Home

Office 365 Earns HITRUST CSF Certification

Hector Rodriguez, Worldwide Health Chief Industry Security Officer, Microsoft Corporation

 

I’m pleased to announce that Office 365 has earned HITRUST Certification from the Health Information Trust (HITRUST) Alliance, the widely adopted security and risk management framework in the U.S. healthcare industry. This also includes the NIST Cybersecurity Framework certification. The independent Letter of Certification of HITRUST CSF by HITRUST Services Corp. for Office 365 provides more detail. As the Worldwide Health Chief Industry Security Officer at Microsoft, a favorite aspect of my work is helping customers solve their deepest security, privacy and regulatory compliance concerns. The HITRUST Common Security Framework (CSF) helps health organizations address these concerns through a comprehensive, flexible framework of both prescriptive and scalable security controls. That is why I’m excited to share this important milestone. As a HIPAA business associate, our Office 365 platform and services meet the industry expectation of continued regulatory compliance and risk management, and we enable our health customers to meet their requirements while also managing the cost of compliance.

 

At Microsoft, we have created a culture that runs on trust. When it comes to data protection and privacy, we are transparent about how we handle customer data. We know that our business can succeed only if our customers trust us to protect their privacy and use their data in the ways that they permit us. That’s why we have compliance offerings for Office 365 across ISO 27001, NIST 800-53, the Health Insurance Portability and Accountability Act (HIPAA) and the European Union General Data Protection Regulation (GDPR).

 

Health organizations face increasing cybersecurity attacks in an evolving regulatory environment. Patient privacy is paramount and regulatory authorities have set a high bar for security, privacy, and compliance. At the same time, the approach to medical care, clinician satisfaction, and patient expectations is transforming and has evolved. To keep pace with these changes, health organizations need new ways to provide patients with the best care possible, without compromising patient privacy and data integrity.  That’s why Microsoft 365 provides a complete, intelligent and secure solution that empowers health teams by bringing together Office 365, Windows 10, and Enterprise Mobility & Security. While Microsoft understands and acknowledges that overall regulatory compliance is ultimately the responsibility of the covered entity, the addition of the HITRUST CSF certification ensures our healthcare customers that our offerings meet the risk management requirements for a covered entity.  The HITRUST Alliance is developed with security, privacy, and compliance professionals and rationalizes a myriad of regulations into one overarching common security framework. I value how we work together to reduce the burden and cost of compliance by bringing clarity to our customers around evolving regulations and security risks. Microsoft 365 empowers health organizations to deliver the best care possible on a secure platform.

 

Empowering the Quadruple Aim

The health industry’s purposeful execution and successful attainment of the “Quadruple Aim” objectives would be compromised without the foundational ability and capability to maintain patient’s sensitive and protected health information. Microsoft’s goal is to enable organizations to be trusted data stewards while attaining the greatest possible benefit from the effective, appropriate use of health data. This allows you to spend time (1) improving the health of populations, (2) enhancing the patient experience of care, (3) reducing the per capita cost of health care and (4) improving the work life of health care clinicians and staff. As care becomes more complex and team based, many clinicians struggle to communicate quickly, securely, and effectively. We can eliminate that complexity and improve work life productivity by empowering collaboration on a secure platform. The Microsoft 365 platform enables healthcare entities to be trusted data stewards by streamlining the controls and processes that are in the center of good data governance.


Managing Compliance

To accelerate compliance with national, regional, and industry-specific regulatory requirements, Microsoft provides the most comprehensive set of compliance offerings (including certifications and attestations) of any cloud service provider.  Additionally, Microsoft’s Compliance Manager is designed to help simplify the compliance process with built-in control management, collaboration, evidence collection, and audit-ready reporting tools.  It provides an at-a-glance summary of the shared responsibility model reflecting Microsoft's and your organization’s data protection and compliance posture and gives you step-by-step guidance to implement and enhance your data protection controls.

 

Intelligent Security Graph Powers Security Insights and Analytics

The Microsoft Intelligent Security Graph uses advanced analytics to gain unique insights informed by trillions of signals to combat cyberthreats. Microsoft 365 is directly integrated with the Intelligent Security Graph and the new Security API empowers customers and partners to build solutions that authenticate once and use a single API call to access or act on security insights by connecting to multiple security solutions and integrating with existing workflows. Additional value is uncovered when other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) are leveraged to tie business context with the customer’s security insights. The Security API integration also supports high volume streaming of alerts to a SIEM (Security Information & Event Management) through Azure Monitor to enable seamless ingestion of alerts from multiple sources.

 

Increased Security and Lower Cost of Ownership

Health organizations such as Fullerton Health, Sutter Health, and Advocate Health Care are already experiencing significant productivity gains from using components of the Microsoft 365 platform including Office 365, Windows 10, and Enterprise Mobility & Security. A commissioned study by Forrester Consulting, “A Total Economic Impact Analysis of Microsoft Office 365”, describes the tremendous cost savings from adopting Office 365.

 

Additional Resources

Access the Service Trust Portal for our audit reports, certifications, blueprints, and other trust documents.  To Learn more about Microsoft’s innovations in health, please visit Microsoft's health industry website.