Health organizations and Microsoft business cloud services
Security, compliance, and privacy of protected health information in Microsoft business cloud services
Microsoft understands that when you, our customer, use our cloud services, you are entrusting us with your most valuable and irreplaceable asset—your data.
Trust is essential as you move clinical applications and datasets containing protected health information (PHI), including patient demographics and treatment information, to the public cloud. It is critical as you share data across the health ecosystem, and expand how and where health professionals and patients access confidential information.
So wherever you are on your journey to the cloud, it’s vital to work with a service provider that you can trust. You must trust that confidential information is protected, that it’s held and managed securely and in compliance with regulations and laws, and that its privacy is protected.
The Microsoft holistic approach is designed to build this trust through security, compliance, and privacy, each described in the sections below.
Microsoft takes a defense-in-depth approach to security in its cloud services
Health organizations can be vulnerable to data breaches and cyberattacks. Bad actors target not only health networks but also point-of-sale devices such as cash registers, medical devices such as pacemakers, medical apps such as those offering virtual healthcare, and the proliferating mobile devices, both medical and personal. According to the Verizon Protected Health Information Data Breach Report for 2015, 1,400 health organizations, both large and small, suffered breaches of PHI data that exposed more than 157 million medical records. These breaches were the result not only of criminal activity, but also of inadequate data protection and misuse on the part of health workers themselves.
Microsoft business cloud services and commercial support are designed, developed, and operated to help ensure that your data and all the devices that access it are highly secure. The guiding principle of the security strategy at Microsoft is to assume breaches of our systems, and shorten the time between any compromise and its detection. Our global incident response team works around the clock to mitigate the effects of any attack against the Microsoft Cloud.
Our systems and software help protect your data with strong security controls, along with a portfolio of technologies to help you arm your organization against emerging cyberthreats, manage a mobile workforce, and comply with government regulations.
Microsoft proactively guards against threats in the cloud from both malicious software and cyberattacks. Layers of up-to-date antispam and antimalware technology, such as Microsoft Antimalware, help identify and remove spam, viruses, and other malicious software, both known and unknown. We monitor servers, networks, and applications to detect intrusions and prevent attacks, and we constantly strengthen these defenses. In the event of an attack, systems are in place both to defend the network and to recover quickly.
Microsoft helps your organization manage user identities and access privileges. No matter where your data is—on a local server, in the public cloud, or on portable devices—we help you ensure that those accessing your network are who they say they are, that their access to data is controlled, and that only those who are authorized to view PHI can do so.
We help protect your data with encryption, which renders it unreadable to anyone who doesn’t have the decryption key. Microsoft uses industry-standard secure transport protocols to encrypt data as it travels between devices and Microsoft datacenters or moves within datacenters. To protect data at rest, Microsoft offers a range of built-in encryption capabilities.
Microsoft complies with applicable regulatory requirements
Microsoft business products and cloud services are audited by independent external auditors, under industry standards such as ISO/IEC 27001 and ISO/IEC 27018. In addition, we support HIPAA and the HITECH Act, as well as the Minimum Acceptable Risk Standards for Exchanges (MARS-E).
HIPAA and the HITECH Act are US health laws that establish requirements for the use, disclosure, and protection of individually identifiable health information. These laws require health organizations to enter into contracts with service providers like Microsoft that have access to and process patients’ PHI. These contracts, or Business Associate Agreements (BAA), clarify and limit how the cloud service handles PHI, and set forth each party’s adherence to the security and privacy provisions in these laws.
Microsoft has implemented physical, technical, and administrative safeguards required by HIPAA to support our role as a business associate, and is compliant with the HITECH Act, which requires giving notice to individuals and the government when a breach of PHI occurs. Although there is currently no official certification for compliance with these laws, Microsoft services covered under the BAA have undergone audits by accredited independent third parties. For example, our ISO/IEC 27001 audit scope includes controls that address HIPAA security practices.
Under the Microsoft HIPAA BAA, we offer more covered services than any other cloud provider. Through Microsoft Azure, Microsoft Dynamics 365, Microsoft Intune, Microsoft Office 365, and Microsoft Power BI, we offer comprehensive and integrated solutions that encompass productivity and collaboration, patient relationship management, analytics, application hosting, data storage, and application and device management.
In offering a BAA, Microsoft helps support your HIPAA compliance, although your organization is responsible for ensuring that your particular use of Microsoft services aligns with HIPAA and the HITECH Act. Toward that end, we offer resources such as HIPAA/HITECH Act Implementation Guidance for Azure and for Dynamics 365 and Office 365, and A practical guide to designing secure health solutions using Microsoft Azure.
The Centers for Medicare and Medicaid Services (CMS) has published the Minimum Acceptable Risk Standards for Exchanges (MARS-E), which include a framework to address the confidentiality, integrity, and availability of protected data in health exchanges. The MARS-E 2.0 framework provides information aimed at securing this protected data and applies to all US Affordable Care Act administering entities, including exchanges or marketplaces.
Although there is currently no formal authorization and accreditation process for MARS-E, Azure platform services have undergone independent FedRAMP audits and are authorized according to its standards. Although these standards do not specifically focus on MARS-E, the MARS-E control requirements and objectives are closely aligned, and provide assurance that Azure adequately helps protect the confidentiality, integrity, and availability of data.
The information in this section does not apply to Microsoft Cognitive Services.
Microsoft helps protect the privacy of PHI and other data
Our time-tested approach to privacy is grounded in the Microsoft Privacy Standard and the Microsoft Security Development Lifecycle. Third-party audits and certifications validate our rigorous technical development standards and help ensure that privacy and data protections are systematically implemented. For example, Microsoft was the first major cloud provider to incorporate the first international code of practice for cloud privacy, ISO/IEC 27018. We also back those protections with strong contractual commitments.
Ultimately, we give you control over the collection, use, and distribution of your data:
- We use your customer data only to provide the services we have agreed upon. We do not scan it for marketing purposes or treat it as a product to sell to others.
- You know where your customer data is stored in our datacenters around the globe. You know who can access it and under what circumstances, and how it is responsibly protected, transferred, and deleted.
- When data from many customers is stored at a shared physical location, we use logical isolation to segregate each customer’s cloud services data from that of others.
Resources
- Microsoft enterprise health care solutions
- Building rigor into cybersecurity: A blueprint for healthcare organizations
- Protecting data and privacy in the cloud
- Minimum Acceptable Risk Standards for Exchanges (MARS-E) background
- ISO/IEC 27001 background
- ISO/IEC 27018 background
- FedRAMP background
HIPAA and HITECH resources
- HIPAA and the HITECH Act background
- Your compliance, your way: Get flexibility and choice with your HIPAA BAA
- Addressing HIPAA security and privacy requirements in the Microsoft Cloud
- A practical guide to designing secure health solutions using Azure