HIPAA/HITECH Implementation Guidance. For Microsoft Azure

Similar documents
HIPAA Business Associate Agreement

HIPAA/HITECH Act Implementation Guidance for Microsoft Office 365 and Microsoft Dynamics CRM Online

Developing Microsoft Azure Solutions 20532B; 5 Days, Instructor-led

- Procedures for Administrative Access

HIPAA/HITECH Compliance Using VMware vcloud Air

Volume Licensing. Service Level Agreement for Microsoft Online Services August 5, 2015

Assignment # 1 (Cloud Computing Security)

Microsoft Azure. Microsoft Azure Security, Privacy, & Compliance

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Service Level Agreement for Windows Azure operated by 21Vianet

Security Best Practices for Microsoft Azure Applications

Linux A first-class citizen in Windows Azure. Bruno Terkaly bterkaly@microsoft.com Principal Software Engineer Mobile/Cloud/Startup/Enterprise

CHIS, Inc. Privacy General Guidelines

Course Outline. Microsoft Azure Fundamentals Course 10979A: 2 days Instructor Led. About this Course. Audience Profile. At Course Completion

Microsoft Hyper-V Powered by Rackspace & Microsoft Cloud Platform Powered by Rackspace Support Services Terms & Conditions

MIGRATIONWIZ SECURITY OVERVIEW

GoodData Corporation Security White Paper

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 5. Microsoft Azure Fundamentals M Length: 2 days Price: $ 1,295.

Implementing Microsoft Azure Infrastructure Solutions

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Implementing Microsoft Azure Infrastructure Solutions

ACHIEVING HIPAA COMPLIANCE WITH POSTGRES PLUS CLOUD DATABASE

Microsoft SQL Server 2008 R2 Enterprise Edition and Microsoft SharePoint Server 2010

Installing and configuring Microsoft Reporting Services

Microsoft Online Subscription Agreement/Open Program License Agreement Business Associate Amendment Amendment ID MOS13

CLOUD SERVICES FOR EMS

Network Security Policy

CallRail Healthcare Marketing. HIPAA and HITECH Compliance for Covered Entities using Call Analytics Software

enicq 5 System Administrator s Guide

Netwrix Auditor for Exchange

SharePoint 2013 Business Connectivity Services Hybrid Overview

Developing Microsoft Azure Solutions

VMware vcloud Air HIPAA Matrix

Cloud Inspiration Day Azure Beyond Marketing Slides

Developing Microsoft Azure Solutions 20532A; 5 days

Microsoft SharePoint Architectural Models

December P Xerox App Studio 3.0 Information Assurance Disclosure

Retention & Destruction

SQL Server on Azure An e2e Overview. Nosheen Syed Principal Group Program Manager Microsoft

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Hosting Models. Business Model Software (as a Service) Platform (as a Service) Infrastructure (as a Service) On Premises. Applications. Data.

Administering a SQL Database Infrastructure (MS )

Implementing Microsoft Azure Infrastructure Solutions

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Implementing Microsoft Azure Infrastructure Solutions

Microsoft Azure for IT Professionals 55065A; 3 days

Client Security Risk Assessment Questionnaire

HIPAA Privacy & Security White Paper

SHARPCLOUD SECURITY STATEMENT

White Paper How Noah Mobile uses Microsoft Azure Core Services

Big data variety, 179 velocity, 179 volume, 179 Blob storage containers

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Microsoft Azure. White Paper Security, Privacy, and Compliance in

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Hang Seng HSBCnet Security. May 2016

How to Build an End-to-End Secured Hybrid Cloud for Your Enterprise. Ekkarat Klinbubpa Henky Alimin Sanguan Thammarojsakul

Microsoft Azure Cloud oplossing als een extensie op mijn datacenter? Frederik Baert Solution Advisor

AUTOMATED DISASTER RECOVERY SOLUTION USING AZURE SITE RECOVERY FOR FILE SHARES HOSTED ON STORSIMPLE

Security Controls for the Autodesk 360 Managed Services

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

efolder White Paper: HIPAA Compliance

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Microsoft Azure. The cloud platform built for business. Tarmo Tikerpäe DC SSP Microsoft

MS 20532B - Developing Microsoft Azure Solutions

Xerox Mobile Print Cloud

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Implementing Microsoft Azure Infrastructure Solutions

How Serious is Game Development?

