
EHR20.COM [email protected] 866-276-8309 HIPAA Hardening for Azure/Microsoft Services

Posted on 28-Jul-2020


Page 1: HIPAA Hardening for Azure/Microsoft Services

1. Cloud Services (web and worker roles)
2. Virtual Machines (including with SQL Server)
3. Storage (Blobs, Tables, Queues)
4. Virtual Network

[email protected]

866-276-8309

Page 2

WHO WE ARE …

Assist healthcare organizations to develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.

EDUCATION: Online Training, Webinars and Customized Workshops

CONSULTING: Professional services to help you with your Compliance needs

Page 3

DISCLAIMER: Consult your attorney

ALL WEBINARS ARE RECORDED AND AVAILABLE AS AN “ON DEMAND” SUBSCRIPTION

This webinar has been provided for educational and informational purposes only and is not intended and should not be construed to constitute legal advice.

Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.

Page 4

Bhuvan Pasham, CEO, Tradon

• Applications Architect for over 20 years

• Security and Compliance

• HIPAA, PCI, Sarbanes-Oxley

• Interests: Teaching, giving back to the community

• Previously VP of AppDev at KKR, Architect of Blackstone’s IT and Director of IT at TPG

• Designing Cloud Systems for almost 10 years, since the inception of AWS and Eucalyptus

Page 5

Running HIPAA Workloads Securely on Microsoft Azure

Always available via email to answer any questions

Focus Areas:

• Azure Cloud Architectures

• HIPAA Requirements

• Addressing HIPAA Requirements in Azure

• Security Guardrails

• Ongoing Security Operations

Page 6

TERMS YOU MAY HEAR …

Acronyms: HHS, HIPAA, PHI, OCR, HITECH

Anyone who is not handling patients directly

Page 7

Breaches in 2018

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 8

HHS HIPAA Rules

• Privacy Rule – December 2000

➢ Establishes the right of individuals to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.

• Security Rule – February 2003

➢ Sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes organizational requirements such as Business Associate Agreements (BAAs).

• HITECH Act – February 2009

• Health Information Technology for Economic and Clinical Health (HITECH) Act

➢ The HITECH Breach Notification Final Rule requires giving notice to individuals and the government when a breach of unsecured PHI occurs.

Breaches are listed as public information at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 9

HIPAA Security Rule (CIA)

Technical Safeguards:
• Access Control
• Audit Control
• Integrity
• Person or Entity Authentication
• Transmission Security

Physical Safeguards:
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device & Media Controls

Administrative Safeguards:
• Security Management Process, Security Officer
• Workforce Security, Information Access Management
• Security Training, Security Incident Procedures
• Contingency Plan, Evaluation, BACs

Privacy Rule: “Reasonable” Safeguards

Page 10

What Changed after the 2009 HITECH Act?

• There was no Cloud in 2009.

• Development, testing and deployment of applications took a dramatic shift.

• Most HIPAA Security Rule requirements are no longer under your control.

• Security matters – how you think of security changed almost entirely.

• Proliferation of API services completely changed the technology industry.

• We are in a true distributed services model.

• Value of each patient record is far less, as the volume and service aspect increased.

• Scale of applications & services went up significantly – thereby your liability also increased.

Page 11

What didn’t change?

• You are still liable for data breaches

Page 12

Business Associate Agreement for Azure

Scope: Microsoft currently offers a HIPAA BAA for the following Microsoft Azure core services:

1. Cloud Services (web and worker roles)
2. Virtual Machines (including with SQL Server)
3. Storage (Blobs, Tables, Queues)
4. Virtual Network
5. Traffic Manager
6. Batch
7. Web Apps
8. BizTalk Services
9. Media Services
10. Mobile Services
11. Service Bus
12. Notification Hub
13. Workflow Manager
14. ExpressRoute
15. Scheduler
16. Multi-Factor Authentication
17. Active Directory
18. Rights Management Service
19. SQL Database
20. HDInsight
21. Any other features identified as included on the Microsoft Azure Trust Center

In the event of a breach from the Microsoft side, Microsoft is liable and will take responsibility.

Page 13

Distributed API Economy – What’s your Liability? What can you control?

[Diagram: Your Front End → Cloud Platform (Azure, AWS, etc.): SQL, App Service, Orchestration Service, Integration Service, Storage → external services: Billing, Insurance Validation, Prescription Drug Lists, EMR Requests, Credit Card Hub, Insurance Providers, Drug Costs]

Page 14

Page 15

Traditional Apps Moved to Azure

Page 16

Azure App Service

Page 17

Desired Security State

[Diagram: App Service Plan with deployment slots (production, staging, last-known-good production app); Azure SQL (ProdSQL/ProdDB and StgSQL/StgDB); Production Storage and Stage Storage blob containers (Blobs, Docs & Server Logs); Azure AD authenticate; IP Address; Validate deployment; Source Control; Access for external users]

• Create an identical QA environment and move continuous integration/delivery to the isolated QA environment from release branches of Git, and master into staging.

• Secure resources using AAD Principals.

• Secure certificates using Key Vault.

• Nightly database backups for BCP/LTR to Amazon S3 storage.

• Eliminate passwords from connection strings.

Page 18

Minimum (cloud) Infrastructure Security for HIPAA Compliance

Security

➢ Is your overall data secure?
❑ Encryption at rest
❑ Where are your backups?
❑ Connection strings and passwords
❑ Access control

➢ Is ePHI obfuscated?
➢ How are your passwords encrypted?
➢ Are your documents encrypted?
➢ Where are your backups stored?
➢ Are your keys & certs safeguarded?
➢ What are your admin & developer access policies?
❑ App management
❑ SQL Server
❑ Document stores

➢ Authentication
❑ RBAC & SP access
❑ AD authentication
❑ MFA enabled

Availability

➢ How are you taking backups?
❑ SQL backups
❑ Document backups
❑ App & service backups

➢ What are your retention policies?
➢ How are you encrypting your backups?
❑ SQL backups
❑ Document backups

Risk Mitigation & Business Continuity

➢ Do you have a recovery plan?
➢ What’s your SLA?
➢ Where are your keys & certs?

Page 19

Survey

What is the most common Breach for Cloud hosted applications?

a. Password Guess – Too weak

b. Users Sharing Password

c. API Hack

d. Network Vulnerability

Page 20

DevOps – Most Common Mistakes

1. Developers or managers downloaded data to Excel and sent the file to the wrong recipients.

2. Developers have access to production data and deleted data accidentally.

3. Clicked the publish button by mistake, bringing down the production service.

4. A developer disabled a security measure to simplify testing and forgot to put it back before the production rollout.

5. A developer downloaded and used an unauthorized library from the internet.

6. A developer trying to debug a problem in production enabled a debugger and forgot to remove it.
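The checklist items on page 18 (connection strings and passwords, keys and certificates, admin and developer access) and mistakes 4 and 6 above are all things a release gate can catch before a slot goes live. The following is an added example, written for this page and not code from the webinar or from Microsoft: it audits an App Service slot's settings and connection strings for plaintext passwords, secret material stored as plain settings, TLS turned off to the database, and debug or test-only switches left on in production. Every setting, connection string, host name and switch name below is constructed sample data; the only real syntax is the `@Microsoft.KeyVault(...)` app-setting reference that App Service resolves at runtime.

```python
"""Pre-release configuration audit for an App Service slot.

Added example, not code from the webinar or from Microsoft. It turns the
deck's checklist items (plaintext passwords in connection strings,
unprotected keys and certificates, test-only switches left on before a
production rollout) into a check that runs over an app's settings.
Every setting and connection string below is constructed sample data;
only the '@Microsoft.KeyVault(...)' reference syntax is real.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# App Service Key Vault reference: resolved at runtime, nothing secret is stored in the setting.
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(.+\)$", re.IGNORECASE)
# Connection-string keys that carry a plaintext password.
PASSWORD_KEYS = {"password", "pwd"}
# Setting names that suggest secret material (heuristic, case-insensitive substring match).
SECRET_NAME_HINTS = ("secret", "password", "pwd", "cert", "key", "token")
# Switches that are acceptable in staging/QA but must be off in production.
DEBUG_SWITCHES = {
    "ASPNETCORE_ENVIRONMENT": {"development"},
    "DEBUG": {"true", "1"},
    "REMOTE_DEBUGGING_ENABLED": {"true", "1"},
    "DISABLE_AUTH_FOR_TESTING": {"true", "1"},  # constructed name for a test-only bypass
}


@dataclass(frozen=True)
class Finding:
    severity: str
    setting: str
    message: str


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'Key=Value;Key2=Value2;' into a dict with lowercase keys."""
    parts: Dict[str, str] = {}
    for segment in value.split(";"):
        key, sep, val = segment.partition("=")
        if sep:
            parts[key.strip().lower()] = val.strip()
    return parts


def audit_connection_string(name: str, value: str) -> List[Finding]:
    if KEYVAULT_REF.match(value.strip()):
        return []  # the whole string lives in Key Vault; nothing to inspect here
    parts = parse_connection_string(value)
    findings: List[Finding] = []
    if PASSWORD_KEYS & parts.keys():
        findings.append(Finding("HIGH", name,
                                "plaintext password in connection string; store it in Key Vault or use managed identity"))
    elif "managed identity" not in parts.get("authentication", "").lower():
        findings.append(Finding("MEDIUM", name,
                                "neither managed identity nor a Key Vault reference; credential source is unclear"))
    if parts.get("encrypt", "").lower() in {"false", "no", "0"}:
        findings.append(Finding("HIGH", name, "Encrypt=False disables TLS to the database"))
    return findings


def audit_app_settings(slot: str, settings: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for name, value in settings.items():
        lowered = name.lower().replace("-", "_")
        if any(h in lowered for h in SECRET_NAME_HINTS) and not KEYVAULT_REF.match(value.strip()):
            findings.append(Finding("HIGH", name,
                                    "secret material stored as a plain app setting; use a Key Vault reference"))
        bad_values = DEBUG_SWITCHES.get(name.upper())
        if slot == "production" and bad_values and value.strip().lower() in bad_values:
            findings.append(Finding("HIGH", name, "debug/test-only switch enabled in the production slot"))
    return findings


def audit_slot(slot: str, settings: Dict[str, str], connection_strings: Dict[str, str]) -> List[Finding]:
    """Audit one deployment slot; an empty list means the gate passes."""
    findings = audit_app_settings(slot, settings)
    for name, value in connection_strings.items():
        findings.extend(audit_connection_string(name, value))
    return findings


# Constructed sample: a production slot as a developer might have left it after debugging.
SAMPLE_PROD_SETTINGS = {
    "ASPNETCORE_ENVIRONMENT": "Development",
    "StorageAccountKey": "constructed-not-a-real-key",
    "TlsCertThumbprint": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/tls-cert/0000)",
}
SAMPLE_PROD_CONNECTION_STRINGS = {
    "ProdDB": "Server=tcp:prodsql.example.net,1433;Database=ProdDB;User ID=app;Password=Constructed1!;Encrypt=False;",
    "AuditDB": "Server=tcp:prodsql.example.net,1433;Database=AuditDB;Authentication=Active Directory Managed Identity;Encrypt=True;",
    "BlobStore": "@Microsoft.KeyVault(VaultName=example-vault;SecretName=blob-connection)",
}

if __name__ == "__main__":
    for f in audit_slot("production", SAMPLE_PROD_SETTINGS, SAMPLE_PROD_CONNECTION_STRINGS):
        print(f"{f.severity:6} {f.setting}: {f.message}")
```

Run against the constructed production slot it reports four HIGH findings (the `Development` environment switch, the storage key stored in the clear, and the `ProdDB` string for both its embedded password and `Encrypt=False`), while the managed-identity string and the two Key Vault references pass. The same `DEBUG` setting in the staging slot produces no finding, which is the point of the slot argument: the check distinguishes the isolated QA environment from production rather than forbidding debugging everywhere.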

Page 21

DevOps – Most Ignored – Most Vulnerable

• Code Review

• Security Perimeter

• Key Developer Risk

• Malicious Code Risk

• Insecure API Risk

• Business Continuity

• Cloud Security Configuration

Page 22

Azure DevOps – Simple Workflow & Automation

[Diagram: Project Management → Change Management → Source Code Control → Release Management → Staging → QA Process → Azure App Services (Prod; Last Known, for resiliency/BCP); Code Review]

Azure DevOps Benefits

1. Zero down-time production rollouts
2. Integrated, fully traceable code/change management – auditability
3. Policy enforcement
4. Continuous build and deployments
5. Instant roll-backs in the event of any failures
6. All within Azure – cost savings, both on development and project management, due to improved efficiency

Page 23

For the Developers

[Diagram: Build → Integration Test/QA → Staging → Prod → Last Good]

Clear separation of the Development/QA environment from Production access environments is necessary.

Simplify and enable switching.
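Pages 17, 22 and 23 describe the same promotion path: release branches into an isolated QA environment, master into staging, a swap into production, and a last-known-good copy kept for instant rollback. The following is an added example, written for this page and not code from the webinar, from Azure DevOps or from any Azure SDK: it models that three-slot rotation in plain Python so the policy is explicit and testable, refusing to promote a build that has not passed code review and QA, preserving the outgoing production build as last-known-good on every swap, and rolling back without a rebuild. The commit identifiers and branch names are constructed.

```python
"""Slot promotion with a last-known-good rollback.

Added example, not the deck's own code and not an Azure API. It models
the staging -> production -> last-known-good rotation from the slides
as a small state machine with the promotion gates made explicit.
Commit identifiers and branch names below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INTEGRATION_BRANCHES = ("master", "main")


@dataclass(frozen=True)
class Build:
    commit: str        # constructed identifier
    branch: str
    reviewed: bool     # pull request approved by a second developer
    qa_passed: bool    # signed off in the isolated integration/QA environment


class PromotionError(Exception):
    """Raised when a build does not meet the gate for the next slot."""


@dataclass
class Slots:
    staging: Optional[Build] = None
    production: Optional[Build] = None
    last_known_good: Optional[Build] = None
    audit_log: List[Tuple[str, str]] = field(default_factory=list)  # (slot, commit) trail

    def deploy_to_staging(self, build: Build) -> None:
        # Only the integration branch or a release branch may reach staging;
        # feature branches stay in the QA environment.
        if build.branch not in INTEGRATION_BRANCHES and not build.branch.startswith("release/"):
            raise PromotionError(f"{build.branch} is not a release or integration branch")
        self.staging = build
        self.audit_log.append(("staging", build.commit))

    def swap_to_production(self) -> Build:
        build = self.staging
        if build is None:
            raise PromotionError("nothing in staging")
        if not build.reviewed:
            raise PromotionError(f"{build.commit} has no code review approval")
        if not build.qa_passed:
            raise PromotionError(f"{build.commit} has not passed QA")
        # Swap semantics: the outgoing production build goes back to staging
        # and is also recorded as last-known-good for rollback.
        outgoing = self.production
        self.last_known_good = outgoing
        self.production = build
        self.staging = outgoing
        self.audit_log.append(("production", build.commit))
        return build

    def rollback(self) -> Build:
        if self.last_known_good is None:
            raise PromotionError("no last-known-good build to roll back to")
        failed = self.production
        self.production, self.last_known_good = self.last_known_good, failed
        self.audit_log.append(("rollback", self.production.commit))
        return self.production


if __name__ == "__main__":
    slots = Slots()
    slots.deploy_to_staging(Build("c1", "master", reviewed=True, qa_passed=True))
    slots.swap_to_production()
    slots.deploy_to_staging(Build("c2", "release/2", reviewed=True, qa_passed=True))
    slots.swap_to_production()
    print("rolled back to", slots.rollback().commit)
    print(slots.audit_log)
```

The `audit_log` is what gives the "fully traceable" property from page 22: every slot change is recorded with the commit it carried, so an auditor can reconstruct what was live when. The gates in `swap_to_production` are deliberately checks on the build object, not on who is pressing the button; that keeps "clicked publish by mistake" from page 20 from reaching production with an unreviewed or untested build.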

Page 24

How to Stay Secure?

© 2018 EHR 2.0. All rights reserved. To purchase reprints of this document, please email [email protected].

• Have an external risk assessment

• Fix identified vulnerabilities

• Establish security processes

• Lock down app update procedures (DevOps)

• Monitor

• Set up alerts

Recommended:

➢ Audit report: every 3 months

➢ Full assessment: once a year

Page 25

Azure Security Guidance

• http://download.microsoft.com/download/0/D/6/0D68AE95-6414-4074-B4B8-34039831E2BF/Privacy-and-security-compliance-in-the-health-care-cloud.pdf

• https://gallery.technet.microsoft.com/Azure-HIPAAHITECH-Act-1d27efb0/file/163557/1/Microsoft%20Azure%20HIPAA%20Implementation%20Guide%20November%202016.pdf

Blueprints

• https://servicetrust.microsoft.com/ViewPage/HIPAABlueprint

Page 26

KEY TAKEAWAYS

• Microsoft provides a framework, but it is you who need to implement it.

• HHS/OCR enforcement on HIPAA Covered Entities and Business Associates: maintain a framework and minimize risk.

• Security risk analysis, training, and policies and procedures are key required documents.

• Monitor and make sure you are secure.

• HIPAA compliance needs continuous monitoring.

• Healthcare entities have a wide footprint of patient data.

• Annual update is required.

Page 27

CALL US

866-276-8309

SERVICE

[email protected]

150, Cornerstone Dr. Cary, NC

SOCIALIZE

Facebook, Twitter

FIND US

Twitter: @ehr_20 Facebook: ehr2027

Page 28

Upcoming Events

How You Can Get More Money, Faster, into Your Medical Practice? – Nov 8 @ 1 p.m. ET

Page 29

Please don’t hesitate to ask questions

Page 30

Thank you for your attention!

Page 31

Thank you for joining us today