Windows 11 Includes Security Layers that Protect Patient Data
While OSs have become much more secure over the years due to firewalls, anti-virus software and malware scans, Brown says that nothing was blocking the worst hole in the entire infrastructure: an end user clicking on a link to launch something he or she thought was benign. In fact, the “human element” was a factor in 74 percent of total breaches according to a report from Verizon. Windows 11 could change that.
“Windows is now constantly scanning every internet site that you visit, every document that you open, and running processes to make sure they are legitimate and safe to continue,” Brown says.
Windows 11 does this using a feature called Microsoft Defender SmartScreen, one of several new tools rolled out with the operating system update. Here are security features of note that healthcare organizations should be aware of when considering a migration to Windows 11:
- BitLocker: While this feature was included on Windows 10, it was optional. Now, device and drive encryption are built into the OS by default to protect patient data from unauthorized access, Brown says.
- Credential Guard: This feature uses virtualization-based security (VBS) to defend systems from credential theft and malware attacks even if they are running with admin privileges, according to a Microsoft blog.
- Config Lock: Using mobile device management policies, this feature monitors registry keys to detect changes in a healthcare organization’s device ecosystem and reverts changed systems to an IT-desired state. Microsoft states that it also prevents users from altering security settings.
- Hypervisor-Protected Code Integrity: Also known as memory integrity, HVCI is another VBS feature integral to ensuring that all drivers plugged into the OS are safe and trustworthy.
- Microsoft Defender SmartScreen: This program addresses the vulnerability created by end users by protecting against phishing, malware and malicious files. SmartScreen is constantly watching the sites a user browses no matter which browser is used, Brown says. It will reference each site visited against Microsoft’s known secure databases and alert a user if a site could be malicious. “Before you even move your mouse, that website, link or attachment has been checked and validated,” he adds.
- Microsoft Pluton: This security processor was built on the principles of zero trust. It is integrated into the CPU and OS to protect personal information, credentials and encryption keys, according to Microsoft. Instead of requiring health IT teams to manually update the processor, it can be done via Windows Update, adding another level of security.
- Smart App Control: According to Microsoft, this feature blocks malicious and untrustworthy apps as well as unwanted apps that can slow down devices or come with unexpected or unwanted properties such as ads or extra software.
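As an added check, not code from the article or from CDW or Microsoft, the PowerShell function below reads the on-device state of the layers just listed so an IT team can confirm they are actually running after a migration. It assumes an elevated session on a Windows 11 Pro or Enterprise edition where the BitLocker, Defender and TrustedPlatformModule modules are installed; the status codes and registry paths in the comments are the ones Microsoft documents, and Config Lock and Pluton are not queried because they expose no equivalent local counter.

```powershell
# Added example: report the state of the Windows 11 security layers on this device.
# Reference values (Microsoft documentation):
#   Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
#   Win32_DeviceGuard.SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI (memory integrity)
#   CI\Policy\VerifiedAndReputablePolicyState:           0 = Smart App Control off, 1 = on, 2 = evaluation mode
#   Policies\...\System\EnableSmartScreen:               0 = SmartScreen disabled by policy; absent = not configured
function Get-Win11SecurityPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)

    # BitLocker: every volume should report ProtectionStatus "On"; collect the ones that do not.
    $unprotected = @(Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' } |
        ForEach-Object { $_.MountPoint })

    # Smart App Control state is stored under the code-integrity policy key.
    $sac = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState

    # SmartScreen policy value (only present when an administrator has configured it).
    $ss = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                -ErrorAction SilentlyContinue).EnableSmartScreen

    $mp  = Get-MpComputerStatus   # Microsoft Defender Antivirus status
    $tpm = Get-Tpm                # TPM backing BitLocker and Windows Hello for Business

    [pscustomobject]@{
        VbsRunning                  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning      = ($running -contains 1)
        HvciRunning                 = ($running -contains 2)
        BitLockerUnprotectedVolumes = $unprotected          # empty = all volumes protected
        SmartAppControlState        = $sac
        SmartScreenDisabledByPolicy = ($ss -eq 0)
        DefenderRealTimeProtection  = $mp.RealTimeProtectionEnabled
        DefenderSignatureAge        = (Get-Date) - $mp.AntivirusSignatureLastUpdated
        TpmReady                    = $tpm.TpmReady
    }
}

# Show the posture and flag the gaps a device-compliance policy would reject.
$posture = Get-Win11SecurityPosture
$posture | Format-List
if (-not $posture.VbsRunning)             { Write-Warning 'Virtualization-based security is not running' }
if (-not $posture.CredentialGuardRunning) { Write-Warning 'Credential Guard is not running' }
if (-not $posture.HvciRunning)            { Write-Warning 'Memory integrity (HVCI) is not running' }
if ($posture.BitLockerUnprotectedVolumes) { Write-Warning "BitLocker off on: $($posture.BitLockerUnprotectedVolumes -join ', ')" }
if (-not $posture.DefenderRealTimeProtection) { Write-Warning 'Defender real-time protection is off' }
if ($posture.DefenderSignatureAge.TotalDays -gt 7) { Write-Warning 'Defender signatures older than 7 days' }
```

A device that prints no warnings matches the trusted state Brown describes; one that does is the kind Intune compliance policies would hold out of the environment until the gap is fixed.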
All of these security layers and more are in constant communication, prepared to isolate suspicious applications and lock down the system so that malicious programs can’t take over and propagate onto other devices, Brown says. It’s all a part of a zero-trust architecture.
“Even though your device might be managed, if you have certain things turned off, the system will no longer trust that device. If Microsoft Defender anti-virus isn’t running, it will say, ‘I no longer trust you. You cannot come in until that’s fixed.’ If you don’t have the latest Microsoft patches installed, it won’t trust you until Microsoft Intune finishes pushing the update to you,” Brown says, adding that Microsoft Azure cloud tools and Microsoft Intune work together with the OS to protect the health IT ecosystem.
As devices proliferate in healthcare, having integrated, secure hardware and software is crucial. Not only can bad actors sell patient data on the dark web, they can also use it for social engineering against patients: with that data, a cybercriminal can send an email pretending to be a patient’s doctor to get the patient to click a malicious link.
“Now you’re encrypting data at the hardware layer as well as at the software layer, which makes it much more difficult to break into systems to access patient records,” Brown says.
Windows Hello for Business can unlock the encryption by scanning a clinician’s face or fingerprint.
“Having encryption across the board from all these different tools, rather than just a simple password, is really going to change the game in the healthcare space,” he adds.
For more on the specific security features offered by Windows 11, Brown recommends that health IT leaders check out Windows 11 Security Book: Powerful Security by Design.
Windows 11 Migration Requires Partnership and Planning
Migrating to Windows 11 isn’t something that can happen overnight. It requires careful planning and preparation. However, healthcare organizations don’t have to do it alone. Brown says that a technology partner such as CDW can offer an assessment tool to help organizations determine whether their applications and hardware are ready to run Windows 11.
Older devices might not be eligible to run the new OS because their hardware may not support the credentialing tools and zero-trust capabilities in Windows 11. Brown says that some users have found a way around the credential check to install the OS; however, this leaves organizations without the security benefits of the integration between Windows 11 and the hardware.
Through an assessment, CDW can help healthcare organizations determine whether their systems can support the OS and, if not, which hardware is recommended to run Windows 11 while meeting their business needs.