This morning, I went to the doctor for a scheduled appointment. While she was looking at the results of blood tests from two years ago on the screen (and suggested repeating them for a follow-up), I realized she was using Windows 11. A detail came to mind. The doctor is extremely polite and friendly, so I asked her, “How do you handle the feature called Recall?” The doctor was taken aback and had no idea what I was talking about. I was about to drop the conversation, but she, being a serious professional, immediately called the technicians who manage their PCs to ask for clarification. They downplayed it, saying it’s not an issue and that it’s a feature “on all PCs, so we can’t do anything about it.” She started to express that she didn’t like it and wanted it deactivated. No luck: they won’t proceed because, according to them, even deactivating it is “a hack that could compromise future updates.” She’s furious and will talk to her colleagues and the decision-makers. She wants secure systems because “there’s patient data involved.”

In reality, patient data is stored on servers (which I haven’t investigated), but everything that appears on the screen is, in my opinion, at risk.

I’ve offered to help them find a solution—because, if I’m right, all they need is LibreOffice and a browser. In that case, I’ll suggest one of the *BSD or Linux systems and do it for free.

I don’t want to make money off my doctor. I just want patient data to be (sufficiently) secure.

#IT #Recall #Windows #OwnYourData #Security #Privacy #RunBSD #Linux

  • Chris@mastodontech.de · 2 upvotes · 3 months ago

    @stefano@bsd.cafe Recall is not released yet. Only Windows Insider with a Dev Build can test it at the moment. Recall is completely offline and needs a special NPU chip to work. And on top of that, you can deactivate Recall in the settings. I tested it. So this doctor does not have Recall on the PC and nothing is collecting any data.

  • Henri@mdon.ee · 1 upvote · 3 months ago

    @stefano@bsd.cafe Recall is still a preview feature in the Insider build and it requires compatible hardware. Also, it is disabled on enterprise installs.

    • Stefano Marinelli@mastodon.bsd.cafe (OP) · 1 upvote · 3 months ago

      @slyecho@mdon.ee the doctor’s PC isn’t an enterprise installation, but a normal Windows installation on a normal PC. GPs aren’t part of enterprise systems here.

  • Marcos Dione@en.osm.town · 1 upvote · 3 months ago

    @stefano@bsd.cafe how do you recognize Win11? I haven’t even seen screenshots, and last windows I honestly touched was ME, with some glances at Win… 7? from my ex.

  • release_candidate@mastodon.bsd.cafe · 1 upvote · 3 months ago

    @stefano@bsd.cafe using Windows to browse a hospital web and edit some documents is like driving a 1-ton truck to buy bread in a corner shop.

    She could use less than half of the computing resources and energy, yet achieve the same without Windows 11.

    I can understand why Windows is popular in home computing. But at industry level? Do they use home knives to perform surgery too?

  • Jennifer@m.ai6yr.org · 1 upvote · 3 months ago

    @stefano@bsd.cafe oh hell I hadn’t thought about my patient data. I hate Microsoft so much.

  • dodothedev🦤💻@front-end.social · 1 upvote · 3 months ago

    @stefano@bsd.cafe @nixCraft@mastodon.social

    I work for an ambulance service and asked our higher up managers about this. I was initially fobbed off with “that won’t be an issue because Microsoft won’t enable it.” When I pushed and said what if, I was told it wouldn’t happen, because Microsoft has withdrawn it. When I pushed one last time and suggested a Linux or other OSS alternative would resolve the issue, the head of IT security said “the NHS doesn’t like Open Source because it could be hiding malicious code” 🤦🏻‍♂️

    • Stefano Marinelli@mastodon.bsd.cafe (OP) · 1 upvote · 3 months ago

      @DodoTheDev@front-end.social @nixCraft@mastodon.social This is unfortunately a very common problem. I also often hear that open source is less secure because “everyone can see how it’s made.” Fortunately, when I explain that security through obscurity has limited effectiveness, many agree.

  • Aubrey Jones@gaygeek.social · 1 upvote · 3 months ago

    @stefano@bsd.cafe

    Worked in software for 20 years, open source for most of it, but for the last 10 years of my career I did medical software.

    If you’re in the US… There is no way “LibreOffice and a browser” fulfills regulations around electronic medical records, unless you’re saying their EMR system is web based and they just need a client.

      • Xavier Ashe :donor:@infosec.exchange · 1 upvote · 3 months ago

        @stefano@bsd.cafe I’m sure they have some type of endpoint management software. If not Active Directory, then Intune or Ivanti, or something else. You just can’t manage large networks without some management suite.

        Often, Microsoft gives enterprises options that they don’t give to consumers.

  • kroy@mastodon.kroy.io · 1 upvote · 3 months ago

    @stefano@bsd.cafe Having worked with the IT side of healthcare for years, this is probably a bit of an oversimplification.

    If your doctor thinks they are a techy person and just installed their own machines, then they aren’t following compliance rules anyway and are suspect.

    Few doctors will risk this. Every doctor and dentist I’ve ever been to pays for managed support, with someone specializing in healthcare rules. This includes things like GPOs to disable harmful features like this.

  • Christian Sasse@ruhr.social · 1 upvote · 3 months ago

    @stefano@bsd.cafe How about
    C:\Windows\System32>Dism /Online /Disable-Feature /Featurename:Recall
    ? It’s not productive on a European PC, so I can’t try that; I just read about it and wrote it down for some moment.

    • Stefano Marinelli@mastodon.bsd.cafe (OP) · 1 upvote · 3 months ago

      @eggsandjam@ruhr.social I don’t know - I’m not managing that PC and don’t want to mess with someone else’s work 🙂
      But, if possible, I’d get rid of Windows there 😆
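Added example, not from any participant in the thread: a PowerShell audit script for the two controls discussed above, the Dism feature removal suggested by Christian Sasse and the GPO-style policy kroy mentions. It assumes a Windows 11 build where the optional feature is named `Recall` and where the documented policy "Turn off saving snapshots for use with Recall" is backed by the registry value `DisableAIDataAnalysis` under `Policies\Microsoft\Windows\WindowsAI`; on older builds the feature is simply reported as not present. The function and variable names are the example's own.

```powershell
# Audit (and optionally remediate) Windows Recall on a workstation that shows patient data.
# Added example; assumes Windows 11 24H2+ feature name "Recall" and the documented
# DisableAIDataAnalysis policy value. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-RecallFeatureState {
    # Optional-feature view: the same object "Dism /Online /Get-Features" reports.
    # On builds that do not carry the feature the cmdlet errors or returns nothing.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Recall' -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return 'NotPresent' }
    return [string]$feature.State   # Enabled, Disabled, DisabledWithPayloadRemoved, ...
}

function Get-RecallPolicyState {
    # Policy view: machine scope (what a GPO or MDM profile pushes) and user scope.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI',
        'HKCU:\Software\Policies\Microsoft\Windows\WindowsAI'
    )
    $result = @{}
    foreach ($path in $paths) {
        $value = (Get-ItemProperty -Path $path -Name 'DisableAIDataAnalysis' `
                  -ErrorAction SilentlyContinue).DisableAIDataAnalysis
        $result[$path] = if ($null -eq $value) { 'NotConfigured' }
                         elseif ($value -eq 1) { 'SnapshotsDisabled' }
                         else { "Value=$value" }
    }
    return $result
}

function Test-RecallCompliance {
    # A machine handling patient data should have the feature absent or disabled AND
    # the machine-wide policy set, so a local user cannot switch snapshots back on.
    $feature       = Get-RecallFeatureState
    $policy        = Get-RecallPolicyState
    $machinePolicy = $policy['HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI']
    [pscustomobject]@{
        FeatureState  = $feature
        MachinePolicy = $machinePolicy
        UserPolicy    = $policy['HKCU:\Software\Policies\Microsoft\Windows\WindowsAI']
        Compliant     = ($feature -ne 'Enabled') -and ($machinePolicy -eq 'SnapshotsDisabled')
    }
}

function Set-RecallDisabled {
    # Remediation: write the machine-wide policy value and remove the optional
    # feature, which is what the Dism /Disable-Feature command in the thread does.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableAIDataAnalysis' -PropertyType DWord -Value 1 -Force | Out-Null
    if ((Get-RecallFeatureState) -ne 'NotPresent') {
        Disable-WindowsOptionalFeature -Online -FeatureName 'Recall' -NoRestart | Out-Null
    }
}

# Report only; call Set-RecallDisabled explicitly when the result is not compliant.
Test-RecallCompliance | Format-List
```

The policy value is checked separately from the feature state because the two fail differently: a user can re-enable the feature from Settings if only the feature is off, and a later feature update can reinstall the payload, whereas the machine-wide policy is what a managed fleet's GPO enforces and what an administrator should expect to find on a compliant endpoint.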

  • Dan Neuman@ottawa.place · 1 upvote · 3 months ago

    @stefano@bsd.cafe My spouse has patient data on her managed computer and it is a real hassle. I don’t know why Microsoft hasn’t already been sued for HIPAA violations.

  • toadjaune@hostux.social · 1 upvote · 3 months ago

    @stefano@bsd.cafe I’m confused; AFAICT, even on a non-enterprise install, it can still be deactivated in system settings by the local user.

    Is this not the case?

      • toadjaune@hostux.social · 1 upvote · 3 months ago

        @stefano@bsd.cafe it is concerning, and in this context, of course you’d want it to be force-disabled centrally.

        Still, if I understand well how Microsoft implemented it, she should still be able to at least disable it through the normal system settings window on her machine, without any intervention from them.