Microsoft Teams and Office 365 HIPAA Compliance
Learn more about the Health Insurance Portability and Accountability Act (HIPAA) and how to set the standard for protecting sensitive patient data in your Microsoft 365 environment.
Traditional IT management roles have moved beyond the perimeter, forcing governance to become agile, responsive and required to adapt and scale their compliance processes. Alongside these internal drivers, there are many government-led data-driven initiatives, and laws are continuously enacted or updated while considering human privacy rights.
Getting compliance right means securing your business, safeguarding corporate reputation, and gaining a competitive advantage. Particularly now, with workforces more distributed, architectures more hybrid, and attack surfaces growing wider. That’s why Microsoft 365 offers a suite of tools to support you in ensuring compliance for the modern era.
Microsoft 365 offers multiple components to help your business adhere to standards, policies and best practices for compliance and data governance.
These have been designed for different requirements faced by compliance teams today. From governments and regulators to strict industry-led standards typical within highly controlled industries such as financial services. Each administrative tool can help you build a plan for keeping your environment compliant while making sure users have the least-privilege access.
Europe’s GDPR was introduced in 2018, helping to align the previously divergent laws within member countries.
Since then, other regions have adopted similarly far-reaching legislative approaches. The US is currently evaluating the American Data and Privacy Protection Act, the first federal privacy law for the country.
Brazil’s LGPD came into effect in 2020 to unify 40+ data processing laws.
“By 2024, 75% of the global population will have its personal data covered under privacy regulations”
Gartner
Of course, legislative alignment at such a scale will take time.
The challenge for organizations — particularly those with complex architectures — is that compliance can’t wait. Even if the business is compliant, they also have to be able to demonstrate compliance to independent auditors. That means gaining the visibility to identify, monitor and show the necessary controls are in place and functioning correctly.
Here’s what some common frameworks require and how Microsoft 365 helps:
The Microsoft 365 Advanced Compliance Suite will augment your compliance and data governance requirements. It includes Microsoft Purview, your starting point for data, security, and risk management. Microsoft Purview can also act as an automated element of any Data Protection Officer requirements.
Microsoft Purview can cover your data estate end-to-end, including Teams, SharePoint, OneDrive, and Exchange.
You’ll need an activated Microsoft Purview account that’s been created in Azure. You’ll also need permission to access the governance portal: https://web.purview.azure.com/resource. From there, you can deploy Microsoft Purview solutions such as:
It’s a constant challenge to keep up with worldwide and industry-based compliance. That’s why Microsoft runs a variety of Governance, Risk, and Compliance (GRC) certifications. These range from Cybersecurity Architect Expert to Microsoft 365 Security Administrator Associate.
For cloud-oriented upskilling, the Azure Compliance Hub offers 100+ certifications. These span global regions, industry-specific regulations, and emerging government-driven initiatives. Options include Azure Security Engineer and the Azure AD-focused Identity and Access Administrator Associate certification. There are also how-to guides for compliance implementations and mappings.
As digital estates grow in complexity, automation is becoming an increasingly crucial tool for SharePoint compliance. This is evident in how Microsoft has added auto labeling capabilities for detecting sensitive data. For example, automatically labeling SharePoint files containing credit card numbers. This data can also be automatically encrypted to ensure your organization fulfils storage compliance requirements.
For behavioral-based SharePoint compliance monitoring, there are also Microsoft 365 usage reports. These allow admins to view how employees are using services in the tenant.
Although when an employee leaves, deleting their account means their data usage is also deleted –within 30 days. So, it’s worth checking the relevant compliance and governance processes first.
Additionally, you may also need to adjust your privacy settings to view identifiable internal user details. Here’s how you can do that:
Admins can apply sensitivity labels and policies in the Microsoft Purview compliance portal. These are extended and enforced across Teams, Microsoft 365 Groups, and Microsoft Purview.
A use case would be labeling Teams to restrict control guest access, preventing external users from being added. Maintaining strict control of ownership will also help reduce the risk of orphaned channels in Microsoft Teams.
