entra permissions management
3 Topics
The Future of HIPAA and Changes to NIST 800-66: Access Control and Information Access Management
We can peer somewhat into the future of the Health Insurance Portability and Accountability Act (HIPAA) and overall healthcare data security policy by following the trend in heightened attacks against healthcare providers and proposals for new Federal policy, but there are also key signs for healthcare providers and Electronic Health Records (EHR) system vendors when reviewing the possible changes to National Institute of Standards and Technology (NIST) Special Publication 800-66 (NIST 800-66). NIST 800-66r2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, is “designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI.” 1 There are two subjects emphasized and woven throughout the newly published NIST 800-66r2 Draft. The first is risk analysis and management, and the second is access management. Interestingly, an entire risk management section is injected into the document, and both topics have more net new content than others throughout the draft. It is for this reason I’d like to highlight some of the new guidance, implications for these additions, and potential capabilities within Microsoft 365 and Azure that can address it.
Permissions to only create Cases and HoldPolicy and HoldRule
I want to provide some of our staff the ability to only create a new eDiscovery case (New-ComplianceCase), and a Case Hold Policy (New-CaseHoldPolicy) and Case Hold Rule (New-CaseHoldRule) via PowerShell. Before I start digging into the documentation, I wanted to ask if anyone knows what permissions and roles are needed to allow only these commands? For a little more context, when we separate a user from our organization I want to create an eDiscovery case and place said user's mailbox and OneDrive site on compliance hold. The "Compliance Administrator" and "Compliance Data Administrator" are more permissive than the admin staff performing these actions needs so I'm looking to limit it. Thanks!