As cloud computing technology continues to evolve, it is permanently changing many sectors. Many larger organizations that provide healthcare services are looking to Microsoft Azure as their chosen cloud provider.
Azure can be considered HIPAA compliant if your organization takes a number of steps when configuring it. A business associate agreement must be completed with Microsoft. Microsoft will complete one, and this represents a major step towards HIPAA compliance.
However, HIPAA compliance depends more on how a healthcare organization uses the services of a cloud service provider than on the platform and its data security measures. A healthcare facility could implement the services of Azure in a manner that breaches HIPAA rules regardless of the presence of a business associate agreement between the two parties.
This means that it is the responsibility of the client to make sure that they configure and use Azure’s cloud services without breaching HIPAA compliance rules. Because of this, Azure is more of a HIPAA-cognizant cloud service provider than a compliant entity. Microsoft will supply all the necessary safeguards to meet the requirements of HIPAA. It incorporates high-level integrity, audit and security measures, which are all key to ensuring the security of patients’ personal health data. But the responsibility for ensuring compliance rests with the healthcare organization.
Azure uses a complex VPN technology that ensures any client data uploaded, downloaded or stored is highly encrypted. This effectively controls who can access patients’ personal health information. The company offers a range of tools that clients can use for data encryption purposes. However, it is crucial to note that, unlike other cloud service providers such as Google Cloud Platform, Azure does not automatically encrypt all data at rest due to HIPAA/HITECH Act Implementation Guidance. That means that the company’s technical department could easily access clients’ data, since they manage the encryption keys for file storage. The good news is that clients can prevent this by encrypting all their data with their own encryption keys, which Microsoft strongly recommends.
Along with this, Azure uses Active Directory to allow its clients to set permissions (even with multi-factor authentication) on their cloud-stored data. This is a more secure way for clients to access their cloud-based data, as they have to prove their logins directly through an app as opposed to entering some digits.
Azure also provides thorough reports so that clients are able to see who accessed their data or who tried to. Clients can then put in place further data security measures to ensure that this never occurs again.
In relation to web-based applications, Azure provides Qualys, which is a paid third-party application for scanning these applications’ servers for data security loopholes. Lastly, the company makes a secure Web Application Firewall available, which is soon to be linked fully with its Security Center.
Apart from a secure VPN and thorough logging, Azure incorporates a safe connection to enable clients to take advantage of its cloud platform without breaking the rules of HIPAA. Anything sent between the client and Azure travels through a highly encrypted and secured channel.