Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


How healthcare organizations can protect their data within Microsoft cloud systems

Sep 02, 2020

A common concern in the healthcare industry is that using cloud-based collaboration suites like Microsoft 365 and Teams exposes an organization to HIPAA violations. The truth is, Microsoft 365 can be easily configured to support HIPAA security and privacy requirements. 

The Microsoft 365 platform falls into the Software as a Service (SaaS) model. In the SaaS model, Microsoft’s platform controls 60% of the management efforts, giving the healthcare organization control over data governance and rights management, client endpoint management, account and access management and management of the identity infrastructure.

How healthcare organizations can protect their data within Microsoft cloud systems 

Source: Microsoft: Shared responsibility in the cloud

For its part, Microsoft is responsible for physical security of the Microsoft 365 environment as well as access controls to the underlying network, operating system and application. Microsoft has a rigorous security control compliance program for Microsoft 365, including SOC 2 and HITRUST. The Microsoft Business Associate agreement is located in the Microsoft Volume Licensing Center. As a business associate, Microsoft is committed to maintaining effective security controls over their cloud-based solutions.

The platform’s security features can be individually licensed; however, it can be more cost effective to use the Microsoft 365 E5 license bundle to gain access to the necessary features to comply with HIPAA security requirements. 

Microsoft’s healthcare cloud security features

By leveraging Microsoft’s Trusted Cloud principles, organizations can achieve some quick HIPAA security and compliance wins. The following features of the Microsoft cloud are available with Microsoft 365 E5 or standalone licensing:

Feature Benefit
Microsoft 365 Advanced Threat Protection (ATP): Exchange e-mail gateway/anti-malware services Protects customers from unknown email threats in real-time by using intelligent systems that inspect attachments and links for malicious content.
Azure ATP Monitors and analyzes user activities and information across your network, such as permissions and group membership, creating a behavioral baseline for each user.
Windows Defender with Advanced Threat Protection (WATP) Provides endpoint protection for malware and virus scanning, including everything in Azure ATP.
Cloud App Security (CAS) Discovers and controls the use of Shadow IT: Identifies the cloud apps, IaaS and PaaS services used by your organization. Investigates usage patterns and assesses the risk levels and business readiness of more than 16,000 SaaS apps against more than 80 risks.
Azure AD Identity Protection Allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk-detection data to third-party utilities for further analysis.
Azure Security Center: A unified infrastructure security management system Strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud — whether they're in Azure or not — as well as on-premises.
Log Analytics workspace Collects, analyzes and acts on telemetry data from your Azure and on-premises environments.
Microsoft Intune Focuses on mobile device management (MDM) and mobile application management (MAM). Devices can be Windows 10, iOS or Android.
Windows Information Protection (WIP), previously known as enterprise data protection (EDP) Helps to protect against potential data leakage from personal or company-owned devices.

By leveraging Microsoft 365 E5 business or enterprise subscriptions, healthcare organizations have access to a host of other platform tools, including Microsoft 365 Information Protection, to manage Microsoft 365, Teams and other core Microsoft services for storing and accessing data. 

To learn more about how your organization can implement these features, contact Wipfli. Or continue reading on:

Telehealth, HIPAA and COVID-19: What you need to know

Common misconceptions from a HITRUST Authorized External Assessor

What the ‘good faith’ rule means for HIPAA during COVID-19 pandemic 


Jason Vander Velde
Senior Manager
View Profile