Oregon State University (OSU), in Corvallis and founded in 1868, is Oregon’s largest university. As a public land-grant university, conducting scientific research is part of OSU's mission. However, the school’s new information and technology officer found it unacceptable that the university could not engage in health care research requiring HIPAA-level security standards because its previous cloud service didn’t meet security requirements. To address this challenge, the school chose to migrate its data to Microsoft Azure. As a result, the university now has reliable, compliant, and more secure data management that has positioned the school for additional research opportunities.
When Andrea Ballinger became Chief Information and Technology Officer at OSU, she considered digital transformation a top priority. The cloud service OSU was using didn’t meet HIPAA-level security standards for protected health information, which the school needed for certain regulated research projects. The cost of trying to protect its secure data on-premises was out of reach.
Ballinger pushed hard to maximize the university’s cloud presence and protect OSU’s digital assets. The university needed a cloud service that worked with its existing systems, including the secure data collection tool Research Electronic Data Capture (REDCap), created and maintained by what is now the REDCap Consortium at Vanderbilt University, and used by researchers affiliated with OSU's Center for Quantitative Life Sciences (CQLS) and the College of Public Health and Human Sciences. OSU also sought enhanced security for sensitive research data. David McMorries, Chief Information Security Officer at OSU, was familiar with the Microsoft Azure platform’s compliance with requirements for the use, disclosure, and safeguarding of protected health information. McMorries explains, “The kind of data we were processing required a full, HIPAA-compliant solution, so we needed to use Microsoft Azure.”
OSU, which had an ongoing relationship with Microsoft, engaged with a Microsoft team of higher-ed Azure Specialists and Cloud Solution Architects to brainstorm the possibilities. “The Microsoft team worked with us on how to create a thoughtfully engineered solution so we could build it right from the start,” says McMorries. OSU’s solution architecture builds on the Azure Cloud Adoption Framework, specifically Azure Enterprise Scale Landing Zone. OSU deployed the REDCap front-end website using several Azure PaaS services, including Azure App Service, Azure Database for MySQL, Azure Storage, Azure Key Vault, Azure FrontDoor, and Azure Application Insights.
“The configuration of cloud services may sound complex, but we made it easier to implement by adopting DevOps practices and using Infrastructure as code for a repeatable deployment process,” says Paul Yu, Microsoft Cloud Solution Architect.
Solving compliance and identity management issues
For Matthew Peterson, Senior Faculty Research Assistant at OSU’s Center for Quantitative Life Sciences, the switch to Azure has been ideal due to its HIPAA HITRUST compliance, and because it worked with OSU’s on-premises instance. “Another piece is identity management,” Peterson says. “To sufficiently secure everything, you need to pin ownership and access control at every step of the process, and the Microsoft Azure deployment is far more cohesive and trackable than what we had before.”
OSU improved its security and compliance positions by using Microsoft 365 and Azure Security together. With support from the Microsoft team, the university deployed a number of security tools and services, including Azure Firewall, Azure Network Security Groups, as well as Azure Private Link, Private Endpoint, and Service Endpoints. Azure Active Directory acts as a single source of truth for identification, authentication, and authorization. Microsoft Information Protection suite, included in Microsoft 365, provides data loss prevention technology and offers unique in-motion encryption capabilities that help protect information even after it leaves OSU’s environment. Microsoft Cloud App Security provides cloud access security broker capabilities that reach into cloud services to enforce the university’s security policies wherever data resides.
“All the telemetry we're generating to meet this HIPAA HITRUST compliance gets thrown into a Log Analytics bucket, and our Security Operations Center and Azure Sentinel can make sense of it and know what's going on,” says Peterson. “The fact that the Microsoft environment can check every piece of the puzzle, every minute, at least the stuff that could technically be audited, and report anything that’s out of compliance, is a huge win.”
Not only would a security breach compromise public trust in OSU, it would affect anyone whose information was exposed. “The means to mitigate those breaches, specifically cybersecurity insurance, is getting more and more expensive and has higher and higher levels of deductibles,” says McMorries. “It has been really important for us to engineer and build the right kind of capability to protect this important data and those who entrusted us with it, and to allow our researchers to do what they need to do.”
