Turning on Full Device Encryption
Full-disk encryption is one of the best ways to protect your clients and your practice from privacy breaches. If an encrypted device is lost or stolen while locked or powered off, and its password or recovery key is not exposed along with it, the PHI on it is treated as unreadable, which qualifies the loss for the safe harbor in HIPAA’s Breach Notification Rule. Use it everywhere!
Create a Separate User Account on Your PC
This one applies to laptop and desktop computers and to Surface tablets. Phones and most other tablets cannot have multiple user accounts.
If you have Windows 11 click this link to watch a video on how to add a local user.
How to Change Your PC's Password
Your device’s login password is also what unlocks its encryption, so be sure to set a strong one. Strong passwords are also a HIPAA standard. On Windows, BitLocker also creates a recovery key that can unlock the drive without the password; keep that key somewhere safe and away from the laptop itself, never on the device it protects.
Turn on or Add Anti-Virus Software
Anti-virus is a minimum must for all devices. Use of software to prevent virus infections is also a HIPAA standard.
Activate Your Firewall
A firewall controls which network connections are allowed to reach your device, blocking unsolicited inbound connections from the Internet and from other machines on the same network (a coffee-shop Wi-Fi, for example). It is very important to keeping your devices clean and safe for managing client information, and it is an important part of complying with the HIPAA standard around preventing virus infections.
Make sure the OS is Updated
It is important that device software be kept up to date, because vendors issue security updates frequently and an unpatched device is an easy target. It is also a HIPAA standard that system software be kept updated.
Set Your PC to Logout/Lock When Idle
HIPAA’s Security Rule includes an automatic logoff standard: devices should lock or log out on their own after you have left them idle for a short period of time (many practices use 10 to 15 minutes). This prevents someone from walking up to, or picking up, a device that you are still logged into.
Remote tracking is not covered for your Windows computer. It works best with smartphones, because their cellular connections keep them on the Internet as they move around, which is what a lost-device locator needs. If you are working through the security instructions for other device types, you may see a video or other instructions here.
Back Up Your Device’s Data
If your personal device holds information about client care that is not also stored on other devices or services, you need to keep it backed up. Maintaining backups of all PHI is a HIPAA standard.
A few examples of data that is often found on personal devices:
Text messages with clients
Emails with clients
Clinical notes about clients
Written reports
Superbills
If you use an external hard drive, or another physical device, to back up your Windows 10 PC, you’ll want to use the built-in backup software, called Windows Backup. A video explaining how to use Windows Backup will be coming in the future. In the meantime, use this tutorial from the Windows website.
If your backup strategy for the device includes an external hard drive, that drive must also be encrypted: a lost backup drive is a breach just like a lost laptop. You can encrypt it with the same native encryption software used for the device itself (BitLocker, which handles removable drives as BitLocker To Go). See here for a tutorial.
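The external-drive step above, as an added example that is not part of the original page or its tutorial: encrypt the backup drive with BitLocker To Go from PowerShell, add a recovery password, and confirm the drive is protected before any PHI is copied onto it. It assumes Windows 10/11 Pro or better, a PowerShell session run as Administrator, and that the external drive is mounted at E: (the drive letter is an assumption; change `$Drive` to match your system).

```powershell
# Added example (not from the original page): encrypt an external backup drive
# with BitLocker To Go and verify it before using it for PHI.
# Assumptions: Windows 10/11 Pro or better, PowerShell run as Administrator,
# and that the backup drive is mounted at E: (adjust $Drive as needed).
$Drive = 'E:'

# Prompt for the drive password without echoing it to the console.
$Password = Read-Host -Prompt "Password for $Drive" -AsSecureString

# Turn on encryption with a password protector. -UsedSpaceOnly is fine for a
# brand-new, empty drive; omit it for a drive that already held data, so that
# previously deleted files are encrypted too.
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $Password -UsedSpaceOnly

# Add a recovery password so a forgotten drive password does not mean lost backups.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# Show the 48-digit recovery password once; store it away from the drive,
# not in the same bag as the laptop and backup drive.
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery password for $Drive : $($_.RecoveryPassword)" }

# Verify: do not copy PHI onto the drive until the volume reports
# FullyEncrypted with protection On. Encryption of a large drive takes a while.
$vol = Get-BitLockerVolume -MountPoint $Drive
"$Drive status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus) " +
    "encrypted=$($vol.EncryptionPercentage)%"
```

Run it once per backup drive. The same `Get-BitLockerVolume` check at the end is worth repeating any time you plug the drive into a different computer, since a drive that was never fully encrypted, or that has had protection suspended, will quietly report that here.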
The Bring Your Own Device policy requires you to be thoughtful and careful about how you install software. You must not disable any setting that makes the computer warn you before you run an app that was downloaded from a webpage (on Windows this is Microsoft Defender SmartScreen).
This is not applicable to Windows computers, lucky you! If you are working through security instructions for other device types, you may see a video or other instructions here.
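Because the items on this page are one checklist, here is one added example (not part of the original page) that audits them together on a Windows PC: a read-only PowerShell script that reports PASS or FAIL for full-device encryption, enabled local accounts, anti-virus, firewall, recent updates, idle lock, and the SmartScreen download warning. It assumes Windows 10/11 with PowerShell 5.1 or later, run as Administrator (the BitLocker and Defender cmdlets need it). The thresholds `$MaxIdleSeconds`, `$MaxSignatureAgeDays` and `$MaxPatchAgeDays` are this example's own choices, not figures taken from the page or from HIPAA.

```powershell
# Added example (not from the original page): read-only audit of the Windows
# items on this BYOD checklist. Assumes Windows 10/11, PowerShell 5.1+, run as
# Administrator. Thresholds below are this example's assumptions, not HIPAA values.
$MaxIdleSeconds      = 15 * 60   # auto-lock must fire within 15 minutes
$MaxSignatureAgeDays = 7         # anti-virus signatures no older than a week
$MaxPatchAgeDays     = 30        # at least one Windows update in the last 30 days

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

function Test-ByodBaseline {
    $results = @()

    # 1. Full device encryption: OS volume fully encrypted with protection On.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $results += New-Check 'Full device encryption (BitLocker)' `
        ($os -and $os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On') `
        "$($os.MountPoint) $($os.VolumeStatus), protection $($os.ProtectionStatus)"

    # Any other mounted volume (e.g. an external backup drive) should be encrypted too.
    foreach ($v in Get-BitLockerVolume | Where-Object VolumeType -ne 'OperatingSystem') {
        $results += New-Check "Data volume encrypted ($($v.MountPoint))" `
            ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'On') `
            "$($v.VolumeStatus), protection $($v.ProtectionStatus)"
    }

    # 2. Separate user account: list enabled local accounts so you can confirm one exists.
    $users = (Get-LocalUser | Where-Object Enabled).Name -join ', '
    $results += New-Check 'Enabled local accounts (confirm a separate account exists)' $true $users

    # 3. Anti-virus: Defender on with real-time protection and fresh signatures.
    #    If a third-party product replaces Defender, check that product's console instead.
    $mp = Get-MpComputerStatus
    $results += New-Check 'Anti-virus enabled with real-time protection' `
        ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
        "signatures updated $($mp.AntivirusSignatureLastUpdated)"
    $results += New-Check 'Anti-virus signatures current' `
        ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "$($mp.AntivirusSignatureAge) day(s) old"

    # 4. Firewall: every profile enabled and not allowing unsolicited inbound traffic.
    foreach ($p in Get-NetFirewallProfile) {
        $results += New-Check "Firewall profile $($p.Name)" `
            ("$($p.Enabled)" -eq 'True' -and "$($p.DefaultInboundAction)" -ne 'Allow') `
            "enabled=$($p.Enabled) inbound=$($p.DefaultInboundAction)"
    }

    # 5. OS updates: the most recently installed update should be reasonably recent.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $results += New-Check 'Recent Windows update installed' `
        ($latest -and $latest.InstalledOn -gt (Get-Date).AddDays(-$MaxPatchAgeDays)) `
        "$($latest.HotFixID) on $($latest.InstalledOn)"

    # 6. Lock when idle: machine-wide inactivity policy OR a password-protected screen saver.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $ss     = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $policyOk = $policy.InactivityTimeoutSecs -and [int]$policy.InactivityTimeoutSecs -le $MaxIdleSeconds
    $ssOk = $ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and
            $ss.ScreenSaveTimeOut -and [int]$ss.ScreenSaveTimeOut -gt 0 -and [int]$ss.ScreenSaveTimeOut -le $MaxIdleSeconds
    $results += New-Check "Auto-lock within $($MaxIdleSeconds / 60) minutes" ($policyOk -or $ssOk) `
        "InactivityTimeoutSecs=$($policy.InactivityTimeoutSecs) ScreenSaveTimeOut=$($ss.ScreenSaveTimeOut) secure=$($ss.ScreenSaverIsSecure)"

    # 7. Download warnings: Defender SmartScreen for downloaded apps must not be Off.
    $smart = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue
    $results += New-Check 'SmartScreen warnings for downloaded apps' `
        ($smart.SmartScreenEnabled -ne 'Off') "SmartScreenEnabled=$($smart.SmartScreenEnabled)"

    $results
}

Test-ByodBaseline | Format-Table -AutoSize -Wrap
```

The script changes nothing; it only reads state, so it is safe to run on a schedule or before you start a client day. A FAIL on the idle-lock row usually means the screen saver is on but not set to require a password on resume, which is the setting the “lock when idle” step above is really about.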