Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protecting Electronic Protected Health Information (EPHI). Whether you view it as a positive or negative, the Federal Government has left the requirements of IT Security in HIPAA purposely vague. The overarching guideline is to employ best practices based on the size of your organization.
For healthcare organizations looking to leverage Microsoft Azure for healthcare data in the cloud, Microsoft has published implementation guidance for adhering to HIPAA and HITECH on Azure (available here). The guidance defines items in scope as: cloud services (both web and worker roll), Virtual Machines, Storage, Virtual Networks, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Multi-Factor Authentication, Azure Active Directory, SQL Database and any other features identified on the Azure Trust Center.
However, there are some important things to know regarding Microsoft’s HIPAA guidelines for Azure:
The Business Associates Agreement: The guidelines include requirements for Microsoft to agree to sign a Business Associates Agreement (BAA). A BAA is a common contract between a Healthcare Organization and a service provider with access to EPHI that transfers the risk in case of a breach to the service provider. The guide is clear that Microsoft will only sign a BAA with customers who have purchased an Enterprise Agreement. Microsoft also recommends in the document that customers should NOT (their emphasis, not mine) store or process EPHI in Azure outside of the BAA’s scope unless it is done in a way to render the EPHI unusable, unreadable or indecipherable so that the breach notification requirement of HIPAA and HITECH do not apply.
Your responsibility to safeguards: While Microsoft takes responsibility for the underlying platform, the customer is still responsible for their environment once the services have been provisioned. So, what does this mean for you as the healthcare provider? It means you still need to ensure you apply the applicable safe guards in your Azure environment as you would on-premise. These include items like: Encryption of Data at rest, Encryption of Data in Transit, Least privileged access models, Data Preservation policies (DR, BC), Strong Authentication policies and defense in depth security strategies.
So what is a healthcare provider to do if they want to take advantage of Azure’s cloud platform all the while ensuring that the proper safeguards are in place? For some, that means involving a managed services cloud provider such as Concerto to design, advise and provide round-the-cloud management of these secured environments. Visit Concerto’s website for more information on fully-managed cloud services for HIPAA HITECH. To learn best practices regarding how to deploy these controls in an Azure Environment, follow Concerto Cloud Services on Twitter to be alerted on future blog posts on this topic.