SkyDrive, Cloud, Metro and HIPAA

    Question

  • How does Windows 8 protect patient data (HIPAA) in a medical environment? Of concern is the automatic cloud storage of Metro apps and whether Metro apps run in a sandbox that limits the data they can access, especially data created by non-cloud apps.
    Saturday, October 08, 2011 3:29 AM

All replies

  • You'll definitely need to consult with your entity's legal department before being certain that your use of the device is HIPAA compliant. As such, I don't believe that we're the right crowd to ask.

    Basically, if you cannot make the device and your Live ID theft-proof, don't store PHI locally or in the cloud.



    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful, so they will appear differently to other users who are visiting your thread for the same problem.
    Visual C++ MVP
    Saturday, October 08, 2011 4:31 AM
  • I believe you've misunderstood my question. The question is not a legal question, it is an OS/API question. I am asking whether Windows 8's internal security for Metro apps allows them equal access to the system's resources that a non-cloud, non-dotnet app has. If it does, then Metro apps and any Live content for that matter could be a security risk that would have to be addressed using some other technology. If on the other hand Metro apps use an isolated storage area similar to ClickOnce apps, then at least some level of security is provided by Windows 8 Metro APIs. And that's what I'm hoping for. That Metro apps run in isolated storage, or in a sandbox, thereby restricting their access to any resources they have not specifically been given permission to access during the install procedure. And if that is the case, group policy restrictions can therefore be used to prevent apps from installing which request security permission, for example, to access files outside their own program and data folders, or "Windows Authentication mode" access to SQL Server instances and databases.
    Saturday, October 08, 2011 5:46 AM
  • Isolated storage is a limitation for apps. Admins can still open explorer.exe to read files off isolated storage and backup programs can access the whole file system. There is no permission against them. 

    Besides, when regulators are knocking on your door, you need to show them who pulled which patient information and when. This is not provided by isolated storage and cloud.



    Visual C++ MVP
    Saturday, October 08, 2011 6:12 AM
  • I'm not concerned about admins accessing files in explorer. I'm concerned about Metro apps accessing files they should not have access to. Okay, you have either missed the point a second time or are avoiding the issue. I will assume that this indicates that there is currently no sandbox for Metro apps and that a Metro app has unlimited access to all data in the file system. In that case, can group policy in Windows 8 (or some other mechanism) be used to block both installation and update (either automatic or user initiated) of Metro apps which request direct access to the file system?
    Saturday, October 08, 2011 6:30 AM
  • I will assume that this indicates that there is currently no sandbox for Metro apps and that a Metro app has unlimited access to all data in the file system. In that case, can group policy in Windows 8 (or some other mechanism) be used to block both installation and update (either automatic or user initiated) of Metro apps which request direct access to the file system?


    I'm not sure why you would assume the worst based on the responses above. I have no direct insight into HIPAA rules or Windows 7's current architecture to ensure privacy concerns are adequately addressed. I would have to assume so considering all the Win 7 implementations floating around the medical institutions I have been around. I would also have to assume that Windows 8, desktop side, is doing nothing to break that paradigm. I would also assume that in that vein MS is not providing Metro apps unfettered access into an environment they have previously taken great pains to assure is compliant.

    I think we are a little early to ask for unequivocal assurance that Win 8 and Metro will be HIPAA compliant, but I would bet that not being so is not the plan.

    Sunday, October 09, 2011 7:59 PM