Thinking about moving some services to the cloud? Is Microsoft Azure HIPAA compliant and suitable for ePHI?
A client wanted to use Microsoft Azure as a HIPAA-compliant disaster recovery site, so we took a look.
Here’s what we found about Microsoft Azure and HIPAA compliance.
Any company that handles PHI is what’s called a HIPAA Business Associate.
Business Associates must sign a contract that says they will protect a patient’s confidential information.
Microsoft will sign a HIPAA Business Associate agreement. You can’t find the form online -- you’ll need to work with a salesperson to execute an agreement.
Microsoft spells out exactly which services can hold PHI on their HIPAA compliance page. As of this writing, this includes:
This list is perfect for disaster recovery. It includes storage, virtual machines, a virtual network, and VPN gateway.
There are key items that we look for to make sure that clients will be able to use a cloud environment in a HIPAA-compliant way. Here are the key ones we reviewed:
Microsoft Azure provides a secure VPN for connecting into their environment. Anything sent between Azure and your business is sent over this encrypted, secure tunnel.
Azure uses Azure Active Directory to provide roles and permission controls.
A word of caution -- the concepts in Azure AD may be familiar to legacy users of Active Directory. Our experience is that it’s much easier to set up accurate roles and permissions in both Amazon Web Services and Google Cloud Platform. Part of good IT security is good usability, and we prefer AWS and GCP in this instance.
Yes, Microsoft Azure provides multi-factor authentication. In fact, we found their Azure Authenticator app much easier to use than the Google Authenticator app. It’s also more secure, as you approve the login directly through the app (instead of keying in some numbers).
However, it’s a bit disappointing that Azure makes you pay extra for multi-factor authentication.
It’s not a lot of money, but still. Boo. Hiss. Two factor authentication is such a critical security control, there should be NO barriers for its adoption.
By default, Microsoft Azure logs every interaction with the Azure environment. This is critical for HIPAA compliance to prove what did or didn’t happen in case of an incident.
Logging can also record what happens in each virtual machine.
Many companies never change their encryption keys, leaving them exposed to risk if one is ever compromised.
Microsoft Azure offers a “key vault” key management service to store and rotate encryption keys used to connect to servers.
Microsoft provides tools that you can use to encrypt data at rest, much like Amazon Web Services.
Unfortunately, unlike Google Cloud Platform, Microsoft Azure does NOT automatically encrypt all data at rest. This is from their “Microsoft Azure HIPAA/HITECH Act Implementation Guidance”:
This isn’t a showstopper, but we prefer an environment where encryption is the default.
It appears that, technically, Microsoft employees could access your data as they control the encryption keys for file storage. One way to prevent this would be to encrypt all your data with your own encryption keys, which we strongly recommend.
The “Microsoft Azure HIPAA/HITECH Act Implementation Guidance” doesn’t specifically cover how Azure manages this. Given the number of audits that they receive, though, there's likely a robust process in place to manage this.
Microsoft offers a paid third-party solution called Qualys to scan servers for vulnerabilities.
Azure also offers a Web Application Firewall, though it’s not fully integrated with their Security Center yet.
Based on all the measures described above, Microsoft Azure can definitely be used in a way that is HIPAA compliant.
However, there is a lot of complexity. In our experience, there’s even more complexity than AWS or Google Cloud Platform. They’re worth a look if you’re a heavy Microsoft organization or if their pricing is compelling, but be extra careful to make sure you’re setting it up the right way.
Get some free help! Talk to an Adelia Risk cybersecurity consultant.
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!