Increasingly more healthcare service providers are using cloud services largely because it allows practitioners to access health records from any location. Storing health records in the cloud also makes it easier for patients to access and edit their records if required.
However, as you might expect, storing sensitive patient data on a platform that is owned by a third party, and theoretically accessible by everyone, comes with concerns relating to security, privacy, and compliance.
Fortunately, many cloud service providers and app vendors have noted such concerns, and have adapted to meet the demands of healthcare organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA).
Microsoft 365 and Business Associate Agreements
Microsoft 365 provides a business associate agreement (BAA) as a part of their service, which acts as a contract between Microsoft and all participating HIPAA-covered entities. When a covered entity uploads protected health information (PHI) to Microsoft 365, both parties are automatically covered by the BAA. The agreement cannot be modified by the covered entity, so it is important that they carefully review the agreement before choosing to store ePHI in the cloud, to ensure that it is suitable for their needs.
It’s worth noting that Microsoft has subjected itself to audits in accordance with the ISO 27001 standard, to ensure that they have adequate security and privacy controls in place and that they are following the recommendations put forth by the U.S. Department of Health and Human Services (HHS).
Microsoft 365 Security Features for HIPAA
Microsoft 365 has numerous security features that help to facilitate HIPAA compliance. These features include:
Multi-Factor Authentication
When MFA is enabled, users will be required to enter additional information that is sent to their device in order to log in.
Least-privilege Access
Microsoft 365 gives users the ability to restrict access to ePHI to those who really need it.
Privacy Readers
Users can designate representatives, or “Privacy Readers”, who will have access to Message Center notifications, which will enable them to identify potential breaches.
End-to-end Encryption
All data stored on Microsoft 365 under a BAA will be encrypted, including data that is transferred to a location outside of Microsoft’s servers. However, it’s worth noting that email subject lines are not encrypted.
Data Loss Prevention
As above, data is encrypted in transit, thus preventing users from sharing data outside of the organization’s environment.
Audit Logs
Administrators can review the native audit logs to determine who has access to what data, how they access the data, when, and from where.
Security configuration
Administrators have a wide range of security settings that they can change to suit their needs. For HIPAA-covered entities, it is generally recommended that they use the strictest possible settings. The options are described in more detail in Microsoft’s HIPAA implementation guide.
Data backups
To comply with HIPAA, covered entities are required to keep a reliable backup of their ePHI.
How Does Microsoft Handle Security Breaches?
In the event of a security breach, Microsoft will notify all global admins, as well as users who are designated as Privacy Readers, within 30 days. The covered entity will be required to scan their repositories for signs of compromise, as well as notify their customers and the relevant authorities, as this is not Microsoft’s responsibility.
How Can Lepide Help with HIPAA Compliance
Even though Microsoft provides security features and breach notifications to HIPAA-covered entities, they have made it very clear that it is the responsibility of the customer to protect their ePHI. There are third-party solutions, such as the Lepide Data Security Platform, which provide additional features that can help you streamline your HIPAA compliance efforts. These features include:
Data Discovery & Classification
Lepide can help you locate and classify your ePHI across your Microsoft 365 environment, as well as other cloud and on-premises environments. Using the built-in pre-defined classification taxonomies, you can classify your ePHI in accordance with the HIPAA guidelines.
Assigning Access Permissions
While Microsoft 365 enables you to set up access controls to protect your ePHI, the Lepide Data Security Platform will give you more visibility into how your data is accessed and used, thus making it easier to assign access controls in a more informed manner.
Detecting and Responding to Changes to ePHI
Lepide uses machine learning models to establish a baseline that represents the usage patterns that are typical for each user. When user behavior deviates too far from this baseline, an alert is sent to the administrator, who can review the changes and take action accordingly. In some cases, an automated response can be initiated. For example, if a large number of files are copied or encrypted within a given time frame, a custom script can disable a user account, stop a specific process, change the security settings, and take any other action that will minimize the damage caused by the attack. With Lepide, all important changes to your ePHI can be reviewed via a centralized console, and pre-defined HIPAA compliance reports can be generated at the push of a button.
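The per-user baseline and "too many files copied in a time frame" alert described above, together with the audit-log review from the Audit Logs section (who touched a record, how, when and from where), as an added example. This is not Lepide's or Microsoft's code: it runs over constructed JSON records shaped like Microsoft 365 unified audit log entries (the field names UserId, Operation, CreationTime, ClientIP and ObjectId are the real schema's; the users, URLs, IP addresses, the set of operations treated as bulk-copy events, the five-minute window and the threshold factor are assumptions chosen for the example).

```python
"""Baseline-and-burst detection over Microsoft 365-style audit records.

Added example with constructed data; not Lepide's or Microsoft's code.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations treated as "file copied out" events (assumption for this example).
OPS = {"FileCopied", "FileDownloaded", "FileSyncDownloadedFull"}

SITE = "https://contoso.sharepoint.com/sites/clinic"  # constructed site URL


def make_sample_log():
    """Construct JSON audit lines: seven quiet days for alice and bob, then a burst
    of 40 FileCopied events from alice within about three minutes on day eight."""
    lines = []
    day0 = datetime(2024, 3, 1, 9, 0, 0)

    def rec(ts, user, op, ip, obj):
        return json.dumps({"CreationTime": ts.isoformat(), "UserId": user,
                           "Operation": op, "ClientIP": ip, "ObjectId": obj})

    for d in range(7):
        for i in range(2):  # alice copies two files a day during the baseline period
            lines.append(rec(day0 + timedelta(days=d, hours=i), "alice@example.com",
                             "FileCopied", "203.0.113.10", f"{SITE}/notes-{d}-{i}.docx"))
        for i in range(3):  # bob reads three files a day (not a bulk-copy op)
            lines.append(rec(day0 + timedelta(days=d, hours=i), "bob@example.com",
                             "FileAccessed", "203.0.113.11", f"{SITE}/chart-{d}-{i}.docx"))
        lines.append(rec(day0 + timedelta(days=d, hours=3), "bob@example.com",
                         "FileCopied", "203.0.113.11", f"{SITE}/chart-{d}-copy.docx"))
    burst = day0 + timedelta(days=7, hours=4)  # 2024-03-08 13:00, from a new IP
    for i in range(40):
        lines.append(rec(burst + timedelta(seconds=5 * i), "alice@example.com",
                         "FileCopied", "198.51.100.7", f"{SITE}/patient-{i}.docx"))
    return lines


def parse_records(lines):
    """Parse JSON lines and sort by event time (sorted order is required below)."""
    recs = []
    for line in lines:
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["CreationTime"])
        recs.append(r)
    return sorted(recs, key=lambda r: r["ts"])


def build_baseline(records, baseline_end, days):
    """Mean number of OPS events per day for each user over the `days` before baseline_end."""
    counts = defaultdict(int)
    start = baseline_end - timedelta(days=days)
    for r in records:
        if start <= r["ts"] < baseline_end and r["Operation"] in OPS:
            counts[r["UserId"]] += 1
    return {user: n / days for user, n in counts.items()}


def detect_bursts(records, baseline, since, window=timedelta(minutes=5),
                  factor=5, min_events=10):
    """Sliding-window count of OPS events per user after `since`; alert when any
    window holds at least max(min_events, factor * that user's daily baseline)."""
    per_user = defaultdict(list)
    for r in records:
        if r["ts"] >= since and r["Operation"] in OPS:
            per_user[r["UserId"]].append(r["ts"])
    alerts = []
    for user, times in per_user.items():
        daily = baseline.get(user, 0.0)
        threshold = max(min_events, factor * daily)
        j, best = 0, None
        for i, t in enumerate(times):
            while t - times[j] > window:  # drop events older than the window
                j += 1
            n = i - j + 1
            if n >= threshold and (best is None or n > best[1]):
                best = (times[j], n)
        if best is not None:
            alerts.append({"user": user, "window_start": best[0], "count": best[1],
                           "baseline_per_day": daily, "threshold": threshold})
    return alerts


def access_history(records, object_id):
    """Who touched one record, how, when and from where (the audit-log review)."""
    return [(r["UserId"], r["Operation"], r["CreationTime"], r["ClientIP"])
            for r in records if r["ObjectId"] == object_id]


if __name__ == "__main__":
    recs = parse_records(make_sample_log())
    cutoff = datetime(2024, 3, 8, 9, 0, 0)
    base = build_baseline(recs, cutoff, days=7)
    for a in detect_bursts(recs, base, since=cutoff):
        print(f"ALERT {a['user']}: {a['count']} copy events from {a['window_start']} "
              f"(baseline {a['baseline_per_day']:.1f}/day, threshold {a['threshold']:.0f})")
    print(access_history(recs, f"{SITE}/notes-0-0.docx"))
```

The baseline is deliberately a plain per-day mean rather than a learned model; the point is that the alert threshold is derived per user from their own history, with a floor (`min_events`) so that a user with almost no history does not trip on a handful of copies. Real unified audit log exports carry many more fields and may arrive out of order, which is why `parse_records` sorts before the sliding window runs.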
If you’d like to see how the Lepide Data Security Platform can help you satisfy HIPAA compliance requirements, schedule a demo with one of our engineers or start your free trial today.