HIPAA Compliance in Microsoft 365

Businesses that deal in healthcare know the importance of HIPAA and HITECH compliance. Violations of the privacy and security rules can result in large fines from the Office of Civil Rights. The team behind Office 365 is well aware of the issue and has made strong efforts to aid your efforts towards HIPAA compliance in Microsoft 365. Intelligent use of the tools it provides will minimize the possibility of a breach of ePHI while providing industry leading data governance tools for healthcare organizations.

Microsoft’s HIPAA Role

Healthcare companies that use Office 365 need to enter a business associate agreement with Microsoft. The agreement falls under Tier B of Microsoft’s compliance framework. The tier includes a commitment to ISO 27001 and 27018, no mining of data for advertising, no voluntary disclosure to law enforcement, and more. The BAA is available by default to all covered entities and business associates. A business that engages in HIPAA-covered activities should obtain it before using Office 365 for that purpose.

Entering a BAA provides a solid basis for keeping data confidential and safe. ISO 27001 commits Microsoft to maintain comprehensive security controls and applying appropriate management procedures. ISO 27018 says that customers will know what is being done with their data and that it won’t be given to others without their consent.

Nonetheless, the agreement isn’t sufficient to ensure HIPAA compliance. The business needs to exercise a strong level of diligence to prevent breaches. It’s unlikely that a breach will happen due to Microsoft’s fault, but the business needs to keep its end up carefully. This includes understanding and making the best use of the tools available with Office 365, as well as engaging in best data protection practices.

Recommendations for Compliance

HIPAA Compliance in Microsoft 365 Microsoft recommends a 90-day plan for achieving compliance. It’s broken down into low-impact tasks for the first 30 days, improvements between 30 and 90 days, and ongoing practices beyond that. Accomplishing them on a faster schedule is better yet, provided haste doesn’t get in the way of thoroughness.

The First 30 Days

In the first 30 days, establishing basic security practices and spotting any gaping holes is the first priority. It’s easier to start by doing things right than to fix bad practices that are already in place. It only takes one day, or even one minute, for a weakness to become a serious problem. As much as possible, a full-scale move to Office 365 shouldn’t happen until pilot tests demonstrate an adequate level of HIPAA compliance. These are Microsoft’s recommendations for the first 30 days.

  • Determining your secure score. Administrators do this from their console. It measures the settings which the account has in use and returns a secure score summary. The goal isn’t to achieve the maximum possible number of points, but to give a sense of how securely the account is configured. The score comes with recommendations for improving it. The administrator can ask for recommendations which are necessary to achieve a particular score.
  • Enabling audit logging. Once enabled, audit logging may take as much as 24 hours to become fully active. The audit log records many kinds of user activity. People with the necessary privileges can conduct searches of the log and then filter the search results. For example, if there’s reason to suspect that an account is being misused, the log can find all the actions which that account has taken on files. Having appropriate logs is a requirement for HIPAA auditing.
  • Setting up tenant security. Configuring tenant-wide settings is an important step toward uniformly secure practices. Spam and phishing controls reduce the chances that malicious email will trick employees. Safe links and safe attachments will lock out many sources of malware. In some cases, administrators can choose the security level which best suits the organization. Multi-factor authentication will make it harder to break into accounts.
  • Connecting Cloud App Security. The protections under Cloud App Security include cloud discovery, data protection, and threat protection. It can identify risky applications, enforce data usage policies, control access from outside, For example, some applications can be restricted to IP addresses located on-premises. Cloud App Security isn’t included in a basic Office 365 subscription, but it should be considered essential for an organization that needs to be HIPAA-compliant.
  • Adding Azure Active Directory identity protection. AD identity protection lets administrators catch vulnerabilities, look into incidents, and set up automated responses to questionable actions. It uses heuristics to spot accounts that may have been compromised. Policies can include automatic blocking of accounts or taking other actions when the risk level reaches a specified threshold. Policies can apply to all users or a subset.
  • Securing SharePoint sites and files. File sharing is a special concern for businesses handling personal health data. If the organization uses SharePoint, it needs to keep it under tight security. Access should be limited to those who need it. Sharing outside the organization has to be disabled, and non-owners can’t be allowed to invite new users. Offline synchronization is risky and should be disabled.
  • Setting up a data governance policy. The aim of data governance is to establish and enforce the rules for the security, integrity, and use of an organization’s data throughout its lifecycle. The Data Governance framework aids in enforcing policies for data storage across all services. Microsoft’s way of putting it is “You keep what you need and get rid of what you don’t.” The policy isn’t just a matter of using the tools, though; all participants need to be aware of the policies and get training in suitable practices.

