Like all compliance policies, the Health Insurance Portability and Accountability Act (HIPAA) is not without its twists and turns. The act itself details out the handling of patient health and identifying data (PHI and PII) (the cliff notes are here), but what does all of this mean for the Office 365 suite?
Office 365 in general contains the tools to meet the technical safeguards for HIPAA compliance. Unfortunately out of the box it will absolutely not meet the safeguards, but thankfully a few minutes is all it takes to bring the suite up to snuff.
1. Secure the User.
Set Password Policies
If you are using Office 365 without a federated domain to an on-premise Active Directory/ADFS environment (or even if you are), make sure that all user accounts are governed by a password policy. Stale and easy to guess passwords will make an easy entry point for data breach.
Use Multifactor Authentication
Azure AD even in Office 365/Basic mode contains some nice threat detection and auditing features out of the box. Most importantly though is the need to insure that users in the organization when accessing from a remote location are who they say they are.
Turn off Anonymous data sharing
The standard sharing method for SharePoint Online and OneDrive for Business is to allow anonymous access of shared links. This needs to at least be changed to allow new and existing external guest accounts. This enforces the remote user to authenticate, thus creating an audit entry for that user’s activities. Anonymous anything can not be allowed.
2. Secure the Endpoint.
Now that the user is secured, next up is the endpoint itself.
Stop Syncing of One Drive for Business on devices that are not domain joined
OneDrive for Business is a fantastic file and collaboration platform, but the last thing you want is for your users to be able to synchronize data to endpoints outside of your control. OneDrive itself includes a feature that will only allow the local sync client to run on machines that are joined to the on-premise Active Directory domain.
Maintain Device Compliance via MDM.
Available but limited to the premium licenses is the ability to deploy MDM compliance policies via Intune, thereby protecting all endpoints including mobile. Only devices that meet encryption standards and manageability should be allowed to download and configure mobile apps to the Office 365 suite.
3. Secure the Data.
Securing data in Office 365 is handled mostly via the Security and Compliance center. The primary foci will be Classification, Governance, and Prevention.
Classification and Governance
Given the sensitivity of PHI, first and foremost it is important that data containing this information is identified and secured. Office 365 contains a very robust identifying engine that will crawl through and categorize data based on classifications. The first thing you want to do is create a classification label, link it to the prebuilt health information classification, and assign a retention policy. The data can also be given “record” status, which means it is part of the actual patient record and not just a copy of or a secondary representation of the record that is stored elsewhere, such as an EMR system. HIPAA itself is very vague with retention, and its best to speak to your legal and compliance teams to determine the best retention policy.
After creating a classification label, you would also want to deploy the classification to users on SharePoint Online, OneDrive for business, and Exchange Online so that users have the ability to classify data manually in the event the engine does not pick it up.
Lastly, but just as important is data loss prevention. You would want to create a DLP policy that either reports on or rejects the outside sharing of classified data. This policy firms up the audit requirements of HIPAA, and provides the security and insight to track and act on any data breaches.