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

Windows Azure Pack Installation and Initial Configuration

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

HIPAA Compliance for the Wireless LAN

October P Xerox App Studio. Information Assurance Disclosure. Version 2.0

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Course 10978A Introduction to Azure for Developers

Altus UC Security Overview

Administration Guide for the System Center Cloud Services Process Pack

Alfresco Enterprise on Azure: Reference Architecture. September 2014

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

The Impact of HIPAA and HITECH

CMB 207 1I Citrix XenApp and XenDesktop Fast Track

Omniquad Exchange Archiving

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

John Essner, CISO Office of Information Technology State of New Jersey

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

The Education Fellowship Finance Centralisation IT Security Strategy

Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING

Trust. The essential ingredient for innovation. Thomas Langkabel National Technology Officer Microsoft Germany

Xerox Mobile Print Cloud

HIPAA Security Alert

Transcription:

HIPAA/HITECH Implementation Guidance For Microsoft Azure

Disclaimer Published November 2016 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided as-is. Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. NOTE: Certain recommendations in this paper may result in increased data, network, or compute resource usage, and may increase your license or subscription costs. 2016 Microsoft. All rights reserved. Abstract HIPAA and the HITECH Act are United States laws that apply to most doctors offices, hospitals, health insurance companies, and other companies involved in the healthcare industry that may have access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a service such as Microsoft Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set out in HIPAA and the HITECH Act. This guide was developed to assist customers interested in HIPAA and the HITECH Act to understand the relevant capabilities of Microsoft Azure. The intended audience for this guide includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. While Microsoft Azure includes features to help enable customers privacy and security compliance, customers are responsible for ensuring their particular use of Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations. Page 2

Table of Contents Abstract... 2 Signing a Business Associate Agreement (BAA)... 4 Scope... 4 Storing PHI Data on the Service... 5 Recommendations for Enabling Compliance... 5 Handling Security Incidents... 9 Page 3

Signing a Business Associate Agreement (BAA) To help customers comply with HIPAA and the HITECH Act, Microsoft includes execution of the HIPAA BAA as part of a customer s volume licensing agreement, which includes any agreement that incorporates the Online Services Terms by reference. The BAA (full text of which is available at http://aka.ms/baa) applies to a customer that is a covered entity or a business associate and includes "protected health information" in Customer Data. Microsoft currently offers the BAA for the services listed in the Scope section below. Customers may opt out of the BAA by sending the following information to Microsoft in a written notice (under the terms of the Customer s license agreement): the full legal name of the Customer and any Affiliate that is opting out; if the Customer has multiple licenses, the licensing agreement to which the opt-out applies. Scope Microsoft currently offers a HIPAA BAA for the following Microsoft Azure services (as of June 2016): Active Directory Notification Hub API Management Operational Insights App Services - API Apps, Mobile Apps, Web Apps Redis Cache Automation Rights Management Service Backup Scheduler Batch Service Bus BizTalk Services Site Recovery Cloud Services SQL Database DocumentDB Storage Event Hubs StorSimple Express Route Stream Analytics HDInsight Traffic Manager Key Vault Virtual Machines Load Balancer Virtual Network Machine Learning Visual Studio Team Services Management Portal Workflow Manager Media Services Multi-Factor Authentication Page 4

Storing PHI Data on the Service Customers should not store or process PHI in Microsoft Azure services outside of the BAA scope. Special Considerations Microsoft recommends that you train your personnel to be aware of how to manage and operate PHI, such as only storing PHI in the objects and data structures designated to for this type of data. For SQL Database this means: Data structures suitable for PHI data: Database fields, including BLOBs O/S managed through Filestream Data structures not suitable for storing PHI data: Login names User Names Database names Schema names Schema Object Names, such as Table Names, View Names, Function Names, or Procedure Names Column Names Recommendations for Enabling Compliance Microsoft Azure employs a risk-management model of shared-responsibility between the customer and Microsoft. Microsoft is responsible for the platform including services offered, and seeks to provide a cloud service that can meet the security, privacy, and compliance needs of our customers. Customers are responsible for their environment once the service has been provisioned, including their applications, data content, virtual machines, access credentials, and compliance with regulatory requirements applicable to their particular industry and locale. It is possible to use Microsoft Azure in a way that complies with HIPAA and HITECH Act requirements. However, customers are responsible for determining if Azure itself and the particular applications they intend to run in Azure comply with HIPAA and HITECH Act requirements. Microsoft does not analyze customer data or applications deployed in Azure. Each customer should have their own compliance mechanisms, policies, and procedures in place to ensure they meet HIPAA and HITECH Act requirements. Customers should independently verify with their own legal counsel that their implementation meets all HIPAA and HITECH Act requirements. Page 5

