When people find out what I do for a living, they often ask if I think the Cloud is secure. We’ve written about this before and my response is along the lines of:
“Cloud Service Providers probably do a better job of securing their servers and networks than a typical business.” You can see in their eyes the relief in believing that their decision to move to the Cloud is a safe one. Then I say “But the Cloud is something that is entirely managed and accessed via the public Internet so it’s fundamentally riskier.”
The Cloud Dichotomy
This duality can be hard to grasp. After all, this statement implies that the Cloud is more secure and also not. For organizations that require compliance with various industry and legislative standards such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), or International Traffic in Arm Regulations (ITAR) the stakes are high as the efficiencies provided by Cloud services are incredibly appealing but the impact of a security or privacy breach can result in massive fines and other expenses. Creating additional challenges is the fact that the security, visibility, and control associated with industry and legislative compliance is directly at odds with the reason users are adopting Cloud services. Users are often more interested in performing their jobs as efficiently as possible as opposed to maintaining compliance with regulation du jour.
In an effort to make this clearer CipherPoint is writing a series of articles to review the controls necessary for compliance with PCI DSS, HIPAA, and ITAR, and identify which controls are available in Office 365 or otherwise provided by Microsoft. This first article in the series covers PCI DSS (an easy task as you will find out soon enough) and the Administrative Safeguards required by HIPAA.
Remember that many compliance mandates are an organizational responsibility, not a technology certification. As a general rule, your organization cannot offload the entire compliance burden to Microsoft. Microsoft runs the data centers but your organization is still responsible for the behavior of your users.
Microsoft claims Level 1 compliance with the Payment Card Industry Data Security Standard (PCI DSS) for their own billing systems. Per Microsoft, however, “customers should not use the Office 365 service to transmit or store [cardholder] data for their own use.” This means that Office 365 must be out of scope for any organizations that store, process, or transmit cardholder data. Microsoft doesn’t say why this is the case and any organization that intends to store sensitive information of any kind in Office 365 should attempt to get an answer. One possible reason could be that organizations storing cardholder data in Office 365 will not be able to demonstrate many of the requirement controls for their Qualified Security Assessor (QSA) since Microsoft is performing those functions.
The HIPAA and HITECH Acts together include specific guidance on privacy, information security, and breach notification. The HIPAA Security Rule requires common technical security controls such as user authentication, authorization, access control, encryption, data integrity, and audit logging. The security rule also includes requirements for physical safeguards including controls related to physical access to information and systems including workstation access controls, device and media controls, and facility access control. There are also contractual requirements for risk sharing, called Business Associate Agreements (BAA), among covered entities and service providers.
It is important to understand that HIPAA compliance is an organizational responsibility, not a technology certification. As such, Microsoft can only help your organization meet the HIPAA compliance requirements because Microsoft is responsible only for their employees’ access to patient information; they are not responsible for the compliance requirements associated with your employees and business associates accessing patient information.
You can use the table below as a worksheet to identify gaps in your organization’s compliance posture relative to the Administrative Safeguards required by HIPAA.
|45 CFR § 164.308(a)(1)Security Management Processes. Implement policies and procedures to prevent, detect, contain, and correct security violations.||Yes||?||Microsoft uses QualysGuard to automatically identify vulnerabilities and other configuration issues across the Microsoft online services. Not all requirements under this section can be automated with technology (e.g. workforce sanctioning) but it is safe to assume that Microsoft has a policy to reprimand their workers who fail to comply with security policies.
Your organization can safely rely on Microsoft’s vulnerability and patch management processes for the infrastructure aspects of Office 365. You will need to provide for yourself, however, policies and procedures for the configuration settings that are exposed to your end-users and administrative staff.
|45 CFR § 164.308(a)(2) Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.||Yes||?||Ensure that your organization has assigned responsibility for the policies and procedures specific to the online services that comprise the Office 365 suite. This is likely to be an extension of existing roles and, while policies may not have to change, you need to update or create procedures specific to Office 365.|
|45 CFR § 164.308(a)(3) Workforce security. Implement policies & procedures to ensure that all members of workforce have appropriate access to electronic protected healthcare information.||Yes||?||Microsoft states that database administrators and key members of their operations response team have access to customer content.http://www.microsoft.com/online/legal/v2/?docid=24
The Office 365 administrators in your organization will have access to ePHI but they probably would rather not be exposed to that information and associated compliance culpability.
|45 CFR § 164.308(a)(4) Information access management. Implement policies & procedures for authorizing access to ePHI||Yes||?||Office 365 lacks centralized permissions visibility and management which will make it challenging for your organization to enforce policies and procedures. You may need a third party solution to manage and audit access to ePHI in Office 365 – especially if you plan to allow access by external users.|
|45 CFR § 164.308(a)(5) Security awareness training||Yes||?|
|45 CFR § 164.308(a)(6) Security incident procedures||Yes||?||Given that information in Office 365 can be accessed from anywhere and from any device, your organization will need a strategy to identify security incidents in public Cloud platforms. The SharePoint Online and OneDrive for Business components of Office 365 do not provide activity logging sufficient for monitoring user behavior and identify suspicious activity.|
|45 CFR § 164.308(a)(7) Contingency plan||Yes||?||The native backup capabilities in Office 365, especially those in SharePoint Online and OneDrive, are rudimentary. Microsoft has a robust infrastructure and provides 99.99% uptime on average but your organization must also have its own ability to maintain and restore exact copies of ePHI. You need to determine the impact to your organization if Office365 is unavailable and plan accordingly.|
|45 CFR § 164.308(b)(1) Business Associate Agreement||Yes||N/A|
Making the Grade
Compliance is a perennial and effective catalyst for information security budgets and priorities. The HIPAA requirements above are just the first example of the need to understand exactly which aspects of compliance you may outsource to Microsoft and which aspects your organization remains responsible for. As the table above indicates, there are very few categories that Microsoft can assume total ownership of. In fact, the compliance relationship between your organization and Microsoft is more one of partnership than outsourcing.
Future articles in the series will cover the remaining Technical and Physical Safeguard under HIPAA, and ITAR.