How To Stay HIPAA-Compliant When Using SharePoint?
As SharePoint consultants, we are often asked how this platform supports HIPAA compliance, as data breaches in healthcare have recently become a serious challenge. According to HIPAA Journal’s statistics, there were 2,546 data breaches between 2009 and 2018 that resulted in the theft or exposure of almost 190 million medical records. So, in this article, we explore whether a SharePoint solution is a safe place for sensitive healthcare information.
HIPAA safeguards
HIPAA regulations protect sensitive information in the healthcare industry. They require verifying the identity of a person or entity seeking access to Protected Health Information that is stored or transmitted electronically (ePHI): names, dates, geographical identifiers, medical record numbers, biometric identifiers and more. HIPAA also requires ePHI to be secured against unauthorized reading, writing, modification or sharing. For medical software, being HIPAA-compliant means that the application makes it possible to meet the three safeguards of the HIPAA Security Rule:
- Administrative safeguards. They require healthcare institutions to perform risk assessment and risk management. They also require developing and reviewing information system activity reports, managing information access, and implementing security incident response, a security program, employee training, and more.
- Technical safeguards. They involve common security controls, such as user authentication, authorization, access control, encryption, data integrity, and audit trail.
- Physical safeguards. They involve controls related to physical access to information and systems, including facility access, workstation access and use, workstation security, device and media controls (disposal, media reuse, etc.).
HIPAA & SharePoint
Below we explore how SharePoint can support the security measures determined by the Security Rule safeguards.
Administrative safeguards
Business Associate Agreement
HIPAA requires a Business Associate Agreement (BAA), a written contract between a covered entity and a business associate, to ensure that the business associate will adequately protect ePHI. Microsoft can enter into a BAA with a healthcare organization to deliver services. Once the BAA is in place, a healthcare organization can use Microsoft SharePoint to process and store ePHI.
Risk assessment & management
Failure to perform an adequate risk analysis continues to be one of the most commonly alleged HIPAA violations. The Advanced Security Management feature of SharePoint helps to optimize the security risk analysis. To ensure early detection and prevention of security issues, it allows setting anomaly detection policies. They enable scanning user activities and evaluating their risk to ePHI security via various indicators like a chain of sign-in failures.
Advanced Security Management can help to track specific activities. For example, out-of-the-box templates make it possible to create a policy that generates automated notifications about events such as the download of an unusually large amount of data or a sign-in from a risky IP address. These policies can be customized for purposes such as finding a user’s location or identifying the device type in use.
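The three policy types mentioned above (a chain of sign-in failures, a sign-in from a risky IP address, an unusually large download) can be expressed as simple rules over audit events. The following is an added example, not code from Microsoft or from the original article; the event layout, action names, thresholds, risky network list and per-user baselines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (time, user, action, source IP, MB transferred).
# Field layout and action names are hypothetical, not a Microsoft log schema.
EVENTS = [
    ("2019-03-01T08:00:05", "clerk.b", "SignInFailed",   "198.51.100.20", 0),
    ("2019-03-01T08:00:40", "clerk.b", "SignInFailed",   "198.51.100.20", 0),
    ("2019-03-01T08:01:10", "clerk.b", "SignInFailed",   "198.51.100.20", 0),
    ("2019-03-01T08:02:00", "clerk.b", "SignInSuccess",  "198.51.100.20", 0),
    ("2019-03-01T09:15:00", "nurse.a", "SignInSuccess",  "203.0.113.77",  0),
    ("2019-03-01T09:20:00", "nurse.a", "FileDownloaded", "203.0.113.77",  40),
    ("2019-03-01T10:00:00", "dr.c",    "SignInFailed",   "192.0.2.10",    0),
    ("2019-03-01T10:00:30", "dr.c",    "SignInSuccess",  "192.0.2.10",    0),
    ("2019-03-01T10:05:00", "dr.c",    "FileDownloaded", "192.0.2.10",    900),
    ("2019-03-01T10:06:00", "dr.c",    "FileDownloaded", "192.0.2.10",    700),
]
RISKY_NETS = [ipaddress.ip_network("203.0.113.0/24")]      # assumed threat-intel list
BASELINE_MB = {"clerk.b": 50, "nurse.a": 60, "dr.c": 200}  # assumed typical MB per day

def evaluate(events, fail_chain=3, window=timedelta(minutes=10), factor=5):
    """Return a sorted list of (user, rule) alerts for the three policy types."""
    alerts, fails, downloaded = set(), defaultdict(list), defaultdict(float)
    for ts, user, action, ip, mb in sorted(events):   # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if action == "SignInFailed":
            # Keep only failures that are still inside the sliding window.
            fails[user] = [t for t in fails[user] if when - t <= window] + [when]
            if len(fails[user]) >= fail_chain:
                alerts.add((user, "sign-in failure chain"))
        elif action == "SignInSuccess":
            fails[user].clear()                       # a success breaks the chain
            if any(ipaddress.ip_address(ip) in net for net in RISKY_NETS):
                alerts.add((user, "sign-in from risky IP"))
        elif action == "FileDownloaded":
            day = (user, when.date())                 # volume is totalled per day
            downloaded[day] += mb
            if downloaded[day] > factor * BASELINE_MB.get(user, 0):
                alerts.add((user, "unusually large download"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, rule in evaluate(EVENTS):
        print(f"ALERT {user}: {rule}")
```

A single failed sign-in followed by a success (dr.c in the sample) does not raise the failure-chain alert, which keeps ordinary typos out of the notification stream.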
Compliance training
HIPAA training is another process that can be carried out with the help of SharePoint. The platform supports various types of training content (videos, images, surveys, quizzes, etc.). Besides, it offers rich collaboration and gamification features that can make compliance training more engaging, thus increasing the efficiency of training and facilitating knowledge retention for healthcare employees. What’s more, because it can be integrated with e-signature software, SharePoint supports compliance acknowledgement upon completing training. So, in case of a violation, an e-signature can prove that an employee read and understood compliance rules and policies and was obliged to abide by them.
Data integrity
To mitigate the impact of a natural disaster or service-impacting outages, at least two Microsoft data centers mirror ePHI stored in SharePoint. Metadata backups are kept for 14 days and can be restored to any point in time within a 5-minute window. Besides, SharePoint can protect ePHI from accidental deletion or overwriting thanks to its versioning functionality, which allows rolling back to a previous version of a document. SharePoint also offers Data Loss Prevention (DLP), which leverages a content analysis engine to scan through files, documents, and emails to identify sensitive information and restricts sharing of this data with external users to prevent accidental leakage.
Technical safeguards
User identification & authentication
SharePoint enables identifying and tracking user identity by assigning a unique number to each user. Also, SharePoint offers two-factor authentication, which makes it harder for hackers to compromise ePHI even if they crack or steal a password. The additional method of authentication can be an email address, a security question, a text, a voice call, etc. For example, a user logs in with their password and enters a code from an email.
Access control
SharePoint security is permission-driven. If a user doesn’t have access to some ePHI, this information will be invisible to them, even in search results. Thus, only authorized users can access and manage ePHI. Also, SharePoint can restrict access by network location, which can prevent access to ePHI from untrusted networks.
Depending on permission levels, there are three main security groups in SharePoint:
- Site Visitors are read-only users who can view and download content from SharePoint sites.
- Site Members can read, download, add, edit, delete and share content.
- Site Owners are full-control users who can do everything Visitors and Members can and can also configure site security, add web parts, etc.
As required by HIPAA, SharePoint allows Site Owners to grant access to ePHI upon a user’s request in emergencies like imminent danger to the health and safety of a person or the public. Also, SharePoint allows assigning access rights to individual ePHI files. For example, a hospital accountant can access patients’ insurance and payment information but not their medical records.
Data encryption
To protect the confidentiality of ePHI, SharePoint supports two types of data encryption:
- Encryption of data in transit. ePHI is transferred between a user and a data center and between data centers over a secure SSL/TLS connection.
- Encryption of data at rest. It is implemented on two levels: a disk level and a file level. To secure ePHI on the disk encryption level, SharePoint utilizes BitLocker. On the file encryption level, every file is secured with a key that uses the Advanced Encryption Standard (AES) with 256-bit keys.
Automatic log-off
SharePoint supports automatic termination of an electronic session after a predetermined time of inactivity. Thus, ePHI is protected against unauthorized access if a user forgets to log out of the system.
Audit trail
SharePoint reporting functionality allows tracking various types of user activity with regard to ePHI. For example, an automatically generated audit report can show the access time and the user who opened, downloaded, emailed or printed out medical test results from a SharePoint system. Also, SharePoint can be integrated with optical character recognition (OCR) software, which can help to convert paper PHI into readable and searchable electronic files and thus facilitates audits. What’s more, Microsoft has recently announced a new SharePoint capability that can facilitate compliance of ePHI-related images, audio, and video files by extracting text from them with the help of AI technology.
Physical safeguards
Microsoft doesn’t disclose the location of its data centers for SharePoint Online. Besides, Microsoft data centers have multilayer protection that ensures high security of stored data. The personnel’s identities are verified through multifactor authentication, including smart cards and biometrics. There are also security officers, motion sensors, video surveillance, and security breach alarms in the data centers. What’s more, the centers protect data not only from unauthorized access but also from natural disasters and environmental threats.
SharePoint security gaps
Despite offering numerous capabilities to protect ePHI, SharePoint is not free of security gaps. They can be attributed to features that can trigger potential issues in using the platform, for example:
- Assigning direct permissions. There’s a common mistake made by Site Owners: if they want to quickly grant access to SharePoint, they assign Direct Permissions to users. However, this can expose ePHI to those who shouldn’t see it, causing leaks of sensitive information.
- Overusing granular permissions. A granular approach to permissions can affect the security of ePHI. For example, having too many users with limited access means that the access list needs to be managed at a micro level for those who want access to a SharePoint site. As the SharePoint farm grows, it becomes difficult to keep track of all individuals and their permissions. As a result, some individuals may be overlooked, which can lead to ePHI breaches.
- Overusing broken inheritance. To protect sensitive information, Site Owners can block permission inheritance at any level in the hierarchy. A large number of instances of broken inheritance in the SharePoint environment can lead to overlooked security settings.
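A periodic review of a permissions export can surface all three gaps listed above. The following is an added example, not code from the original article or from any SharePoint tool; the record layout, the sample site, and the `max_unique_ratio` threshold are constructed assumptions.

```python
# Constructed sample of a permissions export. The record layout is hypothetical,
# not the output format of any SharePoint tool; grants are (principal, type, level).
EXPORT = [
    {"path": "/sites/clinic", "inherits": False, "kind": "site",
     "grants": [("Clinic Owners", "group", "Full Control"),
                ("Clinic Members", "group", "Edit"),
                ("Clinic Visitors", "group", "Read")]},
    {"path": "/sites/clinic/Billing", "inherits": False, "kind": "library",
     "grants": [("Billing Staff", "group", "Edit")]},
    {"path": "/sites/clinic/Records", "inherits": False, "kind": "library",
     "grants": [("Clinicians", "group", "Edit"),
                ("j.doe@example.org", "user", "Edit")]},
    {"path": "/sites/clinic/Records/2019", "inherits": True, "kind": "folder",
     "grants": []},
    {"path": "/sites/clinic/Records/2019/lab-0417.pdf", "inherits": False,
     "kind": "file", "grants": [("m.roe@example.org", "user", "Read"),
                                ("k.lee@example.org", "user", "Read")]},
    {"path": "/sites/clinic/Forms", "inherits": True, "kind": "library",
     "grants": []},
]

def audit(export, max_unique_ratio=0.25):
    """Report direct user grants, item-level scopes and broken inheritance."""
    root = min(export, key=lambda o: len(o["path"]))["path"]
    direct = [(o["path"], who) for o in export
              for who, ptype, _level in o["grants"] if ptype == "user"]
    # The root always has its own permissions, so it is not counted as broken.
    broken = [o["path"] for o in export
              if not o["inherits"] and o["path"] != root]
    item_level = [o["path"] for o in export
                  if not o["inherits"] and o["kind"] in ("folder", "file")]
    ratio = round(len(broken) / max(len(export) - 1, 1), 2)
    return {"direct_user_grants": direct, "broken_inheritance": broken,
            "item_level_scopes": item_level, "unique_ratio": ratio,
            "review_needed": ratio > max_unique_ratio or bool(direct)}

def effective_grants(export, path):
    """Grants applying to path: its own if unique, else the nearest ancestor's."""
    by_path = {o["path"]: o for o in export}
    while path and (path not in by_path or by_path[path]["inherits"]):
        path = path.rpartition("/")[0]
    return by_path[path]["grants"] if path else []

if __name__ == "__main__":
    for key, value in audit(EXPORT).items():
        print(key, "=", value)
```

In the sample, `effective_grants` shows that the file with broken inheritance is readable only by two directly assigned users and no longer follows the Clinicians group, which is the kind of setting that gets overlooked as unique scopes multiply.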
To minimize the probability of such security issues, a healthcare organization bound by HIPAA regulations shouldn’t underestimate the significance of SharePoint consulting, maintenance and support services.
Afterword
Thanks to functionality such as access control, data encryption, audit trail, backups, and more, SharePoint can help healthcare organizations and their business associates to implement the administrative, technical and physical safeguards of the HIPAA Security Rule. However, it should be pointed out that security only partially depends on the capabilities of the system. It also requires a professional IT team to implement, configure and manage the SharePoint environment.