The Future of HIPAA and Changes to NIST 800-66: Access Control and Information Access Management

We can peer somewhat into the future of the Health Insurance Portability and Accountability Act (HIPAA), and of healthcare data security policy overall, by following the trend of heightened attacks against healthcare providers and the proposals for new Federal policy, but there are also key signs for healthcare providers and Electronic Health Records (EHR) system vendors in the possible changes to National Institute of Standards and Technology (NIST) Special Publication 800-66 (NIST 800-66). NIST 800-66r2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, is "designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI." [1] Two subjects are emphasized and woven throughout the newly published NIST 800-66r2 draft. The first is risk analysis and management, and the second is access management. Notably, an entire risk management section has been added to the document, and both topics have more net-new content than any other in the draft. For this reason I'd like to highlight some of the new guidance, the implications of these additions, and the capabilities within Microsoft 365 and Azure that can address them.

Microsoft Purview - Paint By Numbers Series (Part 2e) – Using Multiple Sensitivity Labels
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview - Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including that found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance user interface (UI) or in a reference on docs.microsoft.com, always defer to the official documentation and contact your Microsoft account team as needed. Links to the docs.microsoft.com material are referenced both in the document steps and in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

Document Scope
This document is meant to guide an administrator who is "net new" to Microsoft E5 Compliance through the following:
- How multiple Sensitivity labels work together
- Examples of how multiple Sensitivity labels can be laid out
It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy. For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) type called "U.S. SSN – Numbers Only" that I created in Part 1 of this blog series. It is also presumed that you already have multiple Sensitivity labels created for your testing. This document is only meant to be an introduction to the topic of multiple Sensitivity labels.
Always refer back to official Microsoft documentation or your Microsoft account team for the latest information.

Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including:
- Sensitive Information Types
- Exact Data Matching
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Microsoft Cloud App Security (MCAS)
- Records Management (retention and disposal)
- Overview of Advanced eDiscovery (AeD)
- Reports and Analytics available in Advanced eDiscovery (AeD)
- Insider Risk Management
- Privacy Management
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the user interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or an Exact Data Match (EDM) that you have created for your testing. We will not be covering the auto-labeling of data at rest. That will be covered in another blog post; those auto-labeling policies should not be created until after you have locked down your Sensitivity labeling of all "net new" data. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (linked below) for the latest entries to this blog. That webpage will be updated with any new walk-throughs or Compliance-relevant information, as time allows. Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Overview of Document
- How multiple Sensitivity labels work together
- Examples of how multiple Sensitivity labels can be laid out

Use Case
Using multiple Sensitivity labels in a single tenant.

Definitions
Sensitivity Label – a metadata tag
Publish Label – making the metadata tag available to your tenant
Policy – the monitoring and applying of Sensitivity labels throughout the Microsoft tenant

Notes
How are conflicts resolved when it comes to Sensitivity labels?
The best way to understand this is the official chart at the link below: Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs

Pre-requisites
- You have read Part 2 of this blog series
- You have created multiple Sensitivity labels for your testing

Overview of Prioritization of Multiple Sensitivity Labels
Once you have published your Sensitivity labels, you prioritize the policies from the least restrictive label to the most restrictive label.

What to know – In the Policies tab, the policy with the lowest "Order" number is listed at the top and the highest at the bottom. (A screenshot of the Compliance portal's Order column, not reproduced here, shows the same thing in a different way.)

How to apply this – Place your lowest-priority Sensitivity label policy at the top of the list of Sensitivity label policies. This creates a baseline label. Then place your highest-priority Sensitivity label policy at the bottom of the list.

Tip #1 – The trick is to remember that the higher the number in the "Order" column, the stricter the label. This trips people up because the order starts at 0 at the top and the "Order" number grows as you go down the list.

Tip #2 – Place your labels in the same order as your policies, so that whichever tab you are on you will know the priority of your labels. For example, the Sensitivity label policy at Order #2 is a more restrictive label than the Sensitivity label policy at Order #1.

The following examples will attempt to flesh this out.

Example #1 – 4 Sensitivity labels
Here is an example of how you might lay out 4 Sensitivity labels from the least restrictive to the most restrictive Sensitivity label.
Note – Which of these labels gets applied depends on which Sensitive Information Types (SITs) are associated with each label. We will not be covering that here because we presume you have configured your labels previously.
Look at the following screenshot of 4 Sensitivity label policies and their order (not reproduced here). The table below lays out how the order of these will affect the document.

Order | Label name                 | Priority of Sensitivity label policy
0     | Public Document Policy     | Least restrictive
1     | Internal Document Policy   | Second least restrictive
2     | Secret Document Policy     | Second most restrictive
3     | Top Secret Document Policy | Most restrictive

Example #2 – 3 labels, one of them a "Default" Sensitivity label
Here is an example of how you might lay out a "default" Sensitivity label policy and then layer stricter Sensitivity label policies on top of it based on the number of Sensitive Information Types (SITs) found in a file/email. Regard the following screenshot of 3 Sensitivity label policies and their order (not reproduced here).

The Default Label policy is applied to all new files/emails by default. If the end user adds 1 piece of PHI data (e.g. a social security number) to the file/email, the "Sensitive" label is applied. If the user adds 2 pieces of PHI data (e.g. a social security number and a credit card number) to the file/email, the "Highly Confidential" label is applied. The table below shows how the Order column maps to both the label and the quantity of Sensitive Information Type (SIT) matches in a file/email.

Order | Label               | Pieces of PHI data
0     | Default             | 0
1     | Sensitive           | 1
2     | Highly Confidential | 2

Tip – You should never have more than 1 "default" Sensitivity label, and it should always be set at an "Order" of 0 in your policy list. This avoids labeling conflicts for this particular type of label. See Part 2c of this blog series (Default Labels) for more information on "default" Sensitivity labels.
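The same ordering can be checked without clicking through the portal. The script below is an added example in Security & Compliance PowerShell; it is not part of the original post. It assumes the ExchangeOnlineManagement module is installed, that you sign in with an account allowed to manage labels, and that the four labels of Example #1 carry the display names Public, Internal, Secret and Top Secret (the names are assumptions; substitute your own). The fix branch is off by default because Set-Label -Priority re-positions labels relative to every other label in the tenant, not just these four.

```powershell
# Added example, not from the original post. Verifies that sensitivity
# labels run from least restrictive (lowest Priority) to most restrictive
# (highest Priority), mirroring the portal's "Order" column.
# Assumptions: ExchangeOnlineManagement module installed; the four label
# display names below exist in the tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession          # Security & Compliance PowerShell (interactive sign-in)

# Documented order from Example #1, least restrictive first.
$expectedOrder = @('Public', 'Internal', 'Secret', 'Top Secret')
$applyFix      = $false     # set to $true to re-apply the documented order

# Get-Label returns a Priority per label; a higher number wins when more
# than one label could apply to the same item.
$labels = Get-Label |
    Where-Object { $_.DisplayName -in $expectedOrder } |
    Sort-Object Priority

"Current order (lowest Priority first):"
$labels | Format-Table Priority, DisplayName, Name, Guid -AutoSize

# Position-by-position comparison; -SyncWindow 0 makes the order matter.
$actualOrder = @($labels | ForEach-Object { $_.DisplayName })
if ($actualOrder.Count -eq 0) {
    throw "None of the expected labels were found; check the display names."
}
$diff = Compare-Object -ReferenceObject $expectedOrder `
                       -DifferenceObject $actualOrder -SyncWindow 0

if (-not $diff) {
    "OK: label priorities match the documented order."
}
else {
    Write-Warning "Label priorities differ from the documented order:"
    $diff | Format-Table InputObject, SideIndicator -AutoSize

    if ($applyFix) {
        # Set-Label -Priority takes the zero-based position in the overall
        # label list; walking the list in order moves these four labels to
        # positions 0-3 and pushes any other labels below them.
        for ($i = 0; $i -lt $expectedOrder.Count; $i++) {
            Set-Label -Identity $expectedOrder[$i] -Priority $i
        }
        Get-Label | Sort-Object Priority |
            Format-Table Priority, DisplayName -AutoSize
    }
}

# Tip #2 check: list which labels each published policy contains so the
# policy order shown in the portal can be matched against the label order.
Get-LabelPolicy | Format-Table Name, Labels -AutoSize
```

Run it after every change to label order; a label that sorts above a stricter one is the usual cause of a "wrong" label being applied when two policies both match a document.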
The link is in the Appendix and Links below.

Appendix and Links
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft 365 Compliance | Microsoft Docs
Get started with sensitivity labels - Microsoft 365 Compliance | Microsoft Docs
Create and publish sensitivity labels - Microsoft 365 Compliance | Microsoft Docs
Manage sensitivity labels in Office apps - Microsoft 365 Compliance | Microsoft Docs
Learn about the default labels and policies for Microsoft Information Protection - Microsoft 365 Compliance | Microsoft Docs
Learn about sensitivity labels - Microsoft 365 Compliance | Microsoft Docs
Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs

Microsoft Purview - Paint By Numbers Series (Part 2c) – Default Labels
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview - Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including that found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance user interface (UI) or in a reference on docs.microsoft.com, always defer to the official documentation and contact your Microsoft account team as needed. Links to the docs.microsoft.com material are referenced both in the document steps and in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

Document Scope
This document is meant to guide an administrator who is "net new" to Microsoft E5 Compliance through the following:
- Create a Default label
- Publish a Default label
It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy. For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) type called "U.S. SSN – Numbers Only" that I created in Part 1 of this blog series.
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including:
- Sensitive Information Types
- Exact Data Matching
- Information Protection (creating a basic label)
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Microsoft Cloud App Security (MCAS)
- Records Management (retention and disposal)
- Overview of Advanced eDiscovery (AeD)
- Reports and Analytics available in Advanced eDiscovery (AeD)
- Insider Risk Management
- Privacy Management
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the user interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or an Exact Data Match (EDM) you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (linked below) for the latest entries to this blog. That webpage will be updated with any new walk-throughs or Compliance-relevant information, as time allows. Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community

Overview of Document
- Create a Default label
- Publish a Default label

Use Case
You wish to apply a "default" label to all newly created files/emails in your tenant, without the user needing to perform any action.

Definitions
Sensitivity Label – a metadata tag
Publish Label – making the metadata tag available to your tenant. This is also how a Sensitivity label policy is created.
Default Label – a Sensitivity label that is applied to a file/email automatically.

Notes
Default labels are not the same thing as required labels. Default labels, simply put, place a baseline Sensitivity label on all new files/emails; they take the initial labeling of files/emails out of the hands of the end user and automate it.
Required labels, on the other hand, "force" users to apply a label to a file/email before it can be saved or sent.
After a Sensitivity label is created and published, it should be visible within a few minutes, but it can take up to 24 hours depending on what else is going on inside your test tenant.
Tip – It is recommended that you never have more than 1 "default" Sensitivity label, and that it always sits at an "Order" of 0 in your policy list (meaning the baseline, or lowest possible, labeling policy for files/emails). Both recommendations avoid labeling conflicts for this particular type of label.

Pre-requisites
You have created a Sensitive Information Type (SIT) in Part 1 OR an Exact Data Match (EDM) in Part 1a of this blog series.

Create Default Label
We will now create our Default Label.
1. Go to your Compliance console.
2. Navigate to Information Protection -> Labels and click Create a label.
3. Name & Description – Give the label a name (e.g. "Default Label") and click Next.
4. Scope – Select only Files & emails and click Next.
5. Files & Emails – File-related settings will be disabled. Click Next.
6. Under Choose protection settings for files and emails, check the box Mark the content of files. Click Next.
7. On the Content marking page, turn on Content marking and, among the watermark/header/footer options, select Add a header. For the custom text, enter "Default Label". Click Save and then Next.
8. Auto-labeling for files and emails – accept the default of disabled and click Next.
9. Define protection settings for groups and sites – since we are not working with groups or sites, this page is disabled. Click Next.
10. Azure Purview (preview) – this feature is not yet generally available. Leave it disabled and click Next.
11. Review your label settings. When you are satisfied, click Create label.
You are now ready to publish your label.
Publish Default Label
We will now publish our Default Label.
1. Click Publish labels.
2. Select Choose sensitivity labels to publish, select your Default label, and click Add. Then click Next.
3. Select which users and groups this will apply to. We accept the default of All for this test. Click Next.
4. For Policy settings, select "Users must provide a justification to remove a label or lower its classification". As the option says, this forces the user to justify changing the default label, and the change is logged as part of the activity. Click Next.
5. Apply default label to documents – from the drop-down, select the Default label you just created. Click Next.
6. Apply default label to emails – from the drop-down, select None or Same as document. We select None as we are not testing email at this time. Note – we will not be requiring users to apply a label to their emails at this time. Click Next.
7. Apply default label to Power BI content – accept the default of None and click Next.
8. Name and describe your policy.
9. Review the settings and, when you are ready, click Submit.
You have now published your Default label for use. Before proceeding to testing, wait up to 24 hours for the label to be published into your test tenant; it could be as quick as an hour.

Testing
After waiting for the Default Label to be published, we can now test that it is applied to a new file. For our test here, we will use Microsoft Word.
1. Open Word on your Windows test tenant.
2. Create a new blank document.
3. At the top right of the ribbon you should see the Sensitivity drop-down. In the drop-down you should see the Default Label selected.
4. You should see a header in the file similar to the one below (screenshot not reproduced).
5. If you want, enter some text and save.
You are now done testing your Default Label.
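Two checks worth running after the wizard, as an added example that is not part of the original post: the first reads the published policy's settings back through Security & Compliance PowerShell, the second opens the saved .docx and reads the label stamp the Office client writes into docProps/custom.xml. Assumptions: the ExchangeOnlineManagement module is installed, the policy is named "Default Label Policy" and the test file is C:\Temp\default-test.docx (both placeholders for your own), and the settings keys (defaultlabelid, requiredowngradejustification) are the ones Get-LabelPolicy reports in its Settings property; the script parses whatever keys it finds rather than assuming them, and it needs the file closed in Word before it opens the zip.

```powershell
# Added example, not from the original post.
# Part 1: read the default-label and justification settings back from the
# published policy. Part 2: confirm a saved Word file carries the label.
# Assumptions: ExchangeOnlineManagement installed; policy name and file
# path below are placeholders for your own.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Default Label Policy'            # assumption
$testFile   = 'C:\Temp\default-test.docx'       # assumption

# --- Part 1: policy settings ---------------------------------------------
# Get-LabelPolicy exposes policy settings as key/value pairs. Entries may
# surface as objects with Key/Value or as "[key, value]" strings depending
# on the module version, so both shapes are handled.
function Get-PolicySettingTable {
    param([Parameter(Mandatory)][string]$Name)
    $settings = @{}
    $policy = Get-LabelPolicy -Identity $Name
    foreach ($entry in @($policy.Settings)) {
        if ($entry.PSObject.Properties['Key']) {
            $settings[$entry.Key.ToString().ToLower()] = [string]$entry.Value
        }
        elseif ("$entry" -match '^\[(?<k>[^,]+),\s*(?<v>.*)\]$') {
            $settings[$Matches.k.Trim().ToLower()] = $Matches.v.Trim()
        }
    }
    return $settings
}

$settings = Get-PolicySettingTable -Name $policyName
$settings.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Resolve the default label GUID to a display name for readability.
$labelsByGuid = @{}
Get-Label | ForEach-Object { $labelsByGuid[[string]$_.Guid] = $_.DisplayName }
$defaultGuid = $settings['defaultlabelid']
if ($defaultGuid -and $labelsByGuid.ContainsKey($defaultGuid)) {
    "Default document label: $($labelsByGuid[$defaultGuid]) ($defaultGuid)"
} else {
    Write-Warning "No default document label found on policy '$policyName'."
}
if ($settings['requiredowngradejustification'] -eq 'true') {
    "Downgrade justification is required (changes will be audited)."
} else {
    Write-Warning "Downgrade justification is NOT required on this policy."
}

# --- Part 2: label stamp inside the saved .docx ---------------------------
# Office writes the applied label into docProps/custom.xml as properties
# named MSIP_Label_<labelGuid>_<Field>. Method = Standard means the label
# was applied by policy (default/automatic); Privileged means a user chose it.
function Get-DocxLabelStamp {
    param([Parameter(Mandatory)][string]$Path)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)   # close Word first
    try {
        $part = $zip.GetEntry('docProps/custom.xml')
        if (-not $part) { return @{} }
        $reader = New-Object System.IO.StreamReader($part.Open())
        try { [xml]$xml = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }

    $stamp = @{}
    foreach ($p in @($xml.Properties.property)) {
        if ($p.name -match '^MSIP_Label_(?<guid>[0-9a-fA-F-]{36})_(?<field>\w+)$') {
            $stamp['Guid'] = $Matches.guid
            $stamp[$Matches.field] = $p.lpwstr
        }
    }
    return $stamp
}

$stamp = Get-DocxLabelStamp -Path $testFile
if ($stamp.Count -eq 0) {
    Write-Warning "No MSIP label stamp found in $testFile."
} else {
    "File label: $($stamp['Name']) ($($stamp['Guid'])), method: $($stamp['Method'])"
    if ($stamp['Guid'] -eq $defaultGuid) { "OK: file carries the policy's default label." }
}
```

The second half is the one to keep around: the stamp is plain document metadata, so it tells you what the client actually wrote regardless of what the portal says the policy should do, and a Method of Privileged on a file that should have received the default label means a user changed it by hand.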
Appendix and Links
Learn about sensitivity labels - Microsoft 365 Compliance | Microsoft Docs
Get started with sensitivity labels - Microsoft 365 Compliance | Microsoft Docs
Automatically apply a sensitivity label to content in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs
Manage sensitivity labels in Office apps - Microsoft 365 Compliance | Microsoft Docs

Microsoft Purview - Paint By Number (Part 2b) – Add a Sensitivity Label to a Container or Site
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview - Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including that found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance user interface (UI) or in a reference on docs.microsoft.com, always defer to the official documentation and contact your Microsoft account team as needed. Links to the docs.microsoft.com material are referenced both in the document steps and in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

Document Scope
This document is meant to guide an administrator who is "net new" to Microsoft E5 Compliance through the following. We will be creating Sensitivity labels for net-new Teams sites only:
- Create labels
- Publish labels
- Add labels to a Teams site
It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy. For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) type called "U.S. SSN – Numbers Only" that I created in Part 1 of this blog series.
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including:
- Sensitive Information Types
- Exact Data Matching
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Microsoft Cloud App Security (MCAS)
- Records Management (retention and disposal)
- Overview of Advanced eDiscovery (AeD)
- Reports and Analytics available in Advanced eDiscovery (AeD)
- Insider Risk Management
- Privacy Management
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the user interface (UI). It is also presumed you are using an existing Sensitive Information Type (SIT) or an Exact Data Match (EDM) you have created for your testing. We will not be working with pre-existing Teams sites.

Overview of Document
- Create 2 labels: one Private and one Public
- Publish your labels
- Add your label policy to a Teams site

Use Case
Create a Sensitivity label and apply it to a Microsoft Team. This applies the protection of a Sensitivity label to the files within the Team.

Definitions
Sensitivity Label – a metadata tag
Publish Label – making the metadata tag available to your tenant

Notes
- Containers (in SharePoint) are a gatekeeper for access to the files inside SharePoint/Teams sites.
- Container labels do not apply labels to the objects inside the container (e.g. PowerPoint and Word documents do not receive the label of the container).
- When the label of a container does not match that of a file inside the container, the mismatch can be audited.
- Applying a Sensitivity label at the Team container level can prevent inappropriate or external team members from being added to the Team, which prevents oversharing from occurring in the first place.
- Privacy labels (Private, Org-wide and Public). These Sensitivity labels are linked to the corresponding setting in the container/site configuration:
Private – data stays inside a certain group of users within the organization
Org-wide – data stays inside the organization
Public – data available for access outside the organization

Pre-requisites
- Create a Sensitive Information Type (SIT) in Part 1 OR an Exact Data Match (EDM) in Part 1a of this blog series.
- You have done the steps in Part 2a of this Paint by Numbers series, "Adding the ability to label Sensitivity Labels to Containers and Sites".

Configure the Sensitivity Labels
We will create 2 labels now but only use one until the testing later on.
1. Go to your Compliance console.
2. Navigate to Information Protection -> Labels and click New label.
3. Name & Description – Give the label a name (e.g. "Container Label") and click Next.
4. Scope – Select only Groups & sites and click Next.
5. Files & Emails – File-related settings will be disabled. Click Next.
6. Define protection settings for groups and sites – we will not configure these settings now, but you can do so later; selecting both checkboxes shows their pages so you can review them. Select both and click Next.
7. You will now be taken to Privacy and external user access settings.
   a. For Privacy, the default is Public, but we will change this to Private.
   b. For External user access, leave this unselected, as we will not be testing this aspect of the policy at this time.
   Click Next.
8. We will now define the External sharing and Conditional Access settings.
   a. For the moment, enable Control external sharing from labeled SharePoint sites and review your options for who can access the group/site data. Notice the default is Anyone.
   b. Use Azure AD Conditional Access to protect labeled SharePoint sites is used to allow or block access from unmanaged devices.
   c. Deselect both of these options and click Next.
9. Azure Purview (preview) – this feature is not yet generally available. Leave it disabled and click Next.
10. Next the wizard offers the ability to configure auto-labeling.
As of the writing of this blog, this is in preview only and not generally available. Click Next.
11. Review your label settings. When you are satisfied, click Create label.

Publish your Sensitivity Labels
We will publish our 2 labels now but only use one until the testing later on.
1. Click Publish labels.
2. Select Choose sensitivity labels to publish and pick the labels from above. Select your label and click Add. Then click Next.
3. Select which users and groups this will apply to. We accept the default of All for this test. Then click Next.
4. For Policy settings there is nothing to configure. Click Next.
5. Policy settings for sites and groups – from the drop-down, select the label you just created. Decide if you want to require labels on sites for these users. When you are satisfied, click Next.
6. Give the policy a name and description.
7. Review the settings and, when you are ready, click Submit.
You have now published your label for use.

Apply a Label to an MS Team
1. Open Teams and go to your Teams tab.
2. At the bottom left, click Join or create a team.
3. Click Create a team.
4. I will be selecting From scratch for my team.
5. Select your label from the drop-down.
6. Finish setting up your Team site. I will choose the Privacy setting of Public for my test.
7. Give the team a name and description.
8. Click Create.

Apply a Label to a SharePoint Site
1. Open your SharePoint admin center.
2. Navigate to Sites -> Active sites.
3. Click Create. For the purpose of this blog, we will select Team site.
4. Enter a site name. Enter the other information as you see fit.
5. Click Advanced settings.
6. Choose your Sensitivity label.
7. Click Next.
8. Enter any additional owners or members you wish to add to the site.
9. Click Finish.
10. To verify that the site has received its label, open the site's properties and navigate to the Policies tab. You should see the Sensitivity label on the right of this tab.
You are now done adding a label to your SharePoint site.
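To confirm the container label landed on both the Microsoft 365 group behind the Team and the SharePoint site, and to look for the label-mismatch events the Notes section mentions, here is an added example that is not part of the original post. It uses Exchange Online PowerShell, the SharePoint Online Management Shell and Security & Compliance PowerShell (all three connections are needed); the team name, admin URL and site URL are placeholders to replace with your own. The audit operation name DocumentSensitivityMismatchDetected is the one recorded for "Detected document sensitivity mismatch" in the unified audit log; confirm it against an actual event in your tenant before relying on it.

```powershell
# Added example, not from the original post. Verifies a container label on
# a Team (Microsoft 365 group) and on a SharePoint site, then searches the
# audit log for files whose label is higher than their container's.
# Assumptions: ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell installed; names/URLs are placeholders.
$teamName = 'Container Label Test Team'                       # assumption
$adminUrl = 'https://contoso-admin.sharepoint.com'            # assumption
$siteUrl  = 'https://contoso.sharepoint.com/sites/LabelTest'  # assumption

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell

Connect-ExchangeOnline          # Get-UnifiedGroup
Connect-IPPSSession             # Get-Label, Search-UnifiedAuditLog
Connect-SPOService -Url $adminUrl

# Map label GUIDs to display names once; groups and sites store the GUID.
$labelName = @{}
Get-Label | ForEach-Object { $labelName[[string]$_.Guid] = $_.DisplayName }

function Resolve-LabelName([string]$Guid) {
    if ($Guid -and $labelName.ContainsKey($Guid)) { return $labelName[$Guid] }
    if ($Guid) { return "unknown label $Guid" }
    return '(no label)'
}

# 1. The Team: SensitivityLabel holds the GUID; AccessType is the privacy
#    setting (Private/Public) that the label's privacy option drives.
$group = Get-UnifiedGroup -Identity $teamName
[pscustomobject]@{
    Object  = "Team/group '$($group.DisplayName)'"
    Label   = Resolve-LabelName ([string]$group.SensitivityLabel)
    Privacy = $group.AccessType
}

# 2. The SharePoint site: SharingCapability shows the effective external
#    sharing setting (Disabled, ExistingExternalUserSharingOnly,
#    ExternalUserSharingOnly or ExternalUserAndGuestSharing).
$site = Get-SPOSite -Identity $siteUrl
[pscustomobject]@{
    Object  = "Site $($site.Url)"
    Label   = Resolve-LabelName ([string]$site.SensitivityLabel)
    Sharing = $site.SharingCapability
}

# 3. Mismatch audit: a file labeled higher than its container is not
#    blocked, but SharePoint records a "Detected document sensitivity
#    mismatch" event that can be searched (audit retention applies).
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) -Operations DocumentSensitivityMismatchDetected `
    -ResultSize 500

"Mismatch events in the last 7 days: $(@($events).Count)"
foreach ($e in @($events)) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time = $e.CreationDate
        User = $d.UserId
        File = $d.ObjectId
        Site = $d.SiteUrl
    }
}
```

Step 2 is the check that matters for the sharing tests later on: if SharingCapability on the site still allows external users after the Private label is applied, the label's external sharing control was not enabled (it was deselected in the wizard above), and the "Your org doesn't allow sharing" message will come from tenant or site settings rather than from the label.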
Testing – Add data to a Team's Site
1. Click on your new team, then Files – Upload.
2. Decide if you want to upload a test file(s) or a folder with file(s).
Reference to follow, in order: Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft 365 Compliance | Microsoft Docs

Testing – Share a Teams file via SharePoint
1. In Teams, click on the file(s)/folder you want to share.
2. Click the three dots next to the file and click Open in SharePoint.
3. Click on a file.
4. Click the Share button.
5. Enter the external email address of the user you wish to share the file with.
6. You should see a message such as: "Your org doesn't allow sharing with these people. To continue sharing, remove the highlighted recipients."
You have now completed testing the sharing of a file.

Testing – Share a Teams file via Link
1. In Teams, click on the file(s)/folder you want to share.
2. Click the three dots next to the file and click Open in SharePoint.
3. Next to the file, click the three horizontal dots.
4. Select Copy link.
5. Paste the link into an email and send it to an external address for your test user. Click Send.
6. You will see a pop-up similar to the message below (screenshot not reproduced). Click Send anyway.
7. Go to your external user's mailbox. Click on the file link; after being asked to authenticate, you should encounter a message similar to the one below (screenshot not reproduced).
You have now completed testing the sharing of a file link.

Testing – Owner can change the label on the container
Here we will use the second label (Public) we created previously. We will change the label on the Teams container so that an "internal" team and its associated files become public-facing/accessible, and vice versa.
1. Right-click your MS Team and click Edit team.
2. Select Sensitivity and change the label to the Public label.
3. Change Privacy to Public (or Org-wide).
4. Click Done.
5. Wait 15-30 minutes to allow the change to take effect in the Team.
6. Repeat both share tests.
You should now be able to share the data inside the file. Note – this does not change the Sensitivity label of the file itself. You are now done with this part of the testing.

Appendix and Links
Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft 365 Compliance | Microsoft Docs
Assign sensitivity labels to groups - Azure AD | Microsoft Docs
Connect to Security & Compliance Center PowerShell using the EXO V2 module | Microsoft Docs
Learn about sensitivity labels - Microsoft 365 Compliance | Microsoft Docs
Adding guests to Microsoft 365 Groups
Cloud apps, actions, and authentication context in Conditional Access policy - Azure Active Directory | Microsoft Docs
Labeling in Azure Purview - Azure Purview | Microsoft Docs
Create a site - SharePoint in Microsoft 365 | Microsoft Docs
About the Exchange Online PowerShell V2 module | Microsoft Docs
Set-ExecutionPolicy (Microsoft.PowerShell.Security) - PowerShell | Microsoft Docs

Microsoft Purview - Paint By Numbers Series (Part 3) - Data Loss Protection for Exchange
Many companies want to run Data Loss Prevention (DLP) tools to prevent users from sending data out of the organization, either accidentally or deliberately. This part of the blog series will step you through how to configure a basic policy for your testing.