Microsoft Azure services are audited by independent external auditors under industry standards, including ISO 27001. Our ISO 27001 audit scope includes controls that address HIPAA security practices as recommended by the U.S. Department of Health and Human Services. Additional information on security, privacy, and compliance certifications is available at http://azure.microsoft.com/en-us/support/trust-center/. Many security elements, however, will be determined by applications and systems controlled by the customer. A few specifics that you may wish to evaluate as you design, implement, and operate a customer solution on Microsoft Azure are: Risk and Security Management: Microsoft does not monitor the applications and data that customers choose to run in Azure. Thus, to minimize risks to information, you should continuously monitor and log operations in/by guest VMs, Azure Portal, SMAPI, and Azure Storage. This includes monitoring log-in attempts to VMs, RDP access to VMs, applications hosted on Microsoft Azure, and access to storage accounts through various means such as the REST API. When using Microsoft Azure SQL Database, the customer is responsible for identifying, responding to, or mitigating suspected or known incidents that affect or compromise their application with the intent to cause harm to the Azure SQL DB service. When using Microsoft Azure HDInsight and installing third party applications and/or components onto HDInsight clusters, customers are responsible for patching and maintaining any software they might install as part of the cluster customization. Applications and Data: Critical functionality such as end user access to customer data (including PHI) will be controlled by the design, implementation, and operation of customers applications. In general, Azure customers are responsible for ensuring the integrity of the information that's written to storage by their applications. For example, customers are responsible for monitoring all application/client level access to their databases to prevent unauthorized access including malicious/accidental changes or deletion of data. Customers should also monitor for security breaches, security incidents, or impermissible uses and disclosures of PHI that occur within or through your applications or virtual machines. When using Microsoft Azure SQL Database, customers are responsible for securing their own applications and clients that access SQL databases in order to prevent unauthorized access. This includes monitoring T-SQL statements executed against their databases through application programs or client-level interfaces for unusual or improper activities (as would be accomplished through application auditing). Customers are also responsible for regular, timely reviews of the audit records they collect as well as any reports and/or alerts they are producing based on those. Resources on building secure applications are available in the security section of the Microsoft Azure Trust Center. Configuration of Services: As a platform service and development environment, Microsoft Page 6

Azure provides customers with substantial flexibility to configure the features they use, and customers are responsible for doing so in a manner consistent with HIPAA requirements. This is particularly important for configuration of Cloud Services or Virtual Machines. Customers should perform an individualized risk analysis that examines not only the configuration of the Microsoft Azure services they are using but also the management of their accounts, passwords, RDP session settings (such as timeout periods), and security settings on their work stations that access PHI or applications that process PHI. From there, customers should implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. Access Controls: Ensuring proper access controls is key to protecting the integrity and privacy of company and patient data. Azure customers are responsible for managing access to VMs, Storage Accounts, SQL Databases, the Azure Portal or any other cloud services and resources they use. This includes provisioning and managing Login and User principals for access to their servers and databases respectively (as well as objects within the databases). Logins must be assigned passwords and the customer is responsible for ensuring that their users are aware of their password complexity standards and that they rotate them in a timely manner. Customers must also safeguard their own user identities and credentials (names, passwords, and certificates), other authentication information, and workstations that can be used to gain access to PHI hosted in their service. If a customer believes their access credentials or certificates have been compromised, they should immediately change them and contact Microsoft Azure Customer Support. Customers are strongly advised to identify and document the roles and responsibilities of their administrators and users who have access to PHI and to institute formal security processes. Redundancy and Backups: Microsoft Azure offers a number of features intended to minimize downtime and loss of data. For example, Azure Storage stores multiple copies of data on different fault domains, and, by default, will replicate data to a backup data center (the geo-replication feature can be turned off if desired). Customers are responsible for assessing additional steps to provide added fault tolerance, such as creating additional backups of Customer Data, storing backups of Customer Data off the platform, deploying redundant compute instances within and across data centers, or backing up state within a virtual machine. Customer should review business continuity options for Microsoft Azure, located at http://msdn.microsoft.com/en-us/library/windowsazure/hh873027.aspx Data Center Location: Customers can configure Microsoft Azure to use data centers in particular regions and deploy data and applications across multiple data centers for added redundancy. For additional details on the available data centers and data transfer practices, please see the Privacy section of the Microsoft Azure Trust Center. Encryption-at-Rest: Microsoft Azure does not automatically encrypt customer data at rest. Customers may implement encryption at rest using.net Cryptographic Services. Page 7