Empowering collaborative, accessible, and secure research
Whereas OSU researchers had previously addressed their secure research computing needs with each new research grant or project, the migration to Azure created a solution for all projects that use sensitive data. “Now we have a clearer path for establishing research data use agreements for our research grants and projects,” says Dr. Denise Hynes, CQLS Director for Health Data and Informatics, and an early advocate for OSU to acquire this capability.
Migrating to Azure also created opportunities for cross-discipline coordination and collaboration in OSU research projects, replacing the previous semi-siloed approach. “Now, for instance, the College of Engineering or maybe the College of Liberal Arts or an external university partner can get involved with data analysis on a public health research project,” elaborates Hynes. “Having a platform like this allows us all to conduct collaborative research.”
Peterson says that Azure offers a portfolio of integrated pieces that work right out of the box. "They are redundant, scalable, and can click together like LEGO® pieces," he adds. "Researchers care about security, but they don't have the bandwidth to spend all their time focusing on how to solve security challenges. They're there to focus on the research, achieve the grant goals, apply for new grants, be competitive, ask new questions. We're trying to provide a pathway, a guardrail, to ensure that they can do compliant research without going outside those parameters. Our goal is to make it as easy as possible for them to do their research the right way.”
With its Azure migration, the university is now able to streamline access to research data. Christopher Viggiani, Associate Vice President for Research Integrity at OSU, explains that, “We have a virtual desktop we can deliver to a researcher almost anywhere. This opens up new and exciting opportunities for OSU to work with other institutions and partners on solving difficult problems. It definitely has the potential to catalyze research, build strong partnerships and expand the impact of our research.”
Researchers are using OSU’s Azure services throughout the entire research lifecycle: applying for research grants, completing projects, and preparing high-impact papers for publication. Should a natural disaster occur (OSU is located near the Cascadia earthquake subduction zone), researchers will be able to access the computational and research support infrastructure from virtually anywhere. “We need to make researchers as effective and productive as possible, and I think Azure is a major component of that,” says McMorries.
Creating a robust environment and toolset for impactful research
The university recently upgraded its license to Microsoft 365 A5, so it now uses a full range of Microsoft products, including Power BI, which aids the research department with its analytics work and presentations. OSU also uses Microsoft Teams for “just about everything,” says McMorries. “Everything from day-to-day research collaboration to outages and incident responses from an IT perspective. We used it to collaborate with the Oregon State Police to get our criminal justice information system certification in order. It’s astonishing how much it’s been used in the last year and a half.”
OSU’s IT community adopted Teams when it shifted to remote work during the health crisis, according to McMorries. He elaborates, “Then our CIO did something very smart. She got the Provost, the number-two person at the university, on a Teams channel. People started saying, ‘Hey, the Provost said he couldn’t reach me on Teams,’ and maybe a month later, everybody was on Teams. I think that was very clever to get key leaders involved. Since then, it’s been implemented everywhere.”
McMorries and Peterson are both thrilled with OSU’s current cloud environment. “Microsoft duct-taped a warp engine on us,” says McMorries. “We've gotten further in six months than we thought was possible. My jaw hit the floor when [Microsoft] told us at the beginning, ‘We’re not going away when this is done. You can still engage us and ask questions. We're here to help.’ The Microsoft team was dedicated to the project and really helped ensure its success.”
The OSU Azure migration project is ongoing. “We do still have an end goal,” says Peterson. “We want to be doing one-click deployments almost blindfolded, where we can go get a cup of coffee, and when we get back, everything is ‘auto-magically’ wired up, and we're good to go.”
CQLS Health Data &Informatics Director Denise Hynes predicts that the success of the organization’s migration to Azure will influence future initiatives within the OSU research community. “The more people we can empower to go after research grant dollars that require meeting HIPAA-level privacy and data security standards, the fewer dollars we’re leaving on the table and the more our researchers can advance their careers, advance the research, serve the public, and just keep on going.” Leading by example in their adoption of Azure, CQLS is demonstrating that impactful research projects—to improve health, better utilize natural and agricultural resources, and understand the global environment—can be conducted more securely and efficiently in the cloud.
“The kind of data we were processing required a full, HIPAA-compliant solution, so we needed to use Microsoft Azure.”
David McMorries, Chief Information Security Officer, Oregon State University
Follow Microsoft