout Your Ecosystem
HIPAA compliance can be incredibly complex – particularly when it comes to meeting the Security Rule and properly safeguarding your data. Working with the right business associates can simplify the process, provided your relationship is grounded in a HIPAA-compliant business associate agreement. By working with strong providers while strengthening your security and HIPAA compliance as noted above, you will be ready with the right protections for the healthcare threat landscape.