Health organizations and Microsoft business cloud services
Get the security, compliance, and privacy of protected health information in Microsoft business cloud services.
Accelerate your deployment of HIPAA/HITRUST solutions on Azure
Get the tools and guidance to build HIPAA/HITRUST solutions today. Harness the benefits of the cloud for health data solutions with the Azure Security and Compliance Blueprint—HIPAA/HITRUST Health Data and AI.
Office 365 Earns HITRUST CSF Certification
Office 365 has earned HITRUST CSF Certification from the Health Information Trust Alliance (HITRUST). The HITRUST Common Security Framework (CSF) helps health organizations address security and risk management.
Microsoft takes a defense-in-depth approach to security in its cloud services
Health organizations can be vulnerable to data breaches and cyberattacks. Bad actors target not only health networks but also point-of-sale devices such as cash registers, medical devices such as pacemakers, medical apps such as those offering virtual healthcare, and a proliferating population of mobile devices, both medical and personal. According to the Verizon Protected Health Information Data Breach Report for 2015, 1,400 health organizations, both large and small, suffered breaches of PHI that exposed more than 157 million medical records. These resulted not only from criminal activity, but also from inadequate data protection and misuse by health workers themselves.
Microsoft business cloud services and commercial support are designed, developed, and operated to help keep your data, and the devices that access it, secure. The guiding principle of the security strategy at Microsoft is to assume breach: to operate as though our systems are already compromised, and to shorten the time between any compromise and its detection. Our global incident response team works around the clock to mitigate the effects of any attack against the Microsoft Cloud.
Our systems and software help protect your data with strong security controls, along with a portfolio of technologies to help you arm your organization against emerging cyberthreats, manage a mobile workforce, and comply with government regulations.
Layers of up-to-date antispam and antimalware technology, such as Microsoft Antimalware, help identify and remove spam, viruses, and other malicious software, both known and unknown. We monitor servers, networks, and applications to detect intrusions and prevent attacks, and we continually strengthen these defenses. In the event of an attack, systems are in place both to defend the network and to recover quickly.
No matter where your data is—on a local server, in the public cloud, or on portable devices—we help you ensure that those accessing your network are who they say they are, that their access to data is controlled, and that only those who are authorized to view PHI can do so.
Encrypted data is unreadable to anyone who does not hold the decryption key. Microsoft uses industry-standard secure transport protocols to encrypt data as it travels between devices and Microsoft datacenters, and as it moves within and between datacenters. To protect data at rest, Microsoft offers a range of built-in encryption capabilities.
HIPAA and the HITECH Act are US health laws that establish requirements for the use, disclosure, and protection of individually identifiable health information. These laws require health organizations to enter into contracts with service providers, such as Microsoft, that have access to and process patients' PHI. These contracts, called Business Associate Agreements (BAAs), clarify and limit how the cloud service handles PHI, and set forth each party's obligations under the security and privacy provisions of these laws.
Microsoft has implemented physical, technical, and administrative safeguards required by HIPAA to support our role as a business associate, and is compliant with the HITECH Act, which requires giving notice to individuals and the government when a breach of PHI occurs. Although there is currently no official certification for compliance with these laws, Microsoft services covered under the BAA have undergone audits by accredited independent third parties. For example, our ISO/IEC 27001 audit scope includes controls that address HIPAA security practices.
Under the Microsoft HIPAA BAA, we offer more covered services than any other cloud provider. Through Microsoft Azure, Microsoft Dynamics 365, Microsoft Intune, Microsoft Office 365, and Microsoft Power BI, we offer comprehensive and integrated solutions that encompass productivity and collaboration, patient relationship management, analytics, application hosting, data storage, and application and device management.
In offering a BAA, Microsoft helps support your HIPAA compliance, although your organization is responsible for ensuring that your particular use of Microsoft services aligns with HIPAA and the HITECH Act. Toward that end, we offer resources such as HIPAA/HITECH Act Implementation Guidance for Azure and for Dynamics 365 and Office 365, and A practical guide to designing secure health solutions using Microsoft Azure.
The Centers for Medicare & Medicaid Services (CMS) has published the Minimum Acceptable Risk Standards for Exchanges (MARS-E), which include a framework for addressing the confidentiality, integrity, and availability of protected data in health exchanges. The MARS-E 2.0 framework provides information aimed at securing this protected data and applies to all US Affordable Care Act administering entities, including exchanges and marketplaces.
Although there is currently no formal authorization and accreditation process for MARS-E, Azure platform services have undergone independent FedRAMP audits and are authorized according to its standards. Although these standards do not specifically focus on MARS-E, the MARS-E control requirements and objectives are closely aligned, and provide assurance that Azure adequately helps protect the confidentiality, integrity, and availability of data.
Our time-tested approach to privacy is grounded in the Microsoft Privacy Standard and the Microsoft Security Development Lifecycle. Third-party audits and certifications validate our rigorous technical development standards and help ensure that privacy and data protections are systematically implemented. For example, Microsoft was the first major cloud provider to adopt ISO/IEC 27018, the first international code of practice for cloud privacy. We also back those protections with strong contractual commitments.
Ultimately, we give you control over the collection, use, and distribution of your data:
- We use your customer data only to provide the services we have agreed upon. We do not scan it for marketing purposes or treat it as a product to sell to others.
- You know where your customer data is stored in our datacenters around the globe. You know who can access it and under what circumstances, and how it is responsibly protected, transferred, and deleted.
- When data from many customers is stored at a shared physical location, we use logical isolation to segregate each customer’s cloud services data from that of others.