I never pass up an occasion to discuss a subject that I am quite passionate about: data privacy and security. Recently, I spoke at the American Bar Association’s 16th Annual Conference on Emerging Issues in Healthcare Law in Orlando, FL. During the conference, I had the chance to connect with many of the leading healthcare lawyers in the United States, and one of their collective areas of concern was the control, privacy, and security of healthcare data, especially when stored and maintained with third-party IT cloud providers. This gave me the opportunity to address a new standard developed by the International Organization for Standardization (ISO) for privacy in the cloud: ISO/IEC 27018 (ISO 27018).
For background, ISO 27001 has been the current and well-established international information security standard, and Microsoft has a longstanding commitment to that still applicable standard. ISO 27018 is built upon the ISO 27001 foundation and modernizes data security and privacy by adding key protections for customer personally identifiable information (PII) stored in the cloud. Cloud providers adopting ISO/IEC 27018 are required to validate their service against six key pillars:
- Consent: Cloud providers must not process PII for any ulterior purposes such as advertising or marketing without the express consent of a customer. Cloud services should be “advertising and marketing free” and it must be possible for a customer to use the cloud services without submitting to use of its data for any such purpose. Microsoft has a longstanding commitment not to use data processed by its commercial cloud services for advertising purposes.
- Data Control: Customers must retain clear control of how their data is used by their cloud provider, and cloud providers must commit to process that information only according to customer instructions. Further, cloud providers must give their customers explicit control over how their personal data is used and must implement a policy to allow for the return, transfer, and/or secure disposal of data within a reasonable period of time. This ensures that customers can avoid “lock-in” and can switch providers whenever they wish, leaving customers in full control over their own data.
- Transparency on Data Location and Subcontractors: Cloud providers are required to make a clear disclosure about where customer data resides. Customers may be subject to a myriad of rules about where their data can be stored, and ISO 27018 requires visibility to data location to allow customers to address their compliance obligations. Further, ISO 27018 requires a disclosure of subcontractors who may handle customer data and prompt notice to the customer if there are changes to any subcontractors handling their data, and it must allow customers an opportunity to object to such changes or terminate their agreement.
- Accountability & Communication: ISO 27018 requires a cloud provider to promptly investigate any security incidents to determine if there was any unauthorized disclosure or breach. In case of a validated breach or security incident, a cloud provider must promptly notify customers and not only keep, but also provide, clear records to the customers to help them comply with their own reporting obligations.
- Requests for Data Disclosure: Cloud providers must commit to reject requests for the disclosure of customer data, including from law enforcement, that are not legally binding. If the request is legally binding, the cloud provider must notify the customer of the request, unless prohibited from doing so by law.
- Annual Independent Audit: A cloud provider must subject itself to an annual independent third-party verification of its conformance with the ISO 27018 standard.
Many of these pillars will look familiar to the healthcare industry, as they align with requirements already set forth in HIPAA. A few years ago, Microsoft collaborated with a cross-section of healthcare insurers, providers, and academic medical centers to create a HIPAA Business Associate Agreement (BAA), which resulted in Microsoft being the first major cloud provider to proactively address HIPAA requirements for both itself and its regulated customers. In our opinion, a HIPAA BAA is just a threshold requirement for providing cloud services to the healthcare industry. Healthcare organizations need more than just a signed BAA with a cloud provider; they need to be able to trust that their cloud provider will live up to the commitments and restrictions contained in that BAA. The third-party audit requirement in ISO 27018 provides a valuable mechanism for assessing the validity of commitments made in a cloud provider’s BAA. While there is not 100% overlap between HIPAA and ISO 27018, an ISO 27018 validation is an important litmus test for how serious a cloud provider is about living up to HIPAA obligations. In February, Microsoft was delighted to announce that it is now the first major cloud provider to be independently audited for conformance with ISO 27018 with regard to the protection of PII across the following four major cloud offerings: Microsoft Azure, Office 365, Dynamics CRM Online, and Windows Intune.
It should also be noted that being the first major cloud provider to provide a HIPAA BAA and adopt ISO 27018 are not the only steps Microsoft has taken to demonstrate its leadership in protecting the privacy of customer data in the cloud. For example, Microsoft has committed to encrypt customer data, using best-in-class, 24-bit encryption, when the data is in transit between the customer and Microsoft, and between Microsoft datacenters. Microsoft also offers Windows 8 BitLocker and BitLocker To Go, which encrypt data while stored on a PC or portable USB device and thereby help prevent unauthorized access to data if an employee’s device is lost or stolen, which is one of the most frequent causes of reportable customer HIPAA breaches. Recently, Microsoft Office 365 went through an independent assessment against the Health Information Trust Alliance (HITRUST) Common Security Framework, which includes a prescriptive set of controls and supporting requirements aligned with existing standards and regulations, including HIPAA, HITECH, PCI, COBIT & NIST. This independent assessment resulted in Microsoft receiving a Level 5 HITRUST rating, the highest possible rating.
More than 25,000 US health organizations currently take advantage of Microsoft cloud solutions. As I have written previously, data privacy and compliance in the cloud are essential for these organizations. It is our steadfast position that cloud providers must verify trusted data stewardship through compliance with applicable privacy laws and newly recognized cloud data privacy standards. The adoption of ISO 27018 is an important step for privacy in the cloud. The standard will help foster transparency in cloud provider privacy practices while advancing stronger protections for customer data. ISO 27018 is another critical standard Microsoft is meeting to demonstrate its commitment to remaining a leader in protecting the privacy of customer data in the cloud. Microsoft believes that a cloud provider’s adoption of ISO 27018 is not only complementary to HIPAA, but also necessary for our healthcare customers to confidently migrate their important and sensitive data to the cloud in a compliant manner.
For further information regarding Microsoft’s commitments to Trustworthy Cloud Computing, please see the following:
- Trustworthy Cloud Computing
- Office 365
- Microsoft Azure
- Microsoft Dynamics CRM