HIPAA and Azure: Cloud Architect’s View
Organizations in the healthcare industry must meet stringent security and compliance standards under the Health Insurance Portability and Accountability Act (HIPAA) when adopting a public cloud service. The main elements of HIPAA are the administrative, physical and technical safeguards for protected health information (PHI). Many healthcare organizations are using the Azure cloud to host their workloads because Microsoft provides extensive native support to meet the security, privacy and compliance requirements mandated by HIPAA for hosting sensitive PHI.
Azure offers specific operational and implementation guidelines for different services, helping organizations adhere to HIPAA standards and host their workloads in the cloud in a secure manner. There are 86 Azure services geared to meeting HIPAA requirements, but clients are responsible for configuring them to meet the compliance standards. This blog post will share the best practices you will need to consider for deployment, configuration, and management to ensure your Azure deployments are HIPAA-compliant, and how using a managed cloud service provider (MCSP) like Navisite can ensure your organization successfully implements all the necessary compliance elements.
Shared Responsibility Model and HIPAA
A public cloud operates on a shared responsibility model, where clients are expected to oversee service-related configurations. Cloud service providers ensure a secure hosting environment and manage other areas like physical security, high availability (HA), and resiliency of the services. When it comes to HIPAA compliance in Azure, several tools are available for the client to understand this shared responsibility model and monitor the controls under their purview.
For workloads hosted in Azure, the ownership of security configurations depends to a great extent on the cloud model used – such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS). If the IaaS model is used to host applications that handle data under the scope of HIPAA, clients are responsible for implementing infrastructure-, OS- and application-layer security measures. This includes OS patching, firewall configuration, DMZ configuration, network monitoring, and OS and application authentication.
With PaaS, clients need to focus on application-layer controls to ensure secure access to applications dealing with PHI. When adopting a SaaS model, the infrastructure and application platforms are managed entirely by the cloud service provider, but data classification and access security remain the responsibility of the client.
Deployment and Configuration Checkpoints
The U.S. Department of Health & Human Services provides a set of guidelines for organizations in the healthcare industry. The guidelines ensure the privacy and the security of electronic protected health information (ePHI) when hosting applications or storing data in the cloud. Let’s explore how this translates to specific deployment and configuration checkpoints in Azure.
Data Security
Azure offers several data encryption mechanisms for data held in storage accounts or handled by applications. Data in Azure Storage is encrypted by default using 256-bit AES encryption. Client-supplied keys can be used for this encryption through Key Vault integration. Azure Key Vault offers HSM-based secure storage that clients can use to store keys, secrets, and certificates. For data in transit, clients should configure secure transport protocols for their application endpoints. Internal data transfer between two virtual networks or data centers is secured by the Azure platform using industry-standard protocols like TLS.
Network Security
To ensure that only legitimate traffic reaches your workloads hosted in Azure VMs, organizations can use the filtering mechanisms of Azure Network Security Groups (Azure NSG) or Azure Firewall. For example, if a healthcare organization employee is required to access applications hosted in Azure, access can be restricted based on the source IP in Azure NSG. Secure communication between on-premises and cloud infrastructures can be achieved using a site-to-site VPN, a point-to-site VPN, or ExpressRoute to avoid eavesdropping on sensitive ePHI data in transit. We also recommend using the Azure DDoS Protection service in virtual networks to protect against volumetric, protocol or application-layer attacks.
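The source-IP restriction described above only holds if no other NSG rule with a lower priority number opens the same port to the Internet. The following added example (not code from the original post or from Azure) evaluates an exported inbound rule list in NSG order, including Azure's built-in AllowVnetInBound and DenyAllInBound rules, and reports which management ports are reachable from the Internet. The rule shape assumes the flattened camelCase output of `az network nsg rule list -o json`; the sample rules are constructed, not a real export.

```python
"""Offline NSG check: which management ports does an inbound rule set expose to the Internet?"""
from typing import Iterable

# Source prefixes that mean "anyone on the Internet" in an NSG rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}
# Azure's built-in inbound rules (priorities 65000+); DenyAllInBound is the catch-all.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def _port_ranges(rule: dict) -> Iterable[str]:
    # A rule carries either a list (destinationPortRanges) or a single range string.
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]

def _port_matches(rule: dict, port: int) -> bool:
    for rng in _port_ranges(rule):
        if rng == "*":
            return True
        lo, _, hi = rng.partition("-")          # "3389" or "1000-2000"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _sources(rule: dict) -> set:
    return set(rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")])

def internet_decision(rules: list, port: int, protocol: str = "Tcp") -> dict:
    """Return the first rule (lowest priority number) that decides inbound traffic
    from the Internet to `port`, mirroring how the NSG evaluates rules."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule.get("protocol", "*") not in ("*", protocol):
            continue
        if not _port_matches(rule, port) or not (_sources(rule) & INTERNET_SOURCES):
            continue
        return rule
    return DEFAULT_INBOUND[-1]

def exposed_management_ports(rules: list, ports=(22, 3389)) -> dict:
    """Map each management port to the name of the rule that allows it from the Internet."""
    return {p: r["name"] for p in ports if (r := internet_decision(rules, p))["access"] == "Allow"}

SAMPLE_RULES = [  # constructed: RDP scoped to one office address, SSH left wide open
    {"name": "allow-rdp-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "3389"},
    {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]

if __name__ == "__main__":
    print(exposed_management_ports(SAMPLE_RULES))   # {22: 'allow-ssh-any'}
```

Port 3389 is not reported because the only rule that allows it is scoped to a single source address, so Internet traffic falls through to DenyAllInBound.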
Vulnerability Management/Endpoint Protection and Response
When using IaaS, OS-level hardening and patch management are the responsibility of the client. For VMs hosted in Azure, the Azure Security Center gives insight into the patch level of systems and sends out alerts when security patches are missing. Patch management can be done by enabling Windows Update services. Clients should also ensure that all third-party applications use a proper update management solution to address vulnerabilities. Anti-malware and anti-virus solutions should be enabled in hosted systems to protect against system-level malware and virus attacks. Microsoft Endpoint Protection for Azure (Azure EPP) is implemented by default to ensure real-time protection for your Azure VMs, with alerts when malware, spyware or other unwanted software tries to install on your VMs, along with unexpected Windows setting changes.
Azure EPP also supports vulnerability scanning: you can schedule regular scans and tune how detected threats are handled, from the default immediate removal of severe threats to how less urgent threats are remediated beyond simply alerting on them.
BC/DR
HIPAA mandates secure access and contingencies for electronic protected health information (ePHI) wherever it is hosted. Hence, implementing a proper backup and disaster recovery solution is important when hosting applications in the cloud. Azure Backup is a cloud-based backup-as-a-service solution that can be used to meet this requirement. Azure Backup can be used to take backups of files, applications, and VMs hosted in Azure at varying time intervals. The data is encrypted and stored securely in Azure Storage. Azure Site Recovery is a DR offering that can be used to ensure the instant recovery of your application to a designated geographical region in Azure.
Reporting
HIPAA requires that cloud service providers report any security incidents related to ePHI to the client, mitigate them as much as possible, and document the outcomes. Microsoft follows a five-step incident response process in Azure: Detect → Assess → Diagnose → Stabilize/Recover → Close.
Any unauthorized access to client data is reported to the client through a client incident notification process. Microsoft will also take the necessary steps to mitigate the issue and minimize client impact.
Identity and Access Management
Identity and access management are important to avoid unauthorized access to sensitive ePHI data. Organizations need to consider separation of roles and responsibilities along with implementation of a least-privilege policy at each resource level.
Azure AD is an identity management solution that can be used to secure access to data hosted in the Azure cloud. Permissions should be managed at the platform level to prevent unauthorized access to an Azure portal where the applications are hosted. Implementing application-level identity management is equally important for protection against unauthorized access to applications.
Navisite recommends implementing multi-factor authentication (MFA) for Azure portal administrators to enforce two-step authentication before accessing the Azure platform management plane. This protects against potential identity theft of administrator accounts that might be used to steal critical business data.
Layering role-based access control (RBAC) at the Azure resource level ensures that administrators are assigned only the necessary rights to perform activities within their purview. Privileged identity management then helps monitor any administrative activities happening in the Azure environment and flag any changes in access-permission assignments.
The Just-In-Time administrative access feature enabled by Azure AD Privileged Identity Management helps implement tighter access controls by restricting administrative access for a fixed period. In addition, Azure AD conditional access should be considered by organizations to ensure that users are signing in from secure networks, approved devices, and approved applications. These additional access control mechanisms will ensure that unauthorized personnel are denied access to sensitive client health information hosted in the cloud.
Logging and Monitoring
Organizations should maintain a cloud environment with a logging and monitoring solution that gives a holistic view of infrastructure health and flags any issues. Azure Security Center monitors and measures your infrastructure against security baselines; the tool then generates a recommendation in case security best practices are not being followed. To detect incoming threats and take remedial action, Security Center comes with advanced analytics and advanced threat detection based on global threat intelligence.
Log Analytics is another useful resource natively available in Azure to collect logs from various sources, analyze them and provide useful insights. The management solutions available in Log Analytics have built-in queries that cater to multiple use cases, such as activity log analytics, malware assessment, update management, and change tracking. These resources analyze log inputs from various resources in your Azure environment hosting ePHI, and provide useful information about how and when your data is accessed, what changes are made, and about possible vulnerabilities due to missing updates.
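The Identity and Access Management section above calls for flagging any change in access-permission assignments, and this section describes analysing activity logs to see what changed and by whom. The following added example (not code from the original post or from Azure) does that offline over Azure Activity Log records: it keeps only succeeded role-assignment writes and deletes and rates subscription-wide grants of Owner, Contributor or User Access Administrator as high severity. The record layout (`operationName.value`, `status.value`, `caller`, `properties.requestbody` as a JSON string) is a simplified assumption about `az monitor activity-log list` output, and the sample records are constructed.

```python
"""Flag Azure RBAC assignment changes in Activity Log records (offline, constructed input)."""
import json

# Well-known built-in Azure role definition GUIDs; these are the same in every tenant.
PRIVILEGED_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
ROLE_OPS = {
    "Microsoft.Authorization/roleAssignments/write": "granted",
    "Microsoft.Authorization/roleAssignments/delete": "revoked",
}

def role_change_findings(records: list) -> list:
    """Return one finding per successful role-assignment change, oldest first as given."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "")
        if op not in ROLE_OPS or rec.get("status", {}).get("value") != "Succeeded":
            continue  # ignore unrelated operations and failed attempts
        body = json.loads(rec.get("properties", {}).get("requestbody") or "{}")
        props = body.get("Properties", {})
        role_id = props.get("RoleDefinitionId", "").rsplit("/", 1)[-1]
        scope = props.get("Scope") or rec.get("resourceId", "")
        role = PRIVILEGED_ROLES.get(role_id)
        findings.append({
            "time": rec["eventTimestamp"], "caller": rec["caller"], "action": ROLE_OPS[op],
            "role": role or role_id or "unknown", "scope": scope,
            # "/subscriptions/<id>" has two slashes: a privileged grant that wide is the one to page on
            "severity": "high" if role and scope.count("/") <= 2 else "medium",
        })
    return findings

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed subscription id
def _write(role_id, scope):   # helper to build a constructed requestbody string
    return json.dumps({"Properties": {"RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
                                      "PrincipalId": "11111111-1111-1111-1111-111111111111", "Scope": scope}})

SAMPLE_RECORDS = [  # constructed: an Owner grant on the whole subscription, a custom role on one RG, a failed write, a VM start
    {"eventTimestamp": "2021-03-01T09:00:00Z", "caller": "admin@contoso.example", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "properties": {"requestbody": _write("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB)}},
    {"eventTimestamp": "2021-03-01T09:05:00Z", "caller": "ops@contoso.example", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "properties": {"requestbody": _write("cccccccc-0000-0000-0000-000000000001", f"{SUB}/resourceGroups/ephi-rg")}},
    {"eventTimestamp": "2021-03-01T09:06:00Z", "caller": "ops@contoso.example", "status": {"value": "Failed"},
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "properties": {}},
    {"eventTimestamp": "2021-03-01T09:07:00Z", "caller": "ops@contoso.example", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}, "properties": {}},
]
```

The same function can be pointed at a larger export of `az monitor activity-log list -o json` records after checking that the fields above are present in that output.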
So, is your organization’s cloud HIPAA compliant?
Managing HIPAA compliance in complex cloud environments can be a daunting task considering the architectural components, as well as the participants involved in various stages of administration. Organizations need to focus on management-plane security as well as data-plane security. The cloud-native tools built into Azure discussed in this blog are a great way to ensure the standards of data protection, security, and privacy mandated by HIPAA. The security elements incorporated will differ depending on the complexity of the architecture, or application-specific requirements.
Yet the intricacies of cloud management, with the additional concerns of ensuring HIPAA compliance, can be extremely challenging for many organizations to oversee on a daily basis, especially with IT teams trying to balance critical business objectives with limited staff and knowledge gaps in cloud infrastructure. This is why many organizations turn to an experienced MCSP like Navisite, to identify and incorporate the necessary services to ensure HIPAA compliance.
As a Microsoft Gold partner and Azure Expert MSP, with the extensive experience our 117+ Azure experts have in managing complex Azure environments, we can help guide your organization to implement the best practices that ensure optimal HIPAA compliance, while offering additional levels of security and compliance tools beyond those built into Azure.
We can also offload the daily management functions of your Azure cloud, so your IT team can focus on more key objectives that ensure your organization remains nimble in today’s ever-changing business world.
Visit our website to learn more about our Azure Cloud managed services, call us at (888) 298-8222, or contact us for further information.
Abstract
Organizations operating in the healthcare business vertical must meet stringent security and compliance standards enforced by HIPAA during adoption of public cloud services. Administrative, physical and technical safeguards to be implemented for Protected Health Information (PHI) form the crux of HIPAA regulation.
Azure offers several operational and implementation guidelines for different services that help organizations adhere to these standards and securely host their workloads in the cloud. A total of 86 Azure services are available to meet HIPAA requirements, but clients are responsible for configuring these services to align them with the standard.
This blog post will focus on deployment, configuration and management best practices to be considered to make your Azure deployments HIPAA-compliant, and how an Azure Expert MSP like Navisite can help you ensure your Azure deployment meets the requisite guidelines.