Many of our healthcare customers are required to attest to their adherence to various frameworks and, in turn, would like to better understand which aspects of Office 365 compliance Microsoft covers as part of its shared responsibility with our customers. We understand that organizations have internal controls and requirements of their own as well. To improve our transparency and our customers' ability to respond to auditors and regulators, we introduced Compliance Manager.
Compliance Manager includes an at-a-glance summary of the shared responsibility model, reflecting both Microsoft's and your organization's data protection and compliance posture for standards and regulations such as ISO 27001:2013, NIST 800-53, the Health Insurance Portability and Accountability Act (HIPAA), the European Union General Data Protection Regulation (GDPR) and others. It also provides a risk assessment workflow and management tools, including task assignment and verification, to help Governance, Risk & Compliance teams and IT departments work together to streamline internal compliance activities. Because we understand that you may have to work through several of these regulations, we provide intelligent tracking that recognizes common and similar compliance activities across multiple standards and regulations; by applying a single activity to multiple assessments or controls, it reduces your organization's cost and effort from regulation to audit.
To get started, head over to https://servicetrust.microsoft.com and sign in to your Office 365 tenant. You may also go directly to the Compliance Manager tool at https://servicetrust.microsoft.com/ComplianceManager. From there, choose Add Assessment.
As you add an assessment, choose an existing group or add a new one, then choose Office 365 and HIPAA for this assessment. A group is simply a way to manage a set of related assessments.
Your assessment screen will now look something like this (note that my group name is PM):
This shows that there are 36 customer managed actions (items you will want to look into for your organization) and 67 that Microsoft has already actioned. Let's go into the details by clicking on Office 365 – HIPAA and look at each. The header shows you the status of your assessment. Note that you can export the assessment to Excel for integration into a third-party compliance tool or to share with colleagues. We also provide a score based upon all of the possible assessments that are available.
The next section of the screen lists the Office 365 services currently in scope for this assessment (note that this list is subject to change over time). After that comes the Microsoft Managed Controls section, which lists all of the assessments for the Microsoft Managed Actions so that you can review what we have done. Last but not least is the Customer Managed Controls section. As you expand it, you will see each subsection that requires your attention. An example section is shown below:
By updating the fields and recording your organization's responses, your healthcare organization can work toward assessing its compliance with this particular regulation. You can assign a user responsibility for a control, as well as log the dates on which the control was implemented and tested. Last but not least, we ask you to action the result by labeling it as Passed or Failed. You can also upload supporting documentation for this line item in the Manage Documents section.
That's it! Just another 35 controls to review for this assessment. Compliance Manager makes organizing assessments easy!