Does Windows 10 violate HIPAA?

by Steve Hoffenberg | 08/03/2015

According to Microsoft's privacy statement for Windows 10 (https://www.microsoft.com/en-us/privacystatement/default.aspx), for the Input Personalization feature, "...your typed and handwritten words are collected to provide you a personalized user dictionary, help you type and write on your device with better character recognition, and provide you with text suggestions as you type or write. Typing data includes a sample of characters and words you type, which we scrub to remove IDs, IP addresses, and other potential identifiers."

Some observers have likened this feature to a keylogger, and it is turned on by default in Windows 10.

In addition, Windows 10 Input Personalization, "collect[s] your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames."

Now consider a worker at a hospital, healthcare company, or even a doctor's office using a Windows 10 PC to enter medical records data or simply schedule patient appointments. Does Microsoft's collection of typed text and other information constitute a breach of HIPAA (Health Insurance Portability and Accountability Act) privacy regulations? That depends on exactly how Microsoft is collecting the input.

  • Is the input scrubbed of personally identifiable information before or after it's sent to Microsoft (i.e. on the local PC or in Microsoft's servers)?
  • Is the input data encrypted before it's transmitted to Microsoft?
  • Is Microsoft storing the collected data?

And so on. Of course, IT administrators at hospitals and healthcare companies are likely to turn off the Input Personalization feature as well as a number of other privacy settings in Windows 10 (which reside in both Home and Pro editions). But many small private practices don't have IT administrators and might not realize what's going on in the operating system.

By having Input Personalization turned on by default, Microsoft has the responsibility to detail exactly how the feature might impact legally mandated data privacy. Thus far Microsoft has revealed little about how Windows 10's Input Personalization works. The company has some explaining to do.

View the 2017 IoT & Embedded Technology Research Outline to learn more.


ADDRESS


TWITTER FEED