Direct Link: https://www.washingtoncybercenter.com/publications-projects
Introducing Windows 10 into a hospital or private-practice environment brings benefits and some issues. One of the issues concerns HDD/SSD encryption with BitLocker. A healthcare environment is populated by diverse computer systems: some are cutting edge, others are five years old or older and are kept because they serve specific needs or tasks. Alongside them are machines with self-encrypting HDDs/SSDs and UEFI firmware. This mixed computer pool makes it a challenge to deploy Windows 10 in line with HIPAA requirements ("Breach Notification Guidance," 2009).
One of the HIPAA requirements is that any device used to store or process PHI should have FIPS 140-2 compliant encryption ("HIPAA Security Series #4 - Technical Safeguards," 2016). This requirement leads to two kinds of issues. The first comes from aging machines with incompatible software and unsupported hardware; the second from the possibility of physically tampering with laptops that contain self-encrypting drives. Both become harder to manage because the majority of medical devices are serviced by the manufacturer's contractors and/or technical teams rather than by the hospital's own IT staff ("AOA_Report_TrapX_MEDJACK.2.pdf," 2016).
Aging laptops present hardware and software challenges for BitLocker. The full list of BitLocker requirements for Windows 10 is given by Brian Lich in his article "BitLocker frequently asked questions (FAQ)" (Lich, 2016a).
Another issue with BitLocker is whether FIPS mode is enabled in Windows 10. In a 2014 article, Aaron Margosis states that Microsoft no longer recommends FIPS mode for the majority of its customers: "Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. Our updated recommendations do not contradict or conflict with government guidance: we're not telling customers to turn it off – our recommendation is that it's each customer's decision to make. Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode" (Margosis, 2014). FIPS mode is therefore off by default; for example, Windows 10 Enterprise E3 did not ship with FIPS mode enabled. The general steps to check whether FIPS mode is enabled on a particular machine, and to enable it, are:
1. Press Win+R (or type Run in the search bar) to open the Run dialog.
2. Type gpedit.msc into the Run window.
3. Navigate to Computer Configuration, then Windows Settings, then Security Settings, then Local Policies, then Security Options.
4. Within Security Options, open "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" (double-click).
5. If the setting reads "Disabled", change it to "Enabled".
6. Close the window and restart the machine.
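The same check can be scripted for a whole fleet instead of clicking through gpedit.msc on each machine. The Group Policy setting above writes a single registry value, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled, so reading that value tells you the effective state. The following PowerShell script is an added example written for this page, not code from the original article or from Microsoft; it assumes an elevated PowerShell session on Windows 10 and that the optional -Enable switch is only used on machines you are authorised to change.

```powershell
# Added example: report, and optionally enable, Windows FIPS mode.
# This is the registry value behind the Group Policy setting
# "System cryptography: Use FIPS compliant algorithms for encryption,
# hashing, and signing". Assumption: run from an elevated session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enable   # when set, turn FIPS mode on (needs admin rights and a reboot)
)

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsModeState {
    # Returns $true when the Enabled DWORD is 1, $false when it is 0 or absent.
    $value = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Enable-FipsMode {
    # Create the key if a fresh image does not have it yet, then set Enabled = 1.
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
}

$state = Get-FipsModeState
$label = if ($state) { 'ENABLED' } else { 'DISABLED' }
Write-Output ('{0}: FIPS mode is {1}' -f $env:COMPUTERNAME, $label)

if ($Enable -and -not $state) {
    # -WhatIf is honoured here because of SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable FIPS mode')) {
        Enable-FipsMode
        Write-Output 'FIPS mode enabled; restart the machine for the change to take effect.'
    }
}
```

Run it without arguments to audit (for example through a remoting session against each host in the inventory), and with -Enable to remediate. In a domain, a Group Policy Object that defines this setting will overwrite a local registry change at the next policy refresh, so on domain-joined machines the setting should be enforced through the GPO and this script used only to verify the result.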
To minimize hardware-based issues, verify that the HDD/SSD drives and their controllers are certified by Microsoft for use with the particular Windows 10 edition. The direct link to the Microsoft site is: http://sysdev.microsoft.com/en-US/Hardware/LPL/DEFAULT.ASPX
Using the tool provided by Microsoft you can find out whether your particular hardware is Microsoft-certified for use in the following editions:
Windows 10 Client;
Windows 10 Client x64;
Windows 10 Anniversary Update Client;
Windows 10 Anniversary Update Client x64;
Some Intel RST (Rapid Storage Technology) driver versions have had conflicts with BitLocker on Windows 10 editions. The Intel product user forum holds an extensive record of these reports, running from August 2015 to November 2016 (direct link to the thread: https://communities.intel.com/message/319342#319342).
If a hospital or private practice has older computers or medical devices that are not supported by the newest Intel RST drivers, the result can be an inability to deploy BitLocker at all.
Physical tampering with laptops and tablets. For travelling nurses, doctors and other hospital or practice personnel, moving between several practice locations is a daily routine, so the risk of a stolen or lost laptop or tablet grows in proportion to the time spent on the road. A loss has a direct business impact in replacing the device, and if a data breach occurs the organisation must follow the HIPAA breach rules and its own policies.
The recommendation to the HIPAA compliance officer and/or Chief Information Security Officer is to review the inventory list and verify that people who telework or travel between hospitals/medical offices and have access to PHI are issued tamper-resistant laptops/tablets. In the Ponemon Institute's Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data (Ponemon Institute LLC, 2016), the statement "Resources prevent or quickly detect unauthorized patient data access, loss or theft" received agreement from only 37 percent of respondents in 2016. The data shows that not all hospitals and medical practices follow the HHS.gov guidelines for minimizing the risk of theft.
Microsoft changed BitLocker in the Windows 10 November Update (version 1511) to mitigate known attacks against it (Hakala, 2016). One of the changes is the ability to block DMA ports during startup, which mitigates the use of FireWire to capture the contents of RAM (Afonin, 2016).
Some computer manufacturers include BIOS settings that prevent physical tampering with the HDD or RAM; these settings are protected by the BIOS password. Some manufacturers additionally add detection of tampering with internal storage. Such settings help mitigate attacks on system integrity that exploit SATA hot-plug functionality.
BitLocker is most exposed to pre-boot attacks. Microsoft's guidance is that BitLocker should be used with a second authentication factor, either a startup key stored on USB or a PIN (Lich, 2016b). In everyday routine, however, people tend to forget PINs and lose USB keys. Microsoft's guidance does not mention a BIOS password as a preventive measure against BitLocker pre-boot attacks (Haken, 2015).
A hot-unplug attack can be carried out against a laptop whose self-encrypting drive is protected by BitLocker when sleep mode is enabled (Boteanu & Fowler, 2015). If the computer/tablet is tamper-resistant, the Forced Restart, Hot Unplug and Key Capture attacks against it become harder to carry out.
1. Audit the computer/tablet inventory to determine whether the hardware is certified for use with Windows 10.
2. Verify whether FIPS mode is enabled on the computers/tablets that are planned to be encrypted with BitLocker or are already encrypted. Enable FIPS mode to support HIPAA compliance.
3. Audit the computer/tablet inventory to determine whether the installed Intel RST versions are compatible with BitLocker.
4. Disable sleep mode on all computers/tablets to lower the success rate of the Forced Restart, Hot Unplug and Key Capture attacks.
5. Deploy tamper-resistant computers/tablets for machines that are used on the move.
6. Audit whether machines used on the move have memory slots under the keyboard that are easily accessible to a third party. Do not deploy such machines, to prevent tampering and the shorting of memory pins to force a BSOD.
7. For computers/tablets used on the move, enable a BIOS password to mitigate BitLocker pre-boot attacks.
8. For computers on the move, keep as little data as possible on the local HDD/SSD, to avoid carrying around information that is unnecessary for daily business.
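Several items in this checklist (BitLocker key protectors and the pre-boot exposure discussed above, sleep mode, Intel RST driver version, firmware type) can be gathered from a running machine in one pass. The script below is an added example written for this page, not code from the original article or from Microsoft. It assumes an elevated PowerShell session on Windows 10 with the BitLocker and TrustedPlatformModule modules present (they ship with Windows 10 Pro and Enterprise), and it only reads state; the "known good" Intel RST versions to compare against still come from the vendor and the forum thread referenced earlier.

```powershell
# Added example: collect the BitLocker-related facts behind the checklist
# above from one Windows 10 machine. Read-only; run from an elevated session.
$findings = [ordered]@{}

# Checklist items 2, 4 and 7 hinge on how the OS volume is protected. A volume
# whose only protector is the TPM has no pre-boot second factor, which is the
# configuration the text describes as most exposed to pre-boot attacks.
$osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if ($null -eq $osVol) {
    $findings['BitLockerOSVolume'] = 'no OS volume reported by Get-BitLockerVolume'
} else {
    $protectors = $osVol.KeyProtector.KeyProtectorType
    $findings['ProtectionStatus'] = $osVol.ProtectionStatus      # On / Off
    $findings['EncryptionMethod'] = $osVol.EncryptionMethod      # e.g. XtsAes256, Aes256
    $findings['KeyProtectors']    = ($protectors -join ', ')
    # Any of these protector types requires a PIN or USB startup key before boot.
    $secondFactor = $protectors | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'ExternalKey' }
    $findings['PreBootSecondFactor'] = [bool]$secondFactor
}

# TPM presence and readiness; without a TPM, BitLocker needs a USB startup key.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$findings['TpmPresent'] = if ($tpm) { $tpm.TpmPresent } else { $false }
$findings['TpmReady']   = if ($tpm) { $tpm.TpmReady }   else { $false }

# Item 4: the policy "Allow standby states (S1-S3) when sleeping" writes
# ACSettingIndex / DCSettingIndex under this power-setting GUID; 0 = not allowed.
$sleepKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
$sleep = Get-ItemProperty -Path $sleepKey -ErrorAction SilentlyContinue
$findings['SleepDisabledOnAC'] = [bool]($sleep -and $sleep.ACSettingIndex -eq 0)
$findings['SleepDisabledOnDC'] = [bool]($sleep -and $sleep.DCSettingIndex -eq 0)

# Item 3: Intel RST loads as the iaStorA / iaStorAC / iaStorV kernel drivers.
# Report the file version so it can be compared with the versions known to
# work with BitLocker on this Windows 10 build.
$rst = Get-CimInstance Win32_SystemDriver | Where-Object { $_.Name -like 'iaStor*' }
$findings['IntelRstDrivers'] = if ($rst) {
    ($rst | ForEach-Object {
        '{0} {1}' -f $_.Name, (Get-Item $_.PathName).VersionInfo.FileVersion
    }) -join '; '
} else { 'none loaded' }

# Item 1: the hardware-compatibility lookup distinguishes UEFI from legacy BIOS.
$findings['FirmwareType'] = $env:firmware_type   # 'UEFI' or 'Legacy'

[pscustomobject]$findings | Format-List
```

Running the script over the inventory (for example with Invoke-Command against each host) gives a table from which the machines with ProtectionStatus Off, PreBootSecondFactor False, sleep still allowed, or an RST version on the problem list can be pulled out for remediation.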
If you have any questions regarding HIPAA compliance and BitLocker, please feel free to
Afonin, O. (2016). BitLocker: What's New in Windows 10 November Update, And How To Break It. Advanced Password Cracking – Insight (Elcomsoft blog). Retrieved from https://blog.elcomsoft.com/2016/03/bitlocker-whats-new-in-windows-10-
AOA_Report_TrapX_MEDJACK.2.pdf. (2016). TrapX Investigative Report.
Boteanu, D., & Fowler, K. (2015). Bypassing Self-Encrypting Drives (SED) in Enterprise Environments. Paper presented at Black Hat Europe 2015. https://www.blackhat.com/docs/eu-
Breach Notification Guidance | HHS.gov. (2009). Retrieved from HHS.gov.
Hakala, T. (2016). What's new in Windows 10, versions 1507 and 1511 (Windows 10). technet.microsoft.com.
Haken, I. (2015). Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Paper presented at Black Hat Europe 2015. https://www.blackhat.com/docs/eu-15/materials/eu-15-
HIPAA Security Series #4 - Technical Safeguards - techsafeguards.pdf. (2016). HIPAA Security Series, 44. Retrieved from HHS.gov.
Lich, B. (2016a). BitLocker frequently asked questions (FAQ) (Windows 10). technet.microsoft.com.
Lich, B. (2016b). Protect BitLocker from pre-boot attacks (Windows 10). technet.microsoft.com.
Margosis, A. (2014). Why We're Not Recommending "FIPS Mode" Anymore. Microsoft Security Guidance blog.
Ponemon Institute LLC. (2016). Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data.