
HITRUST CSF Validation: Accelerating Trust in Office 365


In my role at Microsoft, I evangelize for adoption of Microsoft’s Office 365 cloud platform at healthcare organizations as a way to:

  • modernize communication, collaboration and productivity tools;
  • lower cost and complexity of managing IT; and
  • improve the reliability and availability of mission-critical applications.

Over the last four years, I have spoken to hundreds of healthcare organizations about their concerns with cloud adoption. In doing so, I found that it is imperative to demonstrate that the above can be accomplished without compromising on functionality, control, and most importantly, security, privacy and compliance with HIPAA/HITECH regulations.

Microsoft is no stranger to being a trusted data steward for healthcare, bringing the breadth of information and communication technology to healthcare as an enterprise-grade, evergreen, flexible, scalable, cost-saving, secure and compliant utility. In fact, Microsoft was the first major cloud services provider to offer regulated entities an industry co-developed HIPAA Business Associate Agreement. This BAA, jointly developed by a consortium of academic medical centers, memorializes Microsoft’s compliance commitment to implementing the physical, technical and administrative safeguards and breach notification requirements set forth in HIPAA/HITECH.

Today, hundreds of organizations representing over 10M enterprise users have signed this BAA. They range from small physician practices like Mihills Webb Medical and academic medical centers like Thomas Jefferson University, through large multi-hospital health systems like Steward Health Care, to state Health and Human Services departments like the State of Texas. Most recently, in November 2014, the Department of Health and Human Services, the entity promulgating HIPAA, announced it will be moving 125,000 seats to Office 365, awarding Microsoft the FedRAMP authorization to operate.

Although references like these are enough to help establish trust in Microsoft as a recognized trusted healthcare cloud vendor, we understand that we must continue to drive alignment with the standards and certifications that the industry expects.

Even if an organization has internalized the value proposition of cloud economics, functionality and reliability, it may still experience delays in the adoption and active use of cloud technologies. This is because the decision to use the cloud usually needs to be vetted by a series of organizational departments in charge of information security, privacy and compliance. Depending on the maturity of its information security program, there can be a lengthy process of cross-departmental assessment of any vendor that may take custody of a regulated entity’s electronic protected health information (ePHI). This usually involves the vendor filling out lengthy questionnaires that then need to be reviewed, as well as requests for information, multiple security and compliance briefings, and legal contract negotiations.

Offering a comprehensive Business Associate Agreement created in collaboration with the industry, and executed by a broad range of provider, payer, academic and government customers, is only one (albeit critical) piece of that assessment puzzle. While a BAA is a terrific self-attestation by a cloud vendor, it is not the result of an assessment by a certified assessor recognized by a standards-setting body.

The Department of Health and Human Services, the entity promulgating HIPAA law, makes it clear that “HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as ‘HIPAA compliant.’” To compound matters, HIPAA rules are written to be elastic enough to accommodate organizations of all sizes and complexity, often leaving covered entities to determine on their own what they feel would be a “reasonable and appropriate” level of protection. In the absence of a HIPAA certification, a healthcare covered entity evaluating Office 365 often has to validate for itself that a vendor is doing the right things, beyond the mere signing of a BAA.

To quote my 6th grade math teacher, “It is not enough that you gave me the final answer, you must show your work!”

Microsoft believes cloud vendors should also transparently validate how they support HIPAA compliance. The validation of “how” can be accomplished via confirmation of several other critical standards and certifications, including ISO 27001, the recent ISO 27018 put out by the International Organization for Standardization, and SSAE 16, governed by the American Institute of Certified Public Accountants. A healthcare organization can bypass or accelerate its own reviews because certification to these standards confirms, through an independent third-party audit by entities endorsed by the standard-setting body, that Microsoft has appropriate controls in place.

