Josh Ablett

Azure HIPAA Compliant - 3 things you should know about the compliance.

Is Azure HIPAA compliant? How can we use Microsoft's cloud services without violating the HIPAA rules? We often get clients who want to use Microsoft Azure as a HIPAA-compliant disaster recovery site, so we took a look.

Here’s what we found about Microsoft Azure and HIPAA compliance.

Will Microsoft Azure sign a HIPAA Business Associate Agreement?

Any company that handles PHI is what’s called a HIPAA Business Associate.

Business Associates must sign a contract that says they will protect a patient’s confidential information.

Microsoft will sign a HIPAA Business Associate agreement.  You can’t find the form online -- you’ll need to work with a salesperson to execute an agreement.

Which Microsoft Azure services are covered for HIPAA use?

Microsoft spells out exactly which services can hold PHI on their HIPAA Compliance page. As of this writing, this includes:

[Image: list of Azure services covered for HIPAA use]

Download Microsoft documentation for Azure HIPAA Compliant.

This list is perfect for disaster recovery.  It includes storage, virtual machines, a virtual network, and a VPN gateway.

What about IT security measures in Azure HIPAA Compliant?

There are key security controls we look for before a client can use Azure in a HIPAA-compliant way.  Here are the ones we reviewed:

A secure connection between Microsoft Azure and our business

Microsoft Azure provides a secure VPN for connecting into their environment.  Anything sent between Azure and your business is sent over this encrypted, secure tunnel.


A way to restrict what users can and can’t do

Restricting what users can do is central to making Azure HIPAA compliant. Azure uses Azure Active Directory to provide roles and permission controls.

A word of caution -- the concepts in Azure AD may look familiar to users of legacy Active Directory.  Our experience is that it’s much easier to set up accurate roles and permissions in both Amazon Web Services and Google Cloud Platform.  Part of good IT security is good usability, and we prefer AWS and GCP in this instance.

Multi-factor authentication

Yes, multi-factor authentication can be enabled when making Microsoft Azure HIPAA compliant.  In fact, we found their Azure Authenticator app much easier to use than the Google Authenticator app.  It’s also more secure, as you approve the login directly through the app (instead of keying in some numbers).

However, it’s a bit disappointing that Azure makes you pay extra for multi-factor authentication.

[Image: Azure multi-factor authentication pricing]

It’s not a lot of money, but still.  Boo.  Hiss.  Two-factor authentication is such a critical security control, there should be NO barriers to its adoption.

Detailed logging of system and user activity

By default, Microsoft Azure logs every interaction with the Azure environment.  This is critical for HIPAA compliance to prove what did or didn’t happen in case of an incident.

Logging can also record what happens in each virtual machine.

[Image: Azure logging of virtual machine activity]

Encryption Keys

Many companies never change their encryption keys, leaving them exposed to risk if one is ever compromised.

Microsoft Azure offers a “key vault” key management service to store and rotate encryption keys used to connect to servers.

[Image: Azure Key Vault key management]

Data Encryption

Microsoft provides tools that you can use to encrypt data at rest, much like Amazon Web Services.

Unfortunately, unlike Google Cloud Platform, Microsoft Azure does NOT automatically encrypt all data at rest.  This is from their “Microsoft Azure HIPAA/HITECH Act Implementation Guidance”:

[Image: excerpt from the Microsoft Azure HIPAA/HITECH Act Implementation Guidance on encryption at rest]

This isn’t a showstopper, but we prefer an environment where encryption is the default.

Speaking of that, what about Google employee access to my data?

It appears that, technically, Microsoft employees could access your data as they control the encryption keys for file storage.  One way to prevent this would be to encrypt all your data with your own encryption keys, which we strongly recommend.

The “Microsoft Azure HIPAA/HITECH Act Implementation Guidance” doesn’t specifically cover how Azure manages this.  Given the number of audits that they receive, though, there's likely a robust process in place to manage this.
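One way to check whether that recommendation is actually in place is to audit each storage account's encryption key source. The script below is an added example, not part of the original post or Microsoft's own tooling: it reads the JSON that `az storage account list -o json` returns and flags accounts still using platform-managed keys (`keySource` of `Microsoft.Storage`) rather than customer-managed keys held in Key Vault (`Microsoft.Keyvault`). The account names, resource group and vault URI below are constructed sample data so the check runs offline.

```python
"""Audit which Azure storage accounts encrypt at rest with customer-managed keys."""
import json

# Constructed sample shaped like `az storage account list -o json` output;
# only the fields this check reads are included. Names and URIs are made up.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "drbackups01", "resourceGroup": "dr-rg",
     "encryption": {"keySource": "Microsoft.Storage",
                    "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}},
    {"name": "phiarchive", "resourceGroup": "dr-rg",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyVaultUri": "https://example-kv.vault.azure.net/",
                                           "keyName": "phi-cmk"},
                    "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}},
])

CUSTOMER_MANAGED = "Microsoft.Keyvault"   # keySource value when you hold the key in Key Vault


def audit_storage_encryption(accounts_json):
    """Return one finding per account: key source and whether a customer-managed key is used."""
    findings = []
    for acct in json.loads(accounts_json):
        enc = acct.get("encryption") or {}
        key_source = enc.get("keySource", "")
        cmk = key_source == CUSTOMER_MANAGED
        vault_uri = (enc.get("keyVaultProperties") or {}).get("keyVaultUri")
        findings.append({
            "account": acct["name"],
            "resourceGroup": acct.get("resourceGroup"),
            "keySource": key_source,
            "customerManagedKey": cmk,
            "keyVaultUri": vault_uri if cmk else None,
        })
    return findings


def platform_managed_accounts(accounts_json):
    """Names of accounts whose data is encrypted only with Microsoft-controlled keys."""
    return [f["account"] for f in audit_storage_encryption(accounts_json)
            if not f["customerManagedKey"]]


if __name__ == "__main__":
    for f in audit_storage_encryption(SAMPLE_ACCOUNTS_JSON):
        status = "OK   customer-managed key" if f["customerManagedKey"] else "WARN platform-managed key"
        print(f"{status}: {f['account']} ({f['keySource'] or 'unknown'})")
```

Against a real subscription, pipe the CLI output into `audit_storage_encryption` instead of the sample and treat every WARN line as a gap in the "encrypt with your own keys" control.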

What about web-based applications?

Microsoft offers a paid third-party solution called Qualys to scan servers for vulnerabilities.

Azure also offers a Web Application Firewall, though it’s not fully integrated with their Security Center yet.

Is Microsoft Azure HIPAA Compliant?

Based on all the measures described above, Microsoft Azure can definitely be used in a way that is HIPAA compliant.

However, there is a lot of complexity.  In our experience, it’s even more complex than AWS or Google Cloud Platform.  Azure is worth a look if you’re a heavy Microsoft organization or if the pricing is compelling, but be extra careful to make sure you’re setting it up the right way.

Still feeling a bit overwhelmed?

Get some free help!  Get in touch with our Azure HIPAA Compliant experts today. You can also reach out to our Twitter account for more details on how to make Azure HIPAA Compliant.

Copyright 2024 Adelia Associates, LLC | All Rights Reserved