
Is Microsoft Azure HIPAA Compliant?

Thinking about moving some services to the cloud?  Is Microsoft Azure HIPAA compliant and suitable for ePHI?

A client wanted to use Microsoft Azure as a HIPAA-compliant disaster recovery site, so we took a look.

Here’s what we found about Microsoft Azure and HIPAA compliance.

Will Microsoft Azure sign a HIPAA Business Associate Agreement?

Any company that handles PHI is what’s called a HIPAA Business Associate.

Business Associates must sign a contract that says they will protect a patient’s confidential information.

Microsoft will sign a HIPAA Business Associate agreement.  You can’t find the form online — you’ll need to work with a salesperson to execute an agreement.

Which Microsoft Azure services are covered for HIPAA use?

Microsoft spells out exactly which services can hold PHI on their HIPAA compliance page.  As of this writing, this includes:

[Image: Microsoft's list of HIPAA-covered Azure services]

This list is perfect for disaster recovery.  It includes storage, virtual machines, virtual networks, and a VPN gateway.

What about IT security measures?

There are key items that we look for to make sure that clients will be able to use a cloud environment in a HIPAA-compliant way.  Here are the key ones we reviewed:

A secure connection between Microsoft Azure and our business

Microsoft Azure provides a secure VPN for connecting into their environment.  Anything sent between Azure and your business is sent over this encrypted, secure tunnel.

[Image: Azure VPN gateway]

A way to restrict what users can and can’t do

Azure uses Azure Active Directory to provide roles and permission controls.

A word of caution — the concepts in Azure AD may be familiar to legacy users of Active Directory.  Our experience is that it’s much easier to set up accurate roles and permissions in both Amazon Web Services and Google Cloud Platform.  Part of good IT security is good usability, and we prefer AWS and GCP in this instance.

Multi-factor authentication

Yes, Microsoft Azure provides multi-factor authentication.  In fact, we found their Azure Authenticator app much easier to use than the Google Authenticator app.  It’s also more secure, as you approve the login directly through the app (instead of keying in some numbers).

However, it’s a bit disappointing that Azure makes you pay extra for multi-factor authentication.

[Image: Azure multi-factor authentication pricing]

It’s not a lot of money, but still.  Boo.  Hiss.  Two factor authentication is such a critical security control, there should be NO barriers for its adoption.

Detailed logging of system and user activity

By default, Microsoft Azure logs every interaction with the Azure environment.  This is critical for HIPAA compliance: it lets you prove what did or didn’t happen in the event of an incident.

Logging can also record what happens in each virtual machine.

[Image: Azure logging]

Encryption Keys

Many companies never change their encryption keys, leaving them exposed to risk if one is ever compromised.

Microsoft Azure offers a “key vault” key management service to store and rotate encryption keys used to connect to servers.

[Image: Azure Key Vault]

Data Encryption

Microsoft provides tools that you can use to encrypt data at rest, much like Amazon Web Services.

Unfortunately, unlike Google Cloud Platform, Microsoft Azure does NOT automatically encrypt all data at rest.  This is from their “Microsoft Azure HIPAA/HITECH Act Implementation Guidance”:

[Image: excerpt from the Microsoft Azure HIPAA/HITECH Act Implementation Guidance on encryption at rest]

This isn’t a showstopper, but we prefer an environment where encryption is the default.

Speaking of that, what about Microsoft employee access to my data?

It appears that, technically, Microsoft employees could access your data as they control the encryption keys for file storage.  One way to prevent this would be to encrypt all your data with your own encryption keys, which we strongly recommend.

The “Microsoft Azure HIPAA/HITECH Act Implementation Guidance” doesn’t specifically cover how Azure manages this.  Given the number of audits that they receive, though, there’s likely a robust process in place to manage this.
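The practical upshot of the two encryption sections above is a check you can run against your own storage accounts: is data at rest encrypted, and is it encrypted with keys you control in Key Vault rather than Microsoft-managed keys?  The following is an added example, not code from the original article or from Microsoft; it walks a constructed ARM-style export of storage accounts (the property names are the real ones ARM returns for Microsoft.Storage/storageAccounts, the account names, vault URI and key version are made up) and reports every account that falls short.

```python
import json

# Constructed sample: a trimmed export of two storage accounts in the shape
# ARM returns for Microsoft.Storage/storageAccounts. The property names are
# the real ARM ones; the names, URI and key version below are invented.
SAMPLE_EXPORT = json.dumps([
    {
        "name": "drbackupsprod",
        "properties": {
            "encryption": {
                "keySource": "Microsoft.Keyvault",
                "keyvaultproperties": {
                    "keyname": "storage-cmk",
                    "keyversion": "0123456789abcdef0123456789abcdef",
                    "keyvaulturi": "https://example-kv.vault.azure.net/",
                },
                "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
            }
        },
    },
    {
        "name": "drbackupslegacy",
        "properties": {
            "encryption": {
                "keySource": "Microsoft.Storage",
                "services": {"blob": {"enabled": True}, "file": {"enabled": False}},
            }
        },
    },
])


def audit_storage_encryption(export_json):
    """Return {account_name: [findings]}. An empty list means the account is
    encrypted at rest for blob and file with a customer-managed Key Vault key."""
    results = {}
    for account in json.loads(export_json):
        findings = []
        enc = account.get("properties", {}).get("encryption") or {}
        if not enc:
            findings.append("no encryption block: data at rest not encrypted")
        else:
            if enc.get("keySource") != "Microsoft.Keyvault":
                findings.append("platform-managed keys in use; switch to Key Vault (CMK)")
            else:
                kv = enc.get("keyvaultproperties") or {}
                for field in ("keyname", "keyvaulturi"):  # keyversion may be blank
                    if not kv.get(field):
                        findings.append(f"Key Vault reference missing {field}")
            for svc in ("blob", "file"):
                if not enc.get("services", {}).get(svc, {}).get("enabled"):
                    findings.append(f"{svc} service not encrypted at rest")
        results[account["name"]] = findings
    return results
```

Feed it the JSON from `az storage account list` (or an exported ARM template) and any account with a non-empty findings list is one to fix before it holds ePHI.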

What about web-based applications?

Microsoft offers a paid third-party solution called Qualys to scan servers for vulnerabilities.

Azure also offers a Web Application Firewall, though it’s not fully integrated with their Security Center yet.

Is Microsoft Azure HIPAA Compliant?

Based on all the measures described above, Microsoft Azure can definitely be used in a way that is HIPAA compliant.

However, there is a lot of complexity.  In our experience, there’s even more complexity than AWS or Google Cloud Platform.  They’re worth a look if you’re a heavy Microsoft organization or if their pricing is compelling, but be extra careful to make sure you’re setting it up the right way.

Still feeling a bit overwhelmed?

Get some free help!  Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.


Published October 13th, 2018 (updated 2019-01-04T04:19:00+00:00) | Cloud Cyber Security, HIPAA
