On May 1st, 2017, published in cooperation with George Socha: "EDRM Glossary"

Short Description: The EDRM Glossary is EDRM's most comprehensive listing of electronic discovery terms. It includes terms from EDRM's specialized glossaries as well as terms not found in those glossaries.
The terms are listed in alphabetical order, with definitions and attributions where available.

The book was published in cooperation with George Socha, co-founder of the Electronic Discovery Reference Model (EDRM), and EDRM at Duke University - http://www.edrm.net .

Direct Link: http://itunes.apple.com/us/book/id1232031889

Published on the Washington Center for Cybersecurity, Research & Development site: "Windows 10 encryption issues in the perspective of HIPAA compliance – short overview"

Direct Link: https://www.washingtoncybercenter.com/publications-projects

Introducing Windows 10 into a hospital or private-practice environment brings benefits and some issues. One of the issues concerns HDD/SSD encryption with BitLocker. The healthcare environment is populated by diverse computer systems: some are cutting edge, while others are five years old or older. Those machines are kept in the hospital environment for specific needs and tasks. Alongside them are machines with self-encrypting HDD/SSDs and UEFI firmware. This mixed computer pool makes it a challenge to implement Windows 10 in line with the HIPAA requirements ("Breach Notification Guidance | HHS.gov," 2009).

One of the HIPAA requirements is that any device used to store or process PHI should have FIPS 140-2 compliant encryption ("HIPAA Security Series #4 - Technical Safeguards," 2016). This requirement leads to two kinds of issues. The first comes from incompatibilities on aging machines, due to software and unsupported hardware; the second comes from the ability to physically tamper with laptops that contain self-encrypting drives. These general issues become harder to manage because the majority of medical devices are serviced by the manufacturer's contractor and/or technical team ("AOA_Report_TrapX_MEDJACK.2.pdf," 2016).

Aging laptops pose challenges for BitLocker because of hardware and software issues. An extensive list of BitLocker requirements for Windows 10 is given by Brian Lich in the article "BitLocker frequently asked questions" (Lich, 2016a).

Another issue with BitLocker is whether FIPS mode is enabled in Windows 10. In a 2014 article, Aaron Margosis states that Microsoft does not recommend FIPS mode for the majority of its product users: "Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. Our updated recommendations do not contradict or conflict with government guidance: we're not telling customers to turn it off – our recommendation is that it's each customer's decision to make. Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode" (Margosis, 2014). For example, Windows 10 Enterprise E3 does not have FIPS mode enabled by default. The general steps to check whether FIPS mode is enabled on a particular machine, and to enable it, are:

1. Type Run in the search bar (or press Win key + R) to open the Run window.

2. Type gpedit.msc into the Run window.

3. Navigate to Computer Configuration, then Windows Settings, then Security Settings, then Local Policies, then Security Options.

4. Within Security Options find "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" and open it with a double click.

5. Change the setting from "Disabled" to "Enabled".

6. Close the window and restart the machine.
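The same check and change, scripted so it can be run on each machine instead of clicking through gpedit.msc. This is an added example by the editor, not code from the original paper: it reads the registry value that backs the "System cryptography: Use FIPS compliant algorithms" Security Option, optionally sets it, and reports the BitLocker state of the OS volume. It assumes an elevated PowerShell on Windows 10 Pro/Enterprise (the BitLocker module is not present on Home editions); the -Enable switch and the function names are the example's own.

```powershell
# Added example (not from the original paper). Run elevated on Windows 10.
# Usage:  .\Check-FipsBitLocker.ps1          (report only)
#         .\Check-FipsBitLocker.ps1 -Enable  (also switch the FIPS policy on)
param([switch]$Enable)

# Registry value written by the Security Option
# "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # $true when the policy is Enabled; $false when Disabled or never configured.
    $value = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Enable-FipsPolicy {
    # Same effect as changing the Security Option from "Disabled" to "Enabled".
    # On a domain-joined machine a GPO refresh will overwrite this, so put the
    # setting in the domain policy rather than relying on the local change.
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
}

function Get-OsVolumeBitLockerSummary {
    # Needs the BitLocker PowerShell module (Pro/Enterprise/Education editions).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
        ProtectionStatus = $vol.ProtectionStatus   # Off means the key protectors are suspended
        EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes128, Aes256, None
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')  # Tpm, TpmPin, RecoveryPassword ...
    }
}

$before = Get-FipsPolicyState
Write-Host "FIPS policy enabled: $before"

if ($Enable -and -not $before) {
    Enable-FipsPolicy
    Write-Host "FIPS policy set to Enabled; restart the machine for it to take effect."
}

Get-OsVolumeBitLockerSummary | Format-List
```

Two practical caveats when reading the output: the FIPS policy does not change the cipher BitLocker uses (AES, in every mode BitLocker offers, is a FIPS-approved algorithm either way); what it restricts is other components such as Schannel and .NET to validated algorithms, which is why Microsoft's 2014 guidance quoted above leaves the decision to the customer. And a volume whose ProtectionStatus is Off is not protecting anything, however it was encrypted, so audit that column together with VolumeStatus.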

To minimize hardware-based issues, verify whether the HDD/SSD drives and their controllers are certified by Microsoft for use with the particular Windows 10 edition. The direct link to the Microsoft site is: http://sysdev.microsoft.com/en-US/Hardware/LPL/DEFAULT.ASPX

Using the tool provided by Microsoft you can find whether your particular hardware is Microsoft-certified for use with the following editions:

- Windows 10 Client;

- Windows 10 Client x64;

- Windows 10 Anniversary Update Client;

- Windows 10 Anniversary Update Client x64;

Regarding Intel RST conflicts with BitLocker on Windows 10 editions: some Intel RST versions had issues with BitLocker on Windows 10. On the Intel product support forum, an extensive thread of reports runs from August 2015 up to November 2016 (direct link to the thread: https://communities.intel.com/message/319342#319342 ).

If a hospital or private practice has computers and/or medical devices that are older machines not supported by the newest Intel RST drivers, this can make it impossible to deploy BitLocker.

Physical tampering with laptops/tablets. Traveling nurses, doctors and other personnel of a hospital or medical practice routinely travel between several practice locations, so the risk of a stolen or lost laptop/tablet increases in proportion to the time spent on the road. A loss also has a direct business impact: the device must be replaced, and if a data breach occurs, the company must follow the HIPAA breach guidelines and its own policies.

We recommend that the HIPAA compliance officer and/or Chief Information Security Officer review the inventory list and verify whether people who telework or travel between hospitals/medical offices and have access to PHI have tamper-resistant laptops/tablets. In the Ponemon Institute's Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data (Ponemon Institute, 2016), the statement "Resources prevent or quickly detect unauthorized patient data access, loss or theft" received agreement from 37% of respondents in 2016. The data shows that not all hospitals and medical practices follow the guidelines provided by HHS.gov to minimize the risk of theft.

Microsoft changed BitLocker functionality and mitigated known exploits against BitLocker in the Windows 10 November Update (version 1511, released in November 2015) (Hakala, 2016). One of the changes was a policy to block new DMA devices while the machine is locked, which mitigates the threat of using FireWire (or another DMA-capable port) to capture the contents of RAM (Afonin, 2016).

Some computer manufacturers include BIOS settings that prevent physical tampering with the HDD or RAM; these settings are protected by the BIOS password. Some manufacturers additionally add detection of tampering with internal storage. Those settings help mitigate attacks on system integrity that exploit SATA hot-plug functions.

BitLocker is most vulnerable to pre-boot attacks. Microsoft's guidance is that BitLocker should be used with a secondary authentication factor, a startup key stored on USB or a PIN (Lich, 2016b). However, in everyday routine people tend to forget PINs and lose USB keys. Microsoft's guidelines do not mention use of a BIOS password as a preventive measure against BitLocker pre-boot attacks (Haken, 2015).

A hot-unplug attack, demonstrated against self-encrypting drives, can be successfully carried out against a laptop with BitLocker installed and sleep mode enabled (Boteanu & Fowler, 2015). If the computer/tablet is tamper-resistant, it is harder to mount the Forced Restart Attack, Hot Unplug Attack and Key Capture Attack against the machine.

Recommendations

1. Audit the computer/tablet inventory to determine whether the hardware is certified for use with the Windows 10 OS.

2. Verify whether FIPS mode is enabled on the computers/tablets that are planned to be encrypted with BitLocker or are already encrypted. Enable FIPS mode to enforce HIPAA compliance.

3. Audit the computer/tablet inventory to determine whether the Intel RST versions installed on the machines are compatible with BitLocker.

4. Disable sleep mode on all computers/tablets to lower the success rate of the Forced Restart Attack, Hot Unplug Attack and Key Capture Attack against the machines.

5. Deploy tamper-resistant computers/tablets for machines that are used on the move.

6. Audit whether machines used on the move have memory slots under the keyboard that are easily accessible to a third party. Do not deploy such machines, to prevent tampering and the use of memory-pin shorting to force a BSOD.

7. For computers/tablets that are used on the move, enable a BIOS password to mitigate BitLocker pre-boot attacks.

8. For computers on the move, keep the least amount of data on the internal HDD/SSD, to avoid carrying around information that is unnecessary for daily business.
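An audit-and-hardening script for recommendations 1 through 4 and 7, and for the two software mitigations discussed above (blocking new DMA devices while locked, and removing S3 sleep so that the Hot Unplug and Key Capture attacks have no resident keys to target). This is an added example by the editor, not part of the original paper. It is read-only unless -Enforce is given and must be run elevated on Windows 10. Assumptions to be aware of: the registry paths are the documented backing stores of the named Group Policy settings, powercfg output is assumed to be in English, and the Intel RST driver is matched by device name only, so treat that column as a lead to verify by hand. Recommendations 5, 6 and 8 need a physical inspection and are not scriptable.

```powershell
# Added example (not from the original paper). Run elevated on Windows 10.
# Usage:  .\Audit-BitLockerReadiness.ps1            (report + CSV)
#         .\Audit-BitLockerReadiness.ps1 -Enforce   (also apply DMA and sleep policies)
param(
    [switch]$Enforce,
    [string]$OutCsv = "$env:COMPUTERNAME-bitlocker-audit.csv"
)

$FipsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$FveKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'          # BitLocker policy store
# GUID of the power setting "Allow standby states (S1-S3) when sleeping"
$SleepKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'

function Get-RegDword($Path, $Name) {
    # $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-S3Available {
    # powercfg /a lists the available sleep states first, then a "not available" section
    # (English output assumed). S3 in the first section means the machine can still sleep.
    $available = $false
    foreach ($line in (powercfg /a)) {
        if ($line -like '*not available*') { break }
        if ($line -match 'Standby \(S3\)') { $available = $true }
    }
    return $available
}

function Get-BitLockerReadinessReport {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm  = Get-Tpm                                          # TrustedPlatformModule module
    $vol  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $disk = Get-CimInstance -ClassName Win32_DiskDrive | Sort-Object Index | Select-Object -First 1
    # Heuristic: Intel RST appears as a storage-controller driver; verify the match manually.
    $rst  = Get-CimInstance -ClassName Win32_PnPSignedDriver |
            Where-Object { $_.DeviceName -like '*Rapid Storage*' -or $_.DeviceName -like '*Intel*SATA*Controller*' } |
            Select-Object -First 1

    $r = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        Firmware          = $env:firmware_type               # UEFI or Legacy
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        DiskModel         = $disk.Model
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionMethod  = $vol.EncryptionMethod
        KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join '|')
        RstDriverVersion  = $rst.DriverVersion               # $null when no RST driver matched
        FipsEnabled       = (Get-RegDword $FipsKey 'Enabled') -eq 1
        DmaLockPolicy     = (Get-RegDword $FveKey 'DisableExternalDMAUnderLock') -eq 1
        StandbyDisallowed = ((Get-RegDword $SleepKey 'ACSettingIndex') -eq 0) -and ((Get-RegDword $SleepKey 'DCSettingIndex') -eq 0)
        S3Available       = Test-S3Available
    }

    # Findings are keyed to the numbered recommendations above.
    $findings = @()
    if (-not $r.TpmPresent)                           { $findings += 'R1: no TPM, check hardware certification' }
    if ($r.VolumeStatus -ne 'FullyEncrypted')         { $findings += 'R2: OS volume not fully encrypted' }
    if ($r.ProtectionStatus -ne 'On')                 { $findings += 'R2: BitLocker protection suspended' }
    if (-not $r.FipsEnabled)                          { $findings += 'R2: FIPS policy disabled' }
    if ($null -eq $r.RstDriverVersion)                { $findings += 'R3: no Intel RST driver matched, verify manually' }
    if ($r.S3Available -or -not $r.StandbyDisallowed) { $findings += 'R4: S3 sleep still possible' }
    if (-not $r.DmaLockPolicy)                        { $findings += 'DMA: new DMA devices not blocked while locked' }
    $r.Findings = ($findings -join '; ')
    return [pscustomobject]$r
}

function Set-MobileDeviceHardening {
    # Policy "Disable new DMA devices when this computer is locked" (Windows 10 version 1511 and later)
    if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
    Set-ItemProperty -Path $FveKey -Name DisableExternalDMAUnderLock -Value 1 -Type DWord
    # Policy "Allow standby states (S1-S3) when sleeping" = Disabled on AC and on battery, so a
    # closed lid hibernates (keys leave RAM) instead of sleeping with the keys resident.
    if (-not (Test-Path $SleepKey)) { New-Item -Path $SleepKey -Force | Out-Null }
    Set-ItemProperty -Path $SleepKey -Name ACSettingIndex -Value 0 -Type DWord
    Set-ItemProperty -Path $SleepKey -Name DCSettingIndex -Value 0 -Type DWord
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0   # never sleep on idle
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    powercfg /setactive SCHEME_CURRENT
}

if ($Enforce) { Set-MobileDeviceHardening }

$report = Get-BitLockerReadinessReport
$report | Format-List
$report | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Report written to $OutCsv"
```

When -Enforce is used, keep hibernation enabled (powercfg /hibernate on); with S1-S3 disallowed, hibernation is what a lid close falls back to, and the hibernation file lives on the BitLocker-protected volume. The DMA policy only covers hot-pluggable PCI ports and only while the machine is locked or before logon, so it complements, and does not replace, the TPM+PIN or startup-key pre-boot factor that Microsoft's guidance calls for.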

If you have any questions regarding HIPAA compliance and BitLocker, please feel free to contact me at viestursb@v-vdg.pro or Rudolfs Gulbis at rudolfs.gulbis@rtu.lv .

References:

Afonin, O. (2016). BitLocker: What's New in Windows 10 November Update, And How To Break It. Advanced Password Cracking – Insight (ElcomSoft blog). Retrieved from https://blog.elcomsoft.com/2016/03/bitlocker-whats-new-in-windows-10-november-update-and-how-to-break-it/

AOA_Report_TrapX_MEDJACK.2.pdf. (2016). TrapX Investigative Report. Retrieved from http://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_MEDJACK.2.pdf

Breach Notification Guidance | HHS.gov. (2009). Retrieved from HHS.gov website: http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Boteanu, D., & Fowler, K. (2015). Bypassing Self-Encrypting Drives (SED) in Enterprise Environments. Paper presented at Black Hat Europe 2015. https://www.blackhat.com/docs/eu-15/materials/eu-15-Boteanu-Bypassing-Self-Encrypting-Drives-SED-In-Enterprise-Environments-wp.pdf

Hakala, T. (2016). What's new in Windows 10, versions 1507 and 1511 (Windows 10). Retrieved from technet.microsoft.com website: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511

Haken, I. (2015). Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Paper presented at Black Hat Europe 2015. https://www.blackhat.com/docs/eu-15/materials/eu-15-Haken-Bypassing-Local-Windows-Authentication-To-Defeat-Full-Disk-Encryption-wp.pdf

HIPAA Security Series #4 - Technical Safeguards. (2016). HIPAA Security Series, Paper 4. Retrieved from HHS.gov website: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Lich, B. (2016a). BitLocker frequently asked questions (FAQ) (Windows 10). Retrieved from technet.microsoft.com website: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-frequently-asked-questions

Lich, B. (2016b). Protect BitLocker from pre-boot attacks (Windows 10). Retrieved from technet.microsoft.com website: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks

Ponemon Institute LLC. (2016). Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. Retrieved from http://lpa.idexpertscorp.com/acton/attachment/6200/f-04aa/1/-/-/-/-/Resources - Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data .pdf?cm_mmc=Act-On%20Software-_-email-_-ID%20Experts%20Download%20-%20Sixth%20Annual%20Benchmark%20Study%20on%20Privacy%20%26%20Security%20of%20Healthcare%20Data-_-Download%20Now&sid=TV2:gsiiVEbqP

Margosis, A. (2014). Why We're Not Recommending "FIPS Mode" Anymore. Microsoft Security Guidance blog. Retrieved from https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore