Microsoft Azure and HIPAA HITECH compliance: Four configuration safeguards for your data


This blog was originally published by Concerto Cloud Services. Since then, Concerto Cloud Services has become DXC Concerto, the mid-market cloud offering within DXC Technology.

Many companies are looking to get out of the data center business and turn to services like Microsoft Azure for Infrastructure as a Service (IaaS) to host legacy client-server workloads, rather than continuing to make capital investments in hardware. For healthcare organizations that must meet HIPAA and HITECH requirements, there are a few keys to safeguarding their sensitive data.

Microsoft supports running workloads that contain electronic protected health information (ePHI) in Azure and will sign a Business Associate Agreement (BAA) covering the service, but it is important to understand that the BAA operates within a shared responsibility model. Microsoft is responsible for the security of the underlying platform; the customer bears the burden of configuring the environment correctly, or of ensuring that any service provider managing it on their behalf adheres to HIPAA and HITECH requirements.

The HIPAA Security Rule does not spell out the exact controls in black and white. It defines required and "addressable" safeguards and expects an organization to implement what is reasonable and appropriate for its size, resources and risk profile, and to document a risk analysis showing why. The keys below are some of the safeguards a mid-market healthcare organization would be expected to implement to protect ePHI.

Disable access from external networks or encrypt data in transit

By default, Azure Windows VMs created through the portal or the classic deployment model expose Remote Desktop (RDP, TCP 3389), and classic VMs also expose Remote PowerShell (WinRM, TCP 5985/5986), directly to the internet. Administrators can and should close this with a network security group (NSG) that permits management traffic only from trusted address ranges. If there is a need to publish an application directly over the internet, all data in transit should be encrypted with TLS (what most people still call SSL), and the management ports should stay closed. For traffic between a client site and an Azure virtual network, customers can use either a site-to-site VPN or an ExpressRoute connection; note that ExpressRoute is a private circuit that does not cross the public internet, but it is not encrypted on its own, so ePHI crossing it should still be protected by TLS at the application layer or by an IPsec tunnel over the circuit.
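As an added example (not from the original post), the following Az PowerShell script puts the management ports behind an NSG so that RDP and WinRM are reachable only from the on-premises range that arrives over the site-to-site VPN or ExpressRoute, attaches it at the subnet, checks the effective rules, and also makes a storage account refuse plaintext and pre-1.2 TLS. The resource group, VNet, subnet, NIC and storage account names, the region and the on-premises prefix 10.10.0.0/16 are all assumptions.

```powershell
# Added example, not part of the original post. Requires the Az module and an
# authenticated session (Connect-AzAccount). All names and prefixes below are assumptions.
$rg     = 'rg-ehr-prod'
$vnet   = 'vnet-ehr'
$subnet = 'snet-app'
$onPrem = '10.10.0.0/16'            # range that reaches Azure over S2S VPN / ExpressRoute
$mgmt   = @('3389', '5985', '5986') # RDP, WinRM HTTP, WinRM HTTPS

$rules = @(
    # Management traffic is permitted only from the on-premises range.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-From-OnPrem' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $onPrem -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange $mgmt

    # The built-in DenyAllInBound rule (priority 65500) already drops traffic that no
    # rule allows; this explicit deny makes the intent auditable and outranks any
    # allow rule someone later adds with a larger priority number.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-From-Internet' -Priority 200 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $mgmt
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location 'eastus' `
    -Name "nsg-$subnet" -SecurityRules $rules

# Attach the NSG at the subnet so every NIC in it inherits the rules, including VMs built later.
$net = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$cfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $net -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $net -Name $subnet `
    -AddressPrefix $cfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$net | Set-AzVirtualNetwork | Out-Null

# Check the result on a NIC in the subnet (assumed name): the inbound effective rules
# should contain no Allow for 3389/5985/5986 whose source is Internet.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName 'nic-app01' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange

# Storage endpoints that are published to clients: refuse plaintext HTTP and old TLS.
Set-AzStorageAccount -ResourceGroupName $rg -Name 'stehrprod01' `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 | Out-Null
```

The NSG is associated at the subnet rather than on each NIC so that a VM added next month cannot quietly come up with RDP open; the effective-rules query at the end is the check to run after any change, since NIC-level and subnet-level groups are evaluated together.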

Monitor and manage log-in access

Organizations need to log and monitor operations in their Azure environment at two levels: the management plane (who changed a VM, a storage account or a network rule, which the Azure Activity Log records) and the workload (which client or application touched ePHI, which the operating system and application logs record). Companies should also deploy tooling that watches those logs for signs of a breach or incident, such as repeated failed logons to a VM from a single external address. Doing so helps to identify bad actors while they are still attempting to gain access and shut them down before a breach occurs.

Just as with an on-premises deployment, organizations need to enforce strong password policies and proper access controls. In addition to on-premises resources, companies now need to secure access to virtual machines, storage accounts (and their access keys) and the Azure portal itself. Portal and subscription roles deserve particular care, with multi-factor authentication and least-privilege role assignments, because an account that can administer the subscription can read, change or delete every resource in it.
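As an added example (not from the original post) of the kind of monitoring the two paragraphs above call for, this PowerShell script reads failed logons (Security event 4625) from a VM's own event log, groups them by source address and flags any address that exceeds a threshold, which is the simplest signal that someone outside is guessing RDP credentials. The threshold, the function names and the sample data are assumptions.

```powershell
# Added example, not part of the original post. Pulls failed logons (event 4625)
# from a VM's Security log and flags source addresses with repeated failures;
# the threshold and the sample data are assumptions.

function Get-FailedLogonEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Reading the Security log requires an elevated session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The useful fields live in EventData, so parse the event XML.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = $d['TargetUserName']
                Source      = $d['IpAddress']        # '-' when the logon had no network source
                LogonType   = [int]$d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network
            }
        }
}

function Find-LogonBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 10
    )
    $Events |
        Where-Object { $_.Source -and $_.Source -ne '-' } |
        Group-Object Source |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $times = $_.Group.TimeCreated | Sort-Object
            [pscustomobject]@{
                Source    = $_.Name
                Failures  = $_.Count
                Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        }
}

# Constructed sample (not real log data): one address spraying usernames over RDP,
# plus a couple of ordinary mistyped passwords from the internal range.
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $now.AddMinutes(-$_); User = "user$($_ % 4)"; Source = '203.0.113.7'; LogonType = 10 }
    }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-3); User = 'jsmith'; Source = '10.10.4.21'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-2); User = 'jsmith'; Source = '10.10.4.21'; LogonType = 10 }
)
Find-LogonBursts -Events $sample -Threshold 10 | Format-Table

# Against the live log on the VM:
# Find-LogonBursts -Events (Get-FailedLogonEvents -Since (Get-Date).AddHours(-1))
```

With the constructed sample only 203.0.113.7 crosses the threshold; the internal user who mistyped a password twice does not. The same grouping run on a schedule, with the result forwarded to whatever alerting the organization uses, turns an after-the-fact log into the early warning the paragraph above asks for.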

Back up the system

Companies sometimes mistakenly believe that because they are now in the cloud, their data is backed up. Azure storage keeps three synchronous copies of an IaaS disk within a single region (locally redundant storage), but replication is not backup: a corrupted file, a ransomware encryption run or an accidental deletion is faithfully written to all three copies. Customers need a strategy that takes point-in-time backups of the data and also keeps a copy in a geographically separate facility. A good solution is Azure Backup with a Recovery Services vault set to geo-redundant storage (GRS), which replicates the restore points to Azure's paired region.
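As an added example (not from the original post), the following Az PowerShell script sets up what the paragraph above describes: a Recovery Services vault on geo-redundant storage, a daily backup policy with 35-day retention, protection for one VM, and an initial backup. The vault, policy and VM names, the region and the 35-day retention are assumptions.

```powershell
# Added example, not part of the original post. Creates a Recovery Services vault on
# geo-redundant storage, a daily policy with 35-day retention, and enables backup for
# one VM. Names, region and retention values are assumptions.
$rg       = 'rg-ehr-prod'
$location = 'eastus'
$vmName   = 'vm-ehr-app01'

$vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name 'rsv-ehr' -Location $location

# Redundancy must be chosen before the first item is protected; once backups exist the
# vault's storage type is locked. GRS copies the restore points to the paired region.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant
$redundancy = (Get-AzRecoveryServicesBackupProperty -Vault $vault).BackupStorageRedundancy
if ($redundancy -ne 'GeoRedundant') {
    throw "Vault rsv-ehr is $redundancy; refusing to protect items until it is GeoRedundant"
}

Set-AzRecoveryServicesVaultContext -Vault $vault

# Daily restore points kept for 35 days: enough to roll back corruption that goes
# unnoticed for weeks, which three synchronous copies of the live disk can never do.
$schedule  = Get-AzRecoveryServicesBackupSchedulePolicyObject  -WorkloadType AzureVM
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$retention.DailySchedule.DurationCountInDays = 35
$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'ehr-daily-35d' `
    -WorkloadType AzureVM -SchedulePolicy $schedule -RetentionPolicy $retention

Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName -ResourceGroupName $rg

# Take an initial backup now rather than waiting for the first scheduled run,
# then confirm the item is registered and show its protection state.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $vmName
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM
Backup-AzRecoveryServicesBackupItem -Item $item | Out-Null
$item | Select-Object Name, ProtectionState, LastBackupStatus, LastBackupTime
```

The redundancy check deliberately fails closed: a vault that was created with the default locally redundant setting cannot be switched to GRS after its first backup, so it is cheaper to discover the mistake here than after months of restore points have accumulated. A backup that has never been restored is an assumption, so schedule a test restore of a disk or file from the vault as part of the same procedure.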

Encrypt data at rest

Organizations should also know exactly what is and is not encrypted at rest. Azure has not always encrypted customer data at rest automatically; today Azure Storage Service Encryption is enabled by default for storage accounts and managed disks using Microsoft-managed keys, but a covered entity should verify that setting rather than assume it, and should decide whether it needs to hold its own keys. The options range from Storage Service Encryption (now available in all regions, optionally with customer-managed keys held in Azure Key Vault), to Azure Disk Encryption for IaaS VMs (BitLocker on Windows, dm-crypt on Linux, with the keys stored in Key Vault), the Encrypting File System (EFS) built into Windows, and Azure Rights Management for protecting individual documents wherever they travel.
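As an added example (not from the original post), this Az PowerShell script enables Azure Disk Encryption for one Windows VM with its keys in a Key Vault, verifies the result, and then checks, rather than assumes, a storage account's encryption at rest. The resource group, VM, vault and storage account names and the region are assumptions.

```powershell
# Added example, not part of the original post. Turns on Azure Disk Encryption
# (BitLocker in the guest, keys in Key Vault) for one Windows VM and checks that
# storage-account encryption is in effect. Names and region are assumptions.
$rg       = 'rg-ehr-prod'
$location = 'eastus'
$vmName   = 'vm-ehr-app01'
$kvName   = 'kv-ehr-ade-01'    # must be globally unique and in the same region as the VM

# Key Vault permitted to hold disk-encryption secrets. Purge protection (which builds on
# soft delete) keeps an attacker, or a typo, from destroying the keys the disks depend on.
$kv = New-AzKeyVault -ResourceGroupName $rg -Name $kvName -Location $location `
    -EnabledForDiskEncryption -EnablePurgeProtection

# Encrypt OS and data volumes. This installs the ADE extension and reboots the VM,
# so run it in a maintenance window; -Force suppresses the confirmation prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# BitLocker may still be encrypting large volumes after the extension reports success,
# so treat anything other than 'Encrypted' as something to re-check, not as done.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
if ($status.OsVolumeEncrypted -ne 'Encrypted' -or $status.DataVolumesEncrypted -ne 'Encrypted') {
    Write-Warning "$vmName : OS=$($status.OsVolumeEncrypted) Data=$($status.DataVolumesEncrypted)"
}
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted

# Storage accounts: confirm service-side encryption and see who holds the key,
# Microsoft.Storage (platform-managed) or Microsoft.Keyvault (customer-managed).
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stehrprod01'
$sa.Encryption.Services.Blob | Select-Object Enabled, LastEnabledTime
$sa.Encryption.KeySource
```

Disk encryption protects against someone walking off with the underlying storage or snapshotting a disk into another subscription; it does nothing for an attacker who already has a logon to the running VM, which is why it sits alongside the network and access controls above rather than replacing them.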

Whether working with a cloud services provider to manage your Azure environment or managing the environment for your organization, it is important to understand the configurations required and the shared responsibility model for dealing with HIPAA and HITECH compliance on Azure.


Rob Curls is the Sales Solutions Advisor for DXC Concerto.