Beyond 30 days

Once the measures already mentioned are in place, additional steps will further improve compliance. These are more complicated than the previous steps and not quite as high in priority. There is no need to delay them till after 30 days; Microsoft lists them in a second group just so that administrators can prioritize the first group.

  • Running attack simulations. This is also known as penetration testing. The test attacks won’t do actual harm, but they will identify weaknesses that need to be fixed. Office 365 Threat Intelligence includes an attack simulator. So far it has only a limited repertoire. Hiring an outside firm to run simulated attacks can give the system a more rigorous workout.
  • Using the Compliance Manager. IT people aren’t lawyers, and the Compliance Manager helps to bridge the gap between understanding regulations and understanding tech. It lets administrators see a risk score and find out actions that will improve the score. It associates risks with specific regulatory frameworks, including HIPAA, to aid administrators who are more familiar with security procedures than with legal requirements.
  • Setting up Active Directory Privileged Identity Management. Some organizations need more detailed control over privileged access than AD identity protection provides. Privileged Identity Management allows temporary granting of authorizations where they’re needed. Privileged role administrators can designate eligible users and approvers. Designated approvers can grant or deny requests for temporary privileges.
  • Enabling multi-factor authentication. The organization might have already done this when configuring tenant security, but Microsoft makes it an explicit point here. Guessed or stolen passwords are a major source of security breaches, and confirmation by SMS or other means makes breaking into accounts harder.
  • Keeping protection policies updated. Experience will reveal areas where the first round of policies wasn’t quite right. Reviewing them after the first 30 days will allow better classification of data and refinements to access and storage policies. Reviewing the audit logs may turn up areas where the policies need improvement.

Ongoing Practices

Maintaining a secure, HIPAA-compliant set of services is a task that never ends. After the initial 90-day period, Microsoft recommends additional and ongoing practices.

  • Reviewing your secure score. Usage will change over time and might require additional security controls. Improving the score from the initial target can be a worthwhile long-term goal. Certainly it shouldn’t go down because of neglect. The particular issues under the score summary should be the main focus. What’s important at one organization may not be a real issue at another.
  • Setting up secure privileged access. Workstations, where administrators run privileged accounts, need extra strong protection. Secure privileged access isn’t a specific tool but a set of practices. They include using admin accounts only for administration, generating randomized passwords, and reducing the attack surface.
  • Using Azure Active Directory identity protection. This item is a little odd, since enabling it was part of the 30-day agenda. It’s apparently just a reminder that it has to be used to be useful.
  • Refining protection policies. The principle of least privilege minimizes the damage done if any account or workstation is compromised. Reviewing the policies periodically will identify ways that the administrators can tighten protection.

Learn More About HIPAA Compliance in Microsoft 365

HIPAA Journal notes that using Office 365, used under a BAA, can be HIPAA compliant, but only if the covered entity keeps its end up. Protecting personal information is a serious matter for any entity that falls under the regulations. Systematically following the recommendations for Office 365 will keep the risks low, and administrators will be able to detect and mitigate any problems quickly. Contact us to learn how we can help you achieve this goal.

Request a Quote

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?


Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon Sean.L@Agileit.com

Don’t want to wait for us to get back to you?