To help support this approach of reviewing multiple certification standards, an organization contemplating a move to the cloud can also look to alignment with the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF). HITRUST was “born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST includes membership from organizations such as:

  • Health Care Service Corporation
  • Humana, Inc.
  • Children’s Medical Center of Dallas
  • IMS Health
  • Highmark Inc.
  • Anthem, Inc.
  • UnitedHealth Group
  • Express Scripts, Inc.
  • McKesson Corporation
  • Kaiser Permanente
  • Blue Cross Blue Shield of Massachusetts
  • Hospital Corporation of America
  • CVS Caremark

Their goal was to create a CSF with an accompanying assessment and certification process that would reduce the complexity of managing multiple standards and regulations, including federal (HIPAA, HITECH), third-party (PCI, COBIT) and government (NIST, FTC) requirements. The HITRUST CSF is modeled after the National Institute of Standards and Technology’s Computer Security Division’s NISTIR 7358 standard – Program Review for Information Security Management Assistance (PRISMA) – under which an organization can demonstrate 5 different levels of “maturity” for a particular security requirement.

The CSF allows healthcare organizations to gauge the maturity of their (and their business associates’) information security programs across a spectrum of assurance levels that go beyond HIPAA-level requirements. This is done by organizations like Microsoft bringing in certified assessors to perform their audits and produce reports that do not simply “check off” that a policy exists, but also detail an organization’s maturity level against NIST, HIPAA and other requirements.

As a result, a healthcare organization may rely on a CSF report produced by a HITRUST certified assessor to dramatically accelerate its security review cycle for a cloud service provider, and to give a HIPAA-regulated entity’s security and compliance officers a better comfort level to green-light cloud technology deployment and usage.

According to IDC Health Insights, by 2020, 80% of all healthcare data will “pass through the cloud at some point in its lifetime.” Healthcare organizations are recognizing across the board that the cloud is not a question of “if” but of “when.” The faster they can get there without compromising security, the quicker they can capitalize on the financial and operational benefits.

To this end, Microsoft is once again leading the charge, empowering healthcare organizations to move faster to the cloud, in particular, to Office 365. Partnering with Veris Group, a certified HITRUST assessor, Microsoft has undergone an assessment based on the requirements of the Common Security Framework for Office 365, and achieved a Level 5 rating – the highest possible rating.

Centura Health, comprised of 18,000+ professionals across 15 hospitals, 11 affiliate hospitals, and over 100 physician practices and clinics in Colorado and Kansas, is a leading example of the impact of HITRUST.

Like all our healthcare customers, Centura Health’s compliance team was deliberate and thoughtful in considering its move to Office 365. Centura Health has a well-established governance, risk and compliance program in place, and trusting Microsoft with mission-critical messaging and communication systems was a big decision. For Centura Health, Microsoft’s BAA was a critical component of the cloud offering; however, they also wanted an additional, transparent demonstration of how their patient data would be protected. Centura Health identified HITRUST CSF validation as another requirement they wanted Microsoft to meet.

“For Centura Health, it is important that our business partners are securing our information to the same standards that we adhere to,” said Kris Kistler, director, data security, Centura Health. “We believe that the HITRUST Common Security Framework (CSF) is the most comprehensive security framework available.”

Microsoft’s posture on healthcare data security and privacy is to always embrace the responsibility of a compliant and trusted data steward, proactively collaborate with its healthcare customers, and continually demonstrate transparency to show why it has earned the industry’s trust. Microsoft took the HITRUST CSF request from customers such as Centura Health and escalated it to Office 365’s Compliance team, which proactively tracks standards and regulations and develops common control sets for the product engineering team to build into the service. With over 1000 controls already implemented in the Office 365 compliance framework, and in recognition of the impact HITRUST would have on accelerating cloud adoption, Microsoft was quickly able to align its Office 365 service to the CSF requirements.

Kistler added, “In today’s environment of ever increasing security threats, it is refreshing to see more organizations, including Microsoft, be willing to undergo the HITRUST CSF validation which further demonstrates an organization’s commitment to security and compliance.”

Microsoft is committed to data integrity and to aligning its organization to best practices. Like Centura Health, we know more organizations are adopting the HITRUST CSF framework. If your healthcare organization is evaluating Office 365, I am happy to report that we are not only ready to sign a HIPAA Business Associate Agreement but, with the CSF assessment, also ready to show our work!

For more information on Office 365 Security, Privacy and Compliance, visit www.trustoffice365.com

For more information on Office 365 in Healthcare, visit www.microsoft.com/en-us/health/products/office365