Azure & HIPAA HITECH Compliance: Four Configuration Safeguards for Your Data
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in hardware. And for organizations in the healthcare industry adhering to HIPAA and HITECH Standards, there are a few keys to safeguarding their sensitive data.
Microsoft supports running workloads with Electronic Protected Health Information (EPHI) in Azure, but as discussed in an earlier article, it is important to understand their stance on Business Associate Agreements (BAAs) and the shared risk model. In this model, the customer bears the burden of configuring the environment, or ensuring their service providers adhere to HIPAA and HITECH Standards.
Therefore, in this article, we discuss four key safeguards an organization can take when deploying workloads into Azure. To this end, the federal government doesn’t clearly outline in black and white what is required for HIPAA and HITECH, as much as require an organization to implement safeguards that are reasonable for their size. The below keys are some of the safeguards a mid-market healthcare organization would be expected to implement to protect personal data.
Disable access from external networks or encrypt data in transit
By default, Azure Virtual Machines allow for Remote Desktop Services (RDS) and Remote PowerShell directly from the internet. This can easily be disabled by administrators, and should be done so to prevent access from external networks. If there is a need to publish access directly over the internet, all data in transit should be encrypted via SSL. For traffic between a client site and an Azure virtual network, customers can leverage either a site to site VPN, or an Express Route connection.
Monitor and manage log-in access
Organizations need to monitor and log operations in their Azure environment, such as client or application access to EPHI. At the same time, companies also should look at deploying solutions to monitor for security breaches or incidents within their applications for virtual environments. Doing so will help to identify when bad actors are attempting to gain access and shut them down prior to the breach.
Just like an on-premise deployment, organizations need to leverage complex password policies and ensure proper access controls are in place. In addition to on-premise resources, companies will now need to ensure access to virtual machines, storage accounts and the Azure portal are all secure.
Back-up the system
Companies sometimes mistakenly believe because they are now in the cloud, their data is backed up. IaaS workloads in Azure replicate storage to three copies within a local datacenter, however this doesn’t allow for protection against data change or corruption. Customers will need to develop and deploy a strategy that will backup the data as well as replicate it to a geographically dispersed facility. A great solution here is to leverage Azure backup to backup the system with Geo-redundant storage (GRS), which will replicate those backups to an alternate Azure datacenter.
Encrypt data at rest
Organizations should also be aware that Azure does not automatically encrypt customers’ data at rest. There are several solutions that can be leveraged, ranging from Azure storage service encryption (which is now available in all geos), Azure disk encryption for IaaS VM’s, Encrypted File System built into windows and even Azure Rights Management Services.
Whether working with a cloud services provider to manage your Azure environment or managing the environment for your organization, it is important to understand the configurations required and the risk model for dealing with HIPAA and HITECH compliance on Azure. Stay tuned for more posts on the topic as our next installment in this series will go further into the newly released Azure Storage Service Encryption.
Comparing Service Level Agreements: Stacked SLAs, Reindeer Games and Defining the Cost of an Outage