Azure Storage offers encryption for data at rest through the Storage Service Encryption (SSE) feature. This can be enabled on any Azure Resource Manager storage account using the Azure Portal, Azure Powershell, Azure CLI or the Microsoft Azure Storage Resource Provider API. For a complete understanding on how SSE works, refer to detailed SSE documentation from the Azure Storage team. SQL Database: Customers can enable SQL Server Encryption, including Transparent Data Encryption with Azure SQL Database, or externally encrypt the data prior to uploading to Azure SQL Database. Externally encrypted records cannot be queried using T-SQL (other than retrieve all ) and may require a schema change such as the introduction of surrogate keys to enable retrieval of specific records or ranges of records. For customers using Virtual Machines (Infrastructure-as-a-Service), additional options are available, including the Encrypting File System in Windows Server 2008 R2 (and above), Azure Rights Management Services, as well as Transparent Data Encryption (TDE) in SQL Server 2008 R2 (and above). HDInsight: To process data that is encrypted in HDInsight or to generate encrypted data from HDInsight clusters, customers may use custom code in form of serializersdeserializers (SerDes). Encryption-in-Transit: Customers may configure Microsoft Azure to enable encryption- intransit by configuring HTTPS endpoints. Customers using Virtual Machines who wish to encrypt traffic between Web clients and Web servers in their VMs can implement SSL on Windows Server Internet Information Services (IIS). Other enhancements to network traffic security include using IPsec VPNs or ExpressRoute to encrypt direct communications between the customer s data center and Microsoft Azure. Additional details can be found in the Microsoft Azure Network Security white paper. SQL Database. All communication to and from Microsoft Azure SQL DB requires encryption (SSL, TLS 1.1) at all times. For customers who are connecting with a client that does not validate certificates upon connection, the connection to Azure SQL Database is susceptible to "man in the middle" attacks. It is the customer s responsibility to determine if they are susceptible to this type of attack. See the section on Encryption and Certificate Validation in the MSDN how-to guide on Security Guidelines and Limitations (Windows Azure SQL Database) for details, including how to defend against this type of attack. HDInsight: To Address files in Blob storage, the URI scheme provides unencrypted access (with the wasb: prefix) and SSL encrypted access (with wasbs). We recommend using SSL encrypted access using wasbs wherever possible, even when accessing data that lives inside the same datacenter in Azure. Personnel: Customers are responsible for their own employees training and conduct as it applies to PHI stored in Microsoft Azure. This may include screening and establishing proper Page 8

clearance to access certain cloud services, and ensuring authorized personnel's information is kept up to date in Microsoft Azure. The above list is not exhaustive and represents just some of the issues to consider in building a HIPAA-compliant solution on Microsoft Azure. Customers should obtain their own security and legal guidance to ensure their particular use of Azure meets all applicable HIPAA and HITECH requirements. Customers with specific technical questions may consult Microsoft Azure Customer Support. Additional technical resources are available at the Microsoft Azure Developer Center. Handling Security Incidents As discussed previously, Microsoft does not monitor for security breaches or other security incidents within customers applications or virtual machines. Customers are responsible for implementing appropriate monitoring in these and other systems they control. Microsoft does monitor Azure at the platform level, as well as other systems that Microsoft controls. A security incident is unlawful access to any Customer Data stored on Microsoft s equipment or in Microsoft s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of PHI or other Customer Data. It does not include Unsuccessful Security Incidents, such as pings and other broadcast attacks on Microsoft s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI or other Customer Data. Upon becoming aware of a Security Incident involving PHI, Microsoft will report the Security Incident to the emergency contact or administrator(s) of the affected Azure subscriptions. Microsoft will report any information it has developed on PHI involved in a security breach within 30 days after discovery of the breach. Microsoft will attempt to provide meaningful information as quickly as possible, to give you time to notify affected individuals. We rely on you (the customer) to handle all notifications to affected individuals. Azure enables customers to set a designated emergency contact for subscriptions. This can be done within the Azure Security Center - Set Security and Compliance Contact Information in Azure Security Center. It is up to you to keep this and all contact information up to date. Prior to sending a notification, Microsoft will work to contain the breach, analyze its impact, and assess the results. Depending on the nature of the breach, Microsoft may (a) provide you a preliminary notification followed by subsequent details, or (b) wait until a full review has occurred and notify you then. In either case, as stated above, Microsoft will attempt to provide you, within 30 days, sufficient detail for you to understand the security breach s impact on patients, and to fulfill Page 9

any requirements you may have under HIPAA. Additional information on handling security incidents is available at Microsoft Azure Security Response in the Cloud. Additional Resources The following resources are not HIPAA-specific but may assist you in understanding security, privacy, and technical architecture of the service, which can help in planning your HIPAA compliance strategy. Microsoft Trust Center Microsoft Azure Documentation Center Microsoft Azure Support Page 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information