Compliance is one of the biggest issues of businesses in moving to the cloud. US-based healthcare companies for instance must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires them to conform with national standards in treating electronic health care transactions. HIPAA is basically enacted to give privacy to individuals from 12 – 18 years old, by having respective electronic data records of children securely stored and not disclosed to anyone without their permission.
Because of this, HIPAA and other compliance regulations are perceived to be main hindrances in moving to the cloud. The issue in general points back to how data is treated. Being founded on the principles of economies of scale, data on the cloud is distributed across different servers all across varying geographic locations which in most cases, users have no control of. In effect companies are worried on how their data is being treated and processed.
The cloud architecture of Office 365
Although built to on a multi-tenant architecture, Microsoft’s Office 365 uses a more advanced technology to segregate data storage and processing. For instance, Office 365 uses advanced cryptographic solutions and holds 49 separate FIPS 140-2 for its encryption.
Windows Azure SDK also allows the protection of data at rest where application level encryption can be done to protect sensitive data stored in Windows Azure. Once encrypted, this data can only be decrypted by authorized users. In effect, by giving more security to data at rest, companies gain more flexibility in distributing and sharing information.
Data in transit can also be protected through SSL encryption and also through a tabular data stream TDS using SLL. By leveraging ADO.NET encryption and trusted server certificates, it is easier to enforce policies and procedures that are necessary for HIPAA.
Making SharePoint 2013 HIPAA Compliant
In making SharePoint compliant to HIPAA, there are four basic principles to follow. First, access controls are very important for compliance, therefore a robust role based access policy should be implemented. This can be easily done in SharePoint through a company’s Active Directory, and at the same time, its respective security group that is necessary to control site access.
Second, keeping audit logs is central in HIPAA compliance. This is necessary to gain reference of access, adding and deletion of data relative to the user performing it. Making your SharePoint perform audit tasks is also easy. Just enable a site collection feature call reporting, and you are all set. Since auditing is done in the site collection level, data can easily be audited by referring to Audit Log Reports, identifying a document library location, together with the required audit report.
Finally, protection of data at rest and data in transit is very important. This can be answered by the default security measures of Microsoft for Office 365. In SharePoint, this translates to enabling version control at every iteration list or library data changes; and also by using SSL certificates.
Is your SharePoint system HIPAA compliant?
In making your SharePoint systems compliant to HIPAA and other legal and industry regulations, the first step must always be finding the right partner. Our team of experts at Portal Integrators can help you transition your system achieve industry and legal standards. Contact us to know more