Security "Bits"

Where Office 365 Falls Short in Securing PHI

By Mike Schuricht | August 8, 2016 at 11:49 AM


Healthcare organizations struggle with BYOD security when they adopt cloud applications and are forced to figure out how to protect apps like Office 365. Securing Office 365 becomes even more difficult when medical practitioners work for multiple hospitals since only one mobile security solution, like an MDM, can be installed on a device at a time. However, this is only part of the problem. Securing protected health information (PHI), stored and shared by healthcare professionals, is the real challenge.

HIPAA requires that PHI be protected while in transit across networks, when accessed, when stored at rest in the cloud, and when downloaded to devices. On top of that, there must be a reviewable audit trail to track who accessed PHI and when, so that in the event of a security breach, the risk can be assessed to determine if external disclosure is required.

One of the first places to turn when looking to secure Office 365 is Microsoft’s own cloud security solution and its available product options. At the E3 license level and above, the solution includes eDiscovery, email archiving and legal hold, digital rights management for SharePoint, data loss prevention (DLP), online file editing with tools like Word Online, and collaboration tools like Yammer. Unfortunately, Microsoft’s Intune mobile MDM solution is a component of their Mobility Suite, a costly add-on that cannot solve the multiple-hospital-affiliation problem for physicians unless each hospital were to provide dedicated phones. That sort of solution is a non-starter, since most physicians will refuse to carry more than one phone.

Other limitations of the security controls built into Microsoft’s SaaS offering include:

• DLP for OneDrive and SharePoint is limited, allowing only complete blocking or alerting.
  • What if you want to allow all data to be shared internally, but block external sharing?
    • Microsoft’s solution doesn’t allow for granular policy controls. What most organizations need is the ability to automatically quarantine files that may contain PHI for review. Checking for compliance violations before a document is shared externally gives employees more flexibility than outright blocking while still providing adequate protection.
• The inability to control unmitigated sync of corporate data through the native OneDrive sync client is another limitation, and it is particularly risky on unmanaged devices. Microsoft enables organizations to block sync clients, but the control requires that machines be domain joined. This matters because PHI should not be synced down to PCs that IT does not control (e.g. personal laptops).
  • What happens when a machine is corporate property but not joined to the domain (e.g. Macs)?
    • Organizations need a solution that restricts unmitigated sync of corporate data on both unmanaged personal devices and corporate machines that are not domain joined. Simply blocking access from these client apps is easily accomplished with a CASB.
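The granular decision the list above asks for (allow internal sharing, quarantine likely-PHI documents on external sharing, and keep the audit record HIPAA expects) can be sketched as a small policy function. This is an added illustration, not Bitglass or Microsoft code; the PHI patterns, the tenant domain and the sample documents are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed PHI indicators: a medical-record-number style identifier and a
# US SSN pattern. A real DLP engine uses far richer classifiers; these only
# illustrate the decision logic.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Assumed tenant domain; anything else is treated as an external recipient.
INTERNAL_DOMAINS = {"example-hospital.org"}


@dataclass
class AuditEvent:
    when: str
    actor: str
    recipient: str
    decision: str
    indicators: list


# Reviewable audit trail: who shared what, with whom, and what was decided.
AUDIT_TRAIL: list = []


def find_phi(text: str) -> list:
    """Return the names of the PHI indicators present in the document text."""
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]


def sharing_decision(actor: str, recipient: str, text: str) -> str:
    """Return ALLOW or QUARANTINE for a share request and record it.

    Internal shares are allowed even when PHI is present (with an audit
    record). External shares of documents that look like they contain PHI
    are quarantined for review rather than blocked outright.
    """
    indicators = find_phi(text)
    external = recipient.split("@")[-1].lower() not in INTERNAL_DOMAINS
    decision = "QUARANTINE" if (indicators and external) else "ALLOW"
    AUDIT_TRAIL.append(AuditEvent(
        when=datetime.now(timezone.utc).isoformat(),
        actor=actor, recipient=recipient,
        decision=decision, indicators=indicators))
    return decision
```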

Office 365’s native security capabilities are helpful as basic controls, but IT security professionals often need third-party security solutions that can augment Microsoft’s offerings. They search for solutions like Cloud Access Security Brokers that offer an agentless alternative to MDM, cloud access controls, limits on external sharing, and more.

For organizations that search on these terms, the resulting matches can be confusing and require a lot of time to figure out how the solutions compare.

Bitglass’ upcoming webinar, The Security Gap: Protecting Healthcare Data in Office 365, will dive into how CASB solutions can help you achieve HIPAA compliance in the cloud, how to identify a complete cloud security solution, and other Office 365 security shortcomings.