You can configure labels and policies at two levels:
Naturally, user-based compliance is at the heart of Microsoft Teams. All activities have to be logged for audit compliance. However, this also must be balanced with employees’ privacy around stored data logs, video calls, and other sensitive communication and collaboration content.
Maximizing Microsoft 365 means mapping and unifying your data governance across on-premises, multi-cloud, and SaaS. Here are some key areas to consider within your environment:
The need to set data retention policies is clear. However, things get more complex when you go deeper into data retention requirements.
With HIPAA, organizations must store and manage records for at least six years after the creation date. That’s relatively straightforward. However, HIPAA also requires these records to be kept six years after the “last effective date.”
This calls for high levels of visibility into the Microsoft 365 cloud environment to know when data is no longer used. Microsoft Defender for Cloud Apps can provide this across your connected apps’ activities. Through the Activity Log, you can uncover Shadow IT with comprehensive control over sensitive data.
Microsoft offers a 99.99% uptime guarantee with Teams. For the remaining 00.01%, organizations require outage backup scenarios to be put in place.
Today’s distributed and scalable ecosystems also need to have automated incident protection. One option is Microsoft Defender for Office 365. Its automated investigation and response capabilities (AIR) are augmented by investigation and remediation processes. These can take care of recognized threats while your team focuses on more high-level security demands.
Cloud access is business-critical – and so is access management. Azure offers both Role-Based Access Control and Identity Access Management, for managing, controlling, and auditing resource access.
Microsoft also recommends syncing cloud identities with any identities still based on-premises. You can do this using Azure AD’s hybrid identity solution. By creating and managing single identities in this way, hybrid enterprises can stay productive. Employees can collaborate with external third parties while mitigating security risks beyond the traditional perimeter.
This is one of the most vulnerable attack vectors, underscored by the fact nearly two-thirds (63%) of companies were breached last year. Now, combine this vulnerability with the growing volume of sensitive data flowing in and out of organizations. It’s clear organizations require similarly dynamic protection. That means policy enforcement – at scale.
Azure Information Protection (AIP) is built for this scenario. You can configure policies for classifying, labeling, and protecting data based on sensitivity levels and Personally Identifiable Information (PII). This can be automated or user-driven, with events viewed through one consolidated service. As with all Microsoft security and compliance solutions, access to AIP depends on your Microsoft 365 license.
For today’s hybrid organizations, device management is evolving as fast as industry legislation. Mobile devices, long-established since the days of BYOD (Bring your own device), are now joined by IoT devices, virtual machines, and other physical machines.
To protect these distributed environments, organizations require a robust device management solution. Many have turned to Microsoft Intune to secure their proprietary data, wherever it’s stored and accessed. What’s more, it’s possible to cloud-attach Intune to on-premises configurations. This unlocks cloud-based capabilities, such as conditional access and the ability to run remote actions (with Windows Autopilot).
As an organization’s headcount increases, managing the tenant can quickly require extra resources. There can be more admins, a larger helpdesk, with more configuration support. Add in the global rise in remote working, and user complexity is magnified – just as visibility decreases.
Azure Active Directory (Azure AD) offers multiple ways to align and centralize user access. For hybrid environments, Microsoft recommends integrating on-premises and cloud directories.
Other best practices for managing users include tracking account creations and deletions. Accounts created and deleted within 24 hours should raise an alert. Alerts can also be triggered when non-approved users or processes create accounts. Privileged and non-privileged accounts should also be monitored, for users being assigned by non-approved users.
This involves defining policies for tracking user access to resources and devices. These are the minimum requirement for an endpoint to connect to your systems. You’ll also need to decide whether policies should apply to devices or users.
Start by considering if you want a consistent device experience for every employee (such as for a specific mobile device). In this scenario, you could have policies apply to users. If the device type varies, such as a kiosk compared to a mobile card reader, device policies are often the best option.
You can manage compliance processes through Azure AD, for applications such as SharePoint, Microsoft 365, and OneDrive. It starts with creating definitions of normal and expected behaviors. Any violation can trigger an alert or action. To reduce manual effort, you can integrate Conditional Access to block users or devices automatically.