We are pleased to announce that Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting can help healthcare and life science customers in meeting their Health Insurance Portability and Accountability Act (HIPAA) obligations. To carry out proactive threat hunting and managed detection and response on behalf of our customers, our Defender Experts team needs access to their Microsoft Defender portal alerts, incidents, and advanced threat hunting data. We can now support our customers’ compliance with HIPAA when they utilize Defender Experts services through a Business Associate Agreement (BAA) to ensure that protected health information (PHI) is appropriately safeguarded.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA are a set of U.S. healthcare laws that establish requirements for the use, disclosure, and safeguarding of individually identifiable health information. HIPAA applies to covered entities (e.g., health care providers, health plans, etc.) that create, receive, maintain, transmit, or access patients' PHI. HIPAA further applies to business associates of covered entities that perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity.
Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 certification and the Health Information Technology for Economic and Clinical Health (HITRUST) Common Security Framework (CSF) certification. Both Defender Experts services are also ISO 27001, 27017, and 27018 certified:
- ISO 27001 provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
- ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002 (access control, cryptography, human resource security, and incident response), as well as additional controls with implementation guidance that specifically relate to cloud services.
- ISO 27018 provides guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
To learn how Microsoft helps healthcare and life science customers demonstrate compliance, visit the Microsoft HIPAA compliance documentation page.
Click here to discover more about our services or check out the Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting documentation pages. Make sure you bookmark our Defender Experts Ninja Hub for the latest resources